VPN and Firewall Configuration for SCADA

By NFM Consulting

Key Takeaway

VPN and firewall configuration protect SCADA systems from cyber threats while enabling secure remote access. Industrial firewalls should enforce a default-deny policy between IT and OT zones, allowing only specific protocol traffic like Modbus TCP (port 502) and DNP3 (port 20000). Site-to-site IPsec VPNs encrypt SCADA traffic traversing public networks, while remote access VPNs enable secure engineering connections with multi-factor authentication.

The SCADA Cybersecurity Challenge

SCADA and industrial control systems were historically isolated, air-gapped networks with minimal cybersecurity concerns. Modern operational requirements, including remote monitoring, cloud-based analytics, vendor remote support, and IT/OT convergence, have connected these systems to enterprise networks and the internet. This connectivity creates attack surfaces that adversaries actively exploit. The NIST Cybersecurity Framework, IEC 62443, and NERC CIP standards all require network segmentation and access control as foundational security measures for industrial control systems.

Network Segmentation with Industrial Firewalls

The Purdue Enterprise Reference Architecture (ISA-95) defines a hierarchy of industrial network levels, numbered from Level 0 (field devices) through Level 5 (enterprise/internet). Firewalls enforce boundaries between these levels, controlling which traffic can flow between zones. The most critical firewall placement is at the IT/OT boundary (between Levels 3 and 4), often called the Industrial Demilitarized Zone (IDMZ).

IDMZ Architecture

  • Dual-firewall design: An outer firewall faces the enterprise network and an inner firewall faces the OT network, with a DMZ between them hosting shared services (historian mirror, patch server, remote access portal)
  • No direct traffic: No traffic should pass directly from IT to OT or vice versa. All data exchange occurs through DMZ intermediaries (data diodes, replication servers, or jump hosts)
  • Default deny: Both firewalls block all traffic by default and only allow explicitly configured rules for required communications
  • Protocol inspection: Industrial firewalls from vendors like Palo Alto, Fortinet, and Cisco perform deep packet inspection (DPI) of industrial protocols including Modbus TCP, DNP3, OPC UA, EtherNet/IP, and S7comm

ICS-Specific Firewall Rules

Industrial firewall rules must be protocol-aware. Simply allowing TCP port 502 (Modbus) is insufficient. Effective rules should also restrict which Modbus function codes are permitted, blocking dangerous write operations (function codes 5, 6, 15, 16) from unauthorized sources while allowing read operations (function codes 1, 2, 3, 4) for monitoring systems.

  • Modbus TCP: Port 502. Restrict by source IP, function code, and register address range
  • DNP3: Port 20000. Filter by source/destination address, function code, and object type
  • OPC UA: Port 4840. Enforce certificate-based authentication and message-level encryption
  • EtherNet/IP: Port 44818 (explicit messaging), Port 2222 (implicit I/O). Allow CIP service codes selectively
  • IEC 61850: MMS uses port 102; restrict it by source and destination. GOOSE and Sampled Values (SV) are Layer 2 multicast rather than IP traffic, so restrict them by multicast group (destination MAC) and APPID
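To make the function-code rule above concrete, here is an added example (not code from this page or from NFM Consulting) of the decision logic such a rule implements: it decodes the Modbus TCP MBAP header and the start of the PDU, then applies a default-deny policy keyed on source address, function code and register range. The networks, hosts and register limits in POLICY, and the sample request frames, are constructed for the example.

```python
"""Function-code-aware Modbus TCP filter (constructed illustration)."""
import struct
from ipaddress import ip_address, ip_network

# Function codes as grouped in the text: reads 1-4, writes 5, 6, 15, 16
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Constructed policy (hypothetical addresses): the first matching source network wins.
# Each rule: (source network, permitted function codes, (lowest, highest) register address)
POLICY = [
    (ip_network("10.30.1.0/24"), READ_FCS, (0, 999)),               # historian / monitoring hosts
    (ip_network("10.20.5.10/32"), READ_FCS | WRITE_FCS, (0, 99)),   # engineering workstation
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the start of the PDU of a Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    function_code = frame[7]
    pdu = frame[8:]
    req = {"tid": transaction_id, "unit": unit_id, "fc": function_code,
           "address": None, "quantity": None}
    if function_code in (1, 2, 3, 4, 15, 16):
        # starting address and quantity of coils/registers
        req["address"], req["quantity"] = struct.unpack(">HH", pdu[:4])
    elif function_code in (5, 6):
        # single coil/register write carries only the address
        req["address"], req["quantity"] = struct.unpack(">H", pdu[:2])[0], 1
    return req


def evaluate(src_ip: str, frame: bytes) -> tuple:
    """Default deny. Returns ('ALLOW' | 'DENY', reason)."""
    try:
        req = parse_modbus_tcp(frame)
    except (ValueError, struct.error) as exc:
        return "DENY", f"malformed request: {exc}"
    src = ip_address(src_ip)
    for network, permitted_fcs, (lo, hi) in POLICY:
        if src not in network:
            continue
        if req["fc"] not in permitted_fcs:
            return "DENY", f"function code {req['fc']} not permitted from {src}"
        if req["address"] is not None:
            first, last = req["address"], req["address"] + req["quantity"] - 1
            if first < lo or last > hi:
                return "DENY", f"registers {first}-{last} outside permitted range {lo}-{hi}"
        return "ALLOW", f"function code {req['fc']} from {src}"
    return "DENY", f"no rule matches source {src}"


# Constructed sample requests: MBAP header (tid, pid, length, unit) followed by the PDU.
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")                   # FC3: read 10 holding registers at 0
WRITE_MULTI = bytes.fromhex("0002 0000 000b 01 10 0000 0002 04 0001 0002")  # FC16: write 2 registers at 0
WRITE_SINGLE = bytes.fromhex("0003 0000 0006 01 06 0032 00ff")              # FC6: write register 50
WRITE_FAR = bytes.fromhex("0004 0000 0006 01 06 01f4 00ff")                 # FC6: write register 500

if __name__ == "__main__":
    for src, frame in [("10.30.1.7", READ_HR), ("10.30.1.7", WRITE_MULTI),
                       ("10.20.5.10", WRITE_SINGLE), ("10.20.5.10", WRITE_FAR),
                       ("192.0.2.9", READ_HR)]:
        print(src, *evaluate(src, frame))
```

A monitoring host reading registers is allowed, the same host issuing a write is denied on function code, and the engineering workstation is allowed to write only inside its permitted register window; anything from an unlisted source, or any frame whose MBAP length field disagrees with the bytes on the wire, is denied before a rule is even consulted.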

Site-to-Site VPN for SCADA WANs

SCADA communication between a central control room and remote field sites often traverses carrier networks (cellular, microwave, satellite) or the public internet. IPsec VPN tunnels encrypt this traffic end-to-end, preventing eavesdropping and tampering. Site-to-site VPNs establish permanent, always-on encrypted tunnels between the control center firewall and each remote site firewall or cellular modem.

IPsec VPN Configuration for SCADA

  • IKEv2: Use IKE version 2 for faster tunnel establishment and better NAT traversal compared to IKEv1
  • Encryption: AES-256-GCM provides both encryption and integrity checking. Avoid deprecated algorithms (DES, 3DES, MD5)
  • Authentication: Certificate-based authentication is preferred over pre-shared keys for multi-site deployments. Use a private Certificate Authority (CA) to issue device certificates
  • Dead peer detection (DPD): Configure DPD to detect tunnel failures and automatically re-establish the VPN. Set DPD interval to 10-30 seconds for SCADA applications
  • Perfect Forward Secrecy (PFS): Enable PFS with Diffie-Hellman Group 14 or higher to protect past sessions even if long-term keys are compromised
  • Split tunneling: Avoid split tunneling in OT environments. All traffic from remote sites should traverse the VPN to ensure consistent security policy enforcement
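An added example (not from this page or from NFM Consulting) that checks a tunnel definition against the points above: IKE version, authentication method, deprecated algorithms, AES-256-GCM, a PFS group of 14 or higher, and a DPD interval in the 10-30 second range. The proposal strings follow strongSwan's naming convention (for example aes256gcm16-prfsha384-modp2048), but the audit function, the dictionary layout and the two sample configurations are constructed for illustration.

```python
"""Audit an IPsec tunnel definition against the SCADA VPN recommendations (constructed example)."""

# IANA Diffie-Hellman group numbers for the strongSwan group names used in proposals
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21,
}
DEPRECATED = {"des", "3des", "md5"}   # the algorithms the text says to avoid
MIN_DH_GROUP = 14
DPD_RANGE = (10, 30)                   # seconds


def audit_ipsec(cfg: dict) -> list:
    """Return a list of findings; an empty list means the definition meets every recommendation."""
    findings = []
    if cfg.get("ike_version") != 2:
        findings.append("ike: use IKEv2, not IKEv1")
    if cfg.get("auth") != "pubkey":
        findings.append("auth: certificate (pubkey) authentication is preferred over pre-shared keys")
    for role in ("ike", "esp"):
        tokens = cfg.get(role, "").lower().split("-")
        for token in tokens:
            # IKE PRF entries are written as prfsha256, prfmd5, ...; strip the prefix before checking
            name = token[3:] if token.startswith("prf") else token
            if name in DEPRECATED:
                findings.append(f"{role}: deprecated algorithm {token}")
        if not any(token.startswith("aes256gcm") for token in tokens):
            findings.append(f"{role}: prefer AES-256-GCM, which provides encryption and integrity in one AEAD")
        groups = [DH_GROUPS[token] for token in tokens if token in DH_GROUPS]
        if not groups:
            findings.append(f"{role}: no Diffie-Hellman group in proposal, so PFS is not enforced")
        elif min(groups) < MIN_DH_GROUP:
            findings.append(f"{role}: DH group {min(groups)} is below group {MIN_DH_GROUP}")
    delay = cfg.get("dpd_delay")
    if delay is None or not DPD_RANGE[0] <= delay <= DPD_RANGE[1]:
        findings.append(f"dpd: set the DPD interval to {DPD_RANGE[0]}-{DPD_RANGE[1]} seconds")
    return findings


# Constructed sample definitions (hypothetical values, not a real deployment)
HARDENED = {"ike_version": 2, "auth": "pubkey",
            "ike": "aes256gcm16-prfsha384-modp2048", "esp": "aes256gcm16-modp2048",
            "dpd_delay": 20}
WEAK = {"ike_version": 1, "auth": "psk",
        "ike": "3des-md5-modp1024", "esp": "aes128-sha1",
        "dpd_delay": 120}

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "->", audit_ipsec(cfg) or ["no findings"])
```

The weak definition trips nine findings: IKEv1, pre-shared key, 3DES and MD5 in the IKE proposal, DH group 2, no AEAD cipher in either proposal, no PFS group on the ESP side, and a DPD interval outside the recommended range. Run it over exported tunnel definitions during a configuration review to catch drift from the baseline.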

Remote Access VPN for Engineers

Remote access to SCADA systems for engineering, troubleshooting, and vendor support requires additional security controls beyond site-to-site VPN. Remote access sessions should terminate in the IDMZ on a jump host or remote desktop gateway, never directly into the OT network. All remote access must use multi-factor authentication (MFA) combining something the user knows (password) with something they have (hardware token, authenticator app, or smart card).

Secure Remote Access Best Practices

  • Jump hosts: Remote users connect to a hardened Windows or Linux jump host in the DMZ, then access OT systems from the jump host. This prevents direct network connectivity between the remote user's computer and OT devices
  • Session recording: Record all remote access sessions (screen capture and keystroke logging) for audit and forensic purposes
  • Time-limited access: Grant remote access for specific maintenance windows only. Disable access when not actively needed
  • Vendor access: Require vendors to use your remote access infrastructure. Never allow vendors to install their own remote access tools (TeamViewer, AnyDesk) on OT systems
  • Network access control: Assign remote users to restricted VLANs with firewall rules allowing only the specific systems and protocols needed for their task

Monitoring and Logging

VPN and firewall logs provide critical visibility into network activity and potential threats. Forward all firewall logs, VPN connection events, and intrusion detection alerts to a centralized SIEM (Security Information and Event Management) system. Configure alerts for anomalous events such as VPN connections from unexpected locations, firewall rule violations, unusual protocol activity, and failed authentication attempts. Regular log review identifies configuration drift, unauthorized access attempts, and potential indicators of compromise.
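As an added example (not from this page or from NFM Consulting), the following detection logic implements three of the alert conditions named above, failed authentication bursts, VPN logins from unexpected locations and denied traffic toward ICS protocol ports, over constructed firewall and VPN log lines. The key=value log format, the host addresses and the allowed-country set are invented for the example; a real deployment would adapt parse_line to the vendor's export format and feed the alerts to the SIEM.

```python
"""Detection rules over VPN and firewall events (constructed example and constructed log lines)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_GEOS = {"US"}                        # countries from which VPN logins are expected (constructed)
ICS_PORTS = {502: "Modbus TCP", 20000: "DNP3"}
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

# Constructed sample log in an invented "<timestamp> <device> <event> key=value ..." format
SAMPLE_LOG = """\
2024-05-01T02:13:04Z vpn login user=jsmith src=203.0.113.9 geo=US result=ok
2024-05-01T02:14:00Z vpn login user=svc-vendor src=198.51.100.77 geo=DE result=fail
2024-05-01T02:14:30Z vpn login user=svc-vendor src=198.51.100.77 geo=DE result=fail
2024-05-01T02:15:10Z vpn login user=svc-vendor src=198.51.100.77 geo=DE result=fail
2024-05-01T02:16:00Z vpn login user=svc-vendor src=198.51.100.77 geo=DE result=ok
2024-05-01T03:00:00Z fw deny src=10.20.5.44 dst=10.30.1.12 proto=tcp dport=502
2024-05-01T03:00:05Z fw allow src=10.30.1.7 dst=10.30.1.12 proto=tcp dport=502
2024-05-01T03:01:00Z fw deny src=10.20.5.44 dst=10.30.1.15 proto=tcp dport=20000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>vpn|fw) (?P<event>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in an unknown format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    fields = dict(item.split("=", 1) for item in match["kv"].split())
    return {"ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "dev": match["dev"], "event": match["event"], **fields}


def detect(log_text: str) -> list:
    """Run the three rules over the log and return alerts in the order they fire."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dev"] == "vpn" and ev["event"] == "login":
            if ev["result"] == "fail":
                window = [t for t in recent_fails[ev["user"]] if ev["ts"] - t <= FAIL_WINDOW]
                window.append(ev["ts"])
                if len(window) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "failed_auth_burst", "user": ev["user"],
                                   "src": ev["src"], "count": len(window)})
                    window = []    # reset so one burst produces one alert
                recent_fails[ev["user"]] = window
            elif ev["geo"] not in ALLOWED_GEOS:
                alerts.append({"rule": "unexpected_geo", "user": ev["user"],
                               "src": ev["src"], "geo": ev["geo"]})
        elif ev["dev"] == "fw" and ev["event"] == "deny":
            port = int(ev["dport"])
            if port in ICS_PORTS:
                # a denied connection to an ICS port means a rule violation worth a look
                alerts.append({"rule": "blocked_ics_traffic", "src": ev["src"],
                               "dst": ev["dst"], "protocol": ICS_PORTS[port]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log the rules fire four times: a burst of three failed logins for svc-vendor, a successful login for the same account from a country outside the allowed set, and two denied connections from one enterprise-side host toward Modbus TCP and DNP3 ports on the OT side. The combination of the first two is the pattern worth correlating in the SIEM; the third points at a host that is probing or misconfigured and should be traced to its owner.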

NFM Consulting Cybersecurity Services

NFM Consulting designs and implements secure network architectures for industrial control systems following IEC 62443 and NIST guidelines. Our services include IT/OT network segmentation design, industrial firewall deployment and rule configuration, site-to-site VPN implementation for SCADA WANs, secure remote access solutions, and ongoing security assessment. We work with operators to balance security requirements with operational accessibility, ensuring that cybersecurity controls do not impede the engineers and operators who keep critical infrastructure running.
