Netgate Discussion Forum
    pfSense as an ICS / SCADA environment internal segmentation firewall

    Firewalling
    29 Posts 8 Posters 4.4k Views
      ka3ax

      johnpoz, bmeeks, thanks for your inputs.

      I still do not have a full list of the important ICS firewall differences (from a regular firewall). I remember a few points discussed:

      • no access to the Internet or to email should be allowed from ICS networks
      • ICS networks should be defended from other plant networks, especially those with Internet access
      • limited or on-demand (normally blocked) remote access
        Those requirements conflict with our typical access and maintenance scenarios...

        JKnott @bmeeks

        @bmeeks said in pfSense as an ICS / SCADA environment internal segmentation firewall:

        There is usually no concept of SSL. Even SSH is not common and Telnet is still widely available (yep ... ).

        Of course the reason for that is SCADA predates the public Internet and was originally run over dedicated networks. About 11 years ago, I was in this place updating some telecommunications equipment. They were still using dial up modems to connect the various sites to their control centre. Yep, the Ontario power network was controlled with dial up modems. When I was in there, about 3 years ago, the equipment I put in was gone and they'd moved on to a more modern system over fibre.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          JKnott @ka3ax

          @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

          johnpoz, bmeeks, thanks for your inputs.

          I still do not have a full list of the important ICS firewall differences (from a regular firewall). I remember a few points discussed:

          • no access to the Internet or to email should be allowed from ICS networks
          • ICS networks should be defended from other plant networks, especially those with Internet access
          • limited or on-demand (normally blocked) remote access
            Those requirements conflict with our typical access and maintenance scenarios...

          The no-Internet-access requirement is easy enough. You just don't connect it to anything. Critical networks are often completely separate from those used for other purposes. What triggers the "on demand" access?

            bmeeks @ka3ax

            @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

            johnpoz, bmeeks, thanks for your inputs.

            I still do not have a full list of the important ICS firewall differences (from a regular firewall). I remember a few points discussed:

            • no access to the Internet or to email should be allowed from ICS networks

            This is to protect those vulnerable components from malware infestation. The primary exploit vectors these days are through browser or browser plugin flaws (Adobe Flash being one example) and email attachments or hyperlinks. If vulnerable components and networks can't access the Internet or email, those attack vectors are mitigated.

            • ICS networks should be defended from other plant networks, especially those with Internet access

            This is another layer of protection from the threats I described above. Trusted networks can act as a "carrier" of a virus that then infects your sensitive networks. You want to severely limit "trust" in ICS networks.

            • limited or on-demand (normally blocked) remote access

            Remote access equals bad cyber practice! In the industry I retired from recently, remote access to control systems was absolutely prohibited by government regulations. You got into serious trouble for violating that one! We used those data diodes to enforce that rule. If I needed to make any change to a control network, my butt went into the physical plant, through all the physical security and stood in front of the actual device (or at least a terminal within a physical security boundary that was attached to the control network). And speaking of physical security, you need to have absolute physical access control to all parts of your Control Layer network. That means locked rooms where Control Layer components are located. It also means some type of alarm system for locked cabinets that might have to be located outside your typical physical security boundary (think a device that might have to be outside the fence).

            Those requirements conflict with our typical access and maintenance scenarios...

            I understand it can be a pain in the butt, but remote access to critical Control Layer components is just never a good idea. It is very hard to secure at a very high confidence level. You just can never eliminate human error.

            One thing I did not see you mention, but that is a HUGE concern, is what are called portable media and mobile devices. This area includes USB memory sticks, flash memory cards, CD/DVD discs and even cell phones being charged via USB cables. You need very tight controls on these devices around Control and even Monitoring Layer networks. It would be so easy to compromise a system via a USB stick or even some employee plugging in their cell phone's USB charger cable into a vulnerable PC. In fact, USB media is exactly how the infamous Stuxnet virus infiltrated the Iranian nuclear processing facility and then went on to damage multiple centrifuge machines there. A worker was used to unknowingly carry the virus into the secure facility on a USB stick. When he plugged the USB stick into a computer on the secure and isolated network, that allowed it to spread across the sensitive Control Layer network and do its work.

              bmeeks

              I'll say one last thing to maybe more directly answer one of your questions about the differences between a typical firewall and an ICS firewall.

              Functionally, there is no real difference. One firewall is fundamentally the same as another when speaking of today's stateful inspection technology. It's mostly a difference of features, support and of course cost. Cost runs the gamut from free to thousands and thousands of dollars for the hardware and software support contracts.

              I love pfSense, and it is a very secure firewall out of the box. But it has one shortcoming when used with ICS networks. It wants to be able to talk to the Internet. The "home" screen, immediately upon opening, attempts to query the pfSense/Netgate servers to check for new firmware updates. The package and update system of pfSense is also heavily dependent on Internet connectivity. You can, with much trouble, create a sort of offline package server, but it takes quite a bit of skill to pull this off.

              For ICS networks, especially those most sensitive Control Layer networks, you want a firewall that is happy being 100% isolated from the Internet. One that allows you to update it with a single file by uploading the file to the firewall from a local management network connection. So when looking for your ICS/SCADA firewall, ask the vendor about their support for 100% isolated setups where the firewall has absolutely no Internet access. Can the firewall work in that environment without issue, and does the vendor provide an offline update process that is workable for you? There are firewalls out there that fit this bill, but unfortunately none of the ones I'm familiar with are free.

                ka3ax

                bmeeks, your post inspired me to read more about data diodes and unidirectional networks. Also found a few articles explaining "why firewalls are not recommended for securing SCADA systems"...

                Luckily our site is not a power plant network and remote access to control systems is not prohibited by government regulations in our region... :)

                It is just a production plant with a few assembly machines. If disaster strikes we can restore everything quite quickly, our estimation is 8-48 hrs. And management is happy with this estimation. So I hope that a reasonable / decent security level will help us to improve our security score without going to very expensive solutions and paranoid security mode. :)

                  bmeeks @ka3ax

                  @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                  bmeeks, your post inspired me to read more about data diodes and unidirectional networks. Also found a few articles explaining "why firewalls are not recommended for securing SCADA systems"...

                  Luckily our site is not a power plant network and remote access to control systems is not prohibited by government regulations in our region... :)

                  It is just a production plant with a few assembly machines. If disaster strikes we can restore everything quite quickly, our estimation is 8-48 hrs. And management is happy with this estimation. So I hope that a reasonable / decent security level will help us to improve our security score without going to very expensive solutions and paranoid security mode. :)

                  That's why my first post mentioned first determining the "value" of the network you are protecting. It's one thing if the loss is just monetary, but quite another if loss or sabotage of the network could result in injury or death to people. For a typical factory scenario, I would also say a data diode and all of the other physical security expenses I mentioned are overkill. However, if you are protecting a nuclear power station and its reactor, or a chemical processing facility or say the national electric grid, then more robust controls are definitely called for.

                  However, even with just a factory network, you will benefit from tight portable media and mobile device control. It would be a bad thing for the company to lose thousands of dollars of production because Joe brought in some pictures of his grandkids on a compromised USB stick and plugged it into a PC in the plant control room to show his co-workers.

                    johnpoz

                    @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                    We have several outdated WinXP computers in our production area

                    If this was the case in any of the scenarios you mentioned, National Elec grid, Nuc plant - I would seriously be like WTF People!!!

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      bmeeks @johnpoz

                      @johnpoz said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                      @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                      We have several outdated WinXP computers in our production area

                      If this was the case in any of the scenarios you mentioned, National Elec grid, Nuc plant - I would seriously be like WTF People!!!

                      WTF is an appropriate response, but that old nemesis money comes into play. You have vendors that provide highly specialized components (sometimes custom-designed for just one site) and they want many millions of dollars to "upgrade" their component for you and to certify their old software on new operating systems. It becomes, unfortunately, a money decision made on a risk vs cost to mitigate scale. Sometimes totally isolating the network and associated devices is the most cost effective approach for a short-term solution. Longer term you plan on replacing that component or system. However, in the case of power plants, consider the impact of spending millions and millions of dollars to upgrade systems on consumers' power bills. They will yell and scream and the utility rate regulators are stingy with granting rate increases.

                        NogBadTheBad @johnpoz

                        @johnpoz said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                        If this was the case in any of the scenarios you mentioned, National Elec grid, Nuc plant - I would seriously be like WTF People!!!

                        https://www.theregister.co.uk/2018/11/09/royal_navy_old_os_at_sea/

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                          johnpoz

                          Yeah that really is a WTF... but if that is true
                          "It’s all standalone, not connected to the outside world,”

                          That is something

                            JKnott @johnpoz

                            @johnpoz said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                            I would seriously be like WTF People!!!

                            Unfortunately, there is a lot of gear around where the manufacturer can't or won't update it. In some cases the hardware doesn't have the needed resources to support newer software. I have used some EXFO test equipment that ran XP and even with it, it was painfully slow. In that case, the only recourse is to buy newer equipment.

                              JKnott @NogBadTheBad

                              @NogBadTheBad said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                              https://www.theregister.co.uk/2018/11/09/royal_navy_old_os_at_sea/

                              Ah yes, Windows Moron Edition. 😉

                                bmeeks

                                I had to deal with even a Windows NT 4.0 system, but at least it was a completely standalone single machine located in a high security area.

                                You can make these machines secure by locating them behind high security physical barriers, locking down USB access with key-lock physical blocking devices inserted into the ports, and by putting them on data-diode isolated networks so two-way communications with the "outside" is impossible. You would only use the data-diode option if it was necessary for the older machine to send its data to some other network. If everything was local, then most times no network is even connected and the RJ45 port is also physically blocked closed with a key-lock plug.
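The data-diode arrangement described in the post above (the old machine may only send data out, nothing can come back) has a direct consequence for whoever has to move that data: with no return path there are no acknowledgements, so the sender never learns what was lost and the receiver cannot ask for a resend. The following is an added example, not code from this thread or from any diode vendor. It simulates in memory, in Python, the framing a one-way link typically needs: a sequence number and CRC-32 on every frame, each record sent several times, and a receiver that de-duplicates and reports gaps. The `DIOD` marker, the record format, the repeat count of 3 and the `lossy_channel` helper are assumptions made for the example; a real deployment would put a hardware diode between two hosts exchanging UDP datagrams.

```python
"""One-way (data-diode) transfer framing, simulated in memory.

Added example for this thread; the frame marker, record format, repeat count
and loss model are assumptions, not from any real product or site.
"""
import random
import struct
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

MAGIC = b"DIOD"                   # assumed frame marker for the example
HEADER = struct.Struct("!4sIH")   # magic, sequence number, payload length
CRC = struct.Struct("!I")


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame = header + payload + CRC-32; the CRC is the receiver's only integrity check."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (seq, payload), or None for a truncated, corrupted or foreign frame."""
    if len(frame) < HEADER.size + CRC.size:
        return None
    body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or length != len(body) - HEADER.size:
        return None
    return seq, body[HEADER.size:]


def sender(records: Iterable[bytes], repeat: int = 3) -> List[bytes]:
    """Emit each record `repeat` times. There is no return path, hence no ACK and
    no retransmission request: redundancy is the only way to survive loss."""
    out: List[bytes] = []
    for seq, rec in enumerate(records):
        out.extend([encode_frame(seq, rec)] * repeat)
    return out


class Receiver:
    """Collects frames on the receive side of the diode, de-duplicating by sequence number."""

    def __init__(self) -> None:
        self.records: Dict[int, bytes] = {}
        self.corrupt = 0

    def feed(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        self.records.setdefault(seq, payload)  # repeats are expected; keep the first good copy

    def missing(self) -> List[int]:
        """Sequence numbers never seen: the receiver can only report a gap, not request a resend."""
        if not self.records:
            return []
        return [s for s in range(max(self.records) + 1) if s not in self.records]

    def ordered(self) -> List[bytes]:
        return [self.records[s] for s in sorted(self.records)]


def lossy_channel(frames: Iterable[bytes], loss: float, seed: int) -> List[bytes]:
    """Drop each frame independently with probability `loss` (a constructed stand-in for the link)."""
    rng = random.Random(seed)
    return [f for f in frames if rng.random() >= loss]


# Constructed telemetry records, the kind of thing a display-only machine might export
SAMPLE_RECORDS = [f"2019-03-01T10:00:{i:02d}Z line1 temp_c={20 + i}".encode() for i in range(20)]


def simulate(loss: float = 0.3, repeat: int = 3, seed: int = 7) -> Receiver:
    """Push SAMPLE_RECORDS through the lossy one-way link and return the receiver state."""
    rx = Receiver()
    for frame in lossy_channel(sender(SAMPLE_RECORDS, repeat), loss, seed):
        rx.feed(frame)
    return rx


if __name__ == "__main__":
    rx = simulate()
    print(f"received {len(rx.records)}/{len(SAMPLE_RECORDS)} records, "
          f"missing {rx.missing()}, corrupt frames {rx.corrupt}")
```

Two points worth keeping in mind when reading it. First, the `missing()` list is the whole of the receiver's error handling: the gap can be logged and alarmed on, but recovery means the sender re-exporting on its own schedule. Second, a stateful firewall rule that only passes the outbound direction is not a diode: the state that rule creates admits replies to the flow, and the physical return path still exists, which is exactly what the hardware device removes.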

                                  JKnott @bmeeks

                                  @bmeeks said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                                  I had to deal with even a Windows NT 4.0 system, but at least it was a completely standalone single machine located in a high security area.

                                  IIRC, Windows NT only met Orange Book C2 security by having no connections to anything and floppies/USB sticks blocked.

                                    bmeeks @JKnott

                                    @JKnott said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                                    @bmeeks said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                                    I had to deal with even a Windows NT 4.0 system, but at least it was a completely standalone single machine located in a high security area.

                                    IIRC, Windows NT only met Orange Book C2 security by having no connections to anything and floppies/USB sticks blocked.

                                    Luckily for me that NT machine was in a display-only role that simply received data from a remote sensor over a proprietary analog interface and displayed the output for trending. It was for local use only and had no external connection.

                                      JeGr

                                      @johnpoz said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                                      "It’s all standalone, not connected to the outside world,”
                                      That is something

                                      Somehow with the whole twist this thread has been taking (and the horror scenarios...) while reading "isolated from the network" I had to remember something I read years before about "tempest shielding" like some sort of "bunker" isolation. Reminds me of that.

                                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                        ka3ax

                                        Thank you all guys for all the info and motivating scary stories. :)

                                        Back to my original question: Are there manuals or guidelines for turning pfSense into an ICS / SCADA firewall?

                                          johnpoz

                                          @ka3ax said in pfSense as an ICS / SCADA environment internal segmentation firewall:

                                          ICS / SCADA firewall?

                                          You have yet to call out the specifics of this.. I don't even think it's a thing to be honest.. There are firewalls, and then there are firewalls.. There isn't X firewall, and then B firewall for what devices you put behind them.

                                          You can put your ICS network behind a firewall.. You can then allow or block whatever traffic you want or don't want based on all kinds of criteria. You can run IPS on the traffic you allow if you so desire. What else do you need?

                                          If I put my plex behind a firewall, I could call it my plex firewall if I wanted ;)

                                            bmeeks

                                            @johnpoz is correct. There is no difference between an ICS/SCADA firewall and any other typical firewall in terms of security or performance. Of course there are differences in appearance, perhaps differences in features and certainly differences in cost. An ICS/SCADA firewall is not more secure than any other firewall assuming both are configured with the proper firewall rules.

                                            Where there can be differences are in these two areas:

                                            1. Hardware touted as an ICS/SCADA firewall is more likely to be rated for use in harsher environmental conditions (higher temps, maybe higher humidity, etc.).

                                            2. Going back to one of my earlier posts, a true ICS/SCADA firewall is more likely to be able to operate isolated from the Internet. That means it does not need to constantly check a home web site for firmware updates and it is more likely to support an offline update process (meaning you can update the firewall's software without needing an Internet connection directly from the firewall).

                                            In terms of feature set differences, a vendor selling you so-called dedicated ICS/SCADA firewalls may well offer some pre-packaged firewall rules as features. Say something like having some canned Modbus rules ready for you, or perhaps rules for other standard industrial control protocols. Of course when it comes down to it, ports are ports and UDP and TCP are the same everywhere, so you could replicate any of these pre-packaged rules on your own. But you might have to do more research to find the proper ports and protocols, for example.

                                            A vendor selling you what they term an ICS/SCADA firewall is likely to be more attuned to industrial control terminology and technology, so their after-the-sale tech support may be superior to what you might get from say a more generic perimeter firewall vendor should you have questions related to industrial control technologies.

                                            So to sum up what I'm saying, in terms of security there is no inherent advantage of one firewall over another. It's the features one brand provides over another that is most likely to matter to you. And of course don't discount the operating environment. Typical industrial locations are much more harsh than a nice climate-controlled server room in a data center.

                                            In terms of making pfSense an ICS/SCADA firewall -- sure you can do that. But there may be some headaches. How big the headaches are depends on whether or not pfSense will have Internet access. If the firewall has unrestricted Internet access, then it can be a fine ICS/SCADA firewall. Just pay attention to any physical environment issues and buy hardware appropriate for the environment. If you need to put pfSense into a situation where it will not have direct Internet access, then you start to have the headaches. When the home page opens after login, it will attempt to contact the Netgate servers to check for updates. The GUI will be very slow during this time if there is no Internet access. Also, lack of direct Internet access will be a real burden if you want to load optional packages such as Snort or Suricata. Those all expect Internet connectivity in order to function.
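The "ports are ports" point in the post above holds at layer 4, but the canned Modbus rules an ICS-branded vendor sells usually go one step further and look at the Modbus function code, so that an HMI may read process values while only the engineering station may write coils and registers or run diagnostics. The following is an added illustration in Python of what such a rule does; it is not code from this thread, from pfSense, or from Suricata (which has a Modbus application-layer parser that can express similar rules). It parses the Modbus/TCP MBAP header and PDU, drops malformed frames, and applies a per-source function-code and address policy. The engineering-station address 10.10.20.5, the HMI address 10.10.30.7, the writable address range 0-99 and the sample frames are all constructed for the example.

```python
"""Modbus/TCP request filter: function-code and address policy on top of port 502.

Added example for this thread; the addresses and the policy are constructed,
not taken from any real site or product.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Public Modbus function codes (from the Modbus application protocol specification)
READ_FUNCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCS = {5, 6, 15, 16}     # write single/multiple coils and registers
ENGINEERING_FUNCS = {8, 43}      # diagnostics, encapsulated interface (device identification)

# Constructed policy for the example (assumed values, not from the thread)
ENGINEERING_STATION = "10.10.20.5"   # the only host allowed to write or run diagnostics
WRITABLE_RANGE = range(0, 100)       # coil / register addresses the station may write


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; raise ValueError for anything that is not a well-formed request."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length > 254:
        raise ValueError("length exceeds the 260-byte Modbus/TCP ADU maximum")
    # The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    function = frame[7]
    if function & 0x80:
        raise ValueError("exception bit set; responses are not valid client requests")
    return ModbusRequest(tid, unit, function, frame[8:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request ADU (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def decide(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for one client-to-server Modbus/TCP frame."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    fc = req.function
    if fc in READ_FUNCS:
        return "ALLOW", f"read fc={fc} unit={req.unit_id}"
    if fc in WRITE_FUNCS or fc in ENGINEERING_FUNCS:
        if src_ip != ENGINEERING_STATION:
            return "DROP", f"fc={fc} only permitted from the engineering station"
        if fc in WRITE_FUNCS:
            if len(req.data) < 4:
                return "DROP", "write request too short for address and value/quantity"
            start, second = struct.unpack("!HH", req.data[:4])
            # fc 5/6 carry a value in the second field; fc 15/16 carry a quantity
            count = second if fc in (15, 16) else 1
            last = start + count - 1
            if start not in WRITABLE_RANGE or last not in WRITABLE_RANGE:
                return "DROP", f"write to {start}..{last} outside permitted range"
        return "ALLOW", f"fc={fc} from engineering station"
    return "DROP", f"function code {fc} not on the allow list"


# Constructed sample traffic: (source address, frame)
HMI = "10.10.30.7"
SAMPLE_TRAFFIC = [
    (HMI, build_request(1, 1, 3, struct.pack("!HH", 0, 10))),                  # read 10 holding registers
    (HMI, build_request(2, 1, 6, struct.pack("!HH", 5, 0x00FF))),              # HMI tries to write a register
    (ENGINEERING_STATION, build_request(3, 1, 6, struct.pack("!HH", 5, 0x00FF))),
    (ENGINEERING_STATION, build_request(4, 1, 16, struct.pack("!HHB", 95, 8, 16) + bytes(16))),  # 95..102
    (ENGINEERING_STATION, build_request(5, 1, 8, struct.pack("!HH", 0, 0))),   # diagnostics: return query data
    (HMI, b"\x00\x06\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),                # protocol id 1, not Modbus
    (HMI, build_request(7, 1, 0x83, b"\x02")),                                 # exception response as a request
]


def run_samples() -> List[str]:
    """Verdicts for SAMPLE_TRAFFIC, in order."""
    return [decide(src, frame)[0] for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, frame), verdict in zip(SAMPLE_TRAFFIC, run_samples()):
        print(f"{src:>12} {verdict:5} {decide(src, frame)[1]}")
```

The same policy written as a plain port-502 pass rule would let the HMI write register 5 and let the engineering station write outside the permitted block; only by parsing the PDU can the firewall tell a read from a write. The cost is that the filter must see the whole request, so on pfSense this kind of check belongs in an inline IPS package rather than in the stateful rule set itself.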

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.