APRIL 2007 THE INDUSTRIAL ETHERNET BOOK

As the famous military strategistClausewitz once said, ‘If youentrench yourself behind strong

fortifications, you compel the enemy to seeka solution elsewhere.’ The enemy of modernEthernet-based control systems – the wilyhacker or virus writer – will find a way aroundthe firewall and into the critical computers anddevices on the network if given any sort ofchance.

The IT world has learned this lesson in veryexpensive ways. After years of infected serversand desktops costing millions of dollars in lostproduction, most IT departments nowdemand that all computers must also havetheir own defence-in-depth mechanisms suchas anti-virus software and personal firewalls,regardless if they are behind a firewall or not.But the controls world has been largely devoidof personal firewall or encryption protectionaround products such as PLCs, DCS, HMIsand RTUs. As a result, most critical industrialdevices have not been as well secured as theaverage receptionist’s PC!

A software-configurable approach inhardware places a firewall security aroundindividual devices – or groups of devices –imparting security isolation down to devicelevel. Eric Byers and Ian Verhappen have led

the development effort for the device they callTofino. While both are slightly cagey (Frank

Ogden writes) about its precise operationalmechanism – for intellectual property reasonsthe authors say – they make the claim that thehardware can be installed in the field by staffwith no security training at all while at thesame time permitting company securityexperts and control system specialists tomonitor and manage control system securityconfidentially from anywhere in the world.

To elicit rather more on what it is and howit works, The Industrial Ethernet Book put afew questions to Eric and Ian about their newsecurity technology.

● Where does this unit sit on the network?

“The unit is suitable for Zone 2 and can, infact should be, mounted in the field. It isdesigned to go where ever the controller (PLC,DCS, etc) is located. For example, if you havea cabinet with a PLC mounted in it you wouldmount it beside the PLC. We are currently indiscussions with several controls vendors tocreate versions that will mount on theirbackplanes but these won’t be released untilearly 2008. I should also note it is like a PLCin terms of environmental hardening so it isnot waterproof.

● Does it implement a firewall at fieldbus levelas in... unsecured fieldbus commands in,sanitised fieldbus commands out or does it workat a higher (Ethernet protocol) level?

“It works at the fieldbus level as well ashigher levels, with specific field level protocolsbeing supported. The first version has Modbussupport with additional buses under develop-ment for future release.

The current version is either serial- orEthernet-based with support for protocols likeModbus that operate over these commonlower layer protocols. This choice was madefor two reasons. First nearly every fieldbusprotocol now comes in an Ethernet version,e.g. Profinet, FF HSE, EtherNet/IP and soon. Secondly, Ethernet or serial are wheremost of the serious hacker risk presently is.Further releases will support for specialityphysical layers like DeviceNet or FF H1.

Circle 71

Defence-in-depth nowtakes in fieldbus levelsBetween the centuries, Chinese emperors hiding behind the Great Walland IT managers hiding behind the firewall have learned thatdependence on a single point of security leads to a painful lesson indefeat. New technology offers a layered approach to network defencefrom the field level upwards. Eric Byres and Ian Verhappen

ART

WO

RK:F

RAN

KO

GD

EN

IEB38_p27 24/3/07 2:36 PM Page 27

28

SEC

URI

TY

THE INDUSTRIAL ETHERNET BOOK APRIL 2007

● Does the unit implement the firewall action in silicon or software?

“It is all done in software as downloadable modules much likeFunction Blocks for Fieldbus. We are able to add new modules ‘onthe fly’ without affecting the operation of existing units.

● What of the update service? How much does a subscription cost...who writes and distributes the updates?

“Updates will be on a subscription basis though we do not yet havethe price structure confirmed. The updates will be distributed by MTLafter joint development with Byres Security.

● Does the firewall process – whatever it is – affect overall systemlatency and determinism? – important for motion applications?

“Only in a very minor way, similar to the latency that a typicalEthernet switch might add. We have done extensive testing of this to

make sure these delays are acceptable for allprocesses we have encountered. And a futureloadable module is planned that will actuallyimprove network determinism by providingQoS options that one might find in high endmanaged switches.

● So how do you implement this field-levelsecurity system?

“In a nutshell, we envisage the following…Actually it is what our beta clients have toldus they will do.

The control system engineers decide whichdevices are either vulnerable or mission-criticalto their production and safety and thus needdefence-in-depth protection based the CERNtesting – and that includes most controllers inuse today. [CERN tests reveal IE securityflaws; IEB p12, Nov 2006]

The control system or security staff next setup a Central Management Platform (CMP)somewhere in the company for configurationand monitoring of the Tofino appliances –similar to a configuration station for Fieldbus,but is also remotely accessible using a secureweb browser. It can be located in the plantdirectly on the control system network, in theplant on the business network, at HQ on theenterprise network or all of the above. You

Boost your automation line

and your bottom line with Brad® Ethernet products for the factory floor.

You’ve relied on Brad for DeviceNet, PROFINET and ControlNet. Brad

for Ethernet is a complete line of industrial Ethernet products from

cordsets and gateways to a brand new offering of switches. All from

the recognized leader in automation solutions.

Your net’s worth more with Ethernet products by Brad. For innovation,

performance and reliability – from a company that knows your industry

inside and out – choose Brad.

For more information Tel.: +33 2.32.26.96.36

NET WORTH.WHAT’S YOURS?

w o o d h e a d . c o m / e t h e r n e t

© 2 0 0 7 W o o d h e a d I n d u s t r i e s , a d i v i s i o n o f M o l e x I n c .

Circle 79

Internet

InternetFirewall

Business/ControlSystem Firewall

DMZ

DistributedFW

Cluster of PLCsSCADA RTU

DCS Controllers

DistributedFW

Business Network

Internet attacksInfected

Business PC

Infected HMI

Layer 5 Defence(Enterprise)

Layers 3/4 Defence(Control System)

Layers 1/2 Defence(Device)

A multilayer defence-in-depth architecturerecognises that any threat may be able tobypass any single point of defence but is unlikelyto be able to bypass multiple defence points. Italso acknowledges the fact that that threats canoriginate from both outside and within thesystem. In this illustration we see a controlsystem that is protected by three layers ofdefence; a corporate firewall to protect theoverall enterprise against general internetthreats, a business to control system firewall withDMZ to protect the overall control system, anddistributed security appliances to protect keyassets like PLCs or DCS.The layer numberscorrespond to the model of a typical industrialenterprise as defined in the ISA SP-99 Standardfor Automation and Control System Security-Part 1.

Defence in depth for fieldbus…

IEB38_p27 24/3/07 2:36 PM Page 28

APRIL 2007 THE INDUSTRIAL ETHERNET BOOK

can have multiple CMPs to manage andmonitor the system.

Technicians are sent into the field to installthe units in front of one or more of theidentified critical control devices – a singleTofino can protect up to 12 devices. This canbe done without impact to the process eitherbefore, during or after the CPM is set up. Theunits just sit quietly waiting for their ‘master’CPM to show up and tell them to go intoprotect mode. While they are waiting, they arein learning mode, completely transparent tothe network, yet learning about what is talkingto their future protected devices (and how) sothe firewall rules can be automatically built.

Once the Tofinos and the CPM are opera-tional, they set up highly secure connectionsand report what they have learned. The CPMthen looks up protection recipes (i.e. templates)for the devices needing protection andsuggestion these to the controls technician incharge of the security. The controls tech canthen decide to accept these suggestions or editthem using a simple screen with check boxes.(See screen dump above).

So imagine you have a system that has anumber of AB ControlLogix PLCs that arerunning a gas turbine. Tofino first discoverswhat is down stream and needs protection,which in this case, are the ControlLogix PLCs.Next it blocks all traffic that CERN or I willtell you should never be seen near aControlLogix… If you are suicidal you canover ride these blocking rules. It then tells youwhat traffic is going to and from theControlLogix gas turbine controls (and fromwhere) in a simple tree format. You decidewhat might not be valid traffic by putting ared ‘X’ in front of those devices you wantblocked and a green check mark in front ofdevices and protocols you want to talk to yourPLCs. This replaces the scripting of ugly accesscontrol lists like:acl 201 permit tcp any eq 80 10.20.30.00.0.0.255 gt 1023 established

or…

$IPT -A PCN_DMZ -p tcp --dport !$DH_PORT -j LOG_PCN_DMZ

which I can assure you everyone messes up,even if you have been writing these for years!

Next you can safely do a trial run ofblocking traffic in Test mode without affectingyour process. This is because in Test mode allthe traffic still gets allowed through the unit,but you get told what device would not havegotten its message to the PLCs if the Tofinowere in full Protect mode.

Finally you can go into Protect mode andsee how control system performs with fullsecurity operational. If you are concerned atany point you can back out and go back towhat was working earlier (just like onlineprogramming on an AB PLC).

So the controls tech in charge of securitystill has to learn what talks to what in thecontrol system and most techs and engineersknow that (or at least I hope they do). Whatthey don’t know are port numbers, IPaddresses, TCP flags, subnets and the like.And in case they don’t now what talks to whaton their control system, they will get that infor-mation presented in tree form so they canmake their decisions by checking off a fewboxes.

Unlike a traditional IT firewall, there is noIP addressing to worry about, no

DIP switches to set and nocomplex firewall rules to set

up. Interestingly thishas some importfringe benefitsfrom a securitypoint of view –since the securityappliance doesnot have an IPaddress, it is

almost impossible todetect using common hacking tools. If itcannot be found, it cannot be attacked.

● Odd name, ‘Tofino’?

“Tofino was originally conceived in my labat BCIT as a student thesis project about fiveyears ago. At the time we gave the students asmall processor called the Surf Board fordevelopment. Based on this, the studentsdecided to name the entire project Tofino afterthe surfer’s paradise community on the WestCoast of Vancouver Island. As Ian says, wethought the name was catchy and so it hasstuck.

Eric Byres is CEO, Byres Security, Inc.

Ian Verhappen is Director of IndustrialNetworking Technologies, MTL, Inc.

CMP set up screen for configuration andmonitoring of the Tofino appliances

FOR MORE INFORMATION CIRCLE 39

Circle 70

IEB38_p27 24/3/07 2:36 PM Page 29