Even the most advanced next-gen firewalls have blind spots when it comes to industrial security. Here’s how to close those security gaps across your network.
Enterprise information technology (IT) managers face an uphill battle when it comes to detecting and mitigating ever more frequent and sophisticated cyber threats. In their constant match of wits against sophisticated hackers, next-generation firewalls (NGFWs) have emerged as a game-changing IT security asset. And enterprises worldwide have voted with their pockets – a recent MarketsandMarkets report forecasts a 12.3% compound annual growth rate for the NGFW market from 2017 to 2022, reaching $4.27 billion by 2023.[1]
With the increasing convergence of IT and operational technology (OT) threats, industrial enterprises are looking for ways to leverage and adapt their existing IT cybersecurity investments to address new cyber threats targeting their OT networks as well.
Integrating NGFWs with dedicated industrial cybersecurity solutions can provide organizations with comprehensive and effective protection across both their IT and OT networks. Let's explore some of these advantages and see how such an integrated solution works.
Deploying next-gen firewalls in OT networks
An NGFW is an IT-oriented network security device that provides advanced filtering capabilities beyond a traditional, stateful firewall. In addition to port and protocol inspection of incoming and outgoing network traffic, NGFWs typically include functionality like application awareness and control, integrated intrusion prevention and threat intelligence.
NGFWs offer a deep-packet inspection function that examines the data carried in network packets. They are also well-equipped to address advanced persistent threats (APTs) because they can be integrated with threat intelligence services. This is very important for detecting complex, multi-vector attacks that can traverse from the IT to the OT network.
NGFWs have been deployed in critical infrastructure sectors, including utilities and transportation, oil and gas, and manufacturing, with varying levels of success in preventing cyberattacks on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks.
Adding OT expertise to your IT cybersecurity arsenal
With the rise of external and internal threats targeting industrial infrastructure, organizations need real-time, 360-degree visibility and security while addressing the unique technical and operational requirements of their OT networks.
In this context, deploying NGFWs in conjunction with OT-specific security tools can enhance network visibility and control. Monitoring OT network traffic and ICS devices requires technical expertise and tools that don't exist in most IT organizations. NGFWs, for example, cannot query ICS devices in their native language. This type of functionality is critical for detecting unauthorized changes to ICS devices that are made without traversing the network (e.g., over a serial connection), and which a network-based device therefore never sees.
Another key OT security requirement is an up-to-date and accurate inventory of ICS assets. A typical ICS network may contain hundreds of programmable logic controllers (PLCs), remote terminal units (RTUs) and distributed control systems (DCSs) from a mix of vendors. To assess risk and build an effective defense strategy, you need to know the manufacturers, models, firmware versions, latest patches and current configuration for each asset in your network.
NGFWs can integrate with ICS asset discovery and tracking tools. Detailed asset inventory information, such as IP address, device type, vendor and model, can be delivered as a tag to the NGFW. This enables admins to define and extend security policies across IT and OT environments and improve their overall cybersecurity posture.
In addition, by combining OT alerts with IT procedures and policies in a single pane of glass, industrial organizations can reduce management complexity and accelerate the implementation of OT-focused firewall rules.
Real-world use cases
Here are a couple of practical examples of how an integrated solution can help protect ICS networks and assets from unauthorized access.
1) Streamline ICS device maintenance using granular security policies
Critical maintenance activities require network connections to sensitive ICS devices. Setting up a connection may necessitate a change in the NGFW’s intentionally strict security policies. These activities often need to be authorized on short notice, which requires detailed asset inventory information or clear visibility into the ICS network.
By integrating OT network security with the NGFW, administrators can configure policies that apply to specific ICS assets using dynamic address groups (DAGs), taking their various characteristics into account. For example, when ICS network access is required to update engineering stations, the NGFW administrator can set a policy that applies only to these devices without having to rely on IP addresses, which may have changed over time.
2) Secure network connections between ICS and IT environments
To enable network connections between assets in the ICS network and corporate IT applications, NGFW administrators are compelled to set permanent firewall rules that are too permissive and can’t automatically adapt when changes occur. This increases security risk by expanding the potential attack surface.
Using an integrated solution, administrators can configure specific rules for individual ICS assets and group them by type or vendor. There is no need for prior knowledge of the network or of IP addresses. For example, an administrator can set a rule that allows only specific communication commands, so that a device can gather data from other devices in the OT network without being able to change them.
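The two use cases above, and the tag delivery described earlier, can be illustrated with a small model of tag-driven dynamic address groups and per-asset rules. This is an added example, not code from the article or from any NGFW or OT security vendor: the inventory records, IP addresses, vendor and model names, group names and rule names are all constructed, and the rule evaluator is a deliberately simplified stand-in for a real firewall policy engine. It shows how rules written against tags keep matching an engineering station after its IP address changes, and how a data-collection rule can be restricted to read-only Modbus/TCP function codes so that the IT side can read from PLCs but not write to them.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory (hypothetical values), in the shape an OT
# asset-discovery tool might deliver to the NGFW as tags.
INVENTORY = [
    {"ip": "10.10.1.11", "type": "plc", "vendor": "vendor-a", "model": "px-100"},
    {"ip": "10.10.1.12", "type": "plc", "vendor": "vendor-b", "model": "qx-7"},
    {"ip": "10.10.1.40", "type": "rtu", "vendor": "vendor-a", "model": "rt-2"},
    {"ip": "10.10.2.5", "type": "engineering_station", "vendor": "vendor-a", "model": "ews"},
]

# Modbus/TCP function codes that only read data: Read Coils (1), Read Discrete
# Inputs (2), Read Holding Registers (3), Read Input Registers (4).
READ_ONLY_MODBUS = frozenset({1, 2, 3, 4})
MODBUS_TCP_PORT = 502


def tags_for(asset: dict) -> frozenset:
    """Turn one inventory record into 'key:value' tags; the IP is the address, not a tag."""
    return frozenset(f"{k}:{v}" for k, v in asset.items() if k != "ip")


def dag_members(inventory: list, match: frozenset) -> frozenset:
    """Dynamic address group: every asset carrying all tags in `match` (AND semantics)."""
    return frozenset(a["ip"] for a in inventory if match <= tags_for(a))


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset                          # source addresses (a DAG or a static set)
    dst: frozenset                          # destination addresses
    port: int
    action: str                             # "allow" or "deny"
    functions: Optional[frozenset] = None   # application-layer allow-list; None = any command


def evaluate(rules, src_ip, dst_ip, port, function_code=None):
    """First-match evaluation with default deny and an optional command-level check."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and port == r.port:
            if r.action == "allow" and r.functions is not None and function_code not in r.functions:
                # The flow matched, but the command is outside the rule's allow-list.
                return ("deny", r.name)
            return (r.action, r.name)
    return ("deny", "default")


def build_rules(inventory):
    """Rules reference tag-derived groups, so they follow inventory changes without edits."""
    eng_stations = dag_members(inventory, frozenset({"type:engineering_station"}))
    vendor_a_plcs = dag_members(inventory, frozenset({"type:plc", "vendor:vendor-a"}))
    all_plcs = dag_members(inventory, frozenset({"type:plc"}))
    historian = frozenset({"192.0.2.50"})   # constructed IT-side data collector address
    return [
        # Use case 1: maintenance access from engineering stations to one vendor's PLCs.
        Rule("maintenance-eng-to-vendor-a-plcs", eng_stations, vendor_a_plcs, MODBUS_TCP_PORT, "allow"),
        # Use case 2: IT historian may only issue read commands to any PLC.
        Rule("historian-read-only", historian, all_plcs, MODBUS_TCP_PORT, "allow", READ_ONLY_MODBUS),
    ]


if __name__ == "__main__":
    rules = build_rules(INVENTORY)
    print(evaluate(rules, "10.10.2.5", "10.10.1.11", 502, 3))    # maintenance rule allows
    print(evaluate(rules, "192.0.2.50", "10.10.1.12", 502, 16))  # write from historian denied
```

Regenerating the rules after the inventory changes is what gives the "no reliance on IP addresses" property: when the engineering station is re-addressed in the inventory, `build_rules` picks up the new address through the tag match and the old address silently drops out of the group.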
By integrating NGFWs with dedicated ICS security solutions, industrial organizations can augment visibility and control of their OT network. This type of integration enables unified detection of IT and OT threats, faster mitigation of potential risks and maximum return on investment. To learn more about securing your industrial operations from cyber threats, check out our whitepaper: Mind the Gap: A Roadmap to IT/OT Alignment.