Overview

Floodgate Firewall is a complete embedded firewall providing a critical layer of security for networked devices. Floodgate Modbus Packet Filtering extends the Floodgate Firewall, adding protection for devices using Modbus/TCP.  Its unique design provides built-in filtering to protect the devices. This solution:

  • Blocks packets based on configurable rules
  • Controls who can send Modbus/TCP messages to the device, and what commands can be sent
  • Allows control and validation of individual fields within the message, and filtering of messages based on message type, content, and message source
  • Maintains interoperability with Modbus/TCP protocol standards

Floodgate Modbus/TCP Packet Filter

Cyber Threats for Industrial Control Devices

Internet-based attacks are on the rise and an increasing number of these attacks are targeting industrial devices. Modbus/TCP devices are notoriously easy targets as the protocol has no encryption, access control or other security features.

Floodgate Modbus Protocol Filtering adds a layer of protection for Modbus/TCP devices to control who can communicate with the device, what communication is allowed, and to protect against malicious commands.

Floodgate Modbus Filtering Provides:

  • Protection for Modbus/TCP systems with direct or indirect connection to the Internet
  • Protection from malware or attacks that originate within or outside the facility
  • Notification of malicious or suspicious Modbus/TCP traffic, allowing early detection of attacks

Features

  • Easily configurable filtering rules
  • Active (block and report) or Passive (report only) modes
  • Filter packets based on source address, function code, and packet contents
  • Logging of blocked packets/policy violations
  • Small footprint and efficient design for embedded systems
  • Portable source code for use with any embedded RTOS and embedded Linux
  • Whitelist or blacklist filtering modes


Configurable Filtering Policies

Floodgate Modbus Filter uses configurable rules to control the filtering engine.  The rules provide complete control over the type of filtering performed and the specific criteria used to filter packets.  Rules can be configured for:

  • IP address filtering, to allow or block all Modbus commands from the configured IP addresses
  • Modbus function code filtering, to allow or block all commands based upon the Modbus function code
  • IP address and Modbus function code, to control what Modbus commands are allowed from a specific IP address
  • Control blacklist and whitelist filtering modes
  • Enable DPI filtering rules to validate message contents
  • Enable active or passive modes

Floodgate Modbus Filter is integrated with Floodgate Agent, allowing configuration to be performed remotely by the Floodgate Manager or other security management system.
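The rule types listed above can be illustrated with a small filter, given here as an added example; it is not Icon Labs code and does not reflect Floodgate's actual rule format or API. The struct and function names, the use of 0 as a wildcard, and the sample addresses and frames are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum mode    { WHITELIST, BLACKLIST };
enum verdict { V_ALLOW, V_BLOCK, V_REPORT };  /* V_REPORT: passive mode, logged but forwarded */
struct rule   { uint32_t src_ip; uint8_t func; };  /* 0 = wildcard (assumed convention) */
struct policy { enum mode mode; int active; const struct rule *rules; size_t n; };

/* Validate the 7-byte MBAP header; return the function code, or -1 if malformed. */
static int modbus_func(const uint8_t *p, size_t len) {
    if (len < 8) return -1;                          /* MBAP header + function code */
    unsigned proto = (unsigned)p[2] << 8 | p[3];     /* protocol id, 0 for Modbus */
    unsigned mlen  = (unsigned)p[4] << 8 | p[5];     /* bytes following the length field */
    if (proto != 0 || mlen < 2 || mlen > 254) return -1;
    if (mlen + 6 != len) return -1;                  /* declared vs. actual length */
    return p[7];
}

enum verdict modbus_filter(const struct policy *pol, uint32_t src,
                           const uint8_t *pkt, size_t len) {
    int func = modbus_func(pkt, len), hit = 0, violation = 1;  /* malformed = violation */
    if (func >= 0) {
        for (size_t i = 0; i < pol->n && !hit; i++)
            hit = (!pol->rules[i].src_ip || pol->rules[i].src_ip == src) &&
                  (!pol->rules[i].func   || pol->rules[i].func == func);
        violation = (pol->mode == WHITELIST) ? !hit : hit;
    }
    if (!violation) return V_ALLOW;
    return pol->active ? V_BLOCK : V_REPORT;         /* active blocks, passive only reports */
}

/* Constructed sample data: an HMI at 192.168.1.10 may send anything; others may only read. */
#define HMI   0xC0A8010Au
#define OTHER 0xC0A80163u
static const struct rule RULES[] = { { HMI, 0 }, { 0, 0x03 } };
static const struct policy ACTIVE  = { WHITELIST, 1, RULES, 2 };
static const struct policy PASSIVE = { WHITELIST, 0, RULES, 2 };
static const uint8_t READ_REGS[] = { 0,1, 0,0, 0,6, 1, 0x03, 0,0, 0,10 };   /* FC 0x03 */
static const uint8_t WRITE_REG[] = { 0,2, 0,0, 0,6, 1, 0x06, 0,1, 0,0xFF }; /* FC 0x06 */

int main(void) {
    printf("%d %d %d %d\n", modbus_filter(&ACTIVE, HMI, WRITE_REG, sizeof WRITE_REG),
           modbus_filter(&ACTIVE, OTHER, READ_REGS, sizeof READ_REGS),
           modbus_filter(&ACTIVE, OTHER, WRITE_REG, sizeof WRITE_REG),
           modbus_filter(&PASSIVE, OTHER, WRITE_REG, sizeof WRITE_REG));
    return 0;
}
```

Frames whose declared MBAP length disagrees with the bytes actually received are treated as violations before any rule is consulted, so a truncated or padded request cannot match a whitelist entry.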

EDSA Compliance Support

Floodgate Modbus filtering provides an important building block for achieving EDSA compliance for embedded devices.  Floodgate Firewall provides support for the following capabilities mandated by EDSA-311:

  • Protocol fuzzing and replay attack protection
  • Denial of service protection
  • Notification of attacks
  • Audit support

Logging and Alerting

Floodgate Modbus Filter maintains a log of security events and policy violations.  Changes to firewall policies are also recorded in the logs enabling support for command audit requirements. 

Event logs can be used for forensic investigation to determine the source of an attack. 

Management System Integration

The Floodgate Modbus Filter is integrated with the Floodgate Agent, enabling remote management from the McAfee ePO, Icon Labs Floodgate Management system or other Security Information and Event Management (SIEM) systems. This integration provides:

  • Centralized management of security policies
  • Situational Awareness and device status monitoring
  • Event management and log file analysis

Intrusion Detection and Prevention

Hackers attempting to penetrate an embedded device using remote attacks will probe the device for open ports and weaknesses. Modbus/TCP protocol filtering limits the attack surface potential hackers can exploit. Logging packets that violate configured filtering rules enables detection of unusual traffic patterns, traffic from unknown IP addresses, or other suspicious behavior.

Most cyberattacks remain undetected until it is too late.  Early detection is critical to contain attacks, block and prevent theft of confidential information, prevent disruption of services, and stop proliferation of the attack to other systems.