Deep Packet Inspection (DPI) is important for the future of SCADA / ICS security – and in this article I explain why.
DPI SCADA Security: Reviewing the Basics
In Part 1 of this series I explained DPI technology in detail. To review, the traditional IT firewall examines the TCP/IP and Ethernet headers in the network messages it sees. It then makes decisions whether to allow or block a message based on this limited information.
DPI technology allows the firewall to dig deep into the SCADA protocols that sit on top of TCP/IP and Ethernet. The firewall then determines exactly what the SCADA protocol is being used for and makes better decisions on what should be allowed or blocked.
The example I gave in the last article was the seaway management company that used Tofino Modbus DPI firewalls[1] to protect the PLCs running its canal locks and bridges. By blocking all Modbus write messages (and programming messages), and allowing Modbus data read messages, the company could improve the safety of the canal system for both the ships in the canals and the public using the draw bridges at the locks.
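The read-only policy described above can be sketched as a small Modbus/TCP inspector. This is an added example, not code from the article or from the Tofino product; the function names `inspect` and `build`, the allowlist of function codes 1 to 4, and the sample frames are assumptions made for illustration.

```python
import struct

# Modbus function codes that only read data (Modbus Application Protocol spec).
READ_ONLY = {1: "Read Coils", 2: "Read Discrete Inputs",
             3: "Read Holding Registers", 4: "Read Input Registers"}
MAX_QTY = {1: 2000, 2: 2000, 3: 125, 4: 125}  # per-request quantity limits

def inspect(frame: bytes):
    """Return (allow, reason) for one Modbus/TCP request taken from a TCP payload."""
    if len(frame) < 8:                      # 7-byte MBAP header + function code
        return False, "truncated frame"
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                          # Modbus always uses protocol id 0
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:            # length counts unit id + PDU
        return False, "MBAP length does not match payload"
    func = frame[7]
    if func not in READ_ONLY:               # default deny: writes, programming, unknown
        return False, f"function code {func} is not a read"
    if len(frame) != 12:                    # a read request is address + quantity only
        return False, "malformed read request"
    addr, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= MAX_QTY[func]:
        return False, "quantity out of range"
    return True, READ_ONLY[func]

def build(func: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Construct a sample request frame (hypothetical helper for test input)."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, func) + data

if __name__ == "__main__":
    samples = {  # constructed frames, not captured traffic
        "read 10 holding registers": build(3, struct.pack(">HH", 0, 10)),
        "write single register": build(6, struct.pack(">HH", 0, 1234)),
        "write multiple coils": build(15, struct.pack(">HHBB", 0, 8, 1, 0xFF)),
        "read with bad length": build(3, struct.pack(">HH", 0, 10)) + b"\x00",
    }
    for name, frame in samples.items():
        print(name, "->", inspect(frame))
```

A port-based rule would pass all four sample frames because they share the same TCP port; only inspecting the function code and MBAP fields separates the read from the writes and the malformed request.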
