ICS Firewall Assessment and Optimization 

Are Your Firewalls Providing a False Sense of Security? 

While many Industrial Control System (ICS) zones may be properly isolated by boundary firewalls, most ICS administrators cannot confirm that these firewalls are properly configured. It is commonplace to have outdated firewall configurations that are no longer securely or optimally configured. After years of many different internal employees and contractors managing and modifying the configurations, numerous misconfigurations may be lurking unnoticed in the firewall configuration, leaving your ICS exposed to unnecessary vulnerabilities. This can result from a lack of knowledge, poor management of change practices, or a set of loosely defined rules that was left in place during an integration once the appropriate assets were communicating.

Common Examples

  • Vulnerable Firmware/IOS Versions 

  • Unused objects, services, and groups 

  • Any Any rules between zones 

  • Higher use or more critical rules further down the ruleset 

  • Old/Unnecessary administrator accounts 

  • Firewalls are not actively monitored 

  • No logging configured 

  • Vulnerable Virtual Private Network (VPN) encryption algorithms in use 

A common way to evaluate the integrity of your firewall is to conduct an initial assessment to review the security posture of your ICS firewalls. This assessment can identify the vulnerabilities in your firewall configuration and management practices. The results of this assessment can then be used to put together a remediation plan and outline a management program that periodically reviews critical boundary ICS firewalls to ensure that appropriate Management of Change, monitoring practices, and technologies are in place. 
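As an added illustration (not aeSolutions' tooling or process), the sketch below automates a first pass over several of the common examples listed above: duplicate and unused objects, "any" rules, permit rules without logging, and weak VPN transforms. The configuration is a constructed Cisco ASA-style sample, and the finding names and the `audit` function are hypothetical.

```python
import re
from collections import defaultdict

# Constructed ASA-style configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
object network HMI_01
 host 10.10.20.5
object network HMI_OLD
 host 10.10.20.5
object network HISTORIAN
 host 10.10.30.8
object network PLC_01
 host 10.10.10.2
access-list OUTSIDE_IN extended permit icmp host 192.0.2.50 any
access-list DMZ_IN extended permit tcp object HISTORIAN object PLC_01 eq 502 log
access-list DMZ_IN extended permit ip any any
crypto ipsec ikev1 transform-set VENDOR_TS esp-3des esp-md5-hmac
"""

WEAK_CRYPTO = {"esp-des", "esp-3des", "esp-md5-hmac"}  # DES, 3DES and MD5 transforms
ANY = {"any", "any4", "any6"}

def audit(config: str) -> dict:
    """Return {finding: [details]} for an ASA-style configuration given as text."""
    findings, by_value, referenced = defaultdict(list), defaultdict(list), set()
    # Assumption: the first indented line under each object is its definition.
    for name, value in re.findall(r"^object network (\S+)\n +(.+)$", config, re.M):
        by_value[value.strip()].append(name)
    for line in config.splitlines():
        tokens = line.split()
        # Any "object NAME" pair on any line counts as a reference to NAME.
        referenced |= {b for a, b in zip(tokens, tokens[1:]) if a == "object"}
        if tokens[:1] == ["access-list"] and "permit" in tokens:
            wildcards = sum(t in ANY for t in tokens)
            if wildcards:
                kind = "any_any_rules" if wildcards >= 2 else "any_endpoint_rules"
                findings[kind].append(line)
            if "log" not in tokens:
                findings["permit_without_log"].append(line)
        elif tokens[:1] == ["crypto"]:
            findings["weak_vpn_crypto"] += [t for t in tokens if t in WEAK_CRYPTO]
    findings["duplicate_objects"] = [g for g in by_value.values() if len(g) > 1]
    findings["unused_objects"] = sorted(
        n for g in by_value.values() for n in g if n not in referenced)
    if "logging enable" not in config.splitlines():
        findings["global_logging"].append("'logging enable' not present")
    return {k: v for k, v in findings.items() if v}
```

Rule ordering by usage and firmware vulnerability checks need hit counters and vendor advisories, so they are outside what a static pass over the configuration text can show.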

 

 

Challenges You May Face 

  • Lack of a robust, systematic process for assessing and optimizing firewall configurations

  • Lack of qualified personnel 

  • Permitted traffic flows have not been identified 

  • ICS networks, conduits, and required data flows are not well documented and understood 

  • Rules and their justification are undocumented 

  • Lack of a robust change management process for tracking historical changes 

  • Lack of access and rule logging 

  • Assessing and optimizing firewalls is time consuming

  • A misconfiguration can cause unplanned operational downtime 

While it can be a daunting task to properly assess and remediate vulnerabilities in an ICS firewall configuration or optimize its ruleset, aeSolutions has extensive experience in assessing, designing, optimizing, and mitigating vulnerabilities in existing ICS firewalls. aeSolutions has the tools and a proven process needed to conduct these assessments, put together an extensive remediation plan, and to build a maintenance program around ICS firewall management. 

What is a Firewall Assessment? 

A Firewall Assessment seeks to find inconsistencies, vulnerabilities, misconfigurations and optimization opportunities in your ICS Firewall by performing a thorough analysis of the device’s configuration, security policy, access policy, and management procedures. Using our experience with ICS Firewalls coupled with our knowledge of cybersecurity frameworks, aeSolutions can tailor a one-time firewall assessment and remediation plan or develop a comprehensive review and successful recurring assessment program to manage and maintain your ICS firewalls.

ICS Firewall Assessment and Optimization Cycle

Our Solutions:

  • Systematic methodology for assessing, hardening, and optimizing firewall configurations 

  • Experience assessing, designing, hardening, and optimizing PCN firewalls 

  • We have several enhanced custom and vendor tools to support the process 

  • Assessments can be performed remotely 

  • If you do not already have your environment documented, we have systematic processes and custom tools for building Asset Inventories and Network Diagrams

  • Increased firewall reliability, security, and performance 

  • Conduit integrity between zones 

  • Improved maintainability 

Firewall Assessment Benefits 

Example Case Studies:

A polyurethane plant requested a Firewall Assessment on its PCN firewall during a Cybersecurity Risk Assessment. The Firewall Assessment took place on these three devices:

  • Cisco ASA Next-Generation Firewall

  • Cisco IOS Version – ASA Version 9.2(2)4

  • Cisco ASDM – ASDM 7.2(2)

Challenges:

  1. Duplicate objects

  2. Rules permit source traffic to “any” destination

  3. Rule allows outside host to ping “any” IP inside the firewall

  4. Cisco IOS version had many vulnerabilities

Our Solution:

  1. Set an Object Naming Policy

  2. Object Cleanup for Duplicate and Unused objects

  3. Rule Maintenance and review of all “any” rules

  4. Upgrade to less vulnerable IOS Version 

Client Benefits

  • Received a report outlining low-hanging-fruit items: misconfigurations and vulnerabilities

  • Better understanding of vulnerabilities between zones

A midstream company was using the firewall as the PCN router. The site requested a full firewall rule review and optimization for a Meraki MX84.

Challenges:

  1. Rules were too open

  2. Unrestricted inter-zone communications

  3. VPN tunnel was open to corporate networks

  4. Multiple “any” rules

Our Solution:

  1. Created over 20 additional rules

  2. Eliminated all ANY rules

  3. Restricted VPN tunnel to approved connections

  4. Established a DMZ and prevented L3 traffic from communicating directly with L4

  5. Blocked unauthorized 3rd party access to PCN

  6. Blocked all internet traffic

Client Benefits

  • Enhanced security between PCN zones

  • Eliminated internet access to the PCN

  • Eliminated communications between the corporate network and the PCN (L1-3)

  • Established a DMZ

 

Learn more about assessing and optimizing your OT firewalls:

info@aesolns.com

United States

864-676-0600

Greenville, South Carolina
Corporate Headquarters
