Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Common ICS Cybersecurity Myth #3: The Unbreachable Firewall

Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on the series if you're interested:

Now, let's dive in.

ICS Cybersecurity Myth #3

ICS is protected from cyberattacks because there is a firewall between the ICS network and other networks

ICS security is largely dependent on the effectiveness of the network design and firewall to prevent unauthorized access. To provide defense in depth, a firewall can be used to separate different layers of an ICS network (i.e., the HMI-level LAN from the ICS DMZ from the enterprise network).

Busting ICS Cybersecurity Myth #3

No doubt that a firewall and a demilitarized zone (DMZ) network architecture are a must to protect ICS networks from unauthorized access. However, this protection is only as good as the firewall policy (rules) and the security of the firewall itself.

A good firewall policy requires precise planning, accurate workflow, and continuous monitoring of any changes to the policy, network design, and firewall configurations. Any misconfiguration of the firewall/rules will result in a false sense of security and allow unauthorized access to the ICS network.

Gartner predicted that 99 percent of firewall breaches would be caused by firewall misconfigurations in 2020. Another study reported that open firewall rules ("Any-Any" rule that allows any traffic) are a major problem, and one out of five firewalls has one or more configuration issues.

While the firewall is an important ICS protection, it can only defend against attacks initiated outside the protected ICS network. Also, a simple firewall cannot protect against attacks that use already-allowed protocols/access. To defend against these attacks, an intrusion detection system (IDS) capability is required.

To combat malware introduced from USB devices, transient systems (mobile laptop), dialup, and other control network components, ICS must incorporate other system-level measures such as whitelisting, hardening, or host-based controls.

Next Steps

  1. Periodically review firewall rules/policies and fix any misconfigurations and remove unnecessary rules. If possible, automate detection of changes to firewall rules and  configurations.
  2. Access rules should be based on zero trust/least access and should be necessary for system functionality and/or business needs.
  3. Route all connections to the ICS networkincluding vendor remote access and dialupthrough the firewall, with no connections circumventing it.
  4. Where feasible, the ICS network should be segmented into security zones for granular access and defense in depth strategy.
  5. Multiple DMZs, or security zones, should be created for separate functionalities and access privileges, such as peer connections, the data historian, the OPC server or ICCP server in SCADA systems, the security servers, replicated servers, and development servers.

Stay tuned for the next part in this series, in which we break down Myth #4: the belief that serial communication (non-routable) between the control center and remote sites provides immunity from cyberattacks.

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Sanjay Chhillar
Sanjay Chhillar
Sanjay Chhillar is the head of OT/ICS Cybersecurity Practice at Siemens UK & Ireland.

Related Posts

ISA/IEC 62443 Referenced in CISA’s Cross-Sector CPGs

A July 2021 memorandum by President Biden required the Cybersecurity & Infrastructure Security Agency...
Steven Aliano Nov 29, 2022 5:30:00 AM

OT & IoT Cybersecurity: Marriage of Digital Factories & Cybersecurity

This blog has been repurposed from the August 2022 edition of InTech.
Contributing Authors Nov 22, 2022 5:30:00 AM

Is Employee Burnout a Threat to Your Organization’s Cybersecurity?

For your company to be successful, you need to treat your employees right. They need to feel safe and app...
Katie Brenneman Nov 15, 2022 5:30:00 AM