Cyber security: Firewall device creates its own rules
Creating cyber defense-in-depth often involves adding small firewall devices at internal levels of a control system. Now those devices can be smart enough to create their own firewall rules based on observation of traffic patterns.
|Tofino provides device-level industrial Ethernet security.|
Asset management tools from the IT world have been available for over a decade, but they are typically based on the principle of sending probing messages onto the network to discover what is deployed. Unfortunately for industrial users, there have been many documented cases where these discovery messages have caused SCADA and process control systems to crash.
In 2005, Sandia National Laboratories released a report describing a number of serious events from use of these tools, including this example: “A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang. The outcome was the destruction of $50,000 worth of wafers.”
As a result, many major energy and manufacturing companies have restricted or banned the use of IT-style asset tools on industrial networks, leaving control engineers without any techniques to determine what is actually connected to their network at any given moment.
The company says the new module provides a safe and secure means of locating what is on control system networks. Designed specifically for industrial control operations in critical industries such as oil and gas, manufacturing, utilities and power generation, the Tofino never probes the control devices. Instead, it listens for traffic and then uses special characterization techniques to determine the types of control devices on the network.
When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder. This way, an up-to-the-minute network map is always available to the control engineer.
Eric Byres, CTO at Byres Security Inc., notes: “Passive scanning techniques have been discussed in academic literature or released in open source projects before, but as far as we are aware, this may be the first successful commercial application of the technology in the world.”
The module also guides the user while creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic. Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making firewall configuration easier for a controls professional.Also from Control Engineering :
—Edited by Peter Welander, process industries editor, PWelander@cfemedia.com ,
Process & Advanced Control Monthly
Register here and scroll down to select your choice of free eNewsletters.