Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on the earlier parts of the series if you're interested.
Now, let's dive in.
ICS is protected from cyberattacks because there is a firewall between the ICS network and other networks
ICS security depends largely on how well the network design and the firewall prevent unauthorized access. To provide defense in depth, firewalls can be used to separate the layers of an ICS network (e.g., the HMI-level LAN from the ICS DMZ, and the ICS DMZ from the enterprise network).
No doubt a firewall and a demilitarized zone (DMZ) network architecture are a must for protecting ICS networks from unauthorized access. However, this protection is only as good as the firewall policy (its rules) and the security of the firewall itself.
A good firewall policy requires precise planning, an accurate change workflow, and continuous monitoring of any changes to the policy, the network design, and the firewall configuration. Any misconfiguration of the firewall or its rules results in a false sense of security and allows unauthorized access to the ICS network.
Gartner predicted that 99 percent of firewall breaches would be caused by firewall misconfigurations in 2020. Another study reported that open firewall rules (an "Any-Any" rule that allows any traffic) are a major problem, and that one out of five firewalls has one or more configuration issues.
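As an added illustration (not code from the original post), the following Python audit checks a constructed ruleset for the two problems just described: "Any-Any" rules and rules that let the enterprise network reach the HMI-level LAN without passing through the ICS DMZ. The zone names, rule fields and sample rules are assumptions made for the example.

```python
"""Audit a constructed ICS firewall ruleset for layering and wildcard problems.

Zones model the layered design: ENTERPRISE -> ICS_DMZ -> HMI_LAN.
A rule is (src_zone, dst_zone, proto, dst_port, action); "any" is a wildcard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # zone name or "any"
    dst: str     # zone name or "any"
    proto: str   # "tcp", "udp", or "any"
    port: str    # destination port as a string, or "any"
    action: str  # "allow" or "deny"


# Trust ordering (assumed): traffic should cross one layer at a time, so the
# enterprise network must never reach the HMI LAN directly.
ZONES = {"ENTERPRISE": 0, "ICS_DMZ": 1, "HMI_LAN": 2}


def audit(rules):
    """Return (rule_name, finding) pairs for every allow rule that is
    overly permissive or skips a layer of the DMZ design."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules (including the default deny) are fine
        if (r.src, r.dst, r.proto, r.port) == ("any", "any", "any", "any"):
            findings.append((r.name, "any-any rule: permits all traffic"))
            continue
        if r.src == "any" or r.dst == "any":
            findings.append((r.name, "wildcard zone: source or destination unrestricted"))
        if r.proto == "any" or r.port == "any":
            findings.append((r.name, "wildcard service: protocol or port unrestricted"))
        if r.src in ZONES and r.dst in ZONES and abs(ZONES[r.src] - ZONES[r.dst]) > 1:
            findings.append((r.name, f"skips the DMZ: {r.src} reaches {r.dst} directly"))
    return findings


# Constructed sample ruleset: two sound rules, three that should be flagged.
SAMPLE_RULES = [
    Rule("hist-replication", "HMI_LAN", "ICS_DMZ", "tcp", "5450", "allow"),
    Rule("dmz-to-ent-https", "ICS_DMZ", "ENTERPRISE", "tcp", "443", "allow"),
    Rule("vendor-remote", "ENTERPRISE", "HMI_LAN", "tcp", "3389", "allow"),
    Rule("temporary-troubleshooting", "any", "any", "any", "any", "allow"),
    Rule("ent-dmz-all-ports", "ENTERPRISE", "ICS_DMZ", "any", "any", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running the audit as part of the change workflow, each time the policy is modified, turns the "continuous monitoring of changes" requirement into a repeatable check.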
While the firewall is an important ICS protection, it can only defend against attacks initiated from outside the protected ICS network. Also, a simple firewall cannot protect against attacks that use protocols or access that are already allowed. To defend against these attacks, an intrusion detection system (IDS) capability is required.
To combat malware introduced through USB devices, transient systems (e.g., a mobile laptop), dial-up connections, and other control network components, ICS must incorporate other system-level measures such as whitelisting, hardening, or host-based controls.
Stay tuned for the next part in this series, in which we break down Myth #4: the belief that serial communication (non-routable) between the control center and remote sites provides immunity from cyberattacks.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.