Rockwell's FactoryTalk services (Platform, Networking Manager, View Software, Policy Manager, System Services) as a product group achieve device authentication, data integrity and data confidentiality by means of certification, cryptographic protocols, HMAC and data encryption. For those of you who are in the space already, or have working experience with Industrial Network devices, what scenario / use-case would require a Cell / Area based Industrial Firewall (Cisco in this case), given (from my understanding) that the Firewalls are stateless and act as a whitelist / ACL filter in essence, which similarly Rockwell's FactoryTalk architecture is able to deliver? Defense in depth is always a consideration, with overlapping security layers; I am curious to hear of real-world use cases.
My question is: if a top-level Firewall / Security Appliance (Rockwell in this scenario) has the ability to encrypt data and provide traditional Certificate verification, segmentation, ACLs etc., what purpose is a Firewall at Levels 0-2 of the Purdue / Converged Ethernet models, which by design is downstream of the Level 3 Firewall?
My thoughts:
- Supplicant / endpoint / cell requires additional routing to an SSL / TLS proxy for Cloud based communications?
- Additional micro-segmentation, off-loading / dropping packets at the cell border, rather than traffic hitting a distribution switch, network manager and identity services?
- Where a Cell / Zone is larger, with its own Network Services internal to the Cell?
Thanks in advance.
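To make the micro-segmentation point in the post concrete, here is an added example (not from the post, nor Rockwell or Cisco code) that models which firewalls a flow actually crosses in a constructed Purdue layout and how a stateless cell/area allow-list evaluates it. The zone names and addresses are assumptions; the EtherNet/IP and CIP port numbers are the real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical addressing): two cell/area zones at
# Purdue Levels 0-2, each behind its own cell firewall, and a Level 3 site
# network holding the FactoryTalk servers behind the Level 3 firewall.
ZONES = {
    "cell_a": ip_network("10.10.1.0/24"),
    "cell_b": ip_network("10.10.2.0/24"),
    "level3": ip_network("10.30.0.0/16"),
}
CELLS = ("cell_a", "cell_b")

# Stateless allow-list per cell firewall: (cell, peer zone, proto, service port).
# EtherNet/IP explicit messaging is TCP/44818; CIP implicit I/O is UDP/2222 and
# stays inside the cell, so no rule ever exposes it to another zone.
CELL_ACL = {
    ("cell_a", "level3", "tcp", 44818),
    ("cell_b", "level3", "tcp", 44818),
}

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "unknown")

def enforcement_points(src, dst):
    """Firewalls a flow traverses. Only flows entering or leaving Level 3 reach
    the Level 3 firewall; cell-to-cell (east-west) traffic between Level 0-2
    zones is seen by the cell firewalls alone, however strong the upstream
    appliance is."""
    zs, zd = zone_of(src), zone_of(dst)
    points = [f"fw:{z}" for z in (zs, zd) if z in CELLS]
    if "level3" in (zs, zd):
        points.append("fw:level3")
    return points

def cell_acl_permits(src, sport, dst, dport, proto):
    """Evaluate the allow-list at every cell firewall on the path. A stateless
    filter cannot track sessions, so each rule is matched symmetrically: the
    service port may be the destination (request) or the source (reply).
    Anything unlisted is dropped at the cell border. A flow touching no cell
    has no cell firewall to evaluate and is returned as permitted here."""
    zs, zd = zone_of(src), zone_of(dst)
    for cell in (z for z in (zs, zd) if z in CELLS):
        peer = zd if cell == zs else zs
        if not any((cell, peer, proto, p) in CELL_ACL for p in (sport, dport)):
            return False
    return True
```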