Considering cybersecurity for industrial control systems (ICS), the latency of a firewall could affect a timing restriction of a real-time control loops. To solve this issue, we propose the “real-time firewall”, the low and deterministic latency firewall for control networks. It employs on-the-fly rule matching method to minimize the latency of the firewall, which modifies the FCS (Frame Check Sequence) field of Ethernet frames to discard malicious frames. It also employs the Shift-and algorithm for signature pattern matching. We prototyped the real-time firewall using an FPGA and evaluated it, then confirmed that 1) it does not limit the throughput of 100BASE-TX wire speed, and 2) the latency ranges from 2.12µs to 2.2µs regardless of the frame size or the number of matching patterns to be inspected.
