"Software-processing-less" firewall which enhances security of high-speed control systems for such as power plants and factories

September 19, 2019

Hitachi, Ltd. today announced newly developed technique for firewalls which can be applied to high-speed control systems used in fields such as power transmission and distribution systems and factory automation. This technique includes a unique logic circuit which implements a judgment algorithm in "software-less" manner and data invalidation method, which can judge and eliminate unauthorized communication data in about two microseconds. Enhancing security for control devices such as DCSs^*1 and PLCs^*2 operating with a control cycle time of 10 milliseconds or less, as well as monitoring terminals and control servers, has been difficult with existing firewalls designed for IT networks; however, the developed technique makes it possible regardless of device type or whether the installation is new or existing [see Figure 1]. It is thus expected to reduce loss costs such as damage to plant equipment caused by cyber attacks. From now onwards, Hitachi will practically verify these developed technology so that it contribute to improving the security of control systems.

Figure 1: Examples of security measures using the developed technique

Background and addressed challenges

• With the progress of digitalization, the use of network technology has expanded into the industrial field, while damage to control systems due to cyber attacks has become an apparent threat.
• It is necessary for firewalls to reduce the time to judge if the communication data is authorized or not, because existing IT firewalls sometimes take too long judgement time and it may cause a risk of disturbance to control cycle time when connected to high-speed control systems.

Developed technique

The following architecture and method have been developed for reducing the judgement time.

• "Software-processing-less" architecture for judging communication data preventing it from staying in the firewall
• Method for invalidating unauthorized communication data after it is sent out from the firewall

Verified effects

The result of implemention and evaluatiion of this technique on a FPGA^*3 confirmed that the communication data can be judged in 2.12 to 2.2 microseconds through the firewall, which is sufficiently shorter than the control cycle time of general factory automation (1 to 10 milliseconds).

Detail of developed technique

1. "Software-processing-less" architecture for judging communication data preventing it from staying in the firewall

Firewalls judge if incoming communication data is authorized or not by checking it with predefined rules. In conventional firewalls, the entire packet of communication data is stored in memory and then checked with the rules by software processing [see Figure 2(a)]; consequently, it sometimes stays in the firewall for a long time, depending on conditions such as data length and incoming frequency. To avoid such situation, new firewall architecture [see Figure 2(b)] has been developed. It employs a unique logic circuit implementing an algorithm to check incoming communication data without software processing using a CPU or memory. The communication data is checked with rules sequentially as it flows through the circuit, so it stays in the firewall only for significantly short time.

Figure 2: Judgment of unauthorized communication data (comparison with conventional)

2. Invalidation method of unauthorized communication data that has passed through the firewall

In conventional firewalls, communication data will be sent out after being checked entirely and judged if it is authorized or not, which also cause the data to stay for a long time in the firewall. In the developed method, the communication data is sent out before checking is completed and thus regardless of if it is authorized or not. Instead, when the communication data has been judged as unauthorized, its FCS^*4 field located at the tail is modified [see Figure 3]. Communication data with modified FCS is judged to be corrupted and will not be received at its destination device; thus the attempt of cyber-attack will not succeed. Since the firewall can invalidate unauthorized communication data after sending it out, it can begin sending the data before completeing checking and judging, which contributes to further shortening staying time.

Figure 3: Invalidation of invalid communication data

*1

Distributed Control System: A form of a control system configured by connecting multiple control devices via a network or the like.

*2

Programmable Logic Controller: A control device that can control external devices by using a program.

*3

Field Programmable Gate Array: An integrated circuit where the circuit configuration can be rewritten.

*4

Frame Check Sequence: The answer value for verification to make sure that the communication data was received correctly.

For more information, use the enquiry form below to contact the Research & Development Group, Hitachi, Ltd. Please make sure to include the title of the article.