Cyber security: Firewall device creates its own rules

-- Control Engineering, 5/7/2008

Creating cyber defense-in-depth often involves adding small firewall devices at internal levels of a control system. Now those devices can be smart enough to create their own firewall rules based on observation of traffic patterns.

MTL Instruments and Byres Security Inc. have released a new loadable security module (LSM) for their Tofino industrial security device that reportedly discovers and identifies network devices and creates firewall rules to control the traffic flowing to them, all without risk to the industrial process. Known as the Tofino secure asset management module, it automatically locates devices and generates rules by analyzing the traffic on the network.

Tofino provides device-level industrial Ethernet security.

Asset management tools from the IT world have been available for over a decade, but they are typically based on the principle of sending probing messages onto the network to discover what is deployed. Unfortunately for industrial users, there have been many documented cases where these discovery messages have caused SCADA and process control systems to crash.

In 2005, Sandia National Laboratories released a report describing a number of serious events from use of these tools, including this example: “A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang. The outcome was the destruction of $50,000 worth of wafers.”

As a result, many major energy and manufacturing companies have restricted or banned the use of IT-style asset tools on industrial networks, leaving control engineers without any techniques to determine what is actually connected to their network at any given moment.

The company says the new module provides a safe and secure means of locating what is on control system networks. Designed specifically for industrial control operations in critical industries such as oil and gas, manufacturing, utilities and power generation, the Tofino never probes the control devices. Instead, it listens for traffic and then uses special characterization techniques to determine the types of control devices on the network.

When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder. This way, an up-to-the-minute network map is always available to the control engineer.

Eric Byres, CTO at Byres Security Inc., notes: “Passive scanning techniques have been discussed in academic literature or released in open source projects before, but as far as we are aware, this may be the first successful commercial application of the technology in the world.”

The module also guides the user while creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic. Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making firewall configuration easier for a controls professional.
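The workflow the article describes has three stages: listen to traffic without ever probing a device, characterize each host from what it is observed to send and accept, then let the administrator accept or flag each discovery before allow rules are derived from the observed flows. The following is an added example written for this article, not Tofino's or Byres Security's code; the flow records and IP addresses are constructed, and the port-to-protocol table (502 for Modbus/TCP, 44818 for EtherNet/IP, 20000 for DNP3) is an assumption of the example, not a description of the module's characterization techniques.

```python
"""Passive asset discovery and firewall-rule generation from observed flows."""
from dataclasses import dataclass, field

# Constructed flow records (src_ip, dst_ip, protocol, dst_port). The addresses
# come from the RFC 5737 documentation range and are hypothetical.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.50", "tcp", 502),
    ("192.0.2.10", "192.0.2.50", "tcp", 502),
    ("192.0.2.10", "192.0.2.51", "tcp", 44818),
    ("192.0.2.11", "192.0.2.50", "tcp", 502),
    ("192.0.2.99", "192.0.2.50", "tcp", 22),
]

# Service ports used to characterize a device from what it is observed to
# accept. The port assignments are well known, but using them this way is an
# assumption of this example, not how the Tofino module works internally.
PORT_SIGNATURES = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3"}


@dataclass
class Asset:
    ip: str
    status: str = "pending"                      # until the administrator decides
    serves: set = field(default_factory=set)     # protocols seen going TO this host
    talks_to: set = field(default_factory=set)   # protocols this host initiates

    def role(self):
        if self.serves and not self.talks_to:
            return "server: " + ", ".join(sorted(self.serves))
        if self.talks_to and not self.serves:
            return "client of " + ", ".join(sorted(self.talks_to))
        return "mixed"


def characterize(flows):
    """Build an inventory purely from observed flows; nothing is ever sent."""
    inventory = {}
    for src, dst, proto, dport in flows:
        label = PORT_SIGNATURES.get(dport, f"{proto}/{dport}")
        inventory.setdefault(src, Asset(src)).talks_to.add(label)
        inventory.setdefault(dst, Asset(dst)).serves.add(label)
    return inventory


def review(inventory, decide):
    """Prompt for each pending asset: decide(asset) returns True to accept it
    into the inventory, False to flag it as a potential intruder."""
    for asset in inventory.values():
        if asset.status == "pending":
            asset.status = "accepted" if decide(asset) else "flagged"
    return inventory


def propose_rules(flows, inventory):
    """Derive allow rules from flows between accepted assets only. Everything
    else falls through to the final deny, so a flagged host gets no rule."""
    seen, rules = set(), []
    for src, dst, proto, dport in flows:
        if inventory[src].status != "accepted" or inventory[dst].status != "accepted":
            continue
        key = (src, dst, proto, dport)
        if key in seen:          # repeated flows collapse into one rule
            continue
        seen.add(key)
        kind = PORT_SIGNATURES.get(dport, "unclassified")
        rules.append(f"allow {proto} from {src} to {dst} port {dport}  # {kind}")
    rules.append("deny all")
    return rules


def operator_policy(asset):
    # Constructed stand-in for the administrator's decision: accept a host if
    # every connection it initiates is a recognised industrial protocol.
    return all(label in PORT_SIGNATURES.values() for label in asset.talks_to)


if __name__ == "__main__":
    inv = review(characterize(SAMPLE_FLOWS), operator_policy)
    for ip, asset in sorted(inv.items()):
        print(f"{ip:12} {asset.status:9} {asset.role()}")
    print("\n".join(propose_rules(SAMPLE_FLOWS, inv)))
```

The deciding step is deliberately a callback: the tool proposes, the engineer disposes. In the constructed sample, the host that only initiates SSH to a Modbus server is flagged rather than silently written into the rule set, and the rules that are generated allow only the flows actually observed between accepted assets, with a closing deny that blocks everything else.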


—Edited by Peter Welander, process industries editor, peter.welander@reedbusiness.com,
Process & Advanced Control Monthly