Byres Security and MTL have jointly announced a significant addition to their Tofino cybersecurity solution, extending protection beyond the plant to communications with remote sites. Designed specifically to make authentication and encryption of SCADA and automation communications easy for control specialists, the Tofino Virtual Private Network (VPN) product line comprises Server and Client Loadable Security Modules (LSMs) and a VPN Client License and can be used securely to connect facilities and people together over untrusted networks such as the Internet. Applications are seen in the monitoring and control of remote sites from a central location; providing remote personnel with secure access to control systems; securing communications between critical controllers; and enabling legacy non-IP control traffic to be carried over IP networks.
As with Byres'earlier Tofino offerings, the emphasis is on providing a solution that can be set up and administered by control technicians without specialist IT support and ensuring that neither security nor reliability are compromised by configuration errors.
Security is provided by Secure Sockets Layer (SSL), widely used in commerce and selected because it is reckoned to be less complex to configure than other VPN technologies. Once the technician has installed the Tofino Security Appliances (SAs) in the field, deployment is completed centrally using the Tofino Central Management Platform (CMP) and without any changes to the existing control system network or addressing. Handling of security components occurs behind the scenes, with setup simply involving logging into and installing the VPN loadable modules into the SAs and then dragging and dropping the icons for SAs to pair the units. The LSMs create secure tunnels for communication between SAs, between SAs and PCs, and between SAs and supported third-party devices and, as with other Tofino products, VPN modules can be operated in "test" mode before they are activated.
SCADA-capable
As well as providing secure tunnels for communication, the VPN solution integrates with the Tofino Firewall and Modbus TCP Enforcers, ensuring that only "permitted" messages are distributed while preventing potentially dangerous transmissions such as a virus originating from a remote PC or a user sending inappropriate programming commands. As a result, it is claimed to be the only VPN solution currently available which has an integrated SCADA-capable firewall. The resultant high degree of granularity in setting access rules allows, for example, the designation of certain specific computers, such as remote HMI PCs, to have read-only access to PLCs for operational diagnostics, while a limited set of maintenance laptops can have remote programming access to PLCs.
"Our approach … is to deliver a system that is designed with the rugged environment, staff skills and needs of industry in mind, and that can be installed without plant downtime," said Byres Security CTO Eric Byres (Byres' wife Joann is CEO). "Unlike IT VPN solutions, the Tofino VPN products are readily configured and managed by controls engineers; they can be tested and implemented without risk to industrial processes; they are part of an industrially hardened system; and they support legacy automation devices and protocols."
