Securing EtherNet/IP Control Systems Using Deep Packet Inspection Firewall Technology

Technical Abstract

Next Generation Firewalls with Deep Packet Inspection (DPI) capabilities are now mainstream products for IT protocols. Unfortunately, designers and operators of industrial control systems (ICS) have not had access to these advanced technologies to protect their critical communications that involve protocols such as EtherNet/IP™. This is a serious problem. Mission-critical control systems need DPI technology even more than IT systems do. This paper discusses the creation of a DPI firewall for EtherNet/IP and Common Industrial Protocol (CIP™), and the lessons learned in the process. It explores why DPI is needed for control security, what is available today, and the challenges going forward. It also examines the technical issues in creating a usable EtherNet/IP DPI firewall and the solutions that are emerging. The paper closes with a case history of the use of an EtherNet/IP DPI firewall.

Paper and presentation from the 2014 ODVA Industry Conference & 16th Annual Meeting

Eric Byres, Chief Technology Officer

Erik Schweigert, Lead Embedded Systems Developer

Michael Thomas, Lead Systems Developer

Tofino Security, a Belden Brand