Industrial Ethernet Integration with a Tofino Xenon Security Appliance
By Jake Nichelson
Product: DeltaV Virtual IO Module - VIM2

Introduction

The Tofino Xenon Security Appliance (or Tofino SA) is an industrial firewall designed specifically for protecting PLCs, HMIs, and control systems. By itself, the Tofino SA performs as a stateful layer 2, 3, and 4 firewall. A stateful firewall reviews network traffic and prevents the forwarding of traffic that does not match pre-defined conditions such as source/destination IP addresses and TCP/UDP ports. Additional Loadable Security Modules (LSMs) can be purchased to provide Deep Packet Inspection (DPI) for the Modbus TCP/IP and EtherNet/IP protocols. The LSMs allow users to configure “Enforcer” rules, which support additional filtering at the protocol level.

In the past, MYNAH Technologies has recommended only placing firewalls between networks or using a firewall to create a DMZ to protect the VIMs, PLCs, and VIMNet Explorer from less secure traffic. This approach works for insulating the VIMs and PLCs from external networks and does not pose any threat of accidentally blocking vital network communication between the VIMs and PLCs. Unfortunately, this strategy does not address security risks from within the same network. For instance, the PLCs and VIMs would still be vulnerable to attacks originating from the VIMNet Explorer computer or from computers used for configuring PLCs.

The Tofino SA can be used to help address this security vulnerability when it is placed between the VIM and the switch or between the PLC and the switch. The security appliance then acts as a “last chance” firewall, much like the software firewall on a Windows computer. The trade-off with using the Tofino SA (or any similar device) is that it must be carefully configured and tested. An incorrectly configured firewall could interfere with vital process control communication or fail to stop malicious network traffic.

Requirements

  • Tofino Xenon
  • Tofino Configurator v03.0.00 or later
  • Tofino Configurator User Manual
  • Recommended: Modbus TCP/IP LSM (for Modbus TCP/IP DPI)
  • Recommended: EtherNet/IP LSM (for EtherNet/IP DPI)
  • USB thumb drive (optional)
  • Solid understanding of or background in IT and configuring firewalls

Warnings and Notes

  • Incorrectly configured firewall rules can interfere with process control
  • All network protocols without explicit firewall rules will be blocked
  • The Tofino SA firewall rules should be thoroughly tested before being added to the production environment
  • MYNAH Technologies can provide consulting services for configuring and testing firewall compliance


Application Note Scope

According to the Tofino Configurator User Manual, there are nine distinct steps for configuring the Tofino SA. The scope of this article is not to cover the entire Tofino SA configuration process but to define the necessary firewall rules to protect the VIM2 and its PLCs. Please refer to the Tofino Configurator User Manual for instructions pertaining to Tofino Configurator installation, creating a project, defining Tofino SAs, defining assets, configuring the event logger, installing the hardware, applying the configuration, and verifying the configuration.


Using Asset Templates

Tofino Configurator has a comprehensive list of asset templates to aid in the firewall configuration. MYNAH Technologies recommends using the EtherNet/IP VIM2, Modbus TCP/IP VIM2, and VIMNet Explorer templates as a starting point for firewall configurations. Templates are useful because they have predefined rules for the protocols that the devices use. For instance, the EtherNet/IP VIM2 template has the following rule profiles:

  • VIMNet Explorer Special Rule (allows VIMNet Explorer to detect VIMs on the network)
  • EtherNet/IP (CIP) Implicit Messaging (allows Class 1 communication)
  • EtherNet/IP (CIP) Explicit Messaging (allows UCMM DF1, Class 3, and Tag Access)
  • VIMNet Explorer Messaging (allows VIMNet Explorer to communicate to the VIM)
  • ICMP Ping Only


Workflow using Asset Templates

MYNAH Technologies recommends the following workflow when using asset templates:

  • Create device assets from templates for each device that will communicate through the firewall
  • Configure each device asset with the correct IP Address and MAC Address
  • Add a standard rule for a VIM2 to “Any” and select “Use rule profiles associated with selected assets to build firewall rules”
  • Modify the firewall rules according to the instructions within this tech note that match the scenario
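Because the Tofino SA blocks every protocol without an explicit rule, and because a wrong rule can either cut off process traffic or let same-network hosts through, it helps to write down the expected flows and check a candidate rule set against them on paper before applying it. The following is an added example (not MYNAH Technologies or Tofino code) of such an offline check for a Modbus TCP/IP VIM2 placed behind the appliance. The IP addresses, the VIMNet Explorer port (VIMNET_EXPLORER_PORT, a placeholder) and the rule names are constructed for the example; TCP port 502 is the standard Modbus TCP port. The evaluator uses first-match semantics with an implicit default deny, and lists only the initiating direction of each conversation, since a stateful firewall admits the replies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses for this example (not from the tech note).
VIMNET_EXPLORER = "10.0.0.5"
VIM2 = "10.0.0.10"
PLC = "10.0.0.20"
LAPTOP = "10.0.0.99"          # an unrelated host on the same network
MODBUS_TCP_PORT = 502         # standard Modbus TCP port
VIMNET_EXPLORER_PORT = 5000   # placeholder: the real VIMNet Explorer port is not given here


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # IP address, CIDR network, or "any"
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None means any port (or no port, for ICMP)
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _addr_match(pattern: str, addr: str) -> bool:
    """'any' matches every address; otherwise treat the pattern as a host or CIDR."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, flow):
    """Return (action, rule_name). First matching rule wins; a flow that matches
    no rule is denied, mirroring the appliance's block-unlisted-protocols default."""
    for r in rules:
        if r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if not (_addr_match(r.src, flow.src) and _addr_match(r.dst, flow.dst)):
            continue
        return r.action, r.name
    return "deny", "<implicit default deny>"


def audit(rules, expectations):
    """expectations: list of (Flow, expected_action). Returns the mismatches,
    each as (flow, expected, got, matched_rule); an empty list means the
    rule set behaves exactly as the expectations describe."""
    mismatches = []
    for flow, expected in expectations:
        got, name = evaluate(rules, flow)
        if got != expected:
            mismatches.append((flow, expected, got, name))
    return mismatches


# Candidate rule set for a Modbus TCP/IP VIM2 behind the Tofino SA (initiating direction only).
MODBUS_RULES = [
    Rule("VIMNet Explorer messaging", VIMNET_EXPLORER, VIM2, "tcp", VIMNET_EXPLORER_PORT, "allow"),
    Rule("Modbus TCP/IP VIM2 -> PLC", VIM2, PLC, "tcp", MODBUS_TCP_PORT, "allow"),
    Rule("ICMP ping from VIMNet Explorer", VIMNET_EXPLORER, VIM2, "icmp", None, "allow"),
]

# What must work (process traffic) and what must not (other hosts on the same network).
EXPECTATIONS = [
    (Flow(VIM2, PLC, "tcp", MODBUS_TCP_PORT), "allow"),
    (Flow(VIMNET_EXPLORER, VIM2, "tcp", VIMNET_EXPLORER_PORT), "allow"),
    (Flow(VIMNET_EXPLORER, VIM2, "icmp"), "allow"),
    (Flow(LAPTOP, PLC, "tcp", MODBUS_TCP_PORT), "deny"),
    (Flow(LAPTOP, VIM2, "tcp", VIMNET_EXPLORER_PORT), "deny"),
    (Flow(VIMNET_EXPLORER, PLC, "tcp", MODBUS_TCP_PORT), "deny"),
    (Flow(VIM2, PLC, "tcp", 80), "deny"),
]

# A common slip: widening the Modbus rule's source to "any" so configuration tools can reach the PLC.
OVERLY_BROAD_RULES = [
    Rule("Modbus TCP/IP any -> PLC", "any", PLC, "tcp", MODBUS_TCP_PORT, "allow"),
] + MODBUS_RULES


if __name__ == "__main__":
    for label, rules in (("recommended", MODBUS_RULES), ("overly broad", OVERLY_BROAD_RULES)):
        problems = audit(rules, EXPECTATIONS)
        print(f"{label}: {len(problems)} mismatch(es)")
        for flow, expected, got, name in problems:
            print(f"  {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: expected {expected}, got {got} via {name}")
```

Running the script reports no mismatches for the recommended rule set and two for the overly broad one: both the laptop and the VIMNet Explorer computer can reach the PLC on port 502, which is exactly the same-network exposure the appliance was installed to remove. The expectation list is the useful artifact here; it is the written test plan that the note asks for before a configuration goes into production, and it should be extended with every flow the scenario needs (for EtherNet/IP, the implicit and explicit messaging profiles from the template) before the rules are applied.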


Firewall Rules

Recommended Modbus TCP/IP Firewall Rules

Recommended EtherNet/IP Firewall Rules