In recent years, Supervisory Controls and Data Acquisition (SCADA), process control and industrial manufacturing systems have increasingly relied on commercial information technologies for both critical and non-critical communications. While beneficial in other areas, use of these common protocols and operating systems has resulted in significantly less isolation from the outside world for vital SCADA and Process Control Networks (PCNs). These systems are now under risk of attack from a variety of threats.
One commonly suggested security solution is to isolate the SCADA and PCN systems from the Internet and corporate enterprise network (EN) through the use of firewalls, which can be complex devices to design and deploy correctly.
This Centre for the Protection of National Infrastructure (CPNI) Good Practice document addresses the need for guidance in creating such firewalls. There are a significant number of different solutions used by the industry and the security effectiveness of these can vary widely. In general, architectures that allow the establishment of a Demilitarized Zone (DMZ) between the enterprise network and SCADA/PCN network will provide the most effective security solution.
Full Firewall document (PDF)