Automation

TECH FLASH

Account for these 13 firewall limitations to prevent attacks

Attackers use numerous methods to bypass security barriers.

By Shane O'Halloran
May 28, 2013

Industrial control-focused security programs depend on firewalls to minimize the threat of intrusion into operations networks, but security practitioners often fail to account for their limitations. Firewalls are commonly deployed in several layers, but attackers can move through them one layer at a time using an extensive toolbox of methods. An article by Andrew Ginter for the International Society of Automation reviews 13 classes of firewall attacks, along with several mitigating actions available to security professionals.

The first class of firewall attack is phishing. Phishing attacks involve sending emails through a firewall to persuade the recipient to give up passwords or unknowingly download malware. To prevent phishing attacks, security professionals should use unidirectional gateways to keep externally generated emails from reaching firewall-secured industrial networks.

The second class of firewall attack, social engineering, most often manifests as password theft. Attackers can simply search physically for written-down passwords, or talk system administrators into accepting bogus credentials and issuing a new password for an existing account or creating a new account entirely. Unidirectional gateways also prevent many social engineering attacks, since the gateways cannot carry attack traffic back into protected networks. Two-factor authentication also helps, since it requires more than just a password to access networks.

The third method for attacking firewalls covered in Ginter’s paper is to compromise a domain controller or other trusted external asset. In recent years, control systems have relied increasingly on IT domain controllers, domain name servers or enterprise resource planning servers, even though these may not be managed as safety-critical or reliability-critical assets. One compromised controller thereby becomes a single point of failure for every system that trusts it, making the entire network only as strong as its weakest link. To protect industrial networks, security professionals should not allow industrial systems to trust a corporate domain controller.

Zero-day vulnerabilities, the fourth class of firewall attack, allow attackers to exploit never-before-attacked weaknesses in a network or device. Most systems utilize a signature-based network or host intrusion detection system, but these methods are ineffective against novel attacks. According to Ginter, industrial security researchers report finding a dozen or more zero-day vulnerabilities in each industrial network or software device they examine. Anomaly-based detection and prevention can detect some zero-day attacks, but application control and whitelisting systems are more effective preventive tools.

The fifth class of firewall attack is to attack exposed clients. Clients’ industrial software is as vulnerable as an operation’s industrial servers, and compromised servers on business networks can bring intrusions back onto industrial networks. A mistake as simple as downloading a file or pulling a webpage from an infected external server can result in a virus or malware on an industrial network. Ginter recommends not allowing industrial clients to access servers on less-trusted networks, either by changing firewall rules or deploying unidirectional gateways.

Session hijacking represents the sixth class of firewall attack. Attackers can insert their own commands into existing authenticated communications streams either on a segment of a local area network (LAN) or by impersonating a wireless hotspot. Consequently, communications sessions carrying commands should always be encrypted, and network users should be trained not to click through or ignore encryption error messages and warnings. Unidirectional gateways may also be employed to prevent the receipt of commands from less-trusted networks.

The seventh class of firewall attack is piggybacking on VPN connections. Malware on a trusted user’s computer can traverse any VPN connection that terminates on that computer, allowing attackers to launch remote attacks on industrial assets through the VPN. Ginter suggests not allowing VPN connections to pass through the firewall or unidirectional gateway protecting the industrial network.

Firewall vulnerabilities constitute the eighth class of attack in Ginter’s paper. Firewalls, like all software, have defects. Some security defects discovered recently in industrial firewall software have been as basic as hard-coded passwords and security keys. Others are design vulnerabilities—security vulnerabilities that cannot be fixed because of their essential role in carrying out the software’s operation. The most effective mitigation for firewall vulnerabilities is to use hardware-enforced unidirectional gateways instead of software-based firewalls.

Ninth on the list are errors and omissions due to the complexity of modern firewalls. Minor errors can expose equipment to attack, and tracking down the original errors can be difficult. In this case, security professionals can deploy unidirectional gateways with hardware designed to protect industrial networks regardless of the software’s configuration.

Tenth on the list is IP address forgery: some attackers forge IP addresses to persuade a firewall to accept their communications. Forging an IP address is extremely simple, and works best when the attacking computer shares a LAN segment with the computer it impersonates. To thwart IP forgeries, security professionals can use unidirectional gateways to block all access from untrusted networks regardless of IP address.

The eleventh class of firewall vulnerability involves bypassing the network security perimeter. Non-obvious, unprotected paths from business to industrial networks, as well as rogue wireless access points set up by well-meaning insiders, can compromise network security. Physical network perimeters can also extend beyond security perimeters, exposing sections of a network to untrusted connections. Strict network monitoring can help detect new wireless connections and foreign IP addresses.
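As an added illustration of the monitoring just described (and of the forged-address problem in the tenth class), the following Python sketch is not from the article or from Ginter's paper. It flags industrial-range source addresses arriving on the external interface (a forgery indicator) and, on the industrial side, addresses outside the protected range or devices missing from the asset inventory. The network range, inventory and log lines are constructed for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed protected range and asset inventory (hypothetical values).
INDUSTRIAL_NET = ipaddress.ip_network("10.10.0.0/24")
KNOWN_ASSETS = {  # ip -> MAC of every approved device on the industrial LAN
    "10.10.0.5": "00:1a:2b:00:00:05",
    "10.10.0.6": "00:1a:2b:00:00:06",
}

# Constructed log format: "<iface> <src_ip> <src_mac>", one event per line.
# iface "ext" = business-network side of the firewall, "ind" = industrial side.
SAMPLE_LOG = """\
ind 10.10.0.5 00:1a:2b:00:00:05
ext 192.168.1.20 00:50:56:aa:bb:cc
ext 10.10.0.9 00:50:56:dd:ee:ff
ind 10.10.0.77 a4:5e:60:12:34:56
ind 172.16.4.1 b8:27:eb:00:11:22
ind 10.10.0.6 de:ad:be:ef:00:06
"""


def classify(iface: str, src_ip: str, src_mac: str) -> Optional[str]:
    """Return an alert string for a suspicious event, or None if it looks normal."""
    ip = ipaddress.ip_address(src_ip)
    mac = src_mac.lower()
    if iface == "ext" and ip in INDUSTRIAL_NET:
        # Traffic from the business side should never claim an industrial address.
        return f"SPOOF: {src_ip} on external interface"
    if iface == "ind":
        if ip not in INDUSTRIAL_NET:
            return f"FOREIGN_IP: {src_ip} seen on industrial LAN"
        expected = KNOWN_ASSETS.get(src_ip)
        if expected is None:
            return f"UNKNOWN_HOST: {src_ip}/{mac} not in inventory"
        if expected != mac:
            # Same address, different hardware: a swapped or rogue device.
            return f"MAC_MISMATCH: {src_ip} expected {expected} saw {mac}"
    return None


def scan(log_text: str) -> List[str]:
    """Parse the log and return every alert, in log order."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the monitor
        alert = classify(*fields)
        if alert:
            alerts.append(alert)
    return alerts
```

Run `scan(SAMPLE_LOG)` to see the four alerts the constructed log produces; in practice the inventory would be loaded from an asset register and the events from switch, DHCP or firewall logs.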

The twelfth firewall vulnerability on Ginter’s list is physical access. Many firewalls contain administrative ports that allow unauthenticated users to change settings; a firewall with such access may be reset to factory settings or simply replaced with a router. Security professionals should ensure physical security programs are in place to protect the physical integrity of the network perimeter.

The thirteenth and final class of firewall vulnerability is the use of sneakernet. CDs, USB drives or laptops carried past security perimeters can expose networks to malicious attack by disgruntled insiders. Ginter urges training that teaches end-users the dangers of removable media, along with device/media control software to limit the effectiveness of any malware carried on that media.

The ISA-99 series and other industrial security standards offer a great deal of information on how to manage a firewall to keep it secure, but the complexity makes it difficult to keep firewalls secure without expending considerable effort on processes, testing, audits, documentation and other activities.

Ginter says using hardware-based unidirectional gateways is an effective method of ensuring firewall security, but cautions that no one method can allay all firewall security threats. It’s important for most operations to take a layered approach to security while understanding the limitations of each.

KEYWORDS: cybersecurity industrial security networking
