HideWarning

Securing EtherNet/IP Control Systems using DPI

Next Generation Firewalls with Deep Packet Inspection (DPI) capabilities are now mainstream products for IT protocols. Unfortunately, designers and operators of industrial control systems (ICS) have not had access to these advanced technologies to protect their critical communications that involve protocols such as EtherNet/IP™. This is a serious problem. Mission critical control systems need DPI technology even more than IT systems do.

Understanding Deep Packet Inspection for SCADA Security

The world’s manufacturing, energy and transportation infrastructures are currently facing a serious security crisis. These critical systems are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.

The good news is that there is an effective and easy-to-deploy solution to this security crisis. Using an advanced technology called “Deep Packet Inspection” (DPI), SCADA-aware firewalls offer fine-grained control of control system traffic.

Analysis of the 3S CoDeSys Security Vulnerabilities for Industrial Control System Professionals

A number of previously unknown security vulnerabilities in the CoDeSys Ladder Logic Runtime product, plus fully functional attack tools that exploit them, have been publicly disclosed.

While CoDeSys is not widely known in the SCADA and ICS field, its product is embedded in many popular PLCs and industrial controllers. There is a risk that criminals or political groups may attempt to exploit the vulnerabilities for either financial or ideological gain. 

TV205: Tofino OPC Enforcer LSM

September 2012 (25:02)

The major features and benefits of the Tofino OPC Enforcer LSM are presented, followed by a hands-on demonstration where we implement firewall protection for an OPC server in a plant network.

TV204: Tofino Recommended Best Practices

September 2012 (26:07)

Recommended best practices are discussed for Tofino deployment, including:

TV203: Tofino Modbus Enforcer LSM

September 2012 (18:26)

Building on the previous 'how-to' videos in this series, this video shows an example configuration session where we deploy the Tofino Modbus TCP Enforcer LSM to implement read-only protection for a Modbus PLC.

TV202: Tofino Secure Asset Management LSM

September 2012 (17:06)

The major features and benefits of the Tofino Secure Asset Management module are briefly covered, and the SAM module is then demonstrated on the same simulated chemical blending plant that was used in the first video of this series.

TV201: Tofino Orientation

September 2012 (24:28)

First steps with Tofino: a sample configuration session shows how to get started with the Tofino Security Appliance, Tofino Central Management Platform, and the Tofino Firewall LSM. A Tofino Security Appliance is used to protect a PLC in a simulated chemical blending plant.

Tofino Pre-deployment

The Tofino CMP allows the configuration of a single Eagle 20 Tofino, or a complete network, to be created remotely or before the actual hardware is available.

As a result, on-site deployment time is considerably reduced.

This movie shows the pre-deployment process, and many additional tips and tricks.

 

Modbus TCP Enforcer Deep Packet Inspection

The Modbus TCP Enforcer LSM provides deep packet inspection for devices using this protocol for both TCP and UDP.

Read-only access can be enforced for coils and registers.  A Sanity Check option ensures that data passing through the Eagle 20 Tofino conforms to the Modbus TCP standard.

This movie shows the configuration options for the Modbus TCP Enforcer LSM.

Video: Testing and Activating Rules

The Tofino system includes an innovative test mode, which allows the firewall rules to be tested before the security system is made operational.

Even for an existing network, security can be integrated with no disruption.

This movie demonstrates the test and operational modes of the Eagle 20 Tofino.

Creating Tofino Firewall Rules

Tofino technology enables firewall rules to be created using drag and drop.

No IT knowledge is required to configure security for a network.

This movie shows how to configure effective security with a few mouse clicks.

Tofino Device Discovery

To enable drag and drop Tofino configuration, and provide an accurate topology, end devices should be added to the Network View.

Devices can be added manually, or automatically using the Secure Asset Management LSM.

This movie demonstrates both techniques.

 

Video: Eagle Tofino Loadable Security Modules

The Eagle 20 Tofino functionality is provided by Loadable Security Modules (LSM).

The Tofino functionality is therefore tailored to the application.

This movie shows how the LSMs are loaded on to the Tofino hardware.

Discovery of Eagle 20 Tofino Devices

Discovery is achieved using a proprietary scanning mechanism called Tofino Discovery on the Central Management Platform (CMP).

This movie shows how to discover Eagle 20 Tofino devices which are attached to the network.

 

TV105: How does Tofino Protect my Plant?

May 2012 (7:33)

Previous videos in this series have discussed how Defense in Depth can be an effective strategy to secure control networks. So how exactly does Tofino implement Defense in Depth? And what makes it the best solution?

 

TV104: Why Is Cyber Security Still a Problem in SCADA and Control Networks?

May 2012 (5:45)

IT engineers have been dealing successfully with cyber security issues for years, and there are many security products in daily use in enterprise networks. Why is cyber security such a challenge on control networks? Why can't the same tools and techniques be used to secure these systems?

TV103: Security Strategies that Work On the Plant Floor

 

 

May 2012 (6:11)

The previous video in this series showed that a firewall on the plant network could not protect us against many cyber security threats. But if that doesn't work, then what ARE we supposed to do to protect our plant?

 
