The Tofino Xenon Security Appliance (or Tofino SA) is an industrial firewall designed specifically for protecting PLCs, HMIs, and control systems. By itself, the Tofino SA performs as a stateful layer 2, 3, and 4 firewall. A stateful firewall is used to review the network traffic and prevent the forwarding of traffic that does not match pre-defined conditions such as source/destination IP Addresses and TCP/UDP ports. Additional Loadable Security Modules (LSM) can be purchased to provide Deep Packet Inspection (DPI) for Modbus TCP/IP and EtherNet/IP protocols. The LSMs allow users to configure “Enforcer” rules which support additional filtering at the protocol level.
In the past, MYNAH Technologies has recommended only placing firewalls between networks or using a firewall to create a DMZ to protect the VIMs, PLCs, and VIMNet Explorer from less secure traffic. This approach works for insulating the VIMs and PLCs from external networks and does not pose any threat of accidentally blocking vital network communication between the VIMs and PLCs. Unfortunately, this strategy does not address security risks from within the same network. For instance, the PLCs and VIMs would still be vulnerable to attacks originating from the VIMNet Explorer computer or from computers used for configuring PLCs.
The Tofino SA can be used to help address this security vulnerability when it is placed between the VIM and the switch or between the PLC and the switch. The security appliance would act as a “last chance” firewall much like the software firewall on a Windows computer. The flip side to using the Tofino SA (or any similar device) is that it must be carefully configured and tested. An incorrectly configured firewall could interfere with vital process control communication or fail to stop malicious network traffic.
According to the Tofino Configurator User Manual, there are nine distinct steps for configuring the Tofino SA. The scope of this article is not to cover the entire Tofino SA configuration process but to define the necessary firewall rules to protect the VIM2 and its PLCs. Please refer to the Tofino Configurator User Manual for instructions pertaining to Tofino Configurator installation, creating a project, defining Tofino SAs, defining assets, configuring the event logger, installing the hardware, applying the configuration, and verifying the configuration.
Tofino Configurator has a comprehensive list of asset templates to aid in the firewall configuration. MYNAH Technologies recommends using the EtherNet/IP VIM2, Modbus TCP/IP VIM2, and VIMNet Explorer templates as a starting point for firewall configurations. Templates are useful because they have predefined rules regarding the protocols that the devices use. For instance, the EtherNet/IP VIM2 has the following rule profiles:
MYNAH Technologies recommends the following workflow when using asset templates:
MYNAH Technologies LLC
390 South Woods Mill Road, Suite 100
Chesterfield, MO 63017 USA
© MYNAH Technologies 2012 - 2020. All rights reserved.
Designs are marks of MYNAH Technologies. Emerson Process Management, DeltaV, and the DeltaV design are marks of one of the Emerson Process Management family of companies. All other marks are property of their respective owners. The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed as warranties or guarantees, expressed or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the design or specification of such products at any time without notice.
While this information is presented in good faith and believed to be accurate, Mynah Technologies does not guarantee satisfactory results from reliance upon such information. Nothing contained herein is to be construed as a warranty or guarantee, express or implied, regarding the performance, merchantability, fitness or any other matter with respect to the products, nor as a recommendation to use any product or process in conflict with any patent. Mynah Technologies reserves the right, without notice, to alter or improve the designs or specifications of the products described herein.