
Is the Smart Firewall Necessary in Some Architectures?

Hello,

I have a customer who is considering implementing an Emerson Smart Firewall, but they are split on the decision and are asking me to provide them with a justification or list of pros and cons based on their current architecture.  I need some help considering a reply. Their network architecture is laid out as follows (using page 17 of the DeltaV Security Manual as a reference):

  • They have a Level 3 and above network which their corporate IT department manages and seem to do an effective job of. 
  • On the DeltaV side the L2 network exists
  • There is an air gap between the L2 and the L3 networks.

The L2.5 network will be implemented and a DeltaV Continuous Historian will be connected to it. They are going to add a firewall between the L3 and the L2.5 network and restrict the traffic. In the DMZ they plan to place a PI Data Collector server which will connect to the DeltaV Continuous Historian on the L2.5 network.  

The debate is whether or not the Emerson Smart Firewall is necessary, useful, and/or desired.  Currently, there are a few points/questions being debated:

  1. The corporate firewall is sufficient to handle all of the security between the networks, thus no Emerson Smart Firewall is necessary. A DMZ leg will be created off of the corporate firewall, and the PI Data Collector will reside there.
  2. Does a second firewall provide an additional layer of protection if viewed from a LOPA (Layers of Protection Analysis) perspective?
  3. If the Smart Firewall is added to the architecture, exactly what benefit does it provide? (Currently, they believe it provides no benefit.)

Your thoughts and expertise are appreciated!

Thanks,
Dave

8 Replies

  • Dave,

    First of all, the perimeter protection at L2.5 is required. This is the security boundary of each DeltaV "cluster", and traffic is controlled accordingly. The perimeter protection can be implemented with the Emerson Smart Firewall or another firewall of the user's choice. The Emerson Smart Firewall provides an easy-to-configure rule set, DCOM-related rules are dynamically managed by the firewall, and the Emerson Smart Firewall is integrated into the Network Device Command Center (DeltaV v13.3 or higher) for firewall alert integration.

    The DeltaV Security Manual does not state you need to add a second firewall in the same layer (back-to-back firewalls), but this alternative could be used if the Corporate firewall is only managing the connection from DMZ up.

    In my opinion, you first need to design the network segmentation for the specific site, and then define which manufacturer, type and model of firewall you will use in each layer based on your specific requirements. The Emerson Smart Firewall is certainly a good fit for L2.5/DMZ segmentation, but it is not a mandatory requirement if you have other options available and preferred by the customer.

    You can contact Performance Services to provide you consultation services to design the architecture you are working on. Please call me directly if you need further information about the Emerson Smart Firewall.

    I hope this helps!

    Regards,

    Alexandre Peixoto
  • If I read this correctly, you are planning to use a firewall between L2.5 and 3.0, and that your question is whether the Emerson Smart Firewall is also required? As Alexandre indicates, this perimeter firewall does not need to be the Emerson Smart Firewall.

    A second firewall is not required, provided the single firewall is correctly configured to provide the required protection. Having two firewalls in series would compound the configuration since the combined set of rules would be in effect, making configuration and troubleshooting a challenge.

    The benefit of the Emerson Smart Firewall is the ease of use with respect to configuring the device, and is intended for the OT crowd. If the firewall configuration responsibility rests with the IT group, the ease of use features of the Emerson smart firewall will not likely be seen as benefits. From a support standpoint, Emerson is able to support the OT group on the Emerson Smart Firewall. The IT group would be required to support a firewall of their choosing, and troubleshooting connectivity issues would require their participation. The best choice is really a site dependent decision.

    Andre Dicaire

  • In reply to Andre Dicaire:

    Hi Andre,

    That is almost exactly the situation. The firewall experts at the customer don't believe that adding a second firewall is necessary. They seem to be confident in their option for configuration, but the plant thinks in terms of PHA/LOPA where having a redundant system is a good idea.
  • In reply to dave_marshall:

    Two firewalls in series is not redundancy. It is duplication, of effort and in troubleshooting. Since both firewalls would need to allow the same valid protocols, ports and devices to pass, once you create a valid packet, it will breeze through both. The only place I see a second firewall is if there are some additional computers between the first FW (by IT) that only considers IT-level security, which would expose DeltaV to cyber security risks, and so a second DeltaV Smart Firewall would allow OT to further reduce the possible attack vectors without having IT change their policies on the first FW.

    Since your IT group is onboard to configure the FW for DeltaV protection, the second FW would, in my opinion serve no purpose. You would still meet the DeltaV recommendations of having a firewall between L3 and L2.5.

    The PHA/LOPA will identify risks. If the risk is loss of data access due to failure of the Firewall, then we need to look at fault tolerance in the L2.5 network. The risk mitigation for higher availability would not be two Firewalls in Series.

    Andre Dicaire
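
The point Andre makes about firewalls in series, as an added example that is not from the original thread or from Emerson: a small Python model of first-match, default-deny packet filters placed one behind the other. The addresses, hosts, rule sets and port numbers are constructed for illustration (5450 is assumed as the PI listener, `HIST_PORT` is a placeholder) and do not come from the DeltaV Security Manual.

```python
"""Two packet filters in series: the effective policy is the intersection.

Added example, not from the original thread or from Emerson. Addresses,
rule sets and ports below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules, packet, default="deny"):
    """First-match evaluation; anything no rule matches hits the default."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return default


def in_series(chains, packet):
    """A packet crosses several firewalls in series only if every one allows it."""
    return all(evaluate(c, packet) == "allow" for c in chains)


def allowed_set(chains, candidates):
    """Effective policy of the series: the subset of candidates that pass all chains."""
    return frozenset(p for p in candidates if in_series(chains, p))


# Constructed addressing (not from the thread or the DeltaV Security Manual)
L3_CORP = "10.30.0.0/16"    # Level 3 corporate network
DMZ = "10.25.0.0/24"        # DMZ leg off the corporate firewall
L25 = "10.20.0.0/24"        # DeltaV L2.5 network
PI_COLL = "10.25.0.10/32"   # PI Data Collector server in the DMZ
HIST = "10.20.0.5/32"       # DeltaV Continuous Historian on L2.5
PI_PORT = 5450              # assumed PI listener port
HIST_PORT = 4000            # placeholder; substitute the historian's real listener

# Corporate (IT) firewall with a coarse, network-to-network rule set
IT_FW = [
    Rule("allow", L3_CORP, DMZ, "tcp", PI_PORT),   # corporate clients to PI
    Rule("allow", DMZ, L25, "any", None),          # whole DMZ to whole L2.5, any port
]

# OT firewall at the L2.5 boundary: one host pair, one port, nothing else
OT_FW = [
    Rule("allow", PI_COLL, HIST, "tcp", HIST_PORT),
]

# Candidate traffic (constructed)
VALID = Packet("10.25.0.10", "10.20.0.5", "tcp", HIST_PORT)   # collector -> historian
LATERAL = Packet("10.25.0.77", "10.20.0.5", "tcp", 3389)      # another DMZ host, RDP
CORP = Packet("10.30.4.2", "10.20.0.5", "tcp", HIST_PORT)     # L3 workstation, direct
CANDIDATES = [VALID, LATERAL, CORP]


def compare():
    """Effective policy of one IT firewall, IT then OT, and the IT rules duplicated."""
    return {
        "it_only": allowed_set([IT_FW], CANDIDATES),
        "it_then_ot": allowed_set([IT_FW, OT_FW], CANDIDATES),
        "it_twice": allowed_set([IT_FW, IT_FW], CANDIDATES),
    }


if __name__ == "__main__":
    for name, allowed in compare().items():
        print(name, sorted(f"{p.src}->{p.dst}:{p.dport}" for p in allowed))
```

`it_twice` is the duplication case: repeating the same rules behind the first firewall lets exactly the same packets through, so the valid collector-to-historian packet "breezes through both" and nothing else changes. `it_then_ot` is the one case where a second firewall narrows anything: the coarse corporate rule admits any DMZ host to any L2.5 port, and only the tighter OT rule set stops a compromised DMZ neighbour reaching the historian on a port it has no business using.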

  • A second firewall's presence will provide a DMZ in between L3 (SITE/CORP NETWORK) and L2 (DCS).
    The PURPOSE of a DMZ is to provide a network where untrusted services can be deployed. Note that the trusted/untrusted categorization depends on point of view. For the IT dept., L3 is trusted but the DCS (L2) is untrusted. However, for the DCS management team, L3 is untrusted and the DCS (L2) is trusted.
    A DMZ implementation makes the untrusted network the same for both.
    Typical firewalls distinguish trusted/untrusted in terms of private/public network (or LAN/WAN) and only allow firewall settings to be managed from a computer connected to the private-side network. A single-firewall architecture implies that IT has to take ownership of DCS computers. But DCS design may impose a networking architecture/configuration not compatible with IT policies/rules.

    So, two firewalls (DMZ) could fit better, at the price of higher cost and more complex configuration
  • In reply to gamella:

    The firewall that the corporate IT group has chosen has the ability to create a separate DMZ network on its own.  In this separate DMZ that they can create (separate from the DeltaV Process DMZ in the security manual) they plan to place the PI Data collector. See the image below for reference as to what this would look like with the Emerson firewall.


    If they place the PI Data Collector server in the DMZ off of the Corp firewall, does this make the Emerson firewall un-necessary as Andre suggests?

  • Dave, 

    In my opinion, the question that needs to be answered is whether the DMZ between L2.5 and L3 is required by the customer as per their policies and procedures.
    Ideally the DMZ networks are important to act as buffers between each boundary, but if in this case it is not being used in that way - or even not used at all, then the additional firewall is not required.
    If indeed the lower DMZ is required, then the Emerson Smart Firewall can be used to segment each layer and yet provide OT with tools to manage the firewall in an easy manner. Additionally, having different firewalls in the different layers is a good practice in terms of security.

    Best Regards,

    Alexandre Peixoto
  • Seeing first hand what happens when those corporate firewalls are deployed ineffectively or in a UTM one-size-fits-all approach, I would opt for at least one other protection technology, preferably deployed by the automation owners as accountable for their own domains. Risk assess the nominal cost of such technologies against the loss of production and IP that is becoming increasingly likely, and recognize the control systems of the immediate future will require chip-level certificates, built-in intrusion detection and prevention, and other common internet protocol principles. It's best we understand and integrate these now, while the learning curve is still (?) manageable.