Tofino Modbus TCP Enforcer LSM

Content Inspector for Modbus

  • Pre-emptive threat detection

  • Threat termination

  • Threat reporting

     

Figure: Tofino Modbus TCP Enforcer diagram (deep packet inspection for Modbus security).

Did you know that any device with a network connection to a Modbus controller can potentially CHANGE any of the controller’s I/O points or register values? Many controllers can even be reset, disabled, or loaded with new logic or firmware code!

 

The Tofino Modbus TCP Enforcer is a border guard inspector for Modbus communications, checking every Modbus command and response against a list of ‘allowed’ commands defined by your control engineers. Any command that is not on the ‘allowed’ list, or any attempt to access a register or coil that is outside the allowed range, will be blocked and reported by the Tofino Modbus TCP Enforcer.

Summary

Saves You Money Through:

  • Reduced down time and production losses

  • Lower maintenance costs

  • Improved system reliability and stability

Features

  • First-ever application of deep packet inspection technology to industrial protocols

  • Control engineer defines list of allowed Modbus registers and coils, and limits of accessible register and coil addresses

  • Automatically blocks and reports any traffic that does not match your rules

  • Protocol ‘Sanity Check’ blocks any traffic not conforming to Modbus standard

  • Supports multiple master and slave devices

  • Simple configuration and monitoring using the Tofino CMP

  • Certified Modbus compliant by Modbus IDA

Applications

  • Oil & gas custody transfer

  • Safety instrumentation systems

  • Historian servers

  • Display-only HMI panels

  • Partner access to telemetry data

Specifications

Supports Multiple Connections

Multiple master and slave Modbus devices are supported, with a unique set of inspection rules and options for each master/slave connection

Default Filter Policy

Deny by default: any Modbus function code, or register or coil address, that is not on the ‘allowed’ list is automatically blocked and reported

User-Settable Options

The following options may be set on a per-connection basis:

  • Permitted Modbus function codes

  • Permitted register or coil address range (for each permitted function code that accesses registers or coils)

  • Sanity check enable/disable

  • State tracking enable/disable

  • TCP Reset on blocked traffic (only for connections utilizing Modbus/TCP transport protocol)

  • Modbus exception reply on blocked traffic
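
The deny-by-default check described above, as an added Python example (not Tofino code or its configuration format): it sanity-checks the Modbus/TCP framing of a request, then tests the function code and address range against a per-connection allow-list. The policy values, function names and sample requests are constructed, and the exception codes used for blocked traffic (0x01 illegal function, 0x02 illegal data address) are an assumption, since the page does not say which codes the product returns.

```python
import struct

# Constructed per-connection policy: function code -> permitted (first, last) address.
# Anything not listed is denied (deny by default).
POLICY = {3: (0, 99),    # Read Holding Registers 0..99
          6: (10, 19)}   # Write Single Register 10..19
SINGLE = {5, 6}                # requests carrying address + value (one item)
RANGED = {1, 2, 3, 4, 15, 16}  # requests carrying address + quantity

def inspect(adu, policy=POLICY):
    """Return (allowed, reason, exception_reply_or_None) for one Modbus/TCP request."""
    # Sanity check: 7-byte MBAP header + function code, protocol id 0,
    # length field matching the bytes that follow it, ADU at most 260 bytes.
    if not 8 <= len(adu) <= 260:
        return False, "malformed: bad ADU size", None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != len(adu) - 6 or not 1 <= fc <= 127:
        return False, "malformed: bad header", None

    def deny(reason, exc_code):
        # Exception reply: same transaction and unit id, function code | 0x80.
        reply = struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, exc_code)
        return False, reason, reply

    if fc not in policy:
        return deny(f"function code {fc} not allowed", 0x01)
    if fc in SINGLE or fc in RANGED:   # other permitted codes carry no address
        if len(adu) < 12:
            return False, "malformed: truncated request", None
        addr, second = struct.unpack(">HH", adu[8:12])
        qty = 1 if fc in SINGLE else second
        if qty < 1:
            return False, "malformed: zero quantity", None
        lo, hi = policy[fc]
        if addr < lo or addr + qty - 1 > hi:
            return deny(f"address {addr}..{addr + qty - 1} outside {lo}..{hi}", 0x02)
    return True, "allowed", None

def request(tid, unit, fc, addr, second):
    """Build a constructed sample request (address + quantity or value form)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, second)

if __name__ == "__main__":
    for adu in (request(1, 1, 3, 0, 10), request(2, 1, 3, 95, 10),
                request(3, 1, 5, 0, 0xFF00), request(4, 1, 6, 12, 0x00FF)):
        print(inspect(adu)[:2])
```

Malformed frames are dropped without a reply here, while policy violations return an exception frame that echoes the request's transaction ID so the master can match it to the blocked command.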

     

Transport Protocols

Both Modbus/TCP and Modbus/UDP supported

Operating Modes

All standard Tofino modes supported:

  • Passive: no filtering or alerting

  • Test: no traffic filtered; alerts generated as per user-defined rules

  • Operational: traffic filtered and alerts generated as per user-defined rules

Security Alerts

Reports blocked traffic to the Tofino CMP management console via Tofino ‘Exception Heartbeat’ mechanism

Certifications

Certified Modbus-compliant by Modbus-IDA

System Requirements

Ordering Information

Part number LSM-MBT-100 (Tofino Modbus TCP Enforcer LSM)

 

Additional information:

Download Tofino Modbus TCP Enforcer Data Sheet (PDF)