New Technologies Inside the Triconex Tofino Firewall

In my last blog, I mentioned that one of the good things about Invensys winning the Breakthrough Product of the Year Award for 2010 for the Triconex Tofino OPC Firewall was that it may indicate that industrial network security for control and SCADA systems is becoming mainstream in the engineering world.

The award is also yet another validation of the new security technologies that the Invensys team chose for their firewall. In this blog I will provide a brief tour of some of those technologies, and why I think they are important for the control system world going forward.

Extending the Fixed Configuration Firewall

Fixed Configuration Firewalls (FCFs) are security devices where the configuration rules are locked in at the factory after exhaustive testing.  The advantages are that this removes human configuration errors, a substantial risk factor, and prevents evil doers from changing firewall rules. This topic was discussed at length in a recent blog article.

For the Triconex firewall, the team took the FCF concept and extended it. The reason is that the Triconex Configuration Module (TCM) is very flexible in its configuration, so there had to be some way to fine tune a few of the firewall rules. Otherwise, some valid Triconex use cases would not work. At the same time, they didn’t want the rules to be wide open to modification the way an IT firewall is.

Automatically Generated Firewall Rule Sets

The solution was to start with a predefined group of allowable rules that make sense for 99% of all Triconex deployments. Next, the team decided to use the actual safety system logic to automatically fine tune the rule sets.

For example, if the TCM has an IP address of, that information will be contained somewhere in the SIS’s logic and configuration files. And most often, it will have been very carefully tested and validated during design and commissioning of the SIS. Why not use that information to drive the creation of firewall rules?

The result is that the safety engineer simply exports a standard SIS configuration file, passes it through a special Triconex rule wizard and a completely encrypted and locked set of rules is ready for loading into the firewall. As long as the safety system logic remains the same, the firewall rules remain the same. Since most companies have very good change management controls on their SIS logic (which usually never changes), the firewall automatically inherits the same change management rigor.

Frankly, we think the idea of automatically generating firewall rule sets (something that engineers don’t usually understand) from the process logic (something that engineers had better understand well) is a technology with big potential for reliable SCADA/ICS security.

OPC Enforcer Technology to Manage the Challenges of Unpredictable TCP Ports

The Triconex system also has the ability to act as a full OPC Classic server. This has its benefits – easy integration with other control systems – and its risks – the security challenges that come with OPC Classic, especially RPC’s wide open use of TCP port numbers.

The solution Invensys chose was the Tofino OPC Enforcer technology. This technology allows the firewall to secure the notoriously “difficult to firewall” RPC protocols that underlie OPC.

As the OPC clients and servers hop from one TCP port to another, the Triconex firewall tracks each move, opening firewall ports only after validating the packets, initiating the port change, have come from pre-approved OPC Client/Server pairs and are well-formed OPC connection requests. If the requests are not well formed, are not from approved servers or are non-OPC RPC traffic, the firewall remains as tight as a clam.

By the way, the Tofino OPC Security technology is not just for Triconex users. It is also available in a fully-configurable version from Byres Security as the Tofino OPC Enforcer for use with any OPC Classic system.

If you want to know more about the technology and why it is needed for OPC, check out the white paper from the OPC Foundation and Byres Security called “Securing Your OPC Classic Control System.

Taking Advantage of the Differences

When you add up the technologies above, it is very apparent how different industrial network security is from regular IT security. It also shows that these differences can be used to our benefit. The SCADA, PLC or SIS network is far more consistent on a day-to-day basis than the typical IT network. This provides opportunities in all aspects of security, including easier intrusion detection, simpler firewall deployments and better change management.

The industry needs to continue to take advantage of these opportunities as it moves towards secure control systems.


Subscribe to the "Practical SCADA Security" news feed

Add new comment