Full Report
The use of multiple firewall products from different vendors in operational technology (OT) networks has sparked significant debate in the... The post Exploring the Use of Multi-Vendor Firewalls in OT Network Security first appeared on Dragos.
Analysis Summary
# Best Practices: Multi-Vendor Firewall Strategy in Operational Technology (OT) Networks
## Overview
These practices address the strategic decision of deploying firewalls from multiple vendors within Operational Technology (OT) environments to enhance security against zero-day exploits, balanced against the operational complexity this introduces, particularly for organizations with limited maturity or resources.
## Key Recommendations
### Immediate Actions
1. **Audit Existing Perimeter Defenses:** Immediately inventory all firewall products guarding ingress points to the OT network (including DMZs and remote access points) and document their vendors, patch status, and current administrative overhead.
2. **Prioritize Patching of Single-Vendor Perimeters:** If operating a single-vendor perimeter defense, immediately prioritize and execute all outstanding security updates and patch management for these critical firewall products, as this is a foundational gap.
3. **Assess Resource Readiness:** Conduct a self-assessment to determine if the organization possesses the necessary administrative staff, training, and logging infrastructure to effectively manage multiple, disparate management interfaces and rulesets.
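The three immediate actions above amount to one audit: inventory the firewalls at each OT ingress point, record vendor and patch status, and decide whether the organization can sustain more than one vendor. The following Python is an added example of that audit expressed as a repeatable check; it is not Dragos code and the ingress points, firewall names, vendors, dates and the 90-day patch threshold are all constructed assumptions. It flags ingress points guarded by a single vendor's code base, firewalls with stale patches, and DMZ-bypassing paths (such as remote access) that lack multi-vendor layering.

```python
"""Perimeter firewall inventory check (added example; not Dragos code).

Each OT ingress point lists the firewalls guarding it. The check flags:
  - ingress points that rely on a single vendor's code base,
  - firewalls whose patch level is older than a policy threshold,
  - paths that bypass the DMZ without multi-vendor layering.
All vendor names, hostnames, dates and the threshold are constructed.
"""
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold, not from the article


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str
    last_patched: date


@dataclass(frozen=True)
class IngressPoint:
    name: str
    bypasses_dmz: bool  # e.g. a remote-access path that lands below the DMZ
    firewalls: tuple


def stale_firewalls(point, today, max_age=MAX_PATCH_AGE_DAYS):
    """Names of firewalls at this ingress point patched more than max_age days ago."""
    return [fw.name for fw in point.firewalls
            if (today - fw.last_patched).days > max_age]


def assess(points, today):
    """Return {ingress name: [finding, ...]} for every point needing attention."""
    findings = {}
    for p in points:
        issues = []
        vendors = {fw.vendor for fw in p.firewalls}
        if not p.firewalls:
            issues.append("no firewall in-line")
        elif len(vendors) == 1:
            issues.append(f"single vendor ({next(iter(vendors))})")
        for name in stale_firewalls(p, today):
            issues.append(f"{name} patch older than {MAX_PATCH_AGE_DAYS} days")
        if p.bypasses_dmz and len(vendors) < 2:
            issues.append("DMZ-bypassing path without multi-vendor layering")
        if issues:
            findings[p.name] = issues
    return findings


# Constructed sample inventory (not a real environment)
TODAY = date(2024, 6, 1)
SAMPLE = (
    IngressPoint("enterprise-to-dmz", False, (
        Firewall("fw-edge-1", "VendorA", date(2024, 5, 20)),
        Firewall("fw-edge-2", "VendorB", date(2024, 5, 18)))),
    IngressPoint("vendor-vpn", True, (
        Firewall("fw-vpn-1", "VendorA", date(2024, 1, 5)),)),
    IngressPoint("historian-replication", False, (
        Firewall("fw-hist-1", "VendorB", date(2024, 5, 30)),
        Firewall("fw-hist-2", "VendorB", date(2024, 5, 30)))),
)

if __name__ == "__main__":
    for point, issues in assess(SAMPLE, TODAY).items():
        print(point, "->", "; ".join(issues))
```

Run against the sample, the enterprise-to-DMZ boundary passes, the vendor VPN path is flagged three times (single vendor, stale patch, DMZ bypass without layering), and the historian link is flagged only for using one vendor twice, which illustrates the point in the article that two devices from the same vendor do not provide code-base diversity.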
### Short-term Improvements (1-3 months)
1. **Ensure Timely Maintenance for All Firewalls:** Establish a mandatory, rigorously enforced policy requiring that all OT firewalls (regardless of vendor) are maintained and updated to the same rigorous standards as enterprise perimeter devices.
2. **Standardize Logging and Monitoring:** Implement centralized logging tools capable of ingesting, correlating, and alerting on events from all current firewall vendors to mitigate immediate complexity risks.
3. **Review Firewall Placement:** Evaluate current firewall placement against the Purdue model, specifically looking for single points of failure that bypass the DMZ (e.g., remote access points) and plan for in-line deployment redundancy.
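Centralized logging across vendors (recommendation 2 above) only pays off if the two firewalls' differing event formats are normalized to one schema so a single rule can correlate them. The following Python is an added example of that normalization, not Dragos code and not any real vendor's log syntax: both line formats, the hostnames, the role mapping and the sample events are constructed. The correlation rule it implements is the one a layered multi-vendor perimeter exists to support: a flow the outer firewall allowed but the inner firewall denied indicates a policy gap or a bypass of the outer device and should surface as one alert rather than sit unnoticed in two separate consoles.

```python
"""Multi-vendor firewall log normalization and correlation (added example).

Two in-line firewalls emit events in different formats. Events are mapped to
one schema, then a single rule finds flows allowed by the outer firewall but
denied by the inner one. Both formats, hostnames, roles and sample lines are
constructed for illustration; they are not real vendor syntax.
"""
import re

# Constructed format 1 ("VendorA", outer firewall): key=value pairs
_KV_RE = re.compile(r"(\w+)=(\S+)")
# Constructed format 2 ("VendorB", inner firewall):
#   <host>,<ACTION>,<src>,<dst>,<proto>,<dport>

# Assumed mapping of firewall hostname to its position in the perimeter
ROLES = {"fw-edge-a": "outer", "fw-edge-b": "inner"}


def parse_vendor_a(line):
    f = dict(_KV_RE.findall(line))
    return {"fw": f["fw"], "action": f["act"].lower(), "src": f["src"],
            "dst": f["dst"], "proto": f["proto"].lower(), "dport": int(f["dport"])}


def parse_vendor_b(line):
    host, action, src, dst, proto, dport = line.split(",")
    return {"fw": host, "action": action.lower(), "src": src,
            "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def normalize(line):
    """Map a raw line from either vendor to the common schema; None if unparsable."""
    line = line.strip()
    try:
        if "fw=" in line and "act=" in line:
            return parse_vendor_a(line)
        if line.count(",") == 5:
            return parse_vendor_b(line)
    except (KeyError, ValueError):
        pass
    return None


def correlate(lines, roles=ROLES):
    """Return (alerts, unparsed_count).

    An alert is a (src, dst, proto, dport) flow that the outer firewall allowed
    and the inner firewall denied. Unparsed lines are counted, not dropped
    silently, so a format change at either vendor becomes visible.
    """
    outer_allowed, inner_denied, unparsed = set(), set(), 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
            continue
        key = (ev["src"], ev["dst"], ev["proto"], ev["dport"])
        role = roles.get(ev["fw"])
        if role == "outer" and ev["action"] == "allow":
            outer_allowed.add(key)
        elif role == "inner" and ev["action"] == "deny":
            inner_denied.add(key)
    return sorted(outer_allowed & inner_denied), unparsed


# Constructed sample events (RFC 5737 documentation addresses)
SAMPLE_LINES = [
    "fw=fw-edge-a act=ALLOW src=203.0.113.10 dst=10.20.1.5 proto=TCP dport=3389",
    "fw-edge-b,DENY,203.0.113.10,10.20.1.5,tcp,3389",
    "fw=fw-edge-a act=ALLOW src=198.51.100.7 dst=10.20.1.20 proto=TCP dport=443",
    "fw-edge-b,ALLOW,198.51.100.7,10.20.1.20,tcp,443",
    "fw=fw-edge-a act=DENY src=192.0.2.9 dst=10.20.1.5 proto=TCP dport=22",
    "<garbled line from a collector restart>",
]

if __name__ == "__main__":
    alerts, unparsed = correlate(SAMPLE_LINES)
    for src, dst, proto, dport in alerts:
        print(f"outer allowed, inner denied: {src} -> {dst} {proto}/{dport}")
    print(f"unparsed lines: {unparsed}")
```

On the sample, only the RDP flow to 10.20.1.5 is raised: the outer firewall allowed it and the inner one denied it. The HTTPS flow was allowed by both and the SSH attempt was stopped at the outer layer, so neither is an alert, and the garbled line is counted rather than discarded.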
### Long-term Strategy (3+ months)
1. **Strategically Deploy Multi-Vendor Defense (Mature Orgs):** For mature and well-resourced organizations, design and implement a defense-in-depth strategy utilizing two different firewall vendors positioned in-line at critical external ingress points to the OT network.
2. **Develop Cross-Vendor Training:** Invest in training security staff on the distinct management, monitoring, and troubleshooting disciplines required for each vendor's firewall product to ensure operational continuity.
3. **Integrate into Vulnerability Management:** Formalize procedures ensuring that new threat intelligence regarding perimeter device exploits immediately triggers a review across all vendor platforms, leveraging the differing code bases for comparative assessment.
## Implementation Guidance
### For Small Organizations
- **Default to Operational Excellence:** Prioritize achieving rigorous patch management, configuration hardening, and secure monitoring for a *single, effectively managed* firewall vendor rather than introducing the management burden of multiple vendors.
- **Focus on Foundational Fixes:** Direct resources toward closing existing security program gaps (e.g., incident response readiness, basic visibility) before undertaking complex architectural shifts.
### For Medium Organizations
- **Pilot Multi-Vendor Deployment:** Select one high-risk, non-critical ingress point to pilot the deployment of two different vendor firewalls working in tandem before rolling out enterprise-wide.
- **Invest in Centralized Management Tools:** Allocate budget for Security Information and Event Management (SIEM) or specialized OT security platforms that can unify log collection and alerting across different hardware vendors.
### For Large Enterprises
- **Mandate In-Line Redundancy:** Require that multi-vendor firewalls be deployed in a high-availability, in-line fashion at the primary OT network perimeter and critical remote access/VPN termination points to maximize protection against vendor-specific exploits.
- **Formalize Resource Allocation Review:** Institute an annual review to confirm that the increased administrative overhead associated with multi-vendor environments is being adequately funded and staffed to prevent configuration drift and maintenance neglect.
## Configuration Examples
*This article does not provide specific technical configuration syntax (e.g., CLI commands); however, the architectural guidance is:*
- **Deployment Model:** Deploy both Firewall Vendor A and Firewall Vendor B **in-line** defending the perimeter ingress points (including those that bypass the traditional DMZ layer of the Purdue model).
- **Placement Strategy:** Avoid relying solely on one vendor in the DMZ and another deeper in the network; the goal is layered defense at the boundary utilizing diverse code bases.
## Compliance Alignment
- While specific compliance standards (like NIST 800-82 or IEC 62443) often mandate specific security controls, adopting a multi-vendor approach relates fundamentally to **Defense-in-Depth** principles, reducing reliance on any single vendor's security assurance.
- **NIST Cybersecurity Framework (CSF):** Directly supports the **Protect** Function (e.g., ID.AM-3: Asset Management, PR.PT-4: Protective Technology).
- **ISO/IEC 27001/27019:** Aligns with controls requiring robust perimeter security and secure system acquisition/implementation.
## Common Pitfalls to Avoid
- **Neglecting Maintenance:** Assuming the security benefit of multi-vendor diversity outweighs the risk if one or both vendors are not patched or maintained at the same standard as enterprise-grade equipment.
- **Misplacing Firewalls:** Deploying firewalls sequentially where an attacker can bypass the multi-vendor boundary (e.g., relying only on the firewall at Level 3 demarcation instead of the external perimeter).
- **Overextending Resources:** Implementing a multi-vendor strategy when the organization lacks the necessary technical staff or centralized tooling, leading to misconfiguration and reduced security effectiveness.
- **Allowing Architectural Drift:** Using the multi-vendor deployment as an excuse to deprioritize foundational security programs like incident response planning or vulnerability management.
## Resources
- **Dragos Incident Response Services:** For historical context on perimeter compromises.
- **Purdue Enterprise Reference Architecture:** For understanding proper architectural segmentation in OT environments.
- **Threat Intelligence on Perimeter Exploits:** Continuous monitoring of advisories targeting VPN concentrators and boundary devices.