06-12-2025 12:32 AM
We are evaluating the PA-400 Series (including PA-410, PA-415, etc.) for use in an industrial SCADA application that is subject to critical cybersecurity requirements, particularly those set by our national utility authority.
Specifically, we would like to clarify the following:
Does the PA-400 Series support functionalities equivalent to a Unidirectional Security Gateway (USG) or a Bidirectional Security Gateway (BSG), in terms of physically enforced one-way or strictly controlled two-way data transmission between OT (SCADA/DCS) and IT or external/cloud networks?
To meet compliance, such gateway solutions are typically required to:
Physically enforce one-way data transmission (in the case of USG), e.g., via optical diodes or similar hardware mechanisms.
Or, in the case of BSG, strictly control inbound and outbound data paths, with deep content inspection, command validation, and tamper-resistant design.
Be certifiable under standards such as IEC 62443, EAL4+, etc.
We have reviewed the PA-400 datasheet, but it appears that these hardware-enforced cybersecurity capabilities are not mentioned explicitly. Could you please confirm whether the PA-400 series can meet such requirements, or if you have a different product line that is specifically designed for industrial control system (ICS) or critical infrastructure OT-IT segmentation?
Any supporting documentation, use cases, or compliance references would be greatly appreciated.
Thank you for your time and support.
06-12-2025 07:22 AM
@huulamid -- I don't work primarily in the utility space, but do have some experience with ICS/SCADA controls through a Palo FW. Based on what you're saying you need, it seems like this would be something like a "data diode" or a "one-way link." If that's in the realm of what you're looking for, I would say a Palo firewall doesn't directly fit your use case.
I would say given the right Security policy and network setup you could probably achieve this though:
"Bidirectional Security Gateway (BSG), in terms of physically enforced one-way or strictly controlled two-way data transmission between OT (SCADA/DCS) and IT or external/cloud networks"
Using the "strictly enforced two-way data transmission." This would be achieved by placing endpoints in a particular Palo security zone and then allowing only defined ICS/SCADA applications (Palo Alto-defined App-IDs) like CIP/Modbus/DNP3.
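As an added illustration of the zone-plus-App-ID pattern described in the reply above (an example configuration written for this thread, not part of the original post and not taken from Palo Alto documentation): the PAN-OS CLI fragment below puts the PLCs in their own zone, permits only the Modbus and DNP3 App-IDs on their default ports toward a single historian, denies anything initiated from IT into OT, and ends with a logged catch-all deny. All zone, interface, address and rule names, the IP ranges, and the exact App-ID names are assumptions for illustration; verify the application names against the App-ID database on your PAN-OS release before committing.

```text
# Added example, not from the original post. Names and addresses are assumptions.

# Dedicated zones: OT hosts can only reach IT through explicit rules
set zone OT-SCADA network layer3 ethernet1/1
set zone IT-Historian network layer3 ethernet1/2

# Address objects for the OT endpoints and the single permitted IT destination
set address OT-PLCs ip-netmask 10.10.1.0/24
set address Historian ip-netmask 10.20.1.10/32

# Allow only the ICS App-IDs, on their default ports, OT -> IT, with logging.
# "modbus" and "dnp3" are assumed container App-ID names; confirm in Applipedia.
set rulebase security rules OT-to-IT-ICS from OT-SCADA to IT-Historian source OT-PLCs destination Historian application [ modbus dnp3 ] service application-default action deny
set rulebase security rules OT-to-IT-ICS action allow log-end yes

# Nothing from IT may initiate sessions into OT; log attempts so they are visible
set rulebase security rules IT-to-OT-Deny from IT-Historian to OT-SCADA source any destination any application any service any action deny log-end yes

# Explicit catch-all deny at the bottom, logged (the implicit interzone deny does not log)
set rulebase security rules Deny-All from any to any source any destination any application any service any action deny log-end yes
```

Two practical notes on this pattern. First, `service application-default` is what stops a permitted App-ID from being carried on an arbitrary port, so keep it rather than `service any`. Second, after committing, check the rulebase does what you think with the built-in matcher, for example `test security-policy-match from OT-SCADA to IT-Historian source 10.10.1.5 destination 10.20.1.10 protocol 6 destination-port 502 application modbus` (TCP is protocol 6), and run the reverse direction to confirm it hits the deny rule. Everything here is still policy enforced in software on a bidirectional device, which is the distinction the next reply draws against a hardware data diode.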
06-16-2025 11:41 PM
Hi @huulamid ,
I agree with @Brandon_Wertz's statement.
True USGs are hardware-enforced devices that physically prevent data flow in one direction. The PA-400 Series (or any standard NGFW) does NOT offer physically enforced one-way data transmission like a true data diode. It's a bidirectional device by nature. While you can configure highly restrictive security policies, this is a software-defined policy, not a physical enforcement.
The PA-400 Series can achieve strictly controlled two-way data transmission through its NGFW capabilities, but it's not a purpose-built "BSG" appliance in the sense of a dedicated, high-assurance industrial gateway from a vendor specialized in that area.
Kind regards,
-Kim.