Performance Impact of Commercial Industrial Firewalls on Networked Control Systems

The connection of control and process networks to company infrastructures and the Internet, besides offering undeniable advantages, also imposes the adoption of adequate security countermeasures. Specialized firewalls, able to recognize and inspect traffic concerning peculiar communication protocols such as Modbus, which are commonly adopted in industrial applications, are beginning to spread on the market. However, several industrial control systems (ICSs) must satisfy critical performance and timing requirements and the impact of introducing such a kind of devices in an existing network should be evaluated carefully. In this paper we present a simple approach based on ordinary equipment and open source software, which can help system designers and managers to get approximate but useful information about effects produced by including an industrial firewall in their system. The proposed technique, though quite simple, has the advantage of circumventing the need of ad-hoc measurement instrumentation and can be used also by non-experts, virtually with little or no effort, to get rough guess indications about the extent the firewall insertion in the network can be tolerated.