Implementing ICS Firewall with Tofino

When to Use

• When deploying zone-level firewall protection directly in front of critical PLCs or RTUs
• When requiring deep packet inspection of industrial protocols (Modbus, EtherNet/IP, OPC, S7comm)
• When implementing IEC 62443 zone and conduit boundaries with protocol-aware enforcement
• When protecting legacy PLCs that cannot be patched and need compensating controls
• When segmenting control network zones without disrupting existing industrial communications

Do not use for enterprise IT firewall deployment, for perimeter firewall between IT and OT (use Palo Alto/Fortinet at the DMZ), or for environments using only IP-based protocols without OT-specific DPI needs.

Prerequisites

• Tofino Xenon appliance or Tofino virtual appliance with appropriate license
• Tofino Central Management Platform (CMP) for centralized policy management
• Network topology map showing PLC/RTU placement and communication requirements
• Baseline of OT protocol communications (Modbus function codes, EtherNet/IP CIP services)
• Change management approval for inline deployment between network zones