July 2011

SCADA Firewall Comparison Guide

We have been getting a lot of requests from our clients to rate the effectiveness of various types of network gateway devices that can be used as a “SCADA firewall” to provide access control into critical infrastructure environments.

Depending on the level of risk, the gateway can be any of several classes of network device. The table below lists the typical gateway types that can be used to secure SCADA networks, with the ease of deploying and maintaining each, the level of security assurance it provides, and overall comments on when each type is best used.

Our clients have found this helpful, so we are pushing this out to the larger community. Hope you find this helpful. – Jonathan

For each device type the entries below give: Security Capability, Ease of Deployment / Maintenance, Security Assurance rating, and Overall comments.

Switch / Router

  Security Capability: Layer 3 device utilising VLANs and ACLs (Access Control Lists) to filter traffic based on source/destination IP address and/or source/destination port. Cannot maintain connection state or perform deep packet inspection of the traffic payload.

  Ease of Deployment / Maintenance: EASY. Existing network infrastructure devices that are already deployed may have layer 3 separation capabilities built in, which can eliminate the need to implement new devices. The existing telecom team may be able to maintain the enhanced secure configuration.

  Security Assurance: LOW

  Overall: Only use in very low-risk environments. Stateless ACLs have to leave return paths open that crafted packets can abuse, and VLAN separation depends entirely on switch configuration and can be defeated by VLAN hopping or a misconfigured trunk port.

Firewall

  Security Capability: Firewalls are purpose-built network appliances that maintain connection state in addition to performing the same ACL filtering and VLAN separation as layer 3 switches and routers. Some switching platforms can be upgraded with a "firewall feature set" added to the switch.

  Ease of Deployment / Maintenance: MED. New firewall devices will most likely need to be deployed, and new IP networks and sub-networks may need to be created. A specific rule will have to be created for each type of network traffic that must traverse the various interfaces.

  Security Assurance: MED

  Overall: Firewalls are the first level of security appliance that tracks the state of each session. They provide true network isolation: every permitted network path needs an explicit rule, and traffic with no matching rule is dropped.

UTM (Unified Threat Management)

  Security Capability: UTM devices perform all of the security functions of the switch/router and firewall, and in addition perform "deep packet inspection": they can block traffic when the payload of a packet matches a known virus or exploit signature.

  Ease of Deployment / Maintenance: HARD. UTM devices require a greater level of detail when configuring them. All of the same switching, routing and firewall features must be programmed, and in addition a specific action must be chosen for when a malicious payload is detected.

  Security Assurance: HIGH

  Overall: If the decision is made to upgrade from a layer 3 device, the UTM is the best choice, since it provides the highest level of protection short of the next class of "application-aware" firewalls. The packet inspection capability can be set to detect-only rather than block, which avoids a signature false positive interrupting the process while the rule set is being tuned. Signature inspection only catches payloads that are already known.

SCADA Application / Industrial Firewall

  Security Capability: SCADA application-aware firewalls, also known as layer 7 firewalls, parse the network traffic down to the industrial protocol level and can DENY or ACCEPT traffic based on the SCADA command, such as a READ or WRITE of data blocks at specific PLC registers.

  Ease of Deployment / Maintenance: HARD. To properly deploy an application-aware firewall, the engineer configuring it must have intimate knowledge of the process or HMI application. Rules must be made to block or allow traffic based on the SCADA operator command and the specific area of PLC memory it touches.

  Overall: This class of firewall can lock the SCADA system down to the PLC memory address, allowing only the network traffic required to operate the plant or facility. It can prevent a Stuxnet-like attack by blocking data writes to specific registers and coils. Note that the rules only constrain which commands and addresses each host may use: a compromised host that is itself authorised to write a register can still write it.

Data Diode

  Security Capability: Uses a one-way optical link (a transmitter on one side and only a receiver on the other) to physically ensure that data can be transferred in one direction only.

  Ease of Deployment / Maintenance: HARDEST. Since data can only travel in one direction, no reply, acknowledgement or handshake can ever cross the diode. Any protocol that requires a connection handshake (which includes every TCP-based SCADA protocol) cannot pass through directly and will need to be tested: the diode's proxies must terminate the connection on each side, or the way data is written must be altered from a built-in API to an SFTP drop or other push-style transfer that the proxies replicate across the link.

  Security Assurance: HIGHEST

  Overall: Data diodes are proven to allow data to be transferred in one direction only. In very high-risk scenarios, such as nuclear plants and hazardous chemical plants, a diode placed so that data flows only outward from the control network ensures that no network traffic can pass down to the controllers.
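The application-aware firewall row above says the device parses traffic down to the SCADA command and decides per PLC register. The following is an added example of what that decision looks like for Modbus/TCP; it is not code from the original article or from any firewall vendor. The PLC register layout, the HMI address 10.1.1.5, and the sample request frames are constructed for illustration.

```python
"""Application-aware (layer 7) filtering of Modbus/TCP requests.

Added example, not code from the original article. The policy, the HMI
address and the sample frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that read from, or write to, PLC memory.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # first address touched; None for functions we do not decode
    quantity: Optional[int]  # number of coils/registers touched


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and request PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[8:]                        # everything after the function code
    if fc in READ_FUNCS:
        if len(pdu) != 4:
            raise ValueError("read request must carry start address and quantity")
        addr, qty = struct.unpack(">HH", pdu)
    elif fc in (5, 6):                     # single coil / single register write
        if len(pdu) != 4:
            raise ValueError("single write must carry address and value")
        addr, _value = struct.unpack(">HH", pdu)
        qty = 1
    elif fc in (15, 16):                   # multiple coil / register write
        if len(pdu) < 5:
            raise ValueError("multiple write header truncated")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if len(pdu) - 5 != byte_count:
            raise ValueError("multiple write byte count does not match payload")
    else:
        addr, qty = None, None             # diagnostics, file access, vendor codes: not decoded
    return ModbusRequest(tid, unit, fc, addr, qty)


AddressRange = Tuple[int, int]             # inclusive (first, last)


@dataclass
class Policy:
    allowed_sources: Set[str]              # hosts permitted to talk to the PLC at all
    allowed: Dict[int, List[AddressRange]] # function code -> address ranges it may touch


def _covered(ranges: List[AddressRange], first: int, qty: int) -> bool:
    last = first + qty - 1
    return qty > 0 and any(lo <= first and last <= hi for lo, hi in ranges)


def decide(policy: Policy, src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ("ACCEPT" or "DENY", reason) for one Modbus/TCP request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DENY", f"malformed request: {exc}"
    if src_ip not in policy.allowed_sources:
        return "DENY", f"{src_ip} is not an authorised HMI"
    name = READ_FUNCS.get(req.function) or WRITE_FUNCS.get(req.function) or "other"
    if req.function not in policy.allowed or req.address is None:
        return "DENY", f"function code {req.function} ({name}) not permitted"
    if not _covered(policy.allowed[req.function], req.address, req.quantity):
        return "DENY", f"{name} of {req.quantity} at address {req.address} is outside the permitted range"
    return "ACCEPT", f"{name} at address {req.address}, quantity {req.quantity}"


# Constructed policy: the HMI may read holding registers 0-99 and coils 0-15, and may
# write only the setpoint registers 40-49. Coil writes and diagnostics are not listed, so denied.
PLANT_POLICY = Policy(allowed_sources={"10.1.1.5"},
                      allowed={3: [(0, 99)], 1: [(0, 15)], 6: [(40, 49)], 16: [(40, 49)]})

# Constructed Modbus/TCP requests: MBAP header (tid, proto, len, unit) then function code + data.
READ_HOLDING_0_10 = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # read 10 regs from 0
WRITE_SETPOINT_45 = bytes.fromhex("0002 0000 0006 01 06 002d 04b0")        # write reg 45 = 1200
WRITE_REGS_0_2 = bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 1111 2222")  # write regs 0-1
WRITE_COIL_3 = bytes.fromhex("0004 0000 0006 01 05 0003 ff00")             # force coil 3 on
DIAGNOSTICS = bytes.fromhex("0005 0000 0006 01 08 0000 0000")              # fc 8 diagnostics

if __name__ == "__main__":
    for src, frame in [("10.1.1.5", READ_HOLDING_0_10), ("10.1.1.5", WRITE_SETPOINT_45),
                       ("10.1.1.5", WRITE_REGS_0_2), ("10.1.1.5", WRITE_COIL_3),
                       ("10.1.1.5", DIAGNOSTICS), ("10.1.1.99", READ_HOLDING_0_10)]:
        verdict, why = decide(PLANT_POLICY, src, frame)
        print(f"{src:>10} {frame.hex()}: {verdict} ({why})")
```

The write to registers 0-1 is the Stuxnet-style case the row describes: it comes from the authorised HMI and is a perfectly well-formed Modbus request, so a stateful firewall would pass it, and only the per-register rule stops it. A real deployment keys the ranges per function code exactly as here, because coils, discrete inputs and registers are separate address spaces in Modbus.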

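The data diode row above notes that handshake-based transfers have to be replaced by a one-way push. The following added example, not from the original article or any diode vendor, shows the two sides of such a push and the one failure mode a diode forces you to design for: with no acknowledgement possible, the sender can only repeat frames, and the receiver must detect loss from sequence numbers and alarm rather than request a resend. The framing, repeat count, sample records and simulated link are all constructed for illustration.

```python
"""One-way (data diode) push transfer: sender framing and receiver gap detection.

Added example, not from the original article or any diode product. The frame
format, the repeat count and the simulated lossy link are constructed.
"""
import struct
import zlib
from typing import Iterable, List, Tuple

MAGIC = b"DIO1"
HEADER = struct.Struct(">4sIH")   # magic, sequence number, payload length
TRAILER = struct.Struct(">I")     # CRC-32 over header + payload


def encode_frame(seq: int, payload: bytes) -> bytes:
    header = HEADER.pack(MAGIC, seq, len(payload))
    return header + payload + TRAILER.pack(zlib.crc32(header + payload))


def decode_frame(frame: bytes) -> Tuple[int, bytes]:
    """Return (seq, payload); raise ValueError if the frame is damaged."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise ValueError("truncated frame")
    magic, seq, length = HEADER.unpack_from(frame)
    if magic != MAGIC or len(frame) != HEADER.size + length + TRAILER.size:
        raise ValueError("bad magic or length")
    (crc,) = TRAILER.unpack_from(frame, HEADER.size + length)
    if zlib.crc32(frame[:HEADER.size + length]) != crc:
        raise ValueError("CRC mismatch")
    return seq, frame[HEADER.size:HEADER.size + length]


def sender_frames(records: List[bytes], repeat: int = 2) -> List[bytes]:
    """Emit each record `repeat` times: the only loss protection available without ACKs."""
    frames: List[bytes] = []
    for seq, rec in enumerate(records):
        frames.extend([encode_frame(seq, rec)] * repeat)
    return frames


class OneWayReceiver:
    def __init__(self) -> None:
        self.next_seq = 0
        self.records: List[bytes] = []
        self.gaps: List[Tuple[int, int]] = []   # (first_missing, last_missing) to alarm on
        self.corrupt = 0

    def feed(self, frame: bytes) -> None:
        try:
            seq, payload = decode_frame(frame)
        except ValueError:
            self.corrupt += 1
            return
        if seq < self.next_seq:
            return                                  # repeat of a frame already accepted
        if seq > self.next_seq:
            self.gaps.append((self.next_seq, seq - 1))  # all copies lost: nothing can ask for a resend
        self.records.append(payload)
        self.next_seq = seq + 1


def transfer(records: List[bytes], drop_indexes: Iterable[int], repeat: int = 2) -> OneWayReceiver:
    """Simulate the diode link: frames at the listed indexes never arrive on the receive side."""
    dropped = set(drop_indexes)
    rx = OneWayReceiver()
    for i, frame in enumerate(sender_frames(records, repeat)):
        if i not in dropped:
            rx.feed(frame)
    return rx


# Constructed historian records leaving the control network.
RECORDS = [b"tag=FLOW1 value=12.5", b"tag=FLOW2 value=3.1", b"tag=PRESS1 value=870"]

if __name__ == "__main__":
    for drops in ({2}, {2, 3}):
        rx = transfer(RECORDS, drops)
        print(f"dropped frames {sorted(drops)}: {len(rx.records)} records, gaps {rx.gaps}")
```

With one of the two copies of a frame lost the receiver still gets every record; with both copies lost it records the gap and raises it as an alarm, which is the behaviour to wire into the historian on the business side. A proxy pair that terminates TCP on each side of the diode has to solve the same problem internally.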