Secure Connectivity for Networked Industrial Machines and the Internet of Things

With Barracuda Cloud Generation Firewalls

The World’s Getting Connected

The term “the Internet of Things” was coined by Kevin Ashton of Procter & Gamble in 1999. “Things”, in the IoT sense, can refer to a wide variety of devices such as heart monitoring implants, biochip transponders on farm animals, cameras streaming live feeds, or automobiles with built-in sensors. Ashton correctly foresaw a world in which large numbers of connected things would communicate with each other autonomously via the internet, effectively creating an internet of things that is distinct from the internet of people.

Today we see a proliferation of smart, internet-connected home devices: controllers for lighting, heating, ventilation and air conditioning, and appliances such as washer/dryers, robotic vacuums, air purifiers, ovens, and refrigerators/freezers that use Wi-Fi for remote monitoring.

In addition, we see the Industrial Internet of Things (IIoT) and M2M (Machine-to-Machine), terms used for the industrial sub-field of IoT in which intelligent systems connect machinery, sensors, and control systems to enable rapid manufacturing of new products, dynamic response to product demand, and real-time optimization of production and supply chain networks. Automated process controls, operator tools, and service information systems optimize plant safety, while security and asset management use predictive maintenance to maximize reliability.

IoT is an expanding market. According to Forbes the business-to-business spending on IoT technologies, apps, and solutions will reach $267B (€250B) by 2020. About fifty percent of that will be driven by discrete manufacturing, transportation and logistics, and utilities. Gartner indicates the market for IoT devices is poised to explode and will reach nearly 20.8 billion connected devices by 2020.

How to Handle Thousands of “Things”?

Concerns have been raised that the internet of things is being developed too rapidly, without appropriate consideration of the profound security challenges involved. Whereas traditional cyber criminals target information and financial assets, hackers exploiting vulnerabilities in the internet of things—which may include everything from ATMs and cargo ships to power plants and your pacemaker—will be able to cause real-world mayhem far beyond what a data breach might accomplish.

Most of the technical security issues are the same as those of conventional servers, workstations, and smartphones, which means that every “thing” needs a firewall for protection. Without one, connected devices easily become targets for cyber criminals, who can use them as bots for a DDoS attack or as a foothold to infiltrate your network. But how do you handle the deployment and management of thousands of firewalls, and what does such an extremely large deployment cost?

The IoT is also changing the way we work and collaborate. In the decade following 2000, many business planners sought to reduce costs and focus resources on their core business by outsourcing IT. Today, however, many of these planners are noting that the core business is directly integrated with IT, and that Operations and IT are no longer separable. They need to be connected, and suppliers, partners, and service providers also need to become part of these networks. All of this requires the definition of new roles and workflows with shared responsibilities. Who takes care of which components, which maintenance processes need to be followed, and who are the decision makers?

The NextGen Firewall for the Internet of Things

Small IoT devices like wearables and toys need to be secure by design; for older models that are not, the best recommendation is replacement. Barracuda offers solutions for medium-sized IoT devices such as smart meters and traffic lights.

The Barracuda Solution consists of three components:

The Secure Connector Appliance establishes an encrypted connection between IoT devices and the Machine Access Security Broker using TINA, Barracuda’s proprietary enhanced IPsec protocol, which is more resilient and performs better than most competing VPN solutions.

The Secure Connector Appliance comes with a choice of uplinks and automatic failover if one uplink fails. Wired uplinks typically use DHCP or a static IP; in addition, the integrated wireless access point can be reversed to reach the WAN via an existing wireless network, and an optional 3G modem offers even greater deployment flexibility. The Secure Connector Appliance also provides centrally manageable edge computing support via a built-in Linux container, which lets you create custom control and surveillance logic for the devices it protects.

The ultra-compact design and affordable price point of the Secure Connector Appliance make it flexible and easy to deploy across large IoT networks.

The Machine Access Security Broker acts as a connectivity hub for up to 2,500 Secure Connector appliances. It enforces security policies with the full feature set of Barracuda NextGen Firewalls, including IPS, Denial of Service protection, Application Control, URL Filtering, Virus Scanning, and even Advanced Threat Protection, including CPU-emulation sandboxing.

The Machine Access Security Broker is available as a virtual solution and can be deployed on-premises or directly in Microsoft Azure or Amazon Web Services.

The NextGen Control Center enables centralized management and secure remote connectivity for tens of thousands of IoT devices from a single pane of glass.

When you need to manage a quick rollout across multiple remote locations—many of which may lack qualified IT personnel—the NextGen Firewall’s Zero Touch Deployment capabilities make it easy. The Secure Connector Appliances are shipped directly to the remote locations without the need for pre-configuration. Onsite personnel simply unpack the appliances and power them up. They automatically connect to your Barracuda NextGen Control Center, which sends full configuration settings to the appliances via an encrypted VPN tunnel. With no onsite IT expertise, the appliances become part of the security infrastructure. With Zero Touch Deployment, rollouts to hundreds and even thousands of remote locations are executed quickly and managed easily, and require far fewer IT resources.

Managing and maintaining security appliance configurations can be a complicated and time-consuming task. Barracuda uses a template-based configuration that lets you create templates at the various organizational levels supported by the NextGen Control Center. Once a template is changed, all Secure Connector appliances linked to this template automatically update within seconds.

The NextGen Firewall for Industrial Environments

This increase in connectivity also exposes formerly isolated systems, including large Industrial Control Systems, to the dangers inherent in the internet. Barracuda offers advanced IoT security solutions for larger devices in industrial environments.

Authentication and Segmentation for Industrial Components

The first step in securing these systems is to define effective perimeters between a secure, controlled realm and the world outside. These perimeters may lie deep within a company or manufacturing plant rather than at the internet edge, but logically they are still necessary. The most important decision is where to place them.

In this process, you may create a large number of new perimeters, all of which need to be protected by a firewall. A solution with high scalability and easy manageability in that situation is critical to ongoing operational security.

Your firewalls also let you enforce new or existing access policies, so that, for example, technicians can access only the parts of the network relevant to their jobs. Strong authentication is critical to success here and is typically considered a basic requirement of industrial security.

Detection and Containment of Threats

If your firewalls are correctly configured and deployed to defend the right perimeters, you will be able to detect and contain threats and attacks. Even if a modern worm like WannaCry, which spread over SMB on TCP port 445, penetrates one area, it cannot spread throughout your infrastructure as long as the rules between zones do not permit that traffic.

In designing your infrastructure, it is important to resist the temptation to cut down on firewalls by combining zones that should ideally be kept discrete, perhaps in order to simplify and centralize remote access. Within the protected domain, the primary objective is to make it impossible for an attack or advanced threat to spread across logical zones. This objective is what determines the number of firewalls and the shapes of the perimeters to defend.

Analysis of Industrial Protocols

Machine-to-machine communication uses a variety of familiar protocols, but also many protocols that are little known in the office IT world. Some of them are partly or fully proprietary and cannot be easily analysed. IoT security therefore requires the flexibility to define highly granular policies, including the ability to create your own protection profile patterns. What level of granularity belongs in the protection profile is, however, a process decision to be made jointly by IT and OT experts.

For more detailed information on supported industrial protocols, please see Appendix "Supported Industrial Protocols".
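The zone-based containment described under “Detection and Containment of Threats” and the function-level inspection described in this section can be sketched in one piece of code. The following Python is an added example written for this page, not Barracuda’s code: it models an HMI zone and an engineering zone talking to a PLC zone through a default-deny layer-4 rule table, then inspects Modbus/TCP requests and permits only the function codes that the zone’s protection profile allows. The zone names, rule table, profile names and sample frames are constructed for the example; the function codes and the MBAP header layout are taken from the public Modbus specification, and the categories mirror the appendix.

```python
# Added example, not Barracuda code: a toy zone policy with Modbus/TCP function-code
# inspection. Zone names, rules, profiles and frames are constructed for illustration.
import struct
from dataclasses import dataclass

# Public function codes grouped as in the appendix: (category, name, operation),
# where "write" marks anything that changes state on the device.
MODBUS_FUNCTIONS = {
    1: ("Data Access", "Read Coils", "read"),
    2: ("Data Access", "Read Discrete Inputs", "read"),
    3: ("Data Access", "Read Holding Registers", "read"),
    4: ("Data Access", "Read Input Registers", "read"),
    5: ("Data Access", "Write Single Coil", "write"),
    6: ("Data Access", "Write Single Register", "write"),
    15: ("Data Access", "Write Multiple Coils", "write"),
    16: ("Data Access", "Write Multiple Registers", "write"),
    22: ("Data Access", "Mask Write Register", "write"),
    23: ("Data Access", "Read/Write Multiple Registers", "write"),
    24: ("Data Access", "Read FIFO Queue", "read"),
    20: ("File Access", "Read File Record", "read"),
    21: ("File Access", "Write File Record", "write"),
    7: ("Diagnostics", "Read Exception Status", "read"),
    8: ("Diagnostics", "Diagnostics", "write"),  # sub-functions can restart comms
    11: ("Diagnostics", "Get Communication Event Counter", "read"),
    12: ("Diagnostics", "Get Communication Event Log", "read"),
    17: ("Diagnostics", "Report Server ID", "read"),
    43: ("Encapsulated Interface Transport", "Encapsulated Interface Transport", "read"),
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    category: str
    name: str
    operation: str

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one request; raise ValueError for anything the engine must not guess about."""
    if len(frame) < 8:
        raise ValueError("truncated: MBAP header plus function code needs 8 bytes")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError("exception response seen where a request was expected")
    if fc not in MODBUS_FUNCTIONS:
        raise ValueError(f"unknown or vendor-specific function code {fc}")
    category, name, operation = MODBUS_FUNCTIONS[fc]
    return ModbusRequest(tid, unit, fc, category, name, operation)

# Layer-4 zone rules (constructed): (src zone, dst zone, dst port) -> L7 profile.
# Anything unlisted is dropped, so e.g. SMB on TCP 445 never crosses a zone boundary.
L4_RULES = {
    ("hmi", "plc", 502): "modbus-read-only",
    ("engineering", "plc", 502): "modbus-full",
}
# Layer-7 protection profiles (constructed): category -> permitted operations.
L7_PROFILES = {
    "modbus-read-only": {"Data Access": {"read"}, "Diagnostics": {"read"}},
    "modbus-full": {"Data Access": {"read", "write"}, "File Access": {"read", "write"},
                    "Diagnostics": {"read", "write"},
                    "Encapsulated Interface Transport": {"read"}},
}

def decide(src_zone: str, dst_zone: str, dst_port: int, payload: bytes) -> tuple:
    """Return ("allow" | "drop", reason) for one request crossing a zone boundary."""
    profile = L4_RULES.get((src_zone, dst_zone, dst_port))
    if profile is None:
        return ("drop", f"no rule {src_zone}->{dst_zone}:{dst_port} (default deny)")
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return ("drop", f"malformed Modbus: {err}")
    if req.operation in L7_PROFILES[profile].get(req.category, set()):
        return ("allow", f"{req.name} [{req.category}] to unit {req.unit_id}")
    return ("drop", f"{req.name} [{req.category}] not permitted by {profile}")

def modbus_frame(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used here for constructed sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic.
READ_HOLDING = modbus_frame(3, struct.pack("!HH", 0, 10))       # read 10 registers at 0
WRITE_REGISTER = modbus_frame(6, struct.pack("!HH", 0x10, 1))   # set register 0x10 to 1
TRUNCATED = READ_HOLDING[:6]                                     # cut inside the header
BAD_LENGTH = READ_HOLDING[:4] + b"\x00\x40" + READ_HOLDING[6:]   # header claims 64 bytes
SMB_LIKE = b"\x00\x00\x00\x85\xffSMB" + b"\x00" * 20              # not Modbus at all

if __name__ == "__main__":
    for args in [("hmi", "plc", 502, READ_HOLDING), ("hmi", "plc", 502, WRITE_REGISTER),
                 ("engineering", "plc", 502, WRITE_REGISTER), ("hmi", "plc", 445, SMB_LIKE),
                 ("hmi", "plc", 502, TRUNCATED), ("hmi", "plc", 502, BAD_LENGTH)]:
        print(args[:3], *decide(*args))
```

Run as a script, the HMI zone’s register read is allowed, its register write is dropped, the same write from the engineering zone is allowed, the port 445 flow never reaches the protocol parser, and the truncated and inconsistent frames are dropped rather than guessed at. A production engine would also inspect responses and the Diagnostics sub-function; the point here is that splitting each function category into read and write per zone is what makes a protection profile granular.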

Joint Operations between IT and OT

Until recently, the firewall was strictly an IT responsibility. However, IoT security means introducing firewalls into places and processes governed by Operations (OT), most of them older than firewall technology itself. This makes it crucial for IT and OT leaders to commit to open collaboration.

The firewall in an industrial machine must be understood both as an integral part of IT’s network of firewalls, and as an integral operating part of OT’s network of machines. Both IT and OT must be flexible about change and lifecycle management to succeed with this model.

Secure Remote Access in Industrial Environments

Whereas the number one threat vector in the internet of people is email, in industrial control systems it is the built-in web server that provides remote management access. Most of these designs do not provide for remote access from outside a narrow, trusted environment. The Barracuda NextGen Firewall’s Remote Access feature makes it convenient to grant secure, temporary VPN access to sensitive parts of manufacturing assets for third-party maintenance providers, a more secure alternative to exposing the native remote management interface.

Your IT admin can configure granular permissions to let specified Operations staff open a predefined remote VPN connection, and authorize a third party to use it, via phone or tablet. Onsite Operations staff need no IT expertise.

Firewalls in Harsh Environments

Barracuda offers a range of specialized full-featured and ruggedized appliances with extended temperature range, shock resistance, and no need for active cooling. They are specifically designed for Industrial Control Systems (ICS) used in critical infrastructure and for manufacturing industries in harsh environments, where networking equipment is exposed to extreme temperatures, humidity, dust, and vibration.

Centralized management with the Barracuda NextGen Control Center fully integrates the ruggedized appliances in a large and dispersed ICS network.

Barracuda’s NextGen Firewall Feature Set at a Glance

Barracuda provides all the connectivity and security features required to set up and run a dispersed IoT network.
  • Secure SD-WAN and Traffic Intelligence
  • WAN Compression
  • Failover and Link Balancing
  • Dynamic Bandwidth Detection
  • Dynamic Latency Detection
  • Performance-Based Transport Selection
  • Adaptive Session Balancing across multiple transports of a VPN tunnel
  • Adaptive Bandwidth Reservation
  • Application-Based Routing
  • Application Control
  • Deep Application Context
  • File Content Enforcement
  • Custom Application Awareness
  • User Identity Awareness
  • Web Filtering
  • Botnet and Spyware Protection
  • Intrusion Detection & Prevention
  • DoS and DDoS Protection
  • Malware Protection
  • Advanced Threat Protection

Scalability, Enhanced Security, and Comprehensive Manageability for IoT

Barracuda IoT solutions bring together scalability, secure and reliable connectivity, state-of-the-art security, and simple centralized management. The compact Secure Connector appliance is optimized for securing and connecting large networks of IoT devices, easily and economically. A streamlined rollout process with Zero-Touch Deployment and centralized management help keep your IT overhead low, and features like Remote Access help to establish collaboration between Information Technology and Operational Technology.

Flexible deployment options—appliances or virtual solutions on premises and cloud-native versions for Microsoft Azure and Amazon Web Services—give you the tools you need to implement a tailor-made architecture that matches your specific requirements, today and in the future.

Conclusion

According to Gartner, there will be nearly 20.8 billion devices on the Internet of Things by 2020. Network control and management of manufacturing equipment, asset and situation management, or manufacturing process control brings IoT within the realm of industrial applications.

Whereas the realm of tiny IoT devices like wearables and toys will have to rely on security by design, many use cases can and must be approached with a new type of firewalling. Barracuda is addressing this challenge with an ultra-small appliance providing zone-based firewalling, which reliably connects each remote device with a Machine Access Security Broker, for intrusion prevention (IPS), antivirus protection, and application detection and control.

The digital transformation in today’s manufacturing processes requires permanent and on-demand connectivity with customers, partners, and suppliers on a rapidly increasing scale. The challenge is to find the appropriate mechanism to securely connect OT (operational technology) with IT (information technology) and to manage this process, not only in scale, but also regarding shared responsibilities. Barracuda addresses this challenge with specialized full-featured ruggedized appliances and comprehensive centralized management.

Appendix "Supported Industrial Protocols"

S7 Sub-protocols:

  • S7 UserData - Mode Transition
  • S7 Stop
  • S7 Warm Restart
  • S7 Run
  • S7 UserData - Cyclic Data
  • S7 Cyclic Data Unsubscribe
  • S7 Cyclic Data Memory
  • S7 Cyclic Data DB
  • S7 UserData - Block Functions
  • S7 List Blocks
  • S7 List Blocks of Given Type
  • S7 Get Block Info
  • S7 UserData - CPU Functions
  • S7 Read SZL
  • S7 Notify Indication
  • S7 Alarm-8 Indication
  • S7 Alarm-8 Unlock
  • S7 Alarm Ack
  • S7 Alarm Ack Indication
  • S7 Alarm Lock Indication
  • S7 Alarm Query
  • S7 Message Service
  • S7 Notify-8 Indication
  • S7 Diagnostic Message
  • S7 Alarm-8 Lock
  • S7 Scan Indication
  • S7 Alarm Unlock Indication
  • S7 Alarm-SQ Indication
  • S7 Alarm-S Indication
  • S7 UserData - Time Functions
  • S7 Read Clock
  • S7 Set Clock
  • S7 UserData - Programmer Commands
  • S7 Remove Diagnostic Data
  • S7 Erase
  • S7 Request Diagnostic Data
  • S7 Variable Table
  • S7 Read Diagnostic Data
  • S7 Forces
  • S7 UserData - Other Functions
  • S7 PLC Password
  • S7 PBC BSend/BRecv
  • S7 Request/Response
  • S7 PLC Stop
  • S7 Write
  • S7 Download
  • S7 CPU Services
  • S7 Upload
  • S7 PLC Control
  • S7 Setup Communication
  • S7 Read
  • S7 Other
  • S7 Ack
  • S7 Server Control
  • S7 User Data
  • S7 Comm (legacy)

IEC 60870-5-104 Sub-protocols:

  • IEC 60870-5-104 Process Information in Monitoring Direction
  • IEC 60870-5-104 Measured Value - Short Floating Point Number
  • IEC 60870-5-104 Packed Single-Point Information with Status Change Detection
  • IEC 60870-5-104 Measured Value - Normalized Value without Quality Descriptor
  • IEC 60870-5-104 Single-Point Information with Time Tag
  • IEC 60870-5-104 Measured Value - Short Floating Point Number with Time Tag
  • IEC 60870-5-104 Packed Output Circuit Information of Protection Equipment with Time Tag
  • IEC 60870-5-104 Double-Point Information
  • IEC 60870-5-104 Step Position Information
  • IEC 60870-5-104 Measured Value - Scaled
  • IEC 60870-5-104 Integrated Totals
  • IEC 60870-5-104 Double-Point Information with Time Tag
  • IEC 60870-5-104 Step Position Information with Time Tag
  • IEC 60870-5-104 Bitstring of 32 Bits with Time Tag
  • IEC 60870-5-104 Event of Protection Equipment with Time Tag
  • IEC 60870-5-104 Single-Point Information
  • IEC 60870-5-104 Bitstring of 32 Bit
  • IEC 60870-5-104 Measured Value - Normalized
  • IEC 60870-5-104 Measured Value - Normalized Value with Time Tag
  • IEC 60870-5-104 Measured Value - Scaled Value with Time Tag
  • IEC 60870-5-104 Integrated Totals with Time Tag
  • IEC 60870-5-104 Packed Start Events of Protection Equipment with Time Tag
  • IEC 60870-5-104 System Information in Monitoring Direction
  • IEC 60870-5-104 End of Initialization
  • IEC 60870-5-104 System Information in Control Direction
  • IEC 60870-5-104 Counter Interrogation Command
  • IEC 60870-5-104 Read Command
  • IEC 60870-5-104 Interrogation Command
  • IEC 60870-5-104 Reset Process Command
  • IEC 60870-5-104 Delay Acquisition Command
  • IEC 60870-5-104 Test Command with Time Tag
  • IEC 60870-5-104 File Transfer
  • IEC 60870-5-104 File Ready
  • IEC 60870-5-104 Section Ready
  • IEC 60870-5-104 Directory
  • IEC 60870-5-104 Call Directory, Select File, Call File, Call Section
  • IEC 60870-5-104 ACK File - ACK Section
  • IEC 60870-5-104 Segment
  • IEC 60870-5-104 Query Log - Request Archive File
  • IEC 60870-5-104 Process Information in Control Direction
  • IEC 60870-5-104 Single Command
  • IEC 60870-5-104 Set Point Command - Normalized Value
  • IEC 60870-5-104 Set Point Command - Scaled Value
  • IEC 60870-5-104 Set Point Command - Normalized Value with Time Tag
  • IEC 60870-5-104 Regulating Step Command
  • IEC 60870-5-104 Bitstring of 32 Bits
  • IEC 60870-5-104 Single Command with Time Tag
  • IEC 60870-5-104 Set Point Command - Short Floating Point Number with Time Tag
  • IEC 60870-5-104 Bitstring of 32 Bits with Time Tag
  • IEC 60870-5-104 Double Command
  • IEC 60870-5-104 Set Point Command - Short Floating Point Number
  • IEC 60870-5-104 Double Command with Time Tag
  • IEC 60870-5-104 Regulating Step Command with Time Tag
  • IEC 60870-5-104 Set Point Command - Scaled Value with Time Tag
  • IEC 60870-5-104 Parameter in Control Direction
  • IEC 60870-5-104 Parameter of Measured Value - Normalized Value
  • IEC 60870-5-104 Parameter of Measured Value - Scaled Value
  • IEC 60870-5-104 Parameter of Measured Value - Short Floating Point Number
  • IEC 60870-5-104 Parameter Activation

IEC 61850 Sub-protocols:

  • IEC 61850 Goose
  • IEC 61850 MMS
  • IEC 61850 SMV
  • IEC 61850 General

MODBUS Sub-protocols:

  • MODBUS Data Access
  • MODBUS Read Coils
  • MODBUS Read Discrete Inputs
  • MODBUS Read Holding Registers
  • MODBUS Write Single Register
  • MODBUS Read/Write Multiple Registers
  • MODBUS Write Single Coil
  • MODBUS Write Multiple Coils
  • MODBUS Write Multiple Registers
  • MODBUS Mask Write Register
  • MODBUS Read FIFO Queue
  • MODBUS Read Input Register
  • MODBUS File Access
  • MODBUS Read File Record
  • MODBUS Write File Record
  • MODBUS Diagnostics
  • MODBUS Read Exception Status
  • MODBUS Get Communication Event Log
  • MODBUS Report Server ID
  • MODBUS Diagnostic Check
  • MODBUS Get Communication Event Counter
  • MODBUS Encapsulated Interface Transport
  • MODBUS Read Device Identification
  • MODBUS CAN-Open General Reference
  • MODBUS (legacy)

DNP3 Sub-protocols:

  • DNP3 Control Functions
  • DNP3 Operate
  • DNP3 Select
  • DNP3 Direct Operate
  • DNP3 Direct Operate no ACK
  • DNP3 Time Synchronization
  • DNP3 Delay Measurement
  • DNP3 Record Current Time
  • DNP3 Transfer Functions
  • DNP3 Read
  • DNP3 Write
  • DNP3 Confirm
  • DNP3 Application Control
  • DNP3 Cold Restart
  • DNP3 Initialize Application
  • DNP3 Start Application
  • DNP3 Stop Application
  • DNP3 Warm Restart
  • DNP3 Initialize Data
  • DNP3 Configuration
  • DNP3 Save Configuration
  • DNP3 Enable Spontaneous Messages
  • DNP3 Assign Class
  • DNP3 Disable Spontaneous Messages
  • DNP3 Activate Configuration
  • DNP3 Response Messages
  • DNP3 Unsolicited Response
  • DNP3 Authentication Response
  • DNP3 Response
  • DNP3 Other
  • DNP3 Authentication Request
  • DNP3 Authentication Error
  • DNP3 Freeze Functions
  • DNP3 Freeze and Clear
  • DNP3 Freeze with Time
  • DNP3 Immediate Freeze
  • DNP3 Freeze and Clear no ACK
  • DNP3 Immediate Freeze no ACK
  • DNP3 Freeze with Time no ACK
  • DNP3 File Access
  • DNP3 Open File
  • DNP3 Delete File
  • DNP3 Abort File
  • DNP3 Authenticate File
  • DNP3 Close File
  • DNP3 Get File Info