How to Select, Set Up, and Configure the Right ICS/OT Firewall

Introduction
As industrial systems become increasingly connected, the risk of cyberattacks targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments has surged. Traditional IT firewalls are not always suitable for the unique communication protocols and availability requirements of ICS/OT networks.
This is where specialized ICS firewalls come into play. But how do you select, set up, and configure an ICS firewall to protect your critical assets without disrupting operations?
With 30+ years in industrial automation and OT cybersecurity, I’ve implemented firewall strategies across various sectors—from oil & gas refineries to pharmaceutical plants. This guide will help you:
- Understand ICS firewall requirements
- Choose the right firewall for your OT environment
- Set up and configure rules and zones properly
- Avoid common mistakes in ICS/OT segmentation
🔐 What Is an ICS/OT Firewall?
An ICS firewall is a security device designed specifically for industrial control systems, providing protocol-aware traffic filtering while maintaining system availability and deterministic communication.
Unlike IT firewalls, ICS firewalls:
- Recognize OT protocols (Modbus, DNP3, PROFINET, EtherNet/IP)
- Operate in low-latency environments
- Protect Level 1 and Level 2 devices (PLC, RTU, HMI)
- Provide deep packet inspection (DPI) for industrial traffic
- Often support layered or zone-based defense per the Purdue Model
🛠️ Step 1: How to Select the Right ICS Firewall
Before choosing a firewall, consider these criteria:
✅ 1. Protocol Awareness
Your firewall must support OT-specific protocols, such as:
- Modbus TCP/RTU
- EtherNet/IP
- DNP3
- PROFINET
- OPC UA
- MQTT (for IIoT)
🧠 Firewalls that can’t inspect industrial protocol packets are blind to malicious or malformed control commands.
✅ 2. Deployment Flexibility
Decide where in your ICS network you need protection:
- Between Level 2 (control network) and Level 3 (operations)
- Between PLCs (Level 1) and SCADA/HMI systems (Level 2)
- At the IT/OT boundary (Level 3/4 transition)
Look for firewalls that support:
- Transparent/bridge mode
- Routed mode
- Tap/passive monitoring mode
✅ 3. Real-Time Performance
ICS applications can’t tolerate high latency. Choose a firewall with:
- Low packet processing delay (<1ms)
- High throughput with small packet sizes
- No jitter introduction in control loops
✅ 4. Redundancy & Fail-Safe Modes
Firewalls should fail open or switch to bypass mode during power loss or failure to avoid unplanned plant shutdowns.
✅ 5. Certification & Compliance
Look for:
- IEC 62443-4-2 compliance
- NERC CIP readiness (for utilities)
- Vendor support for GAMP, FDA (for pharma)
🔍 Recommended ICS Firewall Vendors:
| Vendor | Product | Key Features |
|---|---|---|
| Fortinet | FortiGate Rugged Series | DPI for Modbus, DNP3, SCADA protocols |
| Palo Alto | PA-220R Industrial Firewall | App-ID for OT, user-ID, zone policies |
| Cisco | Secure Firewall for OT | Works with Cyber Vision for DPI |
| TXOne Networks | EdgeIPS/EdgeFire | Designed for Level 1/2 control layer |
| Hirschmann/Belden | Tofino Xenon | Protocol DPI modules, plug-and-protect |
⚙️ Step 2: Setting Up Your ICS Firewall
Once selected, follow these best practices:
✅ 1. Follow the Purdue Model
Segment your OT network into zones and conduits:
| Purdue Level | Zone | Firewall Placement |
|---|---|---|
| Level 4 (IT) | Enterprise Network | IT/OT DMZ |
| Level 3 | Site Operations | Firewall to protect OT network |
| Level 2 | Supervisory Control (HMI, SCADA) | Segment HMI/SCADA from control layer |
| Level 1 | Control (PLC, RTU, IED) | Isolate PLCs into device-level zones |
🔐 Segmenting networks limits lateral movement during cyberattacks.
✅ 2. Create a Zone-Based Firewall Policy
Each zone should have:
- Clear asset inventory
- Allowed communication paths only (no “any-any” rules)
- Separate rules for read vs. write access
- Monitored and logged activities
🧰 Step 3: Configuring Firewall Rules and Protocol Filters
✅ Essential Configuration Tips:
- Whitelist-Only Rules
  - Allow only known source/destination IPs
  - Define specific ports and OT protocols (e.g., allow Modbus TCP port 502)
- Use DPI for Industrial Protocols
  - Block specific Modbus functions (e.g., function code 43 for device identification)
  - Detect and block malformed DNP3 packets
- Alert on Anomalies
  - Unexpected write commands to PLCs
  - Access to configuration registers outside maintenance windows
- Time-Based Access Rules
  - Allow programming software (e.g., TIA Portal, RSLogix) only during scheduled maintenance
- Log and Monitor All Events
  - Integrate with SIEM or OT monitoring (e.g., Nozomi Networks, Claroty)
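As an added illustration (not code from this article or from any vendor it names), the Python below models the zone-based policy from Step 2 together with the whitelist, DPI, anomaly-alert and time-window rules from Step 3 as a single Modbus TCP policy check over the MBAP header and function code. The host addresses, the HMI/engineering-workstation roles and the maintenance window are constructed assumptions.

```python
import struct
from datetime import datetime, time

# Public Modbus function codes (from the Modbus application protocol spec)
READ_FCS = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 23}   # write single/multiple coils and registers
FC_DEVICE_ID = 43                # encapsulated interface transport (device identification)

# Constructed zone/conduit policy with hypothetical addresses: one entry per allowed
# client -> server pair, no "any-any". Writes are only ever accepted from hosts
# flagged as engineering, and only inside the maintenance window.
POLICY = {
    ("10.2.0.10", "10.1.0.5"): {"read": True, "engineering": False},  # HMI -> PLC
    ("10.3.0.20", "10.1.0.5"): {"read": True, "engineering": True},   # EWS -> PLC
}
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))  # constructed: 02:00-04:00 local time

def parse_modbus_tcp(adu: bytes):
    """Return (unit_id, function_code) from a Modbus TCP ADU, or None if malformed."""
    if len(adu) < 8:
        return None
    _txn, proto, length, unit = struct.unpack("!HHHB", adu[:7])
    # Protocol id must be 0 and the MBAP length must equal the byte count after it
    if proto != 0 or length != len(adu) - 6:
        return None
    return unit, adu[7]

def evaluate(src: str, dst: str, adu: bytes, now: datetime):
    """Return (verdict, reason) for one Modbus TCP request crossing a conduit."""
    rule = POLICY.get((src, dst))
    if rule is None:
        return "DROP", "no conduit rule for this source/destination pair"
    parsed = parse_modbus_tcp(adu)
    if parsed is None:
        return "DROP", "malformed Modbus TCP frame"
    _unit, fc = parsed
    if fc == FC_DEVICE_ID:
        return "DROP", "device identification (FC 43) blocked by DPI rule"
    if fc in READ_FCS and rule["read"]:
        return "ALLOW", f"read (FC {fc})"
    if fc in WRITE_FCS:
        if rule["engineering"] and MAINTENANCE_WINDOW[0] <= now.time() < MAINTENANCE_WINDOW[1]:
            return "ALLOW", f"write (FC {fc}) during maintenance window"
        return "ALERT", f"unexpected write (FC {fc}) from {src} at {now:%H:%M}; dropped"
    return "DROP", f"function code {fc} not permitted on this conduit"

# Constructed sample frames and timestamps for exercising the policy
READ_REQ = bytes.fromhex("000100000006" "0103" "00000002")   # FC 3, unit 1, 2 registers
WRITE_REQ = bytes.fromhex("000200000006" "0106" "000100ff")  # FC 6, unit 1, reg 1 := 255
IN_WINDOW, OFF_HOURS = datetime(2024, 1, 1, 3, 0), datetime(2024, 1, 1, 10, 0)
```

The "ALERT" verdict is the hook for the SIEM/OT-monitoring integration above: the same write that is permitted from the engineering workstation during the window is dropped and flagged when it comes from the HMI or arrives outside the window.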
🚫 Common Mistakes to Avoid
| Mistake | Why It’s Risky | Better Practice |
|---|---|---|
| Using IT firewalls for OT zones | Misses OT-specific threats | Use protocol-aware ICS firewalls |
| Flat network architecture | No segmentation = high breach risk | Use zone/conduit model per IEC 62443 |
| Allowing “Any-Any” firewall rules | Creates wide-open backdoors | Only allow specific, justified connections |
| Ignoring maintenance mode configuration | Opens the door for accidental access | Set temporary, auto-expiring policies |
🧪 Real-World Example: OT Firewall in a Chemical Plant
Scenario: A chemical manufacturing plant had its PLC network exposed directly to the corporate IT environment, leading to a ransomware breach attempt.
Solution:
- Deployed FortiGate Rugged firewalls between Level 3 (engineering workstations) and Level 2 (PLC network).
- Configured DPI rules to allow only necessary Modbus read commands.
- Created maintenance-only policies with timed access for programming software.
Result:
- Eliminated unnecessary exposure
- Improved NIST and IEC 62443 compliance
- Enhanced visibility and control without affecting uptime
📋 Interactive Checklist: Is Your ICS Firewall Strategy Ready?
✅ Have you segmented OT networks using zones and conduits?
✅ Are you using DPI-capable firewalls for OT protocols?
✅ Are all PLC communications locked to specific IPs and ports?
✅ Do you log and monitor all firewall events centrally?
✅ Is there a documented firewall policy reviewed quarterly?
Score:
- 5/5: Excellent—Your ICS network is well-defended.
- 3–4: Room to improve—review configurations and policies.
- 0–2: Critical gaps—start planning your ICS firewall deployment now.
✅ Conclusion
Protecting industrial systems from cyber threats is not a luxury—it’s a necessity. ICS firewalls are your first line of defense in a layered OT cybersecurity architecture. The key is not just selecting the right firewall, but setting it up intelligently—based on industrial protocols, deterministic communication patterns, and access needs.
A well-configured ICS firewall ensures that you secure without disrupting operations, preserving safety, compliance, and uptime.
🔑 Key Takeaways:
- Use OT-protocol-aware firewalls designed for ICS traffic.
- Follow the Purdue Model to segment and protect each layer.
- Configure DPI, whitelist policies, and time-based rules to reduce risk.
- Avoid IT firewall shortcuts—they miss critical OT risks.
