Recently, several ICS end users in the Middle East and Asia have been exposed to attacks directly on the control systems through firewalls that have been misconfigured, or not configured correctly, for Modbus and OPC data. These attacks have caused weeks of rebuilding systems, with concomitant loss of production and loss of revenue. We have seen enough of this to validate the ISA99 "zones and conduits" model of ICS system architecture.
The problem is that the protocols themselves are not designed to be secure. Neither Modbus nor OPC Classic (based on COM/DCOM) can be secured in and of themselves. In the late 1990s, Eric Byres, then head of BCIT's Internet Security Lab, and now CTO of the Belden division that makes the Tofino industrial firewall product (what they now call the Tofino Security System), began to design a mitigating device. This device would be installed in the network between the actual device (PLC or PAC, etc.) and the network switch. The device would make the protected device "invisible" to the network, and only accept such data as was legitimate and correct.
Most firewalls are designed to protect Windows based systems. Byres designed his device to protect industrial end point devices. The difference is obvious.
But does it work? How do you know and how do you tell?
Reid Wightman, a leading security researcher, has completed the best and most rigorous testing on the Tofino device done to-date. His research was revealed this morning at the S4 meeting, put on by Digital Bond.
The results of the research are summarized below in the press release Belden (Tofino) put out this morning.
The only things Reid didn't like are summarized in his final verdict slide:
- A recommended product!
- Pros
- Great read-only/function protection – protect your safety systems, restrict engineering access
- Great protocol sanitization – protect controllers from baddata
- Very secure device, steps taken to reduce supply-chain risks (10+ years ahead of PLC security)
- Cons
- Doesn't prevent stoppable integrity attacks (yet)
- Can't prevent all integrity attacks (HMI one-way poison)
- Doesn't make me breakfast
Coming from a security professional, that's a ringing endorsement.
Here's the text of Belden's press release.
"Belden Inc., a global leader in signal transmission solutions for mission-critical applications, in collaboration with security experts at Digital Bond, Inc., today announced vulnerability testing results of the Tofino Security Appliance, a product of Tofino Security, a Belden Brand. Presented at the SCADA Security Scientific Symposium (S4) in Miami, Digital Bond's findings revealed that the industry's known sophisticated cyberattacks could not compromise the Tofino firewall.
"Advanced industrial communications opened the door to outside attacks and over the past few years these attacks have greatly increased in both volume and impacts. It's our job to ensure that organizations stay secure in a rapidly evolving industrial environment," said Eric Byres, CTO of Belden's Tofino Security.
"The Digital Bond team, led by Reid Wightman, a researcher at IOActive (and formerly with Digital Bond), shares our goal. Their testing and results demonstrate the strength of our security solutions, but also emphasize the critical nature of continuous assessment and the immediate resolution of discrepancies."
Considered one of the world's most respected sources for control system security research, Digital Bond's security evaluations are among the most rigorous tests in the industry.
Both the Tofino Security Appliance and its management software withstood a variety of sophisticated reverse engineering attacks. The firewall was also subjected to flooding, fragmentation and fuzzing attacks designed to determine if it could be tricked into either blocking good messages or allowing bad messages. The Tofino Security Appliance passed these tests without issue.
Testing also included attacks on Modbus communications, the world's leading industrial protocol. "Tofino Security provides an awesome security appliance that does the best possible job with the current protocols. It did an excellent job of securing the Modbus protocol, preventing disallowed function codes from getting through," said Wightman.
He concluded: "I would recommend the appliance to anyone in search of an industrial cyber security solution. In all, I'm quite impressed with the Tofino Security Appliance." Wightman's concerns were with the SCADA and IP protocols themselves - he would like to see the industry start creating standards for new, more robust protocols this year.
Byres acknowledged Wightman's concerns, "The SCADA protocols were never designed with security in mind. It will take a major effort to either fix the existing protocols or create new ones. In the meantime, Tofino's advanced Deep Packet Inspection determines if a message is a read or a write message and drops all write messages, significantly improving the security of the technologies that industry is using today."
In addition to Modbus, Tofino Security provides Deep Packet Inspection for the widely-used OPC and Ethernet/IP protocols. It is a key reason that major automation vendors Schneider, Honeywell, Emerson, Yokogawa and Invensys/Triconex have adopted Tofino and Belden firewalls to secure their systems. As a result, many new sales of critical SIS, PLC and DCS products include a robust industrial security solution from Belden.
For those companies that want even more security, Belden products such as the Tofino Virtual Private Network modules and Hirschmann Power Mice switches with Dynamic ARP Inspection provide robust anti-spoofing and integrity features. Belden's vision is to offer a layered solution that covers all aspects of critical industrial security.
"Customers need solutions designed for long-term implementation that just work," said Byres. "Our advanced technologies—including Deep Packet Inspection—and our comprehensive lifecycle approach to industrial security contribute to such solutions. Thank you to Digital Bond for their thorough testing of our products."
Tofino Security, a Belden Brand, provides practical and effective industrial network security and SCADA security products that are simple to implement and that do not require plant shutdowns. Its products include configurable security appliances with a range of loadable security modules plus fixed function security appliances made for specific automation vendor applications. Tofino Security products protect zones of equipment on the plant floor, and are complementary to Belden's Hirschmann brand, which leads industrial networking solutions. Both groups service and secure industrial networks in the oil and gas, utilities, transportation and automation industries. www.tofinosecurity.com.
Walt Boyes is the editor-in-chief for Control. Email him at [email protected] or check out his Google+ profile.