PAN-OS 8.0: New Non-IP Protocol Control Feature Secures ICS Layer-2 Networks

Feb 10, 2017
3 minutes
... views

A key reason for the growing adoption of our Next-Generation Firewall within OT environments is our App-ID technology, which enables Layer-7 visibility and control over many ICS/SCADA protocols and applications, both standards-based and vendor-specific.  Furthermore, through App-ID decoders, users can create dozens of command- and/or function- level custom App-IDs to bring even deeper insight and control.

So far, our ICS/SCADA protocol security capabilities have been for IP-based traffic, but with our new PAN-OS 8.0 release, we are excited to announce a new feature called non-IP protocol control for controlling ethernet traffic. This feature enhances the zone protection profile with the ability to create and apply a filter to any zone to block or explicitly permit traffic based on the header's ether-type value.

An example of where this could be applied in ICS is in the growing area of IEC 61850 substation automation. IEC 61850 is a family of protocols that includes both IP-based and ethernet-based protocols. One of these ethernet-based protocols is GOOSE (ether type of 0x88b8). Without getting into the details, due to strict real-time performance requirements with IEC 61850, encryption was excluded from the standard. Furthermore, although GOOSE message authentication was defined via the IEC 62351-6 standard, there is still an associated complexity and also a loss of performance with the authentication enforced. Hence, most practical implementations will not have either of these security features turned on and are therefore vulnerable to cyberattacks. In fact, several research studies have validated the feasibility of GOOSE-related cyberattacks across different attack classes, such as modification, denial of service and replay.

As a basic example of attack and defense, consider a scenario where an attacker has successfully made his way to a business/engineering area of a substation network. This could be via a pivot from the control center or perhaps from a WiFi network at the substation, used for maintenance.  Once present on the LAN, the attacker could initiate a GOOSE DoS attack or send specially crafted GOOSE packets into the IEC 61850 VLAN that may cause erratic behavior, poor performance, loss of service (opening relays), or even damage to equipment. With the non-IP protocol control feature, users can define a zone protection profile that blocks GOOSE traffic into the IEC 61850 zone, thereby preventing the attack and associated undesirable events. Attack scenarios from the IEC 61850 that zone “upstream” to the business zone seem to be less of a concern, but a zone protection profile in that direction could also be easily applied.

Although less research has been published on attack cases for sampled values and GSE management – the other protocols under IEC 61850 with specific ether types – the non-IP control feature can also be applied by simply filtering their respective ether types of 88b9 and 88ba. This could be useful as future attack cases for SV and GSE management are discovered.

If you are interested in learning more about how you can better secure your industrial control systems with App-ID and the other elements of our platform, please check out our Security Reference Blueprint White Paper for ICS/SCADA and tech brief for App-ID for ICS/SCADA. If you are interested in learning about all that the new PAN-OS 8 has to offer, please visit to our PAN-OS 8.0 page.

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.