Beyond the network firewall

Since many industrial devices are soft targets for hackers, placing smaller firewalls deeper in networks near PLCs or embedding them in such controllers is a practical way to add a higher level of protection.


Small Internet-connected devices control our factories, manage the power grid, dispense medicine via insulin pumps, and affect our everyday lives in countless ways. Yet many embedded device developers do not include a firewall to protect their devices from cyber attacks, believing their devices are somehow immune from attacks and that a firewall is not needed.

Some of the PLCs shown above are better protected than others. PLC 1 is wide open to attacks via the Internet, but PLC 2 and 3 have local defenses against invasion. PLC 4, 5, and 6 are behind the enterprise firewall, but attacks can come through other dev

The majority of control system devices, conventional and embedded, developed in the last few years have an Ethernet network interface that can connect to the Internet. Some include password protection and perhaps encrypted protocols such as SSH or SSL, but these are not enough. Some devices don’t even include these simple protections and are supplied with user names or passwords that cannot be changed. If these approaches provided sufficient protection, we would not be reading about security breaches in the media. Older systems are even more vulnerable. Their original designs often assumed they were part of a closed or isolated network and omitted security, but many are now connected to a more open network with no protection. The perception of what represents sufficient security for small, embedded devices is outdated and needs to change. 

Real-world threats and solutions

Frequently engineers assume hackers will not target devices deep within industrial networks, claiming criminals are only interested in attacking PCs and enterprise networks. However, you don’t have to look very hard to find recent reports of attacks against control devices in industrial applications that prove this is simply not true. Many industrial PLCs, PACs, and other control devices are very soft targets, and if they can be reached from the outside through their networks, a hacker can cause all sorts of trouble.

Industrial networking and embedded device engineers can take a page from IT security’s playbook and employ a multilayered security strategy using strategically placed firewalls and encryption protocols. A firewall provides a critical layer of security for such devices, along with authentication and security, blocking attacks that authentication and encryption can’t. A firewall must be efficient, consuming minimal system resources, and scalable to a wide range of devices from small 8-bit systems running a minimal or no operating system, to a sophisticated multicore system running a commercial RTOS (real-time operating system). Desktop firewalls used with office IT systems do not meet the needs of these devices. Windows- and Linux-based firewalls, while effective, are large and not easily portable to embedded devices or those distributed around an industrial environment. They also typically include filtering that is not relevant for such devices. 

Network firewalls help, but—

Network or enterprise firewalls are used to isolate private networks from the Internet. All traffic between computers inside the network and the Internet must pass through the firewall. It is configured with communication policies to protect the machines inside the network from attacks originating from the Internet. Firewall policies control the protocols, ports, and IP addresses allowed to pass through. Network firewalls may also perform deep packet inspection to block viruses and malware targeting Windows systems. Properly configured, they can provide an effective layer of defense against hackers, DoS (denial of service) attacks, viruses, and malware.

However, network firewalls are designed to provide protection for the entire network. As such, they are configured with policies that make sense for the network as a whole. The communication requirements for an individual controller or other embedded device farther down in a network are frequently very specific, with only a few protocols and ports supported and often with a limited number of IP addresses communicating with the device. A firewall embedded in the device or adjacent to it provides protection at the device level with policies specifically configured for that device, allowing much tighter control. 

Attacks can also originate from within a network. These attacks are not blocked by the network firewall, and without an embedded firewall, devices on the network are vulnerable to these attacks. These attacks can be launched by insiders, or from communications that were not blocked by the network firewall or from communications that bypassed the firewall. Stuxnet, for example, attacked machines on a private network after infiltrating the network via USB flash drives.

To go a step farther, the assumption that a controller or other embedded device will always be deployed behind a network firewall should also be carefully examined (see diagram). Networks evolve over time, firewalls can be compromised by hackers, and the manner in which these devices are deployed changes. Is it really possible to be absolutely certain that an embedded device will always be deployed behind a network firewall? And even if the device is behind a network firewall, do you want to trust the firewall as the main and perhaps only line of defense?

Device-level firewalls

A firewall embedded in a control device or separate firewall appliance connected to the controller enforces a set of policies designed to create a safe zone where the device may operate. Embedded firewalls are becoming more common as growing numbers of manufacturers understand the need for this type of protection. Firewall policies govern allowable protocols and ports, which may communicate with the device and may initiate communication with the device. Such firewalls are integrated directly with the TCP/IP stack of the device and filter packets at the IP protocol layer. They block unwanted packets, unfriendly login attempts, and DoS attacks before authentication is allowed to begin.

One or more strategies are used to enforce firewall policies. Common filtering methods are:

  • Rules-based filtering: Compares each packet to a set of preset static rules determining if the packet is blocked or allowed. All decisions are made based on the information in the packet.
  • Stateful packet inspection (SPI): Maintains information regarding the state of each connection and uses that information when making filtering decisions.
  • Threshold-based filtering: Maintains statistics on received packets and monitors threshold crossings to detect packet floods and DoS attacks.

Rules-based filtering enforces policies by blocking unused protocols, closing unused ports, and enforcing IP address whitelists and blacklists. For some devices, rules-based filtering is all that’s required. Consider a hacker trying to reach and manipulate a pump controller from outside via the Internet. In normal operation, that pump controller would only have reason to communicate with a small set of known IP addresses. A rules-based firewall configured with a trusted list of IP addresses would block this attack.

Other devices require more open communication. A printer typically needs to accept print jobs from any IP address. Rules-based filtering can still be used to block unused ports and protocols, but SPI or threshold-based filtering are desirable for additional protection.

SPI provides protection against packets received with invalid TCP state information, a common web-based attack. SPI can also be used to create a lockdown mode where all connections must originate from the embedded device.

Threshold-based filtering is more complex and requires significant system processing time and memory, but provides a powerful tool for detecting packet floods and DoS attacks.

Devices such as Icon Labs’ Floodgate are available that make it easy and affordable to add an embedded firewall to virtually any controller or embedded device. These are designed for the specific requirements of device-level applications and can provide static filtering, threshold-based filtering, and SPI to protect embedded devices from Internet-based threats. Floodgate has a small footprint, low CPU processing requirements, and is easily integrated with any embedded IP stack.

Hackers are actively targeting embedded devices.  News articles recently reported attacks against thermostats, car computer systems, medical devices, and SCADA systems. The question really should be, “Why wouldn’t I include a firewall?”

David West is vice president of engineering at Icon Labs. Reach him at david.west(at) 

Key concepts:

  • Many industrial devices buried deep within industrial networks have become targets for hackers.
  • Expectations that these devices are safe thanks to obscurity have proven to be false.
  • Small device-level firewalls can be configured to provide protection specifically for these devices. 

ONLINE extra

No comments