As the Industrial Internet of Things (IIoT) increasingly becomes the model for manufacturers in all segments, the criticality of robust information security exponentially grows. In food and beverage manufacturing operations, mitigating the risk of cyber breaches presents some unique challenges, but the consequences of failure are too high to ignore.
Firewalls are an essential part of any defense strategy. Understanding the types and capabilities of firewalls, and the best ways to employ these components, provides a solid foundation for designing and implementing a sound information security strategy for any food and beverage manufacturer.
The Growing Challenge of Cyber-Defense in Food and Beverage Manufacturing
It may go without saying, but is worth repeating, that for anyone in the food supply chain, safety and security are a top priority. Rigorous standards for cleanliness, temperature control and process control establish and enforce the conditions necessary in food manufacturing operations. While adherence to these standards is well within the control of the manufacturers, threats from outside the operation are not.
Agroterrorism — the intentional contamination of food supply — has been identified as a rising risk. The idea that hackers could access a food supply manufacturer’s network and alter recipes or other process parameters to spoil the products, shut down refrigeration systems or wreak havoc in some other way is difficult to fathom, and yet the potential is very real.
In the face of this reality, evidence exists that food manufacturers need to escalate the priority they place on securing the information networks that are increasingly present in the industrial operations they manage.
In 2014, OpenText (formerly ANX), an enterprise information management solutions company, identified eight major security gaps that affect food and beverage companies: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flawed security policies, negligence and poor change control procedures. These findings make a compelling argument for a closer look at firewalls and the value they can deliver in protecting industrial environments.
Network Firewalls: The First Line of Defense
Unlike host firewalls, which are installed on a computer or are a part of the operating systems and designed to protect the device itself, network firewalls establish a boundary that only allows approved communication into and out of the network. Based on where they are installed and the role they play, network — or hardware — firewalls act as the first line of defense against cyber attacks.
These firewalls’ primary function is to filter data — in the form of packets — and decide, before forwarding, whether each packet matches a desired template for communication traffic patterns. Templates are modeled on rules established from the requirements of the network, covering traffic:
- From outside the boundary to components inside, such as servers and workstations
- Within the network, allowing only specific communication between internal devices
Defense in Depth: A Robust Strategy that Meets Today’s Cyber Security Challenge
The model of setting limitations between network participants in internal networks, as well as partitioning network areas off from one another, creates a layered defense with multiple security levels.
This approach, known as defense in depth, creates the most robust strategy — hampering threats with multiple layers of protection — while preventing any compromise from spreading in the event an attack does breach the boundary.
To achieve the protection afforded by this model, firewalls are used at multiple locations in the network. A sound design includes:
- Firewalls at the boundary to protect from outside threats. These firewalls are generally placed in the data center or may be implemented in the production area to isolate that network from the rest of the company network.
- Firewalls in small cells or external sites. Firewalls with router functions allow, for example, remote work sites to be connected to the rest of company’s control infrastructure via a cellular network. These firewalls must offer full capabilities for packet filtering in addition to filtering traffic between various networks.
- Firewalls at the field level. Similar to the defense strategies built into medieval castles where attackers faced multiple obstacles — moats, gates, etc. — to entry, firewalls at this level are deployed to limit communication within a network. These firewalls are configured differently from those deployed between networks, to allow traffic to flow to and from authorized devices while protecting others.
- Firewalls in wireless local area networks (WLANs). Like firewalls deployed at the field level, this particular type of firewall is essential for controlling communications between devices connected via a WLAN. These firewalls limit the ability of a connected device — or client — to access other devices that are connected to the same Ethernet network as the device. Situated at the WLAN access point, the firewall restricts messages between WLAN clients, preventing unauthorized communication.
Beyond Placement: Levels of Filtering Add to the Sophistication and Effectiveness
The placement of firewalls to meet the unique needs of the industrial environment is only the first step. Layering the levels of filtering mechanisms adds an effective level of complexity and challenge to any potential hacker.
The spectrum of filtering capabilities is very broad — from simple traffic or protocol pattern recognition to the ability to understand functions and procedures in industrial protocols that allow the firewall to prevent specific communication patterns in a targeted manner.
Just as firewalls are deployed as a combination of types, so too should the choice of filtering capabilities be evaluated as part of a defense-in-depth strategy. The range of filtering mechanisms includes:
- Stateless firewalls. Only able to determine if devices and applications can communicate with one another.
- Stateful firewalls. Capable of monitoring the communication processes of participants, and using the behavior of the partners during essential communication operations as the foundation for packet filtering.
- Deep packet inspection. This mechanism goes one step further to discover specialized attack patterns hidden in the communication flow by distinguishing between a “well-formed” packet and a malicious packet. Firewalls with these abilities are often implemented as additional components and only at certain mission-critical points in the network to create a very strong hardening of industrial communication.
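As an added illustration (not code from the original article or from any Belden product), the following Python sketch contrasts the three filtering levels above on a constructed packet stream: a stateless rule, a stateful session table, and a DPI check on an application-layer function code. The cell layout, addresses, the Modbus/TCP port and read-only function codes, and the policy itself are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # first packet of a TCP connection (SYN)
    fn: Optional[int] = None    # application-layer function code, if a payload is present

# Constructed sample policy for one production cell: only the engineering subnet may
# open Modbus/TCP (port 502) sessions to the PLC, and only read requests are allowed.
ALLOW_RULES = [("10.1.0.0/24", "10.2.0.10", 502)]
READ_ONLY_FN = {1, 2, 3, 4}      # Modbus function codes that only read coils/registers

def stateless_allow(p: Packet) -> bool:
    """Stateless: decide per packet from addresses and ports alone, with no memory."""
    return any(ipaddress.ip_address(p.src) in ipaddress.ip_network(net)
               and p.dst == dst and p.dport == port
               for net, dst, port in ALLOW_RULES)

class StatefulFirewall:
    """Stateful: remember sessions opened by a permitted SYN and admit follow-up
    packets and replies only when they belong to a known session."""
    def __init__(self) -> None:
        self.sessions: set = set()

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.syn:
            if stateless_allow(p):
                self.sessions.add(fwd)
                return True
            return False
        # Mid-stream packets and replies need no extra rule, but must match a session.
        return fwd in self.sessions or rev in self.sessions

def dpi_allow(p: Packet) -> bool:
    """Deep packet inspection: even inside a permitted session, only read-type
    function codes may reach the PLC; write requests are dropped."""
    return p.fn is None or p.fn in READ_ONLY_FN

def run(fw: StatefulFirewall, packets) -> list:
    """Apply stateful filtering and then DPI to each packet, in order."""
    return [fw.allow(p) and dpi_allow(p) for p in packets]
```

The stateless check alone would pass a mid-stream packet from the engineering subnet that never opened a session, and would need a second rule to let the PLC's replies out; the stateful table handles both, and DPI stops a write request that both lower layers would otherwise accept.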
Firewall Management for Optimized Protection
Today’s modern, high-quality firewalls make it possible to reach an optimal configuration even when, as is likely, many of the network’s communication relationships are undocumented.
“Learning” firewalls use special analysis modes to analyze the communication relationships in a network. With this analysis, administrators can quickly and easily create custom configurations for desired and undesired communications. The advantages of using these modes to facilitate the setup of the firewalls include time savings and the elimination of downtime and failures.
For ongoing maintenance, network management tools that enable mass configuration make it possible for reconfiguration based on evolving requirements to be completed efficiently.
Network Firewalls: Key to Protecting the Industrial Operation
As the threat of cyber attacks against industrial operations rises, a more sophisticated approach to protecting the network from external and internal breaches is required. When an organization understands the advances in firewall technology and where and how these devices can best be deployed, the journey to protecting the network from both external and internal threats can begin.
Firewalls set clear boundaries for communication traffic — both at the perimeter of the network and within critical zones. With the range of features and technical characteristics available today, these devices afford any food manufacturing operation an effective first line of defense from cyber threats.
To learn more about the role of firewalls in food and beverage production and security, please download the white paper: Understanding Firewall Technology for Industrial Cybersecurity.
About the authors
Tobias Heer has been with Belden since 2012 and specializes in topics that revolve around security and wireless in industrial control systems. He is a professor of IT security at the University of Applied Science in Albstadt-Sigmaringen, Germany. He received his doctorate in 2011 and worked as a postdoctoral researcher at the Chair of Communication and Distributed Systems at RWTH Aachen University. His focus areas are network protocol design, security and wireless communication. Tobias was involved in the development and standardization of secure internet protocols in the Internet Engineering Task Force (IETF).
Oliver Kleineberg joined Belden in 2007 and he is responsible for Advance Development within Belden’s Industrial IT platform. From 2012 to 2013, Oliver facilitated the integration of Tofino Security into Belden’s Industrial Networking portfolio. He has collected broad and deep expert knowledge in all matters of cyber security, including the distinct application within the automation world. Oliver graduated from the Esslingen University of Applied Sciences in computer engineering and holds a doctorate in computer engineering from the University of Limerick. His doctoral thesis focused on developing fault-tolerance concepts for time-sensitive Ethernet networks.
Jeff Lund is a senior director of product line management in Belden’s Industrial IT group. He is responsible for Belden’s vision and product initiatives related to the Industrial Internet of Things, as well as for coordinating and driving cyber security and wireless product direction across Belden industrial IT product groups. He also serves as Belden’s primary representative at the Industrial Internet Consortium, where he is co-chair of the marketing working group. Jeff has more than 20 years of Industrial IoT experience working with manufacturers and integrators to add intelligence and networking to devices for industrial, building automation, transportation system and smart grid use. Jeff has an MBA from the Wharton School of the University of Pennsylvania and a bachelor’s degree in electrical and computer engineering from the University of California at Davis.