
Fundamental Principles of Ethernet Security
Firewalls in Industrial Environments

by Joseph Benedetto

Executive summary
Security incidents rise at an alarming rate each year.
As the complexity of the threats increases, so do the
security measures required to protect industrial
networks. Plant operations personnel need to
understand security basics as plant processes integrate
with outside networks. This paper reviews network
security fundamentals, with an emphasis on firewalls
specific to industry applications. The variety of firewalls
is defined, explained, and compared.
998-2095-02-13-14AR0
Fundamental Principles of Ethernet Security in Industrial Environments

Introduction

If hackers can download a medical formula from a pharmaceutical firm, they could alter that
medication by making a slight variation in the formula. In the automotive industry a hacker
might alter a robotics program and cause it to make a defective part or to dump material
where it should not belong or alter the timing of a particular process. In an oil industry control
application, hacker meddling could result in a damaging spill.

As manufacturing processes and factories become more “wired”, vulnerabilities in network
devices can become targets for individuals writing worms and viruses. These threats are
disruptive to the ultimate goal of protecting the industrial environment from any business loss
including network failure and process line inefficiency.

One of the measures that can be taken to lower the level of risk is the deployment of proper
“firewalls”. A firewall is hardware and / or software used to protect network-connected devices
or network segments from unauthorized access. In an industrial Ethernet application, a
firewall can provide the physical separation between the control network and the plant or
corporate networks. It can also be used to create secure control zones within the control
network.

In a typical firewall installation, the connection coming from the plant network to the firewall is
referred to as the “untrusted” port or connection. The port that will connect to the control
network is referred to as the “trusted” connection (see Figure 1).

Figure 1: The firewall serves as a barrier to unwanted outside intrusion while allowing
legitimate data to communicate with key equipment components. (Diagram labels: Outside of
Plant, Internet; Firewall with an “untrusted” connection toward the Internet and a “trusted”
connection toward the Automation System.)

The firewall’s basic function is to control message transmission. It is designed to block
unauthorized access while permitting authorized communication to the devices connected on
the “trusted” side of the firewall. It can be configured by the user to permit, deny, encrypt,
decrypt or act as an intermediary device (proxy) for all (in and out) traffic between different
security domains based upon a set of rules.

The first step in determining a system’s security requirements is to conduct a survey. The
survey identifies all the possible points of access and assists in determining the number and
location of firewalls needed in the system.

The firewall plays an important role in the overall protection of an industrial control network.
The control system requires fast data throughput so that it can provide a rapid response to
changes in the operation. At the same time, the control system needs the protection of the
firewall to block all unwanted and unauthorized traffic to devices, to ensure that the data they
receive is correct.

Firewall categories

Three general categories of firewalls exist to protect industrial Ethernet applications. Each
provides a different level of protection. The choice of firewall should be based on the
application requirements, the level of risk that can be tolerated, and the impact on a system
should that system be targeted for attack. Below are descriptions of the three firewall
categories:

• Packet Filtering Firewalls: These firewalls check each incoming or outgoing message
packet for its source address, destination address, and function. The firewall accepts or
rejects the message based on a comparison to a number of predefined rules called
Access Control Lists (ACLs). This is a low cost solution that examines the message
packet headers only and not the overall packet content. This type of firewall is easy to
circumvent by a skilled attacker. Packet filtering firewalls are not recommended for high
risk areas due to lack of authentication and their inability to conceal the protected
network’s architecture.
• Stateful Inspection Firewalls: These firewalls inspect message packets for each
transmission at the network layer and validate that the packets and their contents at the
application layer are legitimate. Stateful inspection ensures that all inbound packets are
the result of an outbound request. Stateful inspection firewalls provide a high level of
security and good performance but can be expensive and complex to configure.
• Application-Proxy Gateway: The application-proxy gateway examines every incoming
packet at the application layer, filters the traffic based on specific application rules, and
then reissues it to the target device. Application proxy gateways provide a high level of
security, but have overhead delays that impact the network performance of the control
system. Their use is therefore not recommended.
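The difference between the first two categories is easiest to see in code. The following Python
example is added here for illustration; it is not from the white paper or from Schneider Electric.
It models a packet-filtering firewall as an ordered Access Control List evaluated against packet
headers only, and a stateful inspection firewall that additionally keeps a connection table so
that inbound packets are permitted only when they answer a tracked outbound request. The
addresses (a DMZ HMI at 10.20.0.5, a PLC at 10.10.0.20 on the trusted control network, a plant
host at 10.30.0.7) and the Modbus/TCP port 502 rule set are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the segment that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    """One ACL entry: header fields only, which is all a packet filter examines."""
    action: str                  # "permit" or "deny"
    src: str                     # CIDR of matching source addresses
    dst: str                     # CIDR of matching destination addresses
    dport: Optional[int] = None  # None matches any destination port
    sport: Optional[int] = None  # None matches any source port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.sport in (None, p.sport))


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless ACL evaluation: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Permits a new connection only if the ACL allows its opening segment, and
    thereafter permits replies only for connections recorded in its state table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()  # (src, sport, dst, dport)

    def decide(self, p: Packet) -> str:
        # A reply is recognised by the reverse of a tracked 4-tuple.
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "permit"
        if p.syn and packet_filter(self.rules, p) == "permit":
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        return "deny"


# Constructed addresses for the firewall between the DMZ and the control network.
CONTROL_NET = "10.10.0.0/24"   # trusted side: PLCs
DMZ_NET = "10.20.0.0/24"       # HMI, SCADA, historian
MODBUS = 502

# A stateless filter needs the request rule AND a second rule letting the PLC's
# replies back out, because it cannot tell a reply from unrelated traffic.
STATELESS_RULES = [
    Rule("permit", "10.20.0.5/32", "10.10.0.20/32", dport=MODBUS),
    Rule("permit", CONTROL_NET, DMZ_NET, sport=MODBUS),
]
# The stateful firewall needs only the request rule; replies come from its table.
STATEFUL_RULES = [Rule("permit", "10.20.0.5/32", "10.10.0.20/32", dport=MODBUS)]

# Constructed traffic, in order of arrival.
SCENARIO = [
    ("hmi_request", Packet("10.20.0.5", 50000, "10.10.0.20", MODBUS, syn=True)),
    ("plc_reply", Packet("10.10.0.20", MODBUS, "10.20.0.5", 50000)),
    # Headers satisfy the reply rule, but no tracked connection exists for it.
    ("header_matches_reply_rule", Packet("10.10.0.99", MODBUS, "10.20.0.5", 445)),
    ("plant_host_to_plc", Packet("10.30.0.7", 4444, "10.10.0.20", MODBUS, syn=True)),
]


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Return (stateless decision, stateful decision) for each packet in SCENARIO."""
    stateful = StatefulFirewall(STATEFUL_RULES)
    return {name: (packet_filter(STATELESS_RULES, p), stateful.decide(p))
            for name, p in SCENARIO}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:28s} packet filter: {stateless:6s} stateful: {stateful}")
```

The third packet is the point of the example: it is accepted by the header-only filter because
the reply rule cannot be narrower without breaking legitimate replies, while the stateful
firewall rejects it because no outbound request preceded it. Rule ordering also matters for the
stateless filter, since the first match wins and anything unmatched falls to the implicit deny.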

Firewall application

The security goal of a factory or other industrial site is to protect the control network and all of
its devices from any attacks. One consideration when implementing firewalls is the nature of
the devices to be protected and how these devices are accessed as part of normal operation.

When applying a firewall to create a physical separation between the control network and the
plant and corporate networks, the simple solution would be to install a single firewall device
at the connection point between the plant floor’s control network and the remainder of the
plant and company networks. This approach is illustrated in Figure 2 on page 4.

In the Figure 2 system configuration, the firewall provides protection between the plant
network and the control network. However this configuration does not isolate the
Programmable Logic Controller (PLC) system from the Human Machine Interface (HMI) and
Historian system. These types of devices are often located on PC-based systems that run
standard operating systems. This makes them easier targets for attackers seeking to enter
the system. These systems are accessed by devices on the plant network as well as by the
PLC systems, increasing the risk that an attack reaches the PLC system that controls an
operation or process. In addition, since these devices are PC-based, they can be accessed
by multiple users who could intentionally or unintentionally introduce malware or corrupt the
system. The simple act of loading a new version of a software package or using another
software package that is also running on the PC can introduce a risk to the PLC system.

The PLC system is traditionally based on a custom hardware design and utilizes a
manufacturer-specific operating system. This makes the PLC system more difficult for an
attacker to access, but in no way is the system 100% safe. If a PC-based device such as an
HMI or Supervisory Control and Data Acquisition (SCADA) system is on the same ‘trusted’
side of the firewall as the PLC, then there is a risk that an attack to the SCADA system will
affect the PLC.

Figure 2: This illustration features a single firewall device at the connection point between the
plant floor’s control network and the remainder of the plant and company networks. (Diagram
labels: To Corporate Network and Internet; Firewall with Untrusted Port and Trusted Port; Plant
Network; Control Network containing HMI, Historian and PLC System w/ Ethernet I/O.)

The solution is to create a network architecture that includes a separate isolated area for
network devices such as HMI, SCADA systems and Historians, and that is capable of
communicating to both the plant network and the PLC control system. This isolation is
accomplished by using two firewalls, one connecting the plant network to the HMI, SCADA
systems and Historians, and a second connecting these devices to the PLC control system.
This isolated area, referred to as the demilitarized zone (DMZ), provides a safe and secure
means for sharing data between zones. Figure 3 illustrates this more secure configuration.

Figure 3: In this configuration, two firewalls are present in order to create a separate and
isolated area to protect important assets. (Diagram labels: To Plant and Corporate Network and
Internet; Firewall; DMZ containing a Local Server, a device accessed by control and plant
networks; Firewall; Control Network; PLC System w/ Ethernet I/O.)

For critical control applications where it is necessary to isolate a particular control system
from the other controls systems on the control network, a firewall can be used to create an
isolated zone. In control applications such as emergency shutdown systems or the control of
a critical process, the security provided by the additional firewall can easily justify its cost.

In Figure 4, two firewalls are used to create a DMZ between the plant network and the
control network. The DMZ isolates the control network, and all of the control devices
connected to the network, from an attack coming from the plant or company networks. The
control system in work cell 3 is controlling a critical process that requires a higher level of
security. A firewall is applied between the PLC in work cell 3 and the switch that connects the
three work cells to the firewall in the DMZ. In this configuration, work cell 3 is protected from
unauthorized access by devices that are inside of the control network.

Figure 4: In this configuration, work cell 3 is provided the highest level of security. (Diagram
labels: To Plant and Corporate Network and Internet; Firewall; DMZ containing a Local Server, a
device accessed by control and plant networks; Firewall; Control Network; Work Cell 1, Work
Cell 2, Work Cell 3; PLC System w/ Remote I/O, PLC System w/ Multi Rack I/O, PLC System w/
Ethernet I/O.)

Firewall capabilities

An industrial grade firewall provides protection from systems and devices that are connected
to the unsecured plant and / or corporate networks. The firewall must be properly configured
and located at the network access points to the control network. Listed below are some
capabilities which help to enhance the effectiveness of the firewall:

• Configuration of a physical separation between the control network and the plant and
corporate networks
• Segmentation of control networks into security zones
• Identification of an “untrusted” port for the connection of plant networks to corporate
networks that are unprotected by a firewall
• Configuration of a “trusted” port for connection to the control network and its devices
that are protected
• Configuration of a control network structure that is invisible to the outside so that
hackers cannot determine the types of devices on the network
• Restriction of network traffic and selected services only to authorized devices while still
allowing secure information to be viewed by authorized users
• Allowance of communication “handshaking” for port connections that include
autonegotiation, autopolarity, autocrossing and full or half duplex modes
• Control of communications messages based on IP addresses of source and destination
devices, categories of data that can be transmitted and received, and proper alignment
of device access to services provided
• Stateful packet inspection for assurance that all inbound data packets are the result of
an outbound request
• Dynamic packet filter inspection of data packet source and destination addresses so
that undesired traffic can be blocked
• Virtual Private Network (VPN) connection so that secure transfer of data over public
networks to selected devices can be assured
• Protection from the flooding of devices with too much traffic or connections through use
of a Denial of Service Traffic Limiter
• Provision of security alarm and event logging information that can indicate when an
attack or device failure is occurring
• Determination of which protocols and services should run over which ports of a device
• Antivirus protection capability for HTTP, FTP, SMTP and POP3 protocols
• Encryption capabilities that include Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES)
• Network Address Translation (1:1 NAT) with FTP, IRC protocol that permits chatting,
and Point-to-Point Tunneling Protocol (PPTP) pass-through (in router modes)
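Two of the capabilities above, the Denial of Service Traffic Limiter and security alarm and event
logging, work together: the limiter protects a PLC that cannot absorb a burst of connections,
and the alarm it raises is what tells an operator that something is wrong. The Python example
below is added here to show one way such a limiter can behave; it is not from the white paper
and does not describe any Schneider Electric product. It is a per-source token bucket on new
connection attempts, with the alarm itself rate-limited to one entry per source per second so
that the event log cannot be flooded either. The addresses and traffic pattern (an HMI at
10.20.0.5 polling at two connections per second, a misbehaving host at 10.20.0.77 opening 100
connections in one second) are constructed.

```python
from typing import Dict, List, Tuple


class ConnectionRateLimiter:
    """Token bucket per source address on new-connection attempts.

    Each source may open `burst` connections at once and `rate_per_sec`
    connections per second thereafter. Times are integer milliseconds and
    tokens are kept as integer milli-tokens so the arithmetic is exact.
    """

    ALARM_SUPPRESS_MS = 1000  # at most one alarm per source per second

    def __init__(self, rate_per_sec: int, burst: int) -> None:
        self.rate = rate_per_sec
        self.capacity = burst * 1000
        self.buckets: Dict[str, Tuple[int, int]] = {}  # src -> (milli-tokens, last_ms)
        self.alarmed_until: Dict[str, int] = {}
        self.events: List[str] = []  # security event log

    def allow(self, src: str, now_ms: int) -> bool:
        """Return True if a new connection from `src` may proceed at time `now_ms`."""
        tokens, last = self.buckets.get(src, (self.capacity, now_ms))
        # Refill proportionally to elapsed time, never above the burst capacity.
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[src] = (tokens - 1000, now_ms)
            return True
        self.buckets[src] = (tokens, now_ms)
        if now_ms >= self.alarmed_until.get(src, 0):
            self.events.append(
                f"t={now_ms}ms ALARM new-connection flood from {src} "
                f"(limit {self.rate}/s, burst {self.capacity // 1000})")
            self.alarmed_until[src] = now_ms + self.ALARM_SUPPRESS_MS
        return False


def simulate() -> Dict[str, int]:
    """Run constructed traffic through the limiter and return what happened."""
    limiter = ConnectionRateLimiter(rate_per_sec=5, burst=10)
    results = {"hmi_allowed": 0, "flood_allowed": 0, "flood_blocked": 0}
    # An HMI opening a new connection to the PLC every 500 ms: always within limits.
    for i in range(10):
        if limiter.allow("10.20.0.5", 500 * i):
            results["hmi_allowed"] += 1
    # A misbehaving host opening 100 connections 10 ms apart: burst of 10,
    # then roughly one per 200 ms for the rest of the second.
    for i in range(100):
        if limiter.allow("10.20.0.77", 10000 + 10 * i):
            results["flood_allowed"] += 1
        else:
            results["flood_blocked"] += 1
    results["alarms"] = len(limiter.events)
    return results


if __name__ == "__main__":
    outcome = simulate()
    print(outcome)  # the flood is cut to 14 of 100 attempts with a single alarm entry
```

Note that the limiter keys on source address, so a well-behaved HMI is unaffected while the
flooding host is throttled, and the suppression window means the operator sees one clear alarm
rather than ninety near-identical lines. In a real deployment the limit and burst would be sized
from the survey of normal traffic described earlier in the paper.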

Firewall limitations
A properly configured firewall will not protect against the following:

• Unauthorized access through connections that are not connected to the firewall (such
as a dial-up modem)
• Internal attacks where the attacker bypasses the firewall and connects to the control
system
• Software vulnerabilities where software packages used in the control system, such as
HMI or SCADA, do not have up-to-date patches
• User error and human engineering
• Virus or malware that enters the control system through an unprotected connection

Industrial vs. IT grade firewall

In most organizations, the IT group is often tasked with Ethernet security installation,
maintenance of firewalls, and other security measures. IT team members should be part of
the industrial system survey process, but the selection of firewall devices should be based on
the needs and capabilities of the control engineers who will be implementing and maintaining
the firewalls as part of the control systems. Industrial grade firewalls are different from
commercial / IT grade firewalls. In control applications where interruptions in operation cannot
be tolerated, an industrial grade firewall is the correct choice. Table 1 illustrates some of the
important differences between IT and Industrial firewalls.

Table 1: Commercial firewall technology is not designed to protect industrial process control
networks.

Industrial grade firewalls | IT / commercial firewalls
Can be configured by control engineer using web-based tools, IT knowledge not required | Must be configured by IT department
Designed to integrate with industrial controls | Designed for an office environment, not part of the automation system, making dedicated protection for each system difficult
Maintenance can be performed by technician or engineer | Requires IT personnel to configure and maintain these devices and requires knowledge of complex tools
Designed for continuous operation | Shutdowns, reboots and unplanned interruption to operation accepted in IT world
Divides automation system into work cells, provides protection by isolation | Centralized security appliance which leaves security gaps at plant level
Hardware made of industrial grade components that withstand harsh environments (vibration, shock, heat) | Requires fan or cooling to work on the plant floor
Meets control system component standards | Susceptible to electrical noise found in industrial environments

Conclusion

Security is a process that begins with a plan that defines the roles and responsibilities of
plant personnel, the types of actions and activities that are allowed to be performed, and
some clearly communicated consequences for non-compliance.

An assessment of critical systems should be performed to identify communication paths and
potential external access points. Network attached devices should be audited to determine
both security capabilities and vulnerabilities.

A firewall is an integral part of any overall system security solution, but by itself, a firewall will
only protect the point of entry that it is connected to. No firewall system is 100%
impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere
for easier targets to exploit.


About the author

Joseph Benedetto is responsible for the global development of Schneider Electric's
Industrial Ethernet Infrastructure products business. Over the last 35 years he has
specialized in developing solutions for Schneider Electric’s Industrial Automation customers.
Over his career he has held various roles including: Product Marketing, Industry Marketing,
System Engineering and Application Engineer. Mr. Benedetto holds a Bachelor of Science
degree in Industrial Engineering from Northeastern University.
© 2014 Schneider Electric. All rights reserved.
