Vendor marketing confuses firewall selection. Everyone claims to be "OT-aware," "ICS-hardened," and "deterministic." But OT firewall selection should focus on architectural fit, performance under production load, and the operational reality of maintaining rules for 15 years without security patches breaking your devices.
The most expensive firewall is not the most capable—it's the one that doesn't fit your network topology or requires constant troubleshooting to maintain production uptime. Buy for steady-state operations, not peak marketing claims.
Technical Criteria That Matter
Stateful session handling must preserve TCP and UDP idle timeouts appropriate for slow industrial protocols. A Modbus/TCP master that polls a PLC every few minutes holds one long-lived session; if the firewall's idle timeout is shorter than the polling interval (many commercial firewalls default to timeouts as short as 30 seconds), it expires the state-table entry and the next poll arrives as a packet with no matching session, which a stateful firewall discards or answers with a reset. Confirm the device supports configurable per-service timeouts, not just Mbps throughput, and verify them with a real idle session before cutover. Throughput at line rate is worthless if the firewall breaks your production traffic.
Rule capacity matters more than you expect. A small industrial facility may have 500-1000 access control rules. A multi-zone facility can easily exceed 5000 rules. Firewalls that choke at 2000 rules become liabilities when you add a second production line. Select for headroom, not current load.
What You Actually Need
- Stateful Inspection: Session tracking, connection state awareness, and customizable timeout values. Not advanced threat detection—just reliable session handling.
- Protocol-Aware Filtering: Ability to write rules on Modbus function codes, OPC UA service calls, or EtherNet/IP (CIP) services, so that an HMI can be limited to reads while only the engineering workstation may write. Generic IP and port rules alone create either overly permissive or brittle policies: opening TCP 502 opens every function code.
- High Availability: Sub-second failover between redundant units with synchronized session state, so established connections survive without loss or TCP resets. This confirms the firewall can meet the uptime requirements of production networks; test it by pulling power on the active unit during a live poll, not by reading the datasheet.
- Logging and Visibility: Per-session flow logs, not just blocked-packet counts. You need to know which device attempted which operation (down to the protocol function code), whether it succeeded or failed, at what time, and which rule made the decision. This is essential for incident investigation, and the logs must be exportable to a collector outside the firewall.
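The protocol-aware rules and per-session logs described in the list above, together with the idle-session check from the timeout discussion, as an added example that is not part of the original article: a small Python reference monitor that parses Modbus/TCP ADUs, applies a per-source function-code allowlist, emits one log line per decision, and includes a probe that opens a session through the firewall, idles, and polls. The addresses, zones, rule names and sample traffic are constructed assumptions for illustration.

```python
"""Added example (not from the original article): a reference monitor for
Modbus/TCP function codes with per-session logging, plus an idle-session probe.

Assumptions (illustrative only): HMIs live in 10.10.1.0/24, the engineering
workstation is 10.10.1.50, the PLC is 10.10.2.10; the rule set is invented.
"""
import socket
import struct
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Public Modbus function codes a policy typically distinguishes.
FC_NAMES = {1: "ReadCoils", 2: "ReadDiscreteInputs", 3: "ReadHoldingRegisters",
            4: "ReadInputRegisters", 5: "WriteSingleCoil", 6: "WriteSingleRegister",
            15: "WriteMultipleCoils", 16: "WriteMultipleRegisters"}
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Assumed policy, first match wins: (source network, PLC address, allowed FCs, rule name).
POLICY = [
    ("10.10.1.0/24", "10.10.2.10", READ_FCS, "hmi-read-plc1"),
    ("10.10.1.50/32", "10.10.2.10", READ_FCS | WRITE_FCS, "ews-readwrite-plc1"),
]


@dataclass
class ModbusADU:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def build_request(transaction_id, unit_id, function_code, address, value):
    """Encode a Modbus/TCP ADU (MBAP header + PDU) for the common two-word PDUs:
    reads carry (start address, count); single writes carry (address, value)."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(data):
    """Decode the MBAP header and PDU; raise ValueError on a malformed frame.
    A filter must reject what it cannot parse rather than forward it."""
    if len(data) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return ModbusADU(tid, unit, data[7], data[8:])


def evaluate(src_ip, dst_ip, frame, now):
    """Return (verdict, log line) for one request. The log line records who
    attempted which operation on which unit, when, and which rule decided it."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    try:
        adu = parse_adu(frame)
    except ValueError as err:
        return "DENY", f"{ts} src={src_ip} dst={dst_ip} fc=? verdict=DENY rule=malformed detail={err}"
    src = ip_address(src_ip)
    for src_net, plc, allowed, name in POLICY:
        if src in ip_network(src_net) and dst_ip == plc and adu.function_code in allowed:
            verdict, rule = "ALLOW", name
            break
    else:
        verdict, rule = "DENY", "default-deny"
    fc_name = FC_NAMES.get(adu.function_code, "Unknown")
    log = (f"{ts} src={src_ip} dst={dst_ip} unit={adu.unit_id} "
           f"fc={adu.function_code}({fc_name}) tid={adu.transaction_id} "
           f"verdict={verdict} rule={rule}")
    return verdict, log


def probe_idle_session(host, port, idle_seconds, unit_id=1, timeout=5.0):
    """Open a Modbus/TCP session through the firewall, stay idle, then poll.
    True means the slave still answers; False means the session state was
    dropped in between (by a middlebox, or by the slave itself)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            time.sleep(idle_seconds)
            sock.sendall(build_request(1, unit_id, 3, 0, 1))
            resp = sock.recv(260)
    except OSError:  # includes socket.timeout and connection resets
        return False
    try:
        adu = parse_adu(resp)
    except ValueError:  # empty read after a close, or garbage
        return False
    return adu.transaction_id == 1 and adu.function_code == 3


if __name__ == "__main__":
    # Constructed traffic: an HMI read, an HMI write, an EWS write, a truncated frame.
    samples = [
        ("10.10.1.20", build_request(1, 1, 3, 0, 10)),
        ("10.10.1.20", build_request(2, 1, 6, 100, 1)),
        ("10.10.1.50", build_request(3, 1, 6, 100, 1)),
        ("10.10.1.20", b"\x00\x04\x00\x00\x00\x06\x01\x03"),
    ]
    for src, frame in samples:
        print(evaluate(src, "10.10.2.10", frame, time.time())[1])
```

Run probe_idle_session from the HMI side against a lab PLC or simulator with idle_seconds set just above the candidate firewall's configured timeout; if it returns False while the same call with a short idle returns True, the firewall, not the slave, is expiring the session.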
What You Don't Need
Do not buy a firewall because it claims "AI-powered threat detection" or "behavioral anomaly analysis." OT firewalls are enforcement points, not detective controls. Detection and response belong in separate systems (IDS, historian analysis, SIEM). A firewall trying to do too much becomes slow and unreliable at its primary job.
Avoid firewalls that require internet connectivity for threat intelligence updates. Your OT network should not depend on cloud licensing, vendor databases, or external threat feeds for basic operation. Air-gapped OT networks need firewalls that function fully offline, so ask the vendor what the device does when a license check fails: the answer you want is that it keeps enforcing the loaded policy.
Most importantly, choose a vendor who will support the device for 10+ years with security patches that don't break existing rules. This is a longer commitment than server hardware, so get the support lifecycle in writing and stage every firmware update against your own rule set in a lab before it touches production. If you'd like to discuss firewall architecture for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.