Byres Security and Invensys have announced a Tofino Firewall module for the Triconex Safety System. It looks like an industrial device and has similar environmental specs: -40 to 70C, Class I Div 2 and Zone 2 approved. What is new about this product is OPC application intelligence.

The data sheet has most of the information, but if you want more details you need to register and download the white paper. The OPC application intelligence is in three areas:

“Built-in OPC sanity checking blocks OPC session requests not conforming to the DCE/RPC standard”

This should stop dumb fuzzing and non-OPC probing. Depending on the amount and quality of the checks, it could also detect and stop buffer overflow and other attack attempts. There was no information beyond this general description.
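As an added illustration (not Tofino's code, whose actual checks are not documented here), this is the kind of header-level sanity check a filter could apply to a reassembled connection-oriented DCE/RPC PDU, using the 16-byte common header from the DCE/RPC specification. The function names, the `max_frag` limit and the sample PDUs are assumptions constructed for the example.

```python
import struct

# Connection-oriented PDU types defined by the DCE/RPC specification.
CO_PTYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
             13: "bind_nak", 14: "alter_context", 15: "alter_context_resp",
             16: "auth3", 17: "shutdown", 18: "co_cancel", 19: "orphaned"}
HEADER_LEN = 16  # common header shared by all connection-oriented PDUs


def check_dcerpc_header(pdu: bytes, max_frag: int = 5840):
    """Return (ok, reason) for one connection-oriented DCE/RPC PDU.

    max_frag is a policy limit assumed for this example, not a value from the page.
    """
    if len(pdu) < HEADER_LEN:
        return False, "shorter than the 16-byte common header"
    vers, minor, ptype, _flags = struct.unpack_from("4B", pdu, 0)
    drep = pdu[4:8]
    if vers != 5 or minor not in (0, 1):
        return False, f"unsupported RPC version {vers}.{minor}"
    if ptype not in CO_PTYPES:
        return False, f"unknown PDU type {ptype}"
    int_rep, char_rep = drep[0] >> 4, drep[0] & 0x0F
    if int_rep > 1 or char_rep > 1 or drep[1] > 3 or drep[2:] != b"\x00\x00":
        return False, "invalid data representation label"
    # Length fields use the byte order announced in the drep (1 = little-endian).
    order = "<" if int_rep == 1 else ">"
    frag_len, auth_len, _call_id = struct.unpack_from(order + "HHI", pdu, 8)
    if frag_len != len(pdu):
        return False, f"frag_length {frag_len} != actual {len(pdu)}"
    if frag_len > max_frag:
        return False, "fragment exceeds policy limit"
    if auth_len > frag_len - HEADER_LEN:
        return False, "auth_length larger than PDU body"
    return True, CO_PTYPES[ptype]


def make_pdu(ptype=11, body=b"\x00" * 8, frag_len=None, vers=5):
    """Build a constructed little-endian sample PDU for the checks above."""
    total = HEADER_LEN + len(body) if frag_len is None else frag_len
    head = struct.pack("<4B4sHHI", vers, 0, ptype, 0x03,
                       b"\x10\x00\x00\x00", total, 0, 1)
    return head + body
```

Checks at this level reject non-RPC traffic and malformed headers only; they say nothing about whether a well-formed OPC request is safe for the server to process.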

Rate limiting to prevent or lessen the success of denial of service attacks.

Field device protocol stacks behave notoriously badly when you send lots of data their way. Depending on the architecture and design, they can keep trying to process new requests until all resources are exhausted. The brochure says data “is rate-limited to prevent overload of the Tricon Communications Module”, and there is a traffic limit of 5000 packets per second. Whether the module has a known problem or not, this is a helpful feature.

The white paper doesn’t have more detail. Is this rather simple rate limiting based on 5,000 packets per second, or does it analyze the type of traffic? And if so, at what layer/protocol? Ralph Langner showed in his 2007 S4 paper that a number of legitimate OPC requests to create new objects/groups/etc. could crash a number of OPC servers. It would be interesting to have Ralph dust off his toolkit and test this.

Firewall rules that track and only allow established OPC DA and A&E connections

This has some value since OPC servers dynamically assign ports, but the bigger win is having the OPC client IPs specified in a standard, non-application-intelligent firewall rule. Perhaps this will prevent a valid client from hijacking another valid client’s OPC connection, but is that really a large threat? Perhaps I’m missing something here.

The Triconex Communications Module also has features controlling read/write access that are significant security controls, but are not specific to the Tofino firewall solution.

In summary – good to see control system application intelligence making it into field firewalls and the fact that this is being sold as just another component in a safety system by the vendor is a big win.