I manage an OT system and am looking at beefing up cyber security measures, as mandated by regulatory commission. I have a firewall for VPN access and Internet connection for my limited engineering users (3).
But I am looking for recommendations on what brands/models of firewalls or security appliances others use for the segregation between the ICS network and SCADA servers/workstations. Hoping for something relatively plug and play and cost effective, as we're public sector.
Palo Alto, Cisco, Fortinet are the ones I've seen used. From a security design perspective, it's great to choose a different brand from the one you already have. The reason is so that if one device/brand is compromised, hopefully the other isn't. It might also force different management tools and resources (people) so you have separation of duties (likely also called out in your regulations). In one of our installations, we had all three of those brands because we also had an SIS that required yet another firewall.
I think if you wanted to, you could also go something a bit more industrial and choose something like the Belden Tofino firewalls that do protocol inspection, which is way cool, as your firewall rules could say, permit tag reads, but not writes. They are pretty easy for controls folks to figure out.
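To make the "permit tag reads, but not writes" idea concrete, here is an added Python example (not Belden Tofino's code and not something posted in this thread) of the policy logic a protocol-aware firewall applies. It assumes Modbus/TCP as the protocol: it parses the MBAP header, classifies the function code as read or write using the standard Modbus public function codes, and default-denies anything else, malformed frames included. The sample frames are constructed by hand for the demonstration.

```python
"""
Toy protocol-aware filter for Modbus/TCP: allow read-type function codes,
deny write-type function codes, deny everything unknown or malformed.
Added example; not the implementation of any vendor appliance.
"""
from __future__ import annotations

import struct

# Standard Modbus public function codes.
READ_FUNCTIONS = {1, 2, 3, 4}              # coils, discrete inputs, holding regs, input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # single coil/reg, multiple coils/regs, mask write, read/write multiple

# MBAP header: transaction id, protocol id, length, unit id (big-endian).
MBAP_HEADER = struct.Struct(">HHHB")


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; the length field counts unit id + PDU."""
    return MBAP_HEADER.pack(tid, 0, 2 + len(data), unit) + bytes([function]) + data


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse MBAP header and function code; raise ValueError on malformed frames."""
    if len(frame) < MBAP_HEADER.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP_HEADER.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:       # length excludes the first six header bytes
        raise ValueError("length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}


def classify(function: int) -> str:
    """Map a function code onto the policy vocabulary."""
    if function & 0x80:
        return "exception"               # server-side error response
    if function in READ_FUNCTIONS:
        return "read"
    if function in WRITE_FUNCTIONS:
        return "write"
    return "unknown"


def filter_frame(frame: bytes, allow_writes: bool = False) -> tuple[str, str]:
    """Return (verdict, reason). Reads pass; writes only if the rule allows them."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as err:
        return "deny", f"malformed: {err}"
    kind = classify(msg["function"])
    if kind == "read" or (kind == "write" and allow_writes):
        return "allow", f"fc={msg['function']} {kind} unit={msg['unit_id']}"
    return "deny", f"fc={msg['function']} {kind} unit={msg['unit_id']}"


# Constructed sample traffic (hand-built, not captured from a real network).
SAMPLE_FRAMES = {
    "read_holding":   build_frame(1, 1, 3, b"\x00\x00\x00\x0a"),             # read 10 holding registers
    "write_single":   build_frame(2, 1, 6, b"\x00\x01\x00\x03"),             # write one register
    "write_multiple": build_frame(3, 1, 16, b"\x00\x00\x00\x02\x04\x00\x0a\x00\x0b"),
    "truncated":      b"\x00\x04\x00\x00\x00\x06\x01",                       # header only, no PDU
    "bad_protocol":   b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",   # protocol id 1
}


def run_policy(frames: dict[str, bytes], allow_writes: bool = False) -> dict[str, str]:
    """Apply the rule to every sample frame and return name -> verdict."""
    return {name: filter_frame(frame, allow_writes)[0] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        verdict, reason = filter_frame(frame)
        print(f"{name:15s} {verdict:5s} {reason}")
```

The point of the example is that the decision is made on the application layer, not on IP/port alone: both the read and the write above travel to the same TCP port 502, so a conventional L4 rule cannot tell them apart. An inline appliance also has to track TCP state and reassemble segments before it sees a whole frame; that part is left out here.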
Check out FortiGate firewalls; they are quite actively looking into the OT environment, e.g. FortiGate 40F + OT subscription. The web interface is user friendly (easy to use and deploy).
Had to look those up lol… How would you handle operator access for control from SCADA? I also have VPN users for on-call rotation that need to be able to see SCADA; we're using VTScada fwiw.
It's a balancing act at the end of the day. Are they going to do write or control operations? If that is the case, I think VPN is unavoidable. You will want to make sure your VPN is secured, ideally through 2FA with access revoke. The SCADA should also allow RBAC. I'm personally not a security expert, but I did take some courses.
I've seen a lot of folks just looking at dashboarding for monitoring, so you can just funnel the OT data through the diode into a repository and possibly visualize it using a BI tool or Grafana? Lots of ways to collect data nowadays: historians, your typical DBs, "IoT" platforms.
I also want to mention some diodes for some reason can allow bidirectional traffic. I am not sure how it's done. You can reach out to them and see what they offer. A showstopper I've seen is always bandwidth between the diode pairs.