DPI enforces industrial protocol rules
Block unauthorized Modbus writes, restrict OPC operations, and enforce IEC 104 command filtering at the application layer.
The EAGLE One handles simple cell protection with stateful filtering. When the application requires Deep Packet Inspection of industrial protocols, VPN tunnels, dynamic routing, or audit trail compliance, the EAGLE40 provides the necessary depth.
| Specification | Value |
|---|---|
| Ports | 3 to 7 GbE |
| Software | HiSecOS (Hirschmann Security Operating System) |
| Firewall | Stateful + Deep Packet Inspection (DPI) |
| VPN | IPsec |
| Routing | OSPF, static |
| Redundancy | VRRP router redundancy |
| Bypass | Maintains connectivity on power failure |
| Temperature | -40 °C to +70 °C (variant dependent) |
DPI goes beyond IP/port filtering. It inspects the payload of industrial protocols and enforces application-layer rules.
| Protection Suite | Protocols Inspected |
|---|---|
| Industrial Automation | EtherNet/IP enforcer + Modbus enforcer + OPC enforcer |
| Substation | IEC 104 enforcer + DNP3 enforcer + GOOSE enforcer + Modbus enforcer |
| Unified | Combines both suites |
Example: the Modbus enforcer permits read requests (for example function code 0x03, Read Holding Registers) from the SCADA server but blocks write requests (for example function code 0x10, Write Multiple Registers) from any source except the engineering workstation. An attacker who has reached the network cannot change the PLC's configuration through the firewall. The rule identifies the workstation by its network address, so it does not protect against a compromised workstation itself; keep the set of hosts allowed to write as small as possible.
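To make that rule concrete, the following added example (not Hirschmann code, and not the EAGLE40 rule syntax) implements the same policy as a standalone Python filter: it parses the MBAP header of a Modbus/TCP request, classifies the function code as read or write, checks it against a per-source rule table, and denies anything unmatched or malformed. The host addresses, the rule table and the two request frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes, grouped by their effect on the PLC.
READ_FCS = frozenset({0x01, 0x02, 0x03, 0x04})               # read coils / inputs / registers
WRITE_FCS = frozenset({0x05, 0x06, 0x0F, 0x10, 0x16, 0x17})  # write coils / registers

# Hypothetical addresses for the two hosts named in the text (assumption).
SCADA_SERVER = "10.0.1.10"
ENG_WORKSTATION = "10.0.1.50"


@dataclass(frozen=True)
class Rule:
    src: Optional[str]   # None matches any source address
    fcs: frozenset       # function codes the rule applies to
    action: str          # "allow" or "deny"


# First match wins; anything unmatched falls through to default deny.
POLICY = [
    Rule(ENG_WORKSTATION, READ_FCS | WRITE_FCS, "allow"),  # engineering host may read and write
    Rule(SCADA_SERVER, READ_FCS, "allow"),                 # SCADA server may only read
    Rule(None, WRITE_FCS, "deny"),                         # nobody else may write
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1); the PDU (function code + data) follows.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def decide(src_ip: str, frame: bytes) -> tuple:
    """Return (action, reason) for one request from src_ip, as a DPI enforcer would."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed Modbus/TCP frame: {exc}"  # fail closed on garbage
    fc = req["fc"]
    for rule in POLICY:
        if (rule.src is None or rule.src == src_ip) and fc in rule.fcs:
            return rule.action, f"fc=0x{fc:02X} matched {rule.action} rule for src={rule.src or 'any'}"
    return "deny", f"fc=0x{fc:02X} matched no rule (default deny)"


# Constructed request frames (transaction id 1, unit id 1).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")            # FC 0x03: read 10 registers at 0
WRITE_MULTIPLE = bytes.fromhex("0001 0000 0009 01 10 0000 0001 02 1234")  # FC 0x10: write 1 register at 0

if __name__ == "__main__":
    cases = [
        (SCADA_SERVER, READ_HOLDING), (SCADA_SERVER, WRITE_MULTIPLE),
        (ENG_WORKSTATION, WRITE_MULTIPLE), ("10.0.1.99", READ_HOLDING),
        ("10.0.1.99", WRITE_MULTIPLE), ("10.0.1.99", b"\x00\x01\x00\x00"),
    ]
    for src, frame in cases:
        action, reason = decide(src, frame)
        print(f"{src:>12} {action:5} {reason}")
```

Two details carry over to a real deployment: the filter fails closed on frames it cannot parse rather than letting them through, and an unknown host gets no access at all, not even reads, because only explicitly listed sources match an allow rule.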
HiSecOS implements IEEE 1686 requirements for cybersecurity of electronic devices in substations:
The EAGLE40 bypass relay maintains Ethernet connectivity when the device loses power, so a firewall power failure does not isolate the protected segment. While the bypass is active, traffic passes through without stateful or DPI inspection; the relay trades enforcement for availability, so treat firewall power loss as an event to alert on and restore promptly.
The EAGLE40 supports Intrusion Detection System (IDS) operation. In sensor mode, it mirrors suspicious traffic to an IDS server for analysis. In server mode, it processes IDS alerts locally and triggers SNMP traps or syslog messages.
The following script parses EAGLE40 syslog messages to extract blocked connection events.
```python
import re
import sys
from pathlib import Path

# Matches a syslog line of the form
#   <date> <time> ... FIREWALL ... DENY ... src=<ip> ... dst=<ip> ... proto=<name>
# The exact field layout is assumed; adjust the pattern to the export format
# of your firmware version.
BLOCKED_RE = re.compile(
    r"(?P<ts>\S+ \S+).*?FIREWALL.*?DENY.*?"
    r"src=(?P<src>\S+).*?dst=(?P<dst>\S+).*?"
    r"proto=(?P<proto>\S+)"
)


def parse_blocked(log_path: str) -> list[dict]:
    """Extract blocked connections from an EAGLE40 syslog export."""
    results = []
    lines = Path(log_path).read_text(encoding="utf-8", errors="replace").splitlines()
    for line in lines:
        m = BLOCKED_RE.search(line)
        if m:
            results.append(m.groupdict())
    return results


if __name__ == "__main__":
    # Default path is a placeholder; pass the real export as the first argument.
    log_file = sys.argv[1] if len(sys.argv) > 1 else "/var/log/eagle40.log"
    for evt in parse_blocked(log_file):
        print(f"{evt['ts']} {evt['src']} -> {evt['dst']} {evt['proto']}")
```

Review blocked events daily during the first week after deployment. Legitimate traffic that triggers DENY rules indicates a missing allow rule; traffic that should never occur indicates a host to investigate.
IEEE 1686 audit trail for substations
Every login, configuration change, and rule modification is logged with timestamp and user identity. Required for substation cybersecurity compliance.
Firewalls filter traffic bidirectionally. The next section covers the Rail Data Diode, which enforces one-way data flow at the hardware level, eliminating the return-path attack surface entirely.