Industrial Internet Security Framework v 1.0 | Page 89
Security Framework
9: Protecting Communications and Connectivity
Gateways with filters control the flow of information passing between network segments.
Message filters control the flow of messages at some layer of a protocol stack, while application
gateways tend to control information flows more abstractly. Firewalls are examples of
bidirectional message-filtering gateways embodying many security features.
Examples of important IIoT filtering technologies include:
Air gaps are network segments with no online connection, wired or wireless, to any external network. Air gaps are the strongest form of filtering, but provide none of the connectivity benefits.

Layer 2 filters separate physical network signaling systems, but forward Open Systems Interconnection (OSI) Layer 2 network frames. Managed switches and bridging firewalls are examples of technologies that filter messages based on Ethernet Media Access Control (MAC) addresses or other device-level addressing. Virtual Local Area Network (VLAN) switches are used for traffic management, but they are not security devices, so they are not recommended as perimeter protection mechanisms between network segments at different trust levels.

Layer 3/4 filtering: The most commonly used IIoT message filters are firewalls able to filter messages based on network addresses, port numbers and connection state. Such filtering technologies are known as packet filters and stateful inspection.

Application and middleware layer content filtering: Some firewalls and other message filters understand specific communications protocols and are able to filter messages based on application content. For example, an application layer filter might permit device register read requests but block write requests. Other filters might permit messages from a particular user but not from other users. This is called deep packet inspection.

Message rewriting: Some message filters modify messages as they pass through the filter. For example, network address translation (NAT) filters change IP addresses and port numbers, and virtual private network (VPN) servers encrypt and decrypt message streams. VPNs are often deployed in IIoT systems to help protect interactive remote access mechanisms, and to encapsulate and protect plain-text device communications protocols as they pass across wide area networks (WANs).

Proxies are application-layer message filters with message-rewriting capabilities. Typically, proxies maintain at least two similar transport-level connections: one to a device on a protected network and one to a device on an external network. Proxies may answer queries or serve other protocol requests out of their own caches and data storage, or they may forward requests to external data repositories.

Server replication: Server replication maintains a real-time copy of part or all of a protected industrial server on a less-trusted network segment, most commonly at IT/OT network perimeters. For example, a plant historian server may be replicated through an IT/OT firewall. The replication mechanism can act as a filter by replicating only a subset of historical data points out to the corporate network.

Virtual networks: Virtual networks may implement message filters in hypervisors or virtual firewall hosts.
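The "permit register reads, block writes" application-layer rule described above, worked through as an added example (not code from the IISF): a deep packet inspection decision function for Modbus/TCP. Modbus/TCP as the protocol and the source-address allowlist that stands in for "a particular user" are assumptions, and every frame is constructed sample data.

```python
"""Added example: application-layer (deep packet inspection) filter policy for
Modbus/TCP that permits register read requests and blocks write requests.
Modbus/TCP is assumed; the framework text names no specific protocol."""
import struct

# Public Modbus function codes (from the Modbus application protocol specification).
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write coils / registers, mask write, read-write multiple


def parse_modbus_tcp(frame: bytes):
    """Parse the 7-byte MBAP header plus function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:  # length counts unit id + PDU, i.e. everything after byte 6
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7], frame[8:]


def filter_decision(frame: bytes, src_ip: str, write_sources=frozenset()):
    """Return ('PERMIT' | 'BLOCK', reason). Writes pass only from write_sources, an assumed
    allowlist of engineering-station addresses; anything unparsable is blocked (fail closed)."""
    try:
        _tid, unit, fc, _data = parse_modbus_tcp(frame)
    except ValueError as err:
        return "BLOCK", f"malformed frame: {err}"
    if fc in READ_FUNCTIONS:
        return "PERMIT", f"read request fc={fc} unit={unit}"
    if fc in WRITE_FUNCTIONS:
        if src_ip in write_sources:
            return "PERMIT", f"write fc={fc} unit={unit} from allowlisted {src_ip}"
        return "BLOCK", f"write request fc={fc} unit={unit} from {src_ip}"
    return "BLOCK", f"function code {fc} not in policy"


# Constructed sample frames: MBAP (tid, proto=0, length, unit) followed by the PDU.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000a")  # fc 3: read 10 regs at 0
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "00001234")  # fc 6: write reg 0 = 0x1234
TRUNCATED = bytes.fromhex("00030000000601")                        # header only, no function code

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_SINGLE), ("truncated", TRUNCATED)]:
        print(name, filter_decision(frame, "10.0.0.50", frozenset({"10.0.0.10"})))
```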
IIC:PUB:G4:V1.0:PB:20160926