Purpose: In order to leverage automation control data, Industry 4.0 manufacturing systems require industrial devices to be connected to the network. Potentially, this can increase the risk of cyberattacks, which can compromise connected industrial devices to acquire production data or gain control over the production process. Search engines such as Sentient Hyper-Optimized Data Access Network (SHODAN) can be misused by attackers to acquire network information that can later be used for intrusion. To prevent this, cybersecurity standards propose network architectures divided into several network segments based on system functionalities. In this architecture, Firewalls limit the exposure of industrial control devices in order to minimize security risks. This paper presents a novel Software Defined Networking (SDN) Firewall that automatically applies this standard architecture without compromising network flexibility.

Design/methodology/approach: The proposed SDN Firewall changes filtering rules in order to implement the different network segments according to application-level access control policies. The Firewall applies two filtering techniques described in this paper: temporal filtering and spatial filtering, so that only applications in a white list can connect to industrial control devices. Network administrators need only configure these application-oriented white lists to comply with security standards for ICS. This greatly simplifies network management tasks. The authors have developed a prototype implementation based on the OPC UA Standard and conducted security tests in order to test the viability of the proposal.

Findings: Network segmentation and segregation are effective counter-measures against network scanning attacks. The proposed SDN Firewall effectively configures a flat network into virtual LAN segments according to security standard guidelines.

Research limitations/implications: The prototype implementation still needs to implement several features to exploit the full potential of the proposal. Next steps for development are discussed in a separate section.

Practical implications: The proposed SDN Firewall has similar security features to commercially available application Firewalls, but SDN Firewalls offer additional security features. First, SDN technology provides improved performance, since SDN low-level processing functions are much more efficient. Second, with SDN, security functions are rooted in the network instead of being centralized in particular network elements. Finally, SDN provides a more flexible and dynamic, zero-configuration framework for secure manufacturing systems by automating the rollout of security standard-based network architectures.

Social implications: SDN Firewalls can facilitate the deployment of secure Industry 4.0 manufacturing systems, since they provide ICS networks with many of the needed security capabilities without compromising flexibility.

Originality/value: The paper proposes a novel SDN Firewall specifically designed to secure ICS networks. A prototype implementation of the proposed SDN Firewall has been tested in laboratory conditions. The prototype implementation complements the security features of the OPC UA communication standard to provide a holistic security framework for ICS networks.
CITATION STYLE
Tsuchiya, A., Fraile, F., Koshijima, I., Órtiz, A., & Poler, R. (2018). Software defined networking firewall for industry 4.0 manufacturing systems. Journal of Industrial Engineering and Management, 11(2), 318–333. https://doi.org/10.3926/jiem.2534