Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks

BCIT Group for Advanced Information Technology, “Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks - Policy and Best Practice ID. 00157”, National Infrastructure Coordination Centre, UK , 23 February 2005


Abstract:  In reNISCC_SCADA_Firewalls_1.JPGcent years, Supervisory Controls and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial information technologies such as Ethernet, TCP/IP and Windows for both critical and non-critical communications. While beneficial in other areas, use of these common protocols and operating systems has resulted in significantly less isolation from the outside world for vital SCADA and Process Control Networks (PCNs). These systems are now under risk of attack from a variety of threats, ranging from teenage script-kiddies to skilled and determined cyber terrorists.


 Unfortunately, there are few proven methods to protect these systems available to the asset owner or engineer. The commonly suggested security solution is to isolate the SCADA and PCN system from the corporate and Internet systems through the use of firewalls, but there is little information available on exactly how these firewalls should be deployed in terms of architectures, configuration and management. Firewalls can be complex devices to design and deploy correctly and guidance on how best to deploy firewalls in the industrial setting would be very useful.


To address this need, the Group for Advanced Information Technology (GAIT) at the British Columbia Institute of Technology (BCIT) to investigate and compile current best practices in SCADA/PCN firewall deployment. The intent was to examine the “state of the art” in firewall architectures, deployment and management used to protect industrial control environments.


In March 2004, the research team sent out requests for information regarding the use of firewalls in industrial settings to approximately 60 organizations and industry news lists. The information received was summarized in terms of firewall design, deployment and management to determine current security architectures and practices. These practices were then analyzed for their likely effectiveness in the industrial control environment.


PDF NISCC Good Practice Guide on SCADA Firewalls - White Paper (368kb)