Tofino Security Appliance Thwarts Cyber Attacks

  • January 19, 2013
  • Feature
Industrial Cyber Security Technology
January 2013
By Bill Lydon, Editor
Eric Byres, CTO of Belden’s Tofino Security called me last week to excitedly tell me how his Tofino Security Appliance was attacked by the Digital Bond team. The Digital Bond team, led by Reid Wightman, a researcher at IOActive concluded, “I would recommend the appliance to anyone in search of an industrial cyber security solution.” In all, I’m quite impressed with the Tofino Security Appliance,” said Wightman.
Byres had so much confidence in his product that he submitted it to be attacked by one of the world’s most respected sources for control system security research, Digital Bond. Both the Tofino Security Appliance and its management software withstood a variety of sophisticated reverse engineering attacks. The firewall was also subjected to flooding, fragmentation and fuzzing attacks designed to determine if it could be tricked into either blocking good messages or allowing bad messages. The Tofino Security Appliance passed these tests without issue. Testing also included attacks on Modbus communications. “Tofino Security provides an awesome security appliance that does the best possible job with the current protocols.” said Wightman. “It did an excellent job of securing the Modbus protocol, preventing disallowed function codes from getting through.” In addition to Modbus, Tofino Security provides Deep Packet Inspection for the widely-used OPC and Ethernet/IP protocols.
Results of the vulnerability testing were presented January 16, 2013 at the SCADA Security Scientific Symposium (S4) in Miami. Digital Bond's SCADA Security Scientific Symposium (S4) is an event for those wanting to learn and discuss advanced ICS (Industrial Control System) security topics. Digital Bond’s findings revealed that the industry’s known sophisticated cyber-attacks could not compromise the Tofino firewall.
Fundamental Industry Issues
The activities of these researchers bring to light fundamental design issues in industrial controllers and SCADA.  Wightman expresses concerns about SCADA and IP protocols themselves and would like to see the industry start creating standards for new, more robust protocols. Project Basecamp is a research effort led by Digital Bond and a team of volunteer researchers to highlight and demonstrate the fragility and insecurity of most SCADA and DCS field devices, such as PLC’s and RTU’s.
The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of industry inaction on improving controllers and industrial protocols will end. Part of their goal is to motivate SCADA and DCS owner/operators to demand secure and robust PLC and SCADA products, therefore driving vendors to finally provide a product worthy of being deployed in critical infrastructures.
Dale Peterson is the Founder and CEO of Digital Bond. Peterson was formerly with the NSA, (National Security Agency) and has certifications including CISSP, CISA and is an NSA certified cryptanalyst. Peterson introduces Project Basecamp in this video:
Thoughts & Observations
Cyber security is a growing issue for industrial control systems that rely on computers, Ethernet, and remote Internet connections. In many plants industrial control systems are physically on the same network cables and networking gear as business systems, creating more exposure to problems. Wireless Ethernet (802.11) is further complicating this issue since most industrial Ethernet protocols can be run over these open air networks.
A hardware cyber security solution, such as Tofino, located at controller level would seem to address more fundamental issues than other measures at the “top” of the network. Ultimately this level of technology should be built into controllers.
Reid Wightman’s concerns about SCADA and IP protocols being robust are ones I share based on the advances in technology and the age of industrial protocols built on IPV4.  IPV4 employs weaker security measures than the new IPV6.
Related Articles:

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..