Submitted by Eric Byres on Wed, 2012-04-04 21:00
Deep Packet Inspection (DPI) is important for the future of SCADA / ICS security - and in this article I explain why.
DPI SCADA Security: Reviewing the Basics
In Part 1 of this series I explained DPI technology in detail. To review, the traditional IT firewall examines the TCP/IP and Ethernet headers in the network messages it sees. It then decides whether to allow or block a message based on this limited information.
Submitted by Eric Byres on Thu, 2012-03-29 14:31
I have talked repeatedly about something called Deep Packet Inspection (DPI) and why it is so important for SCADA / ICS security (for example, see Air Gaps Won’t Stop Stuxnet’s Children). The trouble is, I have never described what DPI actually is. So in today’s blog I will back up and explain what DPI firewall technology is all about.
Submitted by Eric Byres on Tue, 2011-04-12 21:00
When you hear the words “defense-in-depth” do you immediately think of layers of firewalls?
If so, you are not alone – most of us immediately think of security concepts in traditional physical security terms. For example, we imagine “more defense” as being more moats and castle walls around the crown jewels. But that is not the only way (or even the best way) to create secure ICS or SCADA systems.
Submitted by Eric Byres on Tue, 2010-11-23 15:07
Over the years I have been asked by a number of control engineers, “Our IT dept says we have VLANs, so why do I need a firewall?”
Back in the mid-90s, I was a big supporter of Virtual Local Area Networks (VLANs) for security. Unfortunately, I have seen so many issues with this technology that I no longer believe it provides effective security.
Submitted by Eric Byres on Wed, 2010-11-17 14:44
It is easy for me to forget that just because I have taught a concept at one or two conferences, not everyone in the world has heard it. This was driven home with amazing clarity at the Hirschmann Critical Network Design Conference back in September when a participant asked me:
We use computers with two network cards as security between the control system and the business system. Is that a good idea?