The use of firewall products from multiple vendors in operational technology (OT) networks has sparked significant debate in the critical infrastructure cybersecurity community. Proponents argue that multi-vendor firewalls reduce the impact of the increasingly common zero-day exploits against perimeter devices: different vendors' products are affected by different vulnerabilities at different times, and their detection techniques and rulesets differ, so a second product widens coverage. Critics contend that the strategy is unwieldy for less mature organizations with limited resources, given the complexity of managing disparate administration tools, logging systems, and ruleset configurations. Dragos offers a nuanced perspective on this matter, which we explore below.
The Case for Multi-Vendor Firewalls
Recent investigations by Dragos’s Incident Response team highlight the risk of relying on a single firewall vendor across all OT facilities. Over the past quarter, several OT environments suffered widespread compromises through vulnerable or end-of-life firewall products from a single vendor. While updates to enterprise perimeter infrastructure are typically prioritized, patching OT perimeter devices is often delayed, sometimes for months or even years. This discrepancy leaves OT environments exposed to emerging threats and underscores the need for proactive updates.
The security of perimeter devices is a key concern in the OT threat landscape. While phishing remains a top attack vector in enterprise networks, many OT incidents involve the compromise of perimeter devices such as firewalls and VPN concentrators. Adversaries, including initial access brokers and state actors, frequently exploit newly discovered vulnerabilities, using automated scans to rapidly identify and attack unpatched systems across the internet.
Once a perimeter device is breached, attackers often take advantage of the relative lack of defenses and detection within OT network segments to move laterally with little resistance, conduct reconnaissance, and execute attacks. This makes the security of perimeter devices pivotal for protecting OT networks that are exposed to enterprise systems, the internet, or third-party remote access points.
Challenges and Caveats to Multi-Vendor Firewalls in OT
The use of firewalls from multiple vendors can serve as an additional layer of defense against the exploitation of perimeter devices. By employing products with different code bases and rule sets, organizations can reduce the risk of a single exploit compromising their entire network. However, several important considerations must be addressed to ensure this strategy’s effectiveness:
- Firewall Placement: To maximize effectiveness, both vendors’ firewalls should defend each perimeter ingress point into the OT network. Placing one vendor’s firewall at the demilitarized zone (DMZ) and the other at lower levels of the Purdue model may be insufficient, as many significant attacks originate from compromised, trusted devices at Level 3, the site operations network between the DMZ and the control levels. A more robust approach deploys both firewalls in-line at the network perimeter, including at remote access points, which bypass the Purdue model’s goal of a single DMZ as the only entry into OT.
- Management Complexity: Managing firewalls from multiple vendors can significantly strain less mature or less resourced organizations. Each vendor requires its own management interface, administrator training, and logging methods. Without adequate resources, organizations may misconfigure or neglect one or both products, leaving them worse off than with a single well-managed product. In such cases, using a single firewall vendor effectively and ensuring timely updates may be the better option.
- Operational Prioritization: Deploying multi-vendor firewalls should not come at the expense of any foundational or critical cybersecurity initiatives.
Balancing Benefits and Challenges
Dragos recommends that more mature and well-resourced organizations consider multi-vendor firewalls as a valid component of a defense-in-depth strategy, with several significant caveats:
- Timely Updates and Maintenance: Organizations must have the capability and resources to keep all OT firewalls updated and maintained to the same standard as enterprise firewalls. Lack of maintenance for key OT perimeter devices in critical infrastructure is a systemic issue that regulatory and governing bodies should address first.
- Proper Tuning and Monitoring: Effective use of multiple firewalls requires robust tools, training, and human resources to tune, log, and monitor each product.
- Strategic Deployment: Firewalls from multiple vendors should be strategically placed to defend ingress points to the OT network, including the DMZ and/or any remote access points that bypass the Purdue model.
- Resource Allocation: The adoption of multi-vendor firewalls should not detract from other essential cybersecurity programs or initiatives, such as incident response, monitoring, secure architecture design, or vulnerability management.
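The placement and maintenance caveats above (both vendors in-line at every ingress point, and OT devices held to the enterprise patch standard) are the kind of thing that is easy to state and easy to lose track of across many sites. The following script is an added illustration, not Dragos tooling or anything from the original article: it audits a constructed inventory of OT ingress paths and flags paths with no firewall or only one vendor in-line, devices past their vendor end-of-life date, and devices running firmware older than what the enterprise team has already approved. Every vendor label, device name, version string and date in it is made up for the example.

```python
"""Audit OT ingress points for vendor diversity and firmware currency.

Added illustration, not Dragos tooling. Every vendor label, device name,
version string and date below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str            # hypothetical vendor label ("VendorA", "VendorB")
    firmware: str          # dotted version string as the device reports it
    eol: Optional[date]    # vendor end-of-life date; None while still supported


@dataclass(frozen=True)
class IngressPath:
    """One way traffic can enter the OT network and the firewalls in-line on it."""
    name: str
    inline: tuple[Firewall, ...]   # ordered outside-in; empty means no firewall at all


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '7.4.2' into (7, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def audit(paths, baseline, today, min_vendors=2):
    """Return (path, device, code, detail) findings.

    baseline maps vendor -> firmware the enterprise perimeter already runs, so an
    OT device behind it is being held to a lower standard than the enterprise edge.
    """
    findings = []
    for path in paths:
        vendors = {fw.vendor for fw in path.inline}
        if not path.inline:
            findings.append((path.name, None, "UNFILTERED", "no firewall in-line"))
        elif len(vendors) < min_vendors:
            findings.append((path.name, None, "SINGLE_VENDOR",
                             f"only {sorted(vendors)} in-line; one exploit clears the path"))
        for fw in path.inline:
            if fw.eol is not None and fw.eol <= today:
                findings.append((path.name, fw.name, "END_OF_LIFE",
                                 f"{fw.vendor} support ended {fw.eol.isoformat()}"))
            approved = baseline.get(fw.vendor)
            if approved and parse_version(fw.firmware) < parse_version(approved):
                findings.append((path.name, fw.name, "BEHIND_BASELINE",
                                 f"runs {fw.firmware}, enterprise baseline is {approved}"))
    return findings


def example_findings():
    """Constructed inventory: one well-defended DMZ path and three weaker ingress points."""
    dmz_a = Firewall("ot-dmz-fw-a", "VendorA", "7.4.2", None)
    dmz_b = Firewall("ot-dmz-fw-b", "VendorB", "11.0.5", None)
    vpn_b = Firewall("vendor-access-fw-b", "VendorB", "10.2.0", None)
    plant_a = Firewall("plant-b-link-fw-a", "VendorA", "7.0.1", date(2024, 6, 30))
    paths = [
        IngressPath("enterprise-to-ot-via-dmz", (dmz_a, dmz_b)),
        IngressPath("third-party-remote-access", (vpn_b,)),   # bypasses the DMZ entirely
        IngressPath("site-to-site-plant-b", (plant_a,)),
        IngressPath("cellular-telemetry-backhaul", ()),       # never inventoried, never filtered
    ]
    # Firmware the enterprise perimeter team has already approved and deployed
    baseline = {"VendorA": "7.4.2", "VendorB": "11.0.5"}
    return audit(paths, baseline, today=date(2025, 1, 15))


if __name__ == "__main__":
    for path, device, code, detail in example_findings():
        print(f"{code:15} {path:28} {device or '-':20} {detail}")
```

On the constructed inventory the DMZ path produces no findings, while the vendor remote-access path and the site-to-site link each surface as single-vendor and behind the enterprise baseline, the plant link is additionally end-of-life, and the cellular backhaul is flagged as entirely unfiltered. The useful output in practice is the list of ingress points that were never modelled as part of the Purdue DMZ at all; feeding the script from an asset inventory rather than hand-typed records is the obvious next step.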
Conclusion
The exploitation of perimeter devices remains a significant threat to OT networks. While adopting multi-vendor firewall solutions at key ingress points can enhance security, this approach requires careful planning and resource allocation. For organizations with the maturity and capacity to manage such complexity, this strategy can be a valuable component of a broader defense-in-depth framework. However, for less resourced entities, prioritizing the effective use of a single firewall vendor and addressing systemic issues like patching delays may provide a more practical path to resilience.