Security Analysis Tool Is Possible IT First

Sept. 16, 2008
Loadable Security Module (LSM)

MTL and Byres Security have now officially released the Loadable Security Module (LSM) for their Tofino Industrial Security Solution that was showcased at ABB Automation World back in April. The new Secure Asset Management module discovers and identifies what devices are on a network and then creates the firewall rules to control the traffic flowing to them. Unlike previous IT asset management tools, which send probing messages onto the network to discover what is deployed, the LSM poses no threat to the industrial process being controlled, since it locates the devices and generates the firewall rules simply by analyzing network traffic.

Such a passive approach is essential in industrial applications because many major energy and manufacturing companies have banned the use of IT-style asset tools, leaving control engineers without any means of determining what is connected to a network at any given moment. Their intransigence follows a number of well-documented incidents in which discovery messages have caused SCADA and process control systems to crash. In one case reported by Sandia National Laboratories, a “ping sweep” of a network in an integrated circuit fabrication plant caused a system to hang and led to the destruction of $50k worth of wafers.

Tofino’s new module never probes the control devices, but listens for traffic and then uses special characterization techniques to determine the types of devices on the network. When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram or flag the device as a potential intruder. As a result, an up-to-the-minute network map is always available to the control engineer. “Passive scanning techniques have been discussed in academic literature or released in open source projects before but, as far as we are aware, this may be the first successful commercial application of the technology in the world,” claimed Byres Security CTO Eric Byres.

Once the module has discovered everything on the network, it guides the user through the previously daunting task of creating appropriate firewall rules to allow or block messages, based on its knowledge of the network traffic. Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making firewall configuration practicable for the controls professional.
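The workflow described above (listen only, build an inventory, let the operator accept or flag each device, then derive rules from the traffic actually seen) can be sketched as follows. This is an added example, not Tofino's code: classifying devices by destination port, the sample flow records and the rule syntax are all assumptions made for illustration.

```python
from collections import defaultdict

# Registered ports of common industrial protocols. Classifying by port is an
# assumption of this example; the article does not say how Tofino characterizes devices.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3", 102: "ISO-TSAP (S7)"}

# Constructed flow records as a passive tap would see them: (src, dst, proto, dst_port)
OBSERVED = [
    ("10.0.1.20", "10.0.1.5", "tcp", 502),
    ("10.0.1.20", "10.0.1.5", "tcp", 502),
    ("10.0.1.21", "10.0.1.6", "tcp", 44818),
    ("10.0.1.99", "10.0.1.5", "tcp", 502),  # host the operator does not recognise
]

def build_inventory(flows):
    """Derive devices and their roles purely from observed traffic; nothing is sent."""
    inv = defaultdict(lambda: {"serves": set(), "talks_to": set()})
    for src, dst, proto, port in flows:
        inv[src]["talks_to"].add((dst, proto, port))
        inv[dst]["serves"].add((proto, port))
    return dict(inv)

def describe(device):
    """Guess a device role from the services it was seen answering on."""
    names = sorted(ICS_PORTS.get(port, f"{proto}/{port}") for proto, port in device["serves"])
    return "server: " + ", ".join(names) if names else "client/HMI"

def flagged(inventory, accepted):
    """Devices seen on the wire that the operator has not accepted."""
    return sorted(set(inventory) - set(accepted))

def generate_rules(flows, accepted):
    """Allow only observed flows between accepted devices, then deny everything else."""
    rules = []
    for src, dst, proto, port in sorted(set(flows)):
        if src in accepted and dst in accepted:
            rules.append(f"allow {proto} {src} -> {dst}:{port}")
    rules.append("deny any any -> any")  # illustrative syntax, not a real firewall's
    return rules

if __name__ == "__main__":
    inventory = build_inventory(OBSERVED)
    accepted = set(inventory) - {"10.0.1.99"}  # operator's decision, hard-coded here
    for ip in sorted(inventory):
        print(ip, describe(inventory[ip]))
    print("flagged:", flagged(inventory, accepted))
    print("\n".join(generate_rules(OBSERVED, accepted)))
```

Because the rule set is built only from flows between accepted devices and ends in a default deny, the unrecognised host's Modbus traffic is blocked without anyone having to write a rule for it.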

Among the security professionals who have seen the pre-release version of the Secure Asset Management module is leading firewall expert Charles Payne of Adventium Labs, who has headed up a number of U.S. Navy security projects. “Tofino’s novel context-sensitive approach ensures appropriate security policies for each protected device,” he noted. “The new automatic asset discovery and automatic rule generation will ensure that nothing is missed. These capabilities are critical for creating informed security policy in the industrial world.”