Latency Evaluation of a Firewall for Industrial Networks Based on the Tofino Industrial Security Solution
M Cereia; I Cibrario Bertolotti; L Durante; A Valenzano
2014
Abstract
Nowadays, industrial control networks are no longer conceived as isolated systems, as they are exposed to the same kinds of security threats that affect traditional office and business networks. For this kind of system, the main security requirement is availability; the protection measures used to secure industrial control networks must therefore also take into account performance aspects, such as latency and jitter, that are usually not critical in traditional networks. For this reason, knowing the delays introduced by the devices used to protect the network is of paramount importance in order to evaluate whether the timing constraints of the communication are still satisfied. This paper presents an experimental evaluation of the communication latency introduced by a firewall for industrial control networks built around the Tofino Industrial Security Solution. Experiments were carried out in three main working conditions of the firewall, that is, when 1) it is plugged into the network with all the protection modules disabled (decommissioned mode); 2) it implements basic security policies only; 3) it adopts complex filtering mechanisms allowing the deep inspection of Modbus TCP packets.