31 October 2008
The new loadable security module (LSM) for the Tofino™ Industrial Security Solution may be the smartest firewall on the market. It’s definitely an “industry first.”It analyses network traffic to “discover and identify” what devices are present and then creates firewall rules to control the information flowing to them, according to Eric Byres, CTO at Byres Security Inc. The device is a joint development of his company and MTL Instruments.THE DANGER FOR INDUSTRYThis innovation is a first in the industrial security world and possibly also in the IT security market, says Mr. Byres, who notes that asset management tools in the IT world have been available for over a decade, but they operate in a way that is dangerous for industrial environments.IT security works by sending probing messages (ping, SNMP, etc.) onto the network to discover what is deployed.Unfortunately for industrial users, there have been many documented cases where these discovery messages have caused SCADA and process control systems to crash. In 2005, Sandia National Laboratories in the U.S. released a report describing a number of serious events from use of these tools, including this example:“A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang. The outcome was the destruction of $50,000 worth of wafers.”As a result, many major energy and manufacturing companies have banned the use of IT-style asset tools on industrial networks. This, says Mr. Byres, leaves control engineers without any techniques to determine what is actually connected to their network at any given moment.THE QUIET LISTENERUnlike IT security, Tofino never probes the control devices. Instead, it quietly listens for traffic and then uses special characterisation techniques to determine the types of control devices on the network. Listening for network traffic is not a difficult job, says Mr. Byres. Most devices connected to an Ethernet network are “chatty” he says, broadcasting “here I am” type messages every five minutes or so to identify their locations and let the other devices on the network know that it is connected. He says that after about a half hour, it is possible for his firewall to have located all the devices on the network simply by listening to their periodic broadcast messages.When it “discovers” a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder. This way, an up-to-the-minute network map is always available to the control engineer.Mr. Byres notes: “Passive scanning techniques have been discussed in academic literature or released in open source projects before, but as far as we are aware, this may be the first successful commercial application of the technology in the world.”WRITING THE RULESThe Secure Asset Management module doesn't rest on its laurels once it discovers everything on the network, he says. It also guides the user through creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic. Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making the normally byzantine art of firewall configuration easy for the controls professional.The new module is receiving very positive reviews from the security professionals who have seen the pre-release version. Charles Payne of Adventium Labs, a noted firewall expert who has lead numerous US Navy security projects, said “Tofino's novel context-sensitive approach ensures appropriate security policies for each protected device. The new automatic asset discovery and automatic rule generation will ensure that nothing is missed. These capabilities are critical for creating informed security policy in the industrial world.”“The Asset Management module is a key step in our Tofino Intrinsically Secure strategy,” added Mr. Byres. “Our goal is to make security understandable for control engineers, so that they can focus on keeping their process running safely and efficiently.”
Print this page | E-mail this page
This isn't a paywall. It's a Freewall. We don't want to get in the way of what you came here for, so this will only take a few seconds.
Register Now