Industrial Control Systems Joint Working Group (ICSJWG)

Firewalls with Deep Packet Inspection (DPI) capabilities are now mainstream for IT protocols like HTTP, but achieving the same for SCADA protocols has been painful.

Unfortunately SCADA needs DPI technology even more than IT does. SCADA traffic over TCP/IP can blocked by any firewall, but fine-grained control has been impossible. Since most SCADA protocols have few authentication features built in, any computer that can read a register from a PLC can also write to it or even reprogram it. Even passwords are of little use, as most are transmitted in plaintext.

Focusing on two popular SCADA protocols, Modbus TCP and OPC/DA, this talk looks at the lessons learned, including why DPI is needed, how the technology has evolved, what is available today and the challenges going forward. We look at early efforts in SCADA DPI, such as the opensource “ModbusFW” project, the technical issues in creating a SCADA DPI firewall that is useable and the solutions we see emerging.