Cybersecurity considerations for electrical distribution systems
Securing the Network Management Module – 196

5.1.6 Designing for the threat vectors

5.1.6.1 Firewalls

Firewalls provide the capability to add stringent and multifaceted rules for communication between various network segments and zones in an ICS network. They can be configured to block data from certain segments, while allowing the relevant and necessary data through. A thorough understanding of the devices, applications, and services that are in a network will guide the appropriate deployment and configuration of firewalls in a network. Typical types of firewalls that can be deployed in a network include:

Packet filter or boundary firewalls that work on the network layer
These firewalls mainly operate at the network layer, using pre-established rules based on port numbers and protocols to analyze the packets going into or out of a separated network. These firewalls either permit or deny passage based on these rules.

Host firewalls
These firewalls are software firewall solutions that protect ports and services on devices. Host firewalls can apply rules that track, allow, or deny incoming and outgoing traffic on the device and are mainly found on mobile devices, laptops, and desktops that can be easily connected to an ICS.

Application-level proxy firewalls
These firewalls are highly secure firewall protection methods that hide and protect individual devices and computers in a control network. These firewalls communicate at the application layer and can provide better inspection capabilities. Because they collect extensive log data, application-level proxy firewalls can negatively impact the performance of an ICS network.

Stateful inspection firewalls
These firewalls work at the network, session, and application layers of the Open Systems Interconnection (OSI) model. Stateful inspection firewalls are more secure than packet filter firewalls because they only allow packets belonging to allowed sessions. These firewalls can authenticate users when a session is established and analyze a packet to determine whether it contains the expected payload type, or enforce constraints at the application layer.

SCADA hardware firewalls
These are hardware-based firewalls that provide defense for an ICS based on observing abnormal behavior on a device within the control network. For example, if an operator station computer suddenly attempts to program a PLC, this activity could be blocked and an alarm could be raised to prevent serious risk to the system.

5.1.6.2 Demilitarized zones (DMZ)

Network segmentation is a key consideration in establishing secure control networks. Firewalls should be used to create a DMZ by grouping critical components and isolating them from the traditional business IT network. A three-tier architecture should be employed at a minimum, with a DMZ between the organization's core network and an isolated control system's network, as shown in the figure below.
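The behaviour described in the firewall types above and in the DMZ section, as an added Python model that is not from the whitepaper: it contrasts a packet filter (a per-packet decision on zones, protocol and ports) with a stateful inspection filter (only packets belonging to a session opened in a permitted direction are admitted), enforces a three-tier enterprise / DMZ / control zone policy, and raises an alarm when a host other than the engineering workstation tries to program a PLC, as the SCADA hardware firewall paragraph describes. The zone address ranges, the allowed-session rules, the engineering-workstation allowlist, the packet trace and the application-layer operation labels are all constructed assumptions, not real protocol function codes or a vendor's rule syntax.

```python
"""Zone-based stateless vs. stateful packet filter model for a three-tier ICS network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): business IT, DMZ, isolated control network.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.10.0.0/24"),
    "control": ip_network("192.168.100.0/24"),
}

# Permitted session initiations as (src_zone, dst_zone, proto, dst_port).
# Enterprise may reach only the DMZ historian; the DMZ may poll the control
# network; nothing opens a session from enterprise straight into control.
RULES = {
    ("enterprise", "dmz", "tcp", 443),   # historian HTTPS front end (constructed)
    ("dmz", "control", "tcp", 502),      # Modbus/TCP polling from the DMZ (constructed)
    ("control", "control", "tcp", 502),  # in-zone PLC access seen by a device-level firewall
}

# Hosts allowed to change PLC logic (constructed): the engineering workstation only.
ENGINEERING_HOSTS = {"192.168.100.50"}
# Illustrative application-layer labels, not real Modbus function codes.
PROGRAMMING_OPERATIONS = {"program_logic", "firmware_update"}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True only on the session-opening segment
    operation: str = ""    # constructed application-layer label


class StatelessFilter:
    """Packet filter: decides each packet on zones, protocol and ports alone."""

    def decide(self, p: Packet) -> str:
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if (src_zone, dst_zone, p.proto, p.dport) in RULES:
            return "allow"
        # A stateless filter must admit reply traffic by a static mirror rule
        # ("source port is a permitted service port"), which anything can forge.
        if (dst_zone, src_zone, p.proto, p.sport) in RULES:
            return "allow"
        return "deny"


class StatefulFilter:
    """Stateful inspection: admits only packets of sessions opened in a
    permitted direction, then applies an application-layer check."""

    def __init__(self) -> None:
        self.sessions: set = set()   # (src, sport, dst, dport, proto) of allowed sessions
        self.alarms: list = []

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if p.syn and fwd not in self.sessions:
            if (zone_of(p.src), zone_of(p.dst), p.proto, p.dport) not in RULES:
                return "deny"            # session would open in a forbidden direction
            self.sessions.add(fwd)
        elif fwd not in self.sessions and rev not in self.sessions:
            return "deny"                # not part of any allowed session
        # SCADA-hardware-firewall style check: a logic change from a host that is
        # not an engineering workstation is blocked and alarmed.
        if p.operation in PROGRAMMING_OPERATIONS and p.src not in ENGINEERING_HOSTS:
            self.alarms.append(f"{p.src} attempted {p.operation} on {p.dst}")
            return "deny"
        return "allow"


# Constructed packet trace across the three tiers.
TRACE = [
    Packet("10.0.5.21", 40000, "10.10.0.5", 443, syn=True),          # enterprise -> historian
    Packet("10.10.0.5", 443, "10.0.5.21", 40000),                    # historian reply
    Packet("10.0.5.21", 40001, "192.168.100.10", 502, syn=True),     # enterprise -> PLC: forbidden
    Packet("10.10.0.5", 443, "10.0.5.99", 3389),                     # forged "reply", no session
    Packet("10.10.0.7", 51000, "192.168.100.10", 502, syn=True),     # DMZ poller -> PLC
    Packet("10.10.0.7", 51000, "192.168.100.10", 502, operation="read_registers"),
    Packet("192.168.100.20", 51500, "192.168.100.10", 502, syn=True),  # operator station -> PLC
    Packet("192.168.100.20", 51500, "192.168.100.10", 502, operation="program_logic"),
    Packet("192.168.100.50", 51600, "192.168.100.10", 502, syn=True),  # engineering workstation
    Packet("192.168.100.50", 51600, "192.168.100.10", 502, operation="program_logic"),
]


def run_trace(fw, packets) -> list:
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    stateful = StatefulFilter()
    for p, a, b in zip(TRACE, run_trace(StatelessFilter(), TRACE), run_trace(stateful, TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.operation:15} stateless={a:5} stateful={b}")
    print("alarms:", stateful.alarms)
```

The forged reply (packet 4) and the operator station's programming attempt (packet 8) are the two places the decisions differ: the stateless filter admits both because the ports match a rule, while the stateful filter denies both and records an alarm for the second, which is the distinction the text draws between packet filters, stateful inspection and SCADA hardware firewalls.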