© 2008 Hirschmann Automation and Control GmbH (© 2007 Hirschmann Automation and Control GmbH). Tofino Technical Training: Creating the Intrinsically Secure Control System.

Transcript:

Tofino Technical Training: Creating the Intrinsically Secure Control System

Agenda
- Section 1: Introduction
  - Understanding the Tofino Industrial Security Solution
- Section 2: Tofino Installation and Configuration
  - Installing Tofino Security Appliances and Tofino CMP
  - Mapping Your Network
  - Creating and Testing Your Rules
- Section 3: Tofino Management
  - Event Management and Logging
  - System Maintenance and Management
- Section 4: Advanced Topics

1.1: Understanding the Tofino Industrial Security Solution

Key Tofino Components
- Tofino Security Appliance
- Tofino Loadable Security Modules (LSM)
- Tofino Central Management Platform (CMP)

The Tofino Architecture (diagram slide)

Tofino Security Appliance: Zone Level Security (diagram slide)

EAGLE20 Tofino Hardware Specifications
- Form factor similar to common I/O or barriers
- Temperature 0°C to 60°C
- Dual power supply inputs, 12-60 VDC
- Relay status output
- Copper and/or fibre network interfaces
- MUSIC Security Certified
- DIN rail mount
(Diagram callouts: Dual VDC, Relay Status Output, Secure USB Port, Copper and Fibre I/F)

Zero Configuration Installation Model
- Field technician need do no more than:
  - Attach the appliance to the DIN rail
  - Attach instrument power
  - Plug in network cables
  - Walk away…
- Tofino is completely transparent to the process network on startup
- Layer 2 (Ethernet) bridging means no changes required to network architecture or addressing of existing equipment

Tofino Loadable Security Modules
- LSMs are software plug-ins providing security services such as:
  - Firewall
  - Secure Asset Management
  - Content Inspection
  - VPN encryption
- Each LSM is downloaded into the security appliance to allow it to offer customizable security functions, depending on the requirements of the control system.

Tofino Central Management Platform (CMP): Centralized Security Management
- Configure, manage and monitor all your Tofino Security Appliances from one workstation
- Built-in Network Editor to quickly model your control network
- Visual drag-and-drop editors for quick and easy configuration of security rules

Fast Deployment Using Tofino CMP
1. Map your network
2. Drag and drop talkers and protocols to create rules
3. Test
4. Deploy & manage

Tofino Secure Asset Management LSM: Tracks and Protects Network Devices
- Passive Asset Discovery locates network devices without any process disruption
- Assisted Rule Generation wizard guides users to create firewall rules from 'blocked traffic' reports
- Newly-discovered devices are reported to the Tofino Central Management Platform (CMP) as a security alert
- Keep current and detailed inventory lists for ANSI/ISA-99 and NERC standards compliance

Pre-defined Controller Templates
- Over 25 pre-defined controller templates
- Protocol definitions
- Special Rules for vulnerability protection, where necessary
- Drag and drop into Network Editor
- Updated with each new release

Tofino Firewall LSM: Traffic Control Cop for Industrial Networks
- Control engineer defines a list of traffic rules
- Automatically blocks and reports any traffic that does not match your rules
- Simple rule definition using graphical drag-and-drop editor

Intuitive Rule Editor
- Preconfigured to block known device flaws
- Globally control specific types of communications
- Create a list of devices that can talk to a protected device using allowed protocols

Functionality for Control Protocols
- Tofino filters all major control protocols: MODBUS/TCP, EtherNet/IP (Rockwell), GE-Fanuc, Honeywell, Yokogawa, Emerson, Mitsubishi, PI, OPC, and many more!
- New protocols easily added with built-in protocol wizard

Tofino Modbus TCP Enforcer LSM: Content Inspector for Modbus
- Control engineer defines a list of allowed Modbus commands, registers and coils
- Automatically blocks and reports any traffic that does not match your rules
- Protocol 'Sanity Check' blocks any traffic not conforming to the Modbus standard
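As an added example (not Tofino's own code), the Python below does the two jobs the Enforcer slide describes: a Modbus/TCP sanity check on the MBAP header and PDU, then a per-talker allowlist of function codes and register ranges. The policy shape, talker addresses and sample frames are constructed for this example; it handles read coils, read holding registers and the two register writes, and rejects every other function code.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Public Modbus function codes handled by this checker.
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Per-talker policy: function code -> inclusive (first, last) address range.
# This shape is an assumption for the example, not the CMP's rule format.
ModbusPolicy = Dict[str, Dict[int, Tuple[int, int]]]


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start: int   # first coil/register address in the request
    count: int   # number of coils/registers the request touches


def parse_request(frame: bytes) -> ModbusRequest:
    """Protocol sanity check: raise ValueError for anything that is not a
    well-formed Modbus/TCP request, before any rule is consulted."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(frame) - 6:          # length counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with frame size")
    data = frame[8:]
    if func in (READ_COILS, READ_HOLDING_REGISTERS):
        if len(data) != 4:
            raise ValueError("read request must carry address and quantity")
        start, count = struct.unpack(">HH", data)
        limit = 2000 if func == READ_COILS else 125
        if not 1 <= count <= limit:
            raise ValueError(f"quantity {count} out of range 1..{limit}")
    elif func == WRITE_SINGLE_REGISTER:
        if len(data) != 4:
            raise ValueError("write single register must carry address and value")
        start, _value = struct.unpack(">HH", data)
        count = 1
    elif func == WRITE_MULTIPLE_REGISTERS:
        if len(data) < 5:
            raise ValueError("write multiple registers header truncated")
        start, count, byte_count = struct.unpack(">HHB", data[:5])
        if not 1 <= count <= 123 or byte_count != 2 * count or len(data) != 5 + byte_count:
            raise ValueError("write multiple registers quantity/byte count mismatch")
    else:
        raise ValueError(f"function code {func:#04x} not handled by this checker")
    if start + count > 0x10000:
        raise ValueError("address range wraps past the 16-bit address space")
    return ModbusRequest(tid, unit, func, start, count)


def enforce(policy: ModbusPolicy, talker: str, frame: bytes) -> Tuple[bool, str]:
    """Decide whether one request from `talker` may pass, and why."""
    try:
        req = parse_request(frame)
    except ValueError as err:
        return False, f"sanity check failed: {err}"
    allowed_range = policy.get(talker, {}).get(req.function)
    if allowed_range is None:
        return False, f"function {req.function:#04x} not allowed for {talker}"
    first, last = allowed_range
    end = req.start + req.count - 1
    if req.start < first or end > last:
        return False, f"addresses {req.start}-{end} outside allowed {first}-{last}"
    return True, "allowed"


# Constructed sample policy and frames (not from any real plant).
POLICY: ModbusPolicy = {
    "10.0.0.10": {READ_HOLDING_REGISTERS: (0, 999), WRITE_SINGLE_REGISTER: (200, 299)},
    "10.0.0.11": {READ_HOLDING_REGISTERS: (0, 999), WRITE_MULTIPLE_REGISTERS: (0, 999)},
}
READ_100_X10 = bytes.fromhex("0001 0000 0006 01 03 0064 000a")  # FC3, regs 100..109
WRITE_200 = bytes.fromhex("0002 0000 0006 01 06 00c8 1234")     # FC6, reg 200
WRITE_500 = bytes.fromhex("0003 0000 0006 01 06 01f4 0001")     # FC6, reg 500
BAD_PROTO = bytes.fromhex("0004 0001 0006 01 03 0064 000a")     # protocol id 1
WRAPS = bytes.fromhex("0005 0000 0006 01 03 fffb 000a")         # 65531 + 10 > 65536

if __name__ == "__main__":
    for talker, frame in [("10.0.0.10", READ_100_X10), ("10.0.0.10", WRITE_500),
                          ("10.0.0.99", READ_100_X10), ("10.0.0.10", BAD_PROTO)]:
        print(talker, frame.hex(), enforce(POLICY, talker, frame))
```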

Tofino OPC Enforcer: Tracks and Secures OPC Connections
- Secures OPC DA, HDA, and A&E
- Tracks data connections created by OPC servers for authorized clients, and dynamically opens only the minimum required ports in the firewall
- Sanity Check blocks any OPC requests not conforming to the DCE/RPC standard

Tofino VPN: Secure Tunnels Over Untrusted Networks
- Creates secure tunnels between Tofino Security Appliances; between Tofino and PCs; and between Tofino and supported third-party devices
- Simple set-up and management
- Inter-operates with other Tofino LSMs (e.g. Firewall, Modbus TCP Enforcer) to combine security features

Process-Friendly Test Mode
- Tofino operates in three modes:
  - PASSIVE: all traffic allowed, logging off
  - TEST: all traffic allowed, logging on
  - OPERATIONAL: firewall rules applied
- When operational, Tofino will drop any traffic for which there is no allow rule.
- Test mode allows all traffic, but reports traffic that would have been dropped if operational
- Critical to ensuring that all required traffic has a corresponding rule to permit it

Miss Some Rules? No Problem
- Secure Asset Management (SAM) LSM implements a wizard to guide the user through creation of firewall rules from firewall alarms.

Administration and Global Management
- One management station can monitor and manage hundreds of Tofino SAs, deployed in both local and remote locations.
- Tofino generates a heartbeat (like a fieldbus) to report status and events.
- Heartbeats may be relayed via Syslog or SQL DB for proactive alerting (e.g. email, pager).

Tofino Event Logger: Triple Protection for Event Log Records
- Tofino Security Appliance simultaneously records events to any of the following:
  - Syslog server
  - Tofino CMP workstation
  - Local memory (offload via USB)
- Enables central event logging without Tofino CMP in the control network

More Than Just a Firewall
- Loadable Security Modules (LSM) allow multiple security functions to be deployed in one appliance.
- Available now: Firewall, Secure Asset Management, Modbus Enforcer, OPC Classic Enforcer, VPN/Encryption, Event Logger
- Future: more Enforcer modules
- New modules can be deployed at any time.
(Screenshot: list of available modules for download)

Key Tofino Features and Benefits
- Designed for the Plant Floor
  - Engineered to survive the hostile plant environment
  - Zero down time during installation, configuration, and operation
  - Test firewall rules without blocking traffic
  - Benefits: minimal risk to the plant; lowest total cost of ownership
- Designed for Control Staff
  - Common controllers and protocols are pre-configured
  - Ease of use leads to faster deployment and less chance of configuration errors
  - Benefits: lowest cost of deployment; enhanced security
- Quality Manufacturing by Industry-Leading OEMs
  - High quality and reliability
  - Long-term support
  - Advanced technology from proven suppliers
  - Benefits: minimal business risk; lowest total cost of ownership

Section 2: Tofino Installation and Configuration
- Installing Tofino Security Appliances
- Installing and Licensing Tofino CMP
- Mapping Your Network
- Creating and Testing Your Rules
- Tofino Enforcer Technology
- Advanced Tofino Firewall Concepts

Section 2.1: Installing the Tofino Security Appliance

EAGLE20 Tofino Front View (diagram callouts: Power/Relay Connector, Untrusted Interface, Trusted Interface, Button and Indicators, USB Connector, RS-232/V.24 Connector)

EAGLE20 Tofino Network Interfaces
- Copper and fibre interfaces are available (Untrusted/Trusted):
  - EAGLE20 Tofino-TX/TX: Copper/Copper
  - EAGLE20 Tofino-TX/MM: Copper/Fibre
  - EAGLE20 Tofino-MM/TX: Fibre/Copper
  - EAGLE20 Tofino-MM/MM: Fibre/Fibre
- Copper is 10/100 Base-T
- Fibre is multimode on DSC connector
(Picture: EAGLE20 Tofino MM/TX)

EAGLE20 Tofino Indicators
- P1, P2: DC power applied (24 VDC nominal)
- MODE: indicates Tofino operating mode
  - PASSIVE: off
  - TEST: blinking
  - OPERATIONAL: on
- FAULT: Tofino could not start
- 1/S, 2/L, V.24/R:
  - Normal: link status/data activity on Untrusted/Trusted/V.24 port
  - Button press: indicate Save/Load/Reset operation

EAGLE20 Tofino Controls
- Save/Load/Reset button:
  - One press: USB save of log files
  - Two presses: USB load of configuration created by Tofino CMP
  - Three presses: reset config to initial factory state
  - Four presses: cancel operation
- Button presses confirmed by 1/S, 2/L and V.24/R indicators

Tofino ID
- Every Tofino has a unique ID number
- Record this number when installing Tofino: it is required information for the management software to communicate with the Tofino

Lab 2.1.1: Tofino Hardware Installation
Goals
- Familiarity with Tofino hardware
- Familiarity with hardware installation procedure

Tofino Hardware Installation Lab: Procedure
- Verify that your Tofino Security Appliance has been reset back to factory defaults (ask instructor for help if you are not sure)
- Install the Tofino between your PC and the switch
- Give the switch an IP address using HiDiscovery
- Ping the switch
- Telnet to the switch
- Start the switch web interface

Tofino Hardware Installation Lab: Results
- What impact does Tofino installation have on the operation of the PC and switch?

Section 2.2: Installing and Licensing the Tofino CMP
- Installation of the Tofino CMP
- Understanding Tofino CMP Views and Menus
- Setting up Your Tofino CMP

Tofino CMP
- Graphical user interface to model the control network and manage Tofino Security Appliances
- All data is stored in a database on the PC
- Fully tested for Windows Server 2003
- Partially tested and known to work on: XP, Vista, Windows 7 (32 and 64 bit versions), Server 2008
- Other Windows versions to follow

License Types
- Both CMP and LSMs are licensed
- Each LSM needs to be licensed in order for it to be successfully activated

License Data Flow (diagram: POS, Customer, License Activation Key, Request File, Grant File)

Licensing Procedure
1. Customer installs CMP software
2. Run CMP software for the first time (with no license)
3. Customer enters License Activation Key
4. Customer exports License Request File and emails it
5. License Grant File is emailed back to customer
6. Customer imports License Grant File into CMP
7. Done: CMP and security modules are now licensed

More Licensing Info
- CMP license is tied to a specific customer PC (the one from which the License Request file was generated)
- LSM licenses are tied to a specific Tofino CMP database
- LSM licenses act as a pool that are deployed to Tofino appliances as needed
- Additional LSM licenses can be licensed at any time once the CMP is licensed
- Grant file will not work on any other database: back up your database!

How to Locate License Info
- CMP: available from Help | About menu item
- LSMs: LSM License view (see lab 2.3.4)

Lab 2.2.1: CMP Installation and Licensing
Goal:
- Familiarity with CMP installation procedure
- Familiarity with CMP and LSM licensing procedure
Procedure:
- Start your CMP computer
- Install the CMP software from the folder on the desktop
- Start CMP
- Click Obtain Licence / Import Grant File
- Click OK
- Enter password as the new password
- Restore the blank database. The database has a file extension of .zip. Do not try to unzip it.
- Restore the Devices, Protocols, and Special Rules. This step is only necessary because the database was created with a previous version of the CMP.
- The database is located under C:\Program Files\Tofino CMP

Section 2.3: Mapping Your Network
- Creating Your Network Diagram
- Connecting to a Tofino SA
- Managing LSMs and Licensing
- Asset Discovery

Tofino CMP Views
- Tofino CMP can be broken down into five regions (screenshot)

Customizing Your Tofino CMP Screen Layout
- The Tofino CMP has multiple tabs with viewing windows
- This interface allows the user to: rearrange, minimize, maximize, open, close

Lab 2.3.0: Customising the CMP Views
- Delete some CMP windows. For example, delete: Protocols, LSM License View, Modules
- Use the Window | Show View menu to restore the windows
- Drag smaller windows into the Network Editor space. For example: drag the Tofino View window into the Network Editor space
- Restore the windows to their previous configuration
- Only relevant windows need to be displayed during live operation

Region #1: Network Editor
- Used to view the status of Tofino SAs
- Network diagrams are created, configured and edited here

Region #2: Nodes Window
- Displays the different nodes used to build a network diagram
- The nodes are broken down into six categories: Computers, Controllers, Devices, Networks, Networking Equipment, Tofino SAs

Using Nodes
- There are six types of nodes to consider when creating a network diagram
- With each node there are a number of attributes that are stored in the Tofino CMP database, such as IP address, node name, and physical location
- When a node is added to the network diagram, a wizard will appear that will guide you through entering these attributes

Some Tofino CMP Terminology
- Protected Device: a device (PLC, computer etc.) that is located behind a Tofino and protected from attack
- Talker: a device that is allowed to initiate communications with a Protected Device

Lab 2.3.1: Tofino CMP Network Configuration
Goals
- Ability to create and edit a network diagram
- Ability to identify Talkers and Protected Devices in a network diagram

CMP Network Configuration Lab: Procedure
- Create a network diagram that models your demo system
- Drag appropriate node types from the Nodes window and drop them on the Network Editor
- Fill in the node properties for each node
- Note: the Tofino ID must start with 00:80:63. Use any digits for the rest of the Tofino ID; it is just a dummy.

CMP Network Configuration Lab: Results
- Ensure your network diagram looks like this (screenshot)
- Identify the Talker and Protected Device in this drawing.
- What is the minimum required info to create a Tofino? A Protected Device? A Talker?

Representing Physical Network Connections in Tofino CMP's Network Editor
- Devices below the Tofino (child nodes of the Tofino) are connected to the Trusted port
- Devices above (peer or parent nodes of the Tofino) are connected to the Untrusted port

Tofino General/Communications Parameters
- Mandatory fields: Tofino Name, Tofino ID
- Recommended: Primary and Backup Contact
- Others: set as required for application
- IP Address is optional; all zeroes (default) means no IP address is assigned

CMP-to-Tofino Communications
- Tofino is stealthy: it has no IP address and doesn't respond to port scans
- All communications encrypted using SSL
- Authentication using client and server key pairs
- Keys upgraded in the Tofino from the Tofino CMP server once a connection is made
- Only one Tofino CMP can talk to a Tofino

Tofino Discovery and Wakeup
1. Network discovery properties defined
2. Tofino installed
3. Discovery message sent to PLC
4. Discovery reply
5. Management station sends encrypted wakeup to PLC
(Diagram: CMP on the intranet, Tofino in the device cluster; labels: Key, CMP IP, CMP Port, Dscv Port, Wake Up Port, PLC IP, Tofino ID)

Initial Key Exchange
6. SSH session established to Tofino pretending to be PLC
7. Tofino & CMP exchange default factory keys
8. All keys updated to unique pairs
(Diagram: SSH Session Setup, Key Exchange, Key Update between the CMP on the intranet and the Tofino in the device cluster)

LSM Installation and Deployment
9. LSMs and policy pushed to PLC over SSH
10. Tofino installs LSM and executes policy
11. Tofino sends periodic & exception heartbeats
11. CMP sets Tofino mode
(Diagram: LSM and Policy, Commission & Mode, Heartbeats between the CMP on the intranet and the Tofino in the device cluster)

Contacting the Tofino
- By default, Tofino has no IP address: it borrows one from a downstream device
- Tofino ID must be correct because it ensures secure communications to the correct Tofino at all times

Lab 2.3.2: CMP/Tofino Communications
Goals
- Understand basic requirements for successful CMP/Tofino communications

CMP/Tofino Comms Lab: Procedure
- Start with the network diagram you created in the previous lab.
- Set up the Tofino properties in the CMP:
  1. Double-click the Tofino icon in your network diagram
  2. Set its Primary Contact to the switch
  3. Set the Tofino SA's ID from the label on the front of the device
  4. Click Apply
- Test that the communications work:
  1. Set mode to Passive
  2. Click Apply
  3. Confirm that the current mode is set to Passive
  4. Tofino and CMP will now be locked to each other

CMP/Tofino Communications Lab: Results
- Ensure that the Tofino CMP reports that the mode change was successful
- Watch for Heartbeats in the Event View
- Make sure that Periodic Heartbeats are NOT filtered in the Event View, so they will show up

Tofino Discovery (An Easier Way!)
- Tofino Discovery can automatically do all the work in the previous lab
- Tofino CMP scans the network for unconfigured Tofino SAs
- Drag and drop discovered Tofino SAs from the Tofino Discovery view into the network editor
- All required settings (Tofino ID, Contact IP address) are pre-set for the user

Tofino Discovery Scan
- Tofino CMP scans the network at a very low rate (one address per second) to avoid network disruption
- Unconfigured Tofino SAs will respond to a discovery request from any Tofino CMP
- Configured Tofino SAs will only respond to a discovery request from the same Tofino CMP that configured them
- Prevents a rogue CMP from discovering and taking control of Tofino SAs

Lab 2.3.3: Tofino Discovery
Goals
- To understand the Tofino Discovery feature
Procedure
- Delete your Tofino and the switch from the network
- Select YES when asked to factory-reset your Tofino
- Put your Tofino back to factory default (using the button)
- Select Create New Tofino Discovery Scan from the Tools menu
- Enter starting and ending scan addresses. This range should include the switch address. Then click OK

Tofino Discovery Lab: Procedure
1. Check Tofino Discovery view to confirm that the Tofino discovered is yours
2. Drag and drop the discovered Tofino to the correct place in your network
3. The Node Wizard should start; change the name to something that makes sense to you
4. Select Yes when asked to place the Tofino in Passive Mode
5. Do not activate the LSMs

Tofino Discovery Lab: Results
1. Check the Tofino's Primary and Backup Contact. Why was your mode change successful?
2. Double click on the Tofino View tab to expand this window
3. Refresh your Tofino in the Tofino View. What is the TD Contact address?
4. Add your switch back to the topology

Tofino IP Address Usage
- Tofino CMP uses a list of IP addresses to try to connect to a Tofino SA:
  1. IP used in last successful connection (if it exists; cleared on CMP restart)
  2. IP address manually set on Tofino (if present)
  3. Last Heartbeat address
  4. Primary Contact Device
  5. Secondary Contact Device
  6. TD Contact (Tofino Discovery) address
- CMP uses the first address that works
- Remember: the Tofino ID and unique key ensure that CMP connects to the correct Tofino, even if multiple SAs are using the same contact address

Tofino Contact Devices
- Contact devices MUST be on the opposite side of the Tofino from the CMP
- By default, all downstream devices are listed in a pick list (assumes CMP is upstream)
- The More option lets any device in the network (upstream or downstream) be selected as a contact device

Tofino Contact Devices
- Two contact devices can be selected: Primary Contact, Backup Contact
- CMP moves around? Pick Primary and Secondary Contact Devices on opposite sides of the Tofino
- Hint: managed switches make great contact devices
- NOTE: TD Contact address is a convenience feature only! Primary and Backup contact devices should still be set so CMP and SA can still communicate even if a contact device disappears

Managing LSMs and Licensing

Tofino LSMs
- Tofino implements features in modules called Loadable Security Modules (LSM)
- Current LSMs: Firewall; Secure Asset Management (SAM); MODBUS TCP Enforcer; OPC Enforcer; VPN/Encryption (VPN Server, VPN Client); Event Logger
- Future LSMs: new Enforcer modules

Modules Window (CMP Region #2)
- LSMs available to add to a Tofino SA are in the Modules window
- Modules can be deployed on a Tofino by:
  - Drag & drop from the Modules view onto the Tofino SA's icon
  - Through the Tofino SA's Modules tab

LSM Licensing, Installation and Activation
- A factory-reset Tofino contains no LSMs
- Step 1: LSM installation
- Step 2: LSM activation

LSM Licenses
- Each LSM needs to be licensed in order for it to be successfully activated
- LSM licenses are issued in blocks by using the license request/license grant cycle (see CMP Installation and Licensing lab for details)
- LSM licenses are allocated to specific Tofino SAs by the customer using Tofino CMP

License Types
- Permanent: license never expires; enables use of any LSM released before expiry of the maintenance agreement
- Temporary (time-expired):
  - Sales demonstration: valid until 45 days after the next Tofino version is released
  - Customer evaluation: valid for 90 days from issue
  - Emergency replacement: case by case; should be replaced by a permanent license ASAP

License Dates
- Expiry Date: date at which the LSM will stop working; enforces demo/eval/emergency license use
- Maintenance Date: LSMs released after this date may not be installed and activated using this license; enables software upgrades within the warranty or maintenance contract period

LSM License View (CMP Region #3)
- Displays details of the LSMs licensed to the Tofino CMP

Lab 2.3.4: LSM Installation and Activation
Goal:
- Familiarity with LSM installation and activation
Procedure:
1. Double-click Tofino icon, select Modules tab
2. Highlight Firewall LSM and click Activate Module
Results:
- Is the firewall LSM now installed on the Tofino?
- What changed on the Tofino's list of tabs?
- What changed in the LSM License view?
- What changed in the Tofino view? (you must Refresh)

LSM Installation and Activation: Results (screenshot)

Asset Discovery (SAM LSM)

Tofino Secure Asset Management LSM: Tracks and Protects Network Devices
- Passively locates network devices without any process disruption
- Assisted Rule Generation wizard guides users to create firewall rules from 'blocked traffic' reports
- Newly-discovered devices are reported to CMP as a security alert
- Keep current and detailed inventory lists for ANSI/ISA-99 and NERC standards compliance

Map Your Network with SAM
- The Secure Asset Management (SAM) LSM discovers devices for your network
- Identifies device types
- Drag and drop discovered devices on the diagram

Keep Control Device Inventory Current
- Keep current and detailed network inventory lists for ANSI/ISA-99 and NERC standards compliance
- All asset lists can be saved to spreadsheets via CSV export

New Device Alarms
- Tofinos will generate alarms if new devices try to talk on the network
- Good for 1st level intrusion detection
- Detected device can be anywhere in the system (it doesn't have to be local, unlike switch-based systems)

Lab 2.3.5: Asset Discovery
Goal
- Familiarity with the Asset Discovery feature
Procedure
1. Delete all icons except Tofino and Plant Network from your network diagram
2. Install and activate SAM LSM on Tofino
3. Open a DOS prompt window, ping your switch
Results
- What happens in the Asset Discovery View?
- BONUS: how did SAM know the brand of device?

Lab 2.3.6: Asset Discovery Device Deployment
Goal
- Familiarity with the Asset Discovery Device Deployment feature
Procedure
- Drag and drop the discovered switch and PC to your network diagram
- Set switch Node Type to the correct product
- Give the switch an appropriate name
- Confirm that the IP address is correct
Results
- What happens in the Asset Discovery View?
- How can you view all Assets even if they are deployed?
- How do you export lists of assets?

Asset Discovery: Device Type Assignment
- Device type selection is confirmed during drag & drop into Network View
- Pre-defined protocols and rules are assigned to the asset
- More in the Firewall labs (section 2.4)…

Section 2.4a: Creating and Testing Your Rules
- Events, Alarms and Heartbeats
- Understanding Tofino SA Modes
- Firewall Basics
- Modbus TCP Enforcer
- Advanced Firewall Rules

Events, Alarms, and Heartbeats

Event View
- Alarms and events are called Heartbeats
- Displays all alarm and event information generated by the Tofino SAs or Tofino CMP

Tofino Heartbeat Types
- Periodic Heartbeats: Tofino Security Appliance status report ("I'm still here, and this is my status")
- Exception Heartbeats: alarm message ("You should look at this"); events that may require attention:
  - Blocked traffic
  - Ethernet port changed state
  - Power fail input changed state
  - Tofino went missing (created by Tofino CMP)

Event View
- The Event View tab organizes alarm and event information under six headings:
  - Timestamp: when logged at the Tofino SA
  - Event Type: Periodic or Exception
  - Event Priority: Notice, Warning, Alert or Critical
  - Source Node: Tofino SA that generated the event
  - LSM Name: Tofino LSM that generated the event
  - Description: provides details on the event (such as the IP addresses of a blocked network packet)

Heartbeat Details
- Double click on an Event Time Stamp to see more details

Event Capture
- Provides a snapshot of the current Event View
- Good for when events are scrolling by quickly

Lab 2.4.1: Heartbeats
Goals:
- Familiarity with the two basic types of heartbeats
Procedure:
1. Ensure that Tofino is in Passive mode
2. Ensure Show Periodic Heartbeats is checked in the Event View filter
3. Disconnect, then re-connect the protected-side network cable
4. Disconnect the unprotected-side network cable
Results:
- What appears in the heartbeat view?
- How long does it take?

© Hirschmann Automation and Control GmbH © PASSIVE, DECOMMISSIONED: no action Allow all traffic through Dont log any traffic TEST: test your firewall rules Allow all traffic through Log as per firewall rules OPERATIONAL: implement your firewall rules Traffic and logging as per firewall rules Traffic and Logging versus Mode

© Hirschmann Automation and Control GmbH © Goals Become familiar with Tofino SA behaviour in its three main modes: –Passive –Test –Operational Lab 2.4.2: Tofino Modes

© Hirschmann Automation and Control GmbH © Ensure the Tofino is in Passive mode What two ways can you do this? Make sure that the Tofino Firewall LSM is activated Ping your switch Confirm that the switch responds to pings Check Tofino CMP screen for Tofino status Tofino Mode Lab: Procedure

© Hirschmann Automation and Control GmbH © Change Tofino mode to Test Ping your switch again Does the switch still respond to pings? What is happening in the Tofino CMP? What is the MODE LED showing? Tofino Mode Lab: Procedure

© Hirschmann Automation and Control GmbH © Change Tofino mode to Operational Ping your switch again Does the switch still respond to pings? What is happening in the Tofino CMP? What is the MODE LED showing? Tofino Mode Lab: Procedure

© Hirschmann Automation and Control GmbH © Operational mode implements your firewall rules: Allow/deny traffic, logging as per firewall rules Default for all traffic is DENY Recommended Deployment Strategy: 1. Build rules 2. Use Test mode – note any exceptions, add rules 3. Go to Operational mode ONLY after Test mode runs with no accidental deny heartbeats Tofino Mode Lab: Results

Tofino Firewall Basics
- Rule Types, Direction and Permission
- Talker Rules
- Device Database and Asset Discovery
- Testing Firewall Rules
- Assisted Rule Generation

Tofino Firewall LSM
- Network traffic flows through the Tofino from one Ethernet port to the other
- The firewall compares network traffic against a set of rules
- When a rule matches the traffic, a decision is made whether to:
  - Allow or deny the traffic
  - Log, or don't log, an alarm (heartbeat) to Tofino CMP
- If no rule matches the traffic, it is DENIED and LOGGED

What are the Components of a Firewall Rule?
- Devices (TCP/UDP rules only): defined by the rule's location and type (Global or Talker)
- Protocol: port number(s) for TCP/UDP rules, Ethernet type for non-IP rules
- Direction: who creates the connection?
- Permission: allow or block the traffic; log, or don't log, an Exception Heartbeat

Protocols on Firewall Rules
- Drag and drop from the Protocols View, or double-click the rule and select from the list

Firewall Rule Permissions
The permission determines whether traffic is allowed through the Tofino, and whether or not it generates an Exception Heartbeat (Alarm) in Tofino CMP. If no rule matches, the default policy is DENY.

Name         Traffic Allowed?   Generate Heartbeat?
ALLOW        Yes                No
ALLOW_LOG    Yes                Yes
DENY         No                 Yes
DENY_NOLOG   No                 No

Firewall Configurations for Protected Devices
- A Tofino SA with a Firewall LSM installed must be located between the source of the traffic and the node you wish to protect.
- Tofino can only block traffic that passes through it!

Lab 2.4.3: Firewall Talker Rules
Goals: understand how to create and test Talker rules
Procedure:
- Configure your Network Editor with icons for your PC and switch (drag/drop from the Nodes view)
- Create a Talker rule to allow pings from your PC to the switch
- Try your Tofino in TEST and OPERATIONAL mode
- Change the rule direction to Outgoing and test again
Results: Do your pings work in Test mode? Operational mode? What happened when you changed the rule direction?

Firewall Tab on Switch

Incoming versus Outgoing versus Bidirectional
- The direction specifies who sets up the connection (i.e. client vs. server), not the direction of data transfer
- Incoming: connections may only be established from an external device to the protected device
- Outgoing: connections may only be established from the protected device to the external device
- Bidirectional: connections may be established by either the protected device or the external device
- Remember: once the connection is established, traffic will be able to flow in both directions regardless of the rule's direction

Tofino CMP Device Database: Pre-defined Controller Templates
- The CMP Nodes View contains over 25 pre-defined controller templates
  - Protocol definitions
  - Special Rules for vulnerability protection, where necessary
- Drag and drop into the Network Editor
- Updated with each new release
- The user may add/change/delete device definitions as desired

Lab 2.4.4: The Device Database and Firewall Rules
Goals: understand how to use the Device Database (Nodes view)
Procedure:
- Delete the PC and Switch icons from the Network Editor
- Drag/drop the HMI icon from Computer/HMI/Wonderware HMI above the Tofino and the PLC from Controller/Wago/PLC below the Tofino

Lab 2.4.4: The Device Database and Firewall Rules
- Open the PLC's Firewall tab, then drag the HMI from the Network view and drop it on the Talker Rules item in the PLC's Firewall tab
Results: What happened when you dropped the HMI icon onto the Talker Rules item? Why?

Tofino CMP Device Database
- Each device definition has a set of protocol rules associated with it
- Dropping a device as a Talker automatically creates a rule set from the protocols common to both the Talker and the Protected Device
- Asset Discovery helps match discovered assets against the device database when they are added to the Network Editor

Tofino's Test Mode
- Test mode is the key to safely implementing a firewall in a live, operating control network
- Test mode allows all traffic, but reports traffic that would have been dropped if the Tofino was Operational
- Permits testing of firewall rules against real network traffic
- Critical to ensuring that all required traffic has a corresponding rule to permit it

Best Practices for Deploying a Firewall in a Live Control Network
1. Create rules to permit only the minimum set of traffic that is required for correct plant operation
   - e.g.: block viruses by not permitting the protocols they use to propagate themselves to other machines
2. Specify rules as tightly as possible
   - e.g.: use Talker rules wherever possible, not Global rules
3. Use Test mode to test your rules live in the network, without risk of disrupting the plant
   - Continue editing and testing rules until no more Firewall Exception Heartbeats are generated
4. Deploy to Operational mode

Assisted Rule Generation (SAM)
- Provides a wizard to guide the user through the creation of firewall rules from firewall alarms.

Lab 2.4.6: Assisted Rule Generation
Goal: familiarity with the Assisted Rule Generation feature of the Secure Asset Management (SAM) LSM
Procedure:
- Delete the HMI and PLC icons. Insert the PC and Switch icons as before.
- Look for a Firewall Exception Heartbeat for ping traffic; double-click it to view the detail
- Click the Create Rule button to invoke the wizard
- Create a rule that will allow this traffic
- Test your rule
Results: Are you seeing any new heartbeats for this protocol? Where did Tofino CMP put the new rule?

Assisted Rule Generation
- Supports TCP- and UDP-based protocols, and ICMP
- Presents lists of all devices whose IP addresses match the traffic
- Can define new devices and protocols on the fly

2.4b: Creating New Devices and Protocols
- New protocols
- New devices
- Importing protocols and devices

Customizing Your Protocols List
- You can create your own protocols by right-clicking in the Protocols window and selecting Create
- A Protocol Wizard will guide you through the creation of the new protocol
  - For a new Ethernet protocol you will require the Ethertype value
  - For a new TCP/UDP protocol you will require the port number and protocol

Lab 2.4.7: Create New Protocols
- Create a new Ethernet protocol
- Create a new TCP/UDP protocol

Customizing Your Nodes List
- You can create your own nodes by right-clicking in the Nodes window and selecting Create
- A Nodes Wizard will guide you through the creation of the new node

Lab 2.4.8: Create New Nodes
- Right-click the Controller icon and select Create. Enter "Test Controllers" as the name.
- Right-click Test Controllers and select Create. Enter "Controller ABC" as the name.
- Right-click Controller ABC and select Properties. Add some protocols.

Importing Protocols
- To import Protocols created by Byres Security Inc., right-click in the Protocols window and select Import

Importing Special Rules
- To import Special Rules created by Byres Security Inc., right-click in the Special Rules window and select Import

2.5: Tofino Enforcer Technology
- Modbus TCP Enforcer
- OPC Classic Enforcer

Tofino Modbus TCP Enforcer - Background
- Modbus is the most widely used communications protocol in automation
  - Started as a serial protocol (RS-232, RS-485)
  - Migrated to Ethernet (MODBUS/TCP, MODBUS/UDP)
- Modbus slaves present a set of coils (binary on/off values) and registers (numeric values) that may be read and changed over the network
- Modbus commands are called function codes
  - Function code 1: read coils
  - Function code 3: read multiple registers
  - Function code 16: write multiple registers
- Many controllers use proprietary Modbus function codes for maintenance and diagnostics

MODBUS Security Issues
- Modbus has no authentication: ANY computer that can ping a PLC can issue ANY MODBUS command to it
- Reading certain Modbus registers may divulge sensitive process information
  - e.g.: custody transfer; you may need to restrict what registers the partner organization can see
- Writing the wrong register or coil could have a catastrophic impact on the process!
  - e.g.: open a valve at the wrong time; set a pump speed too high or too low
- Issuing a maintenance or diagnostics command could reset or re-program a PLC
- Malformed or invalid Modbus commands can cause some controllers to crash

Modbus TCP Enforcer - Features
- First-ever content inspection tool for industrial protocols
- Certified Modbus compliant by the MODBUS-IDA organization
- Sanity checking of all key components of Modbus/TCP traffic
  - MBAP header contents, packet size, payload size, register/coil address range
  - Overall conformance to the Modbus protocol specification
- Simultaneously supports multiple masters and slaves
- The list of permitted function codes can be defined for each Modbus connection
- The permitted range of register/coil addresses can be set for each function code

Modbus TCP Enforcer - Features (Cont'd)
- All public and many proprietary function codes supported
- Modbus over both TCP and UDP supported
- Selectable error response: drop the packet, generate a Modbus exception reply, or reset the connection (TCP protocol only)
- All disallowed accesses are immediately reported to the Tofino Central Management Platform

Modbus TCP Enforcer - Applications
- Provide enhanced security and protection for any MODBUS/TCP device, including filtering of invalid traffic that could cause denial of service or system failures
- Provide read-only access to:
  - Monitor-only display panels
  - 3rd party custody transfer
  - Customer loading applications
  - Historian access to critical controllers
  - Safety Shutdown Systems connected to the DCS
- Lock down programming or firmware update capabilities to a single approved programming workstation
- Prevent injection of MODBUS commands into a network by unauthorized computers, such as contractor laptops

Lab 2.5.1: Modbus TCP Enforcer
Goal: become familiar with the operation and features of the Modbus TCP Enforcer; protect the PLC even if the HMI is compromised
Procedure:
- Switch the Tofino to Test mode
- Activate the Modbus TCP Enforcer LSM
- Drag/drop the HMI icon from Computer/HMI/Wonderware HMI above the Tofino and the PLC from Controller/Wago/PLC below the Tofino

Lab 2.5.1: Modbus TCP Enforcer
- Create the rules by dragging the HMI onto the Wago
- Delete the HTTP and Ethernet/IP rules
- Change the permission on the Modbus rule to Enforcer (double-click the rule and change the permission to Enforcer)

Lab 2.5.1: Modbus TCP Enforcer
- Go to the Modbus TCP Enforcer tab
- Right-click the HMI and select Add Function Code
- Double-click Read Coils
- Select Read Holding Registers
- Change the minimum and maximum address to and
Results: What is the result?

Conclusions
- With no DPI (deep packet inspection) rules, everything goes through
- Once any rules are in place, only the specified function codes and registers may be accessed; others are DENIED and LOGGED (just like Firewall Exceptions)
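The checks the Modbus TCP Enforcer slides describe (MBAP sanity checks, a per-connection list of permitted function codes, an address range per function code, and a selectable error response), modelled as an added example; this is not Tofino's code, only function codes 1, 3 and 16 from the deck are decoded, and the Policy format and the sample frames are assumptions constructed for illustration:

```python
import struct
from dataclasses import dataclass, field

DROP, EXCEPTION, RESET = "drop", "exception", "reset"   # deck's three error responses
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS = 0x01, 0x02     # Modbus exception codes

@dataclass
class Policy:
    """Per-connection policy (assumed format): fc -> (min_address, max_address)."""
    allowed: dict = field(default_factory=dict)
    error_response: str = DROP

@dataclass
class Verdict:
    allowed: bool
    reason: str
    reply: bytes = b""   # Modbus exception reply, only when error_response == EXCEPTION

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (tid, unit id, fc, data); ValueError on sanity failure."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    if length > 254:                     # 253-byte PDU maximum plus unit id
        raise ValueError("PDU exceeds Modbus maximum size")
    return tid, uid, frame[7], frame[8:]

def address_span(fc: int, data: bytes):
    """Return (first, last) register/coil address the request touches, or None."""
    if fc in (1, 3):                     # read coils / read holding registers
        if len(data) != 4:
            raise ValueError("malformed read request")
        start, qty = struct.unpack(">HH", data)
    elif fc == 16:                       # write multiple registers
        if len(data) < 5:
            raise ValueError("malformed write request")
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            raise ValueError("write request byte count mismatch")
    else:
        return None                      # proprietary/other fc: no address check modelled
    if qty == 0:
        raise ValueError("zero quantity")
    return start, start + qty - 1

def exception_reply(tid: int, uid: int, fc: int, code: int) -> bytes:
    """Modbus exception reply: same transaction id, fc with high bit set, exception code."""
    pdu = bytes([fc | 0x80, code])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

def _deny(policy, tid, uid, fc, code, reason) -> Verdict:
    reply = exception_reply(tid, uid, fc, code) if policy.error_response == EXCEPTION else b""
    return Verdict(False, f"{reason} ({policy.error_response})", reply)

def enforce(frame: bytes, policy: Policy) -> Verdict:
    """Apply the policy to one master -> slave request frame."""
    try:
        tid, uid, fc, data = parse_mbap(frame)
        span = address_span(fc, data)
    except ValueError as err:
        return Verdict(False, f"malformed: {err}")      # sanity check failed: always dropped
    if fc not in policy.allowed:
        return _deny(policy, tid, uid, fc, ILLEGAL_FUNCTION, "function code not permitted")
    lo, hi = policy.allowed[fc]
    if span is not None and not (lo <= span[0] and span[1] <= hi):
        return _deny(policy, tid, uid, fc, ILLEGAL_DATA_ADDRESS, "address out of range")
    return Verdict(True, "permitted")

def build_request(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Construct a well-formed request frame (used for the constructed samples below)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

if __name__ == "__main__":
    # Constructed policy: the HMI may only read holding registers 0..99
    pol = Policy(allowed={3: (0, 99)}, error_response=EXCEPTION)
    print(enforce(build_request(1, 1, 3, struct.pack(">HH", 10, 5)), pol))    # permitted
    print(enforce(build_request(2, 1, 3, struct.pack(">HH", 95, 10)), pol))   # out of range
    print(enforce(build_request(3, 1, 16, b"\x00\x00\x00\x01\x02\x00\x01"), pol))  # fc 16 denied
```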

The Tofino OPC Classic Enforcer

OPC Classic
- OPC Classic is the world's leading technology for integrating different automation products.
- Formerly known as OLE for Process Control (where OLE stood for Object Linking and Embedding)
- Includes all OPC standards that are based on Microsoft's DCOM technology (i.e. all but OPC-UA)
- Unfortunately OPC is famous for its poor security…

Typical TCP/IP Protocols
- Most protocols use fixed port numbers to identify the application to handle an incoming packet
- Example: most Modbus TCP slaves use port 502
[Diagram: the Modbus Master (Operator Station) sends a Modbus Command (Dst Port = 502) to the Modbus Slave (PLC), which returns a Modbus Reply (Src Port = 502)]

Typical TCP/IP Protocols
- Consistent TCP/UDP port numbers make it easy to create firewall rules
- Example: to allow only Modbus traffic to get to a PLC and block all other messages: Allow Dst Port = 502 (Modbus), Deny All Else
[Diagram: Modbus Master (Operator Station) to Modbus Slave (PLC): Modbus (Port 502) and Web (Port 80) traffic]

OPC Classic (aka OPC DCOM)
- OPC Classic dynamically assigns TCP ports to each executable process serving objects on a server
- Clients discover the port associated with an object by connecting to the server and sending messages like: "find COM object XXX for me and tell me what port it is on"
[Diagram: OPC Client sends OPC Connection Request (Port 135) to OPC Server; Server Response: Use Port; OPC DA Connection (Port 12345); OPC DA Data (Port 12345)]

Until Now - An Unfirewallable Protocol
- Because OPC is free to use any port between 1024 and it is IT firewall unfriendly
  - You don't know in advance what port the server will use
  - So you can't define the firewall rule
  - You have to leave all ports open on your firewall
- Configuring your firewall to leave such a wide range of ports open creates a serious security hole
[Figure: examples of protocols with fixed ports: 2222 Rockwell-CSP; 2404 IEC; Mitsubishi MELSEC QnA; 5450 PI Data Historian; 9100 Omron FINS; and 1000s more!]

It Gets Worse! OPC/DCOM in the Real World
- DCOM callbacks in OPC are not handled on the same connection that is used for client/server calls
- Some OPC servers reject the first few connection attempts after they tell the client to use a specific port, completely breaking most firewall state engines!
- All this has made the industry consider OPC firewalls virtually impossible

What is the Tofino OPC Classic Enforcer?
- A Loadable Security Module that makes the Tofino Firewall OPC-aware
- Uses deep packet inspection technology to manage OPC traffic behind the scenes

How OPC Enforcer Works
- The Enforcer intercepts connection requests from the OPC client and checks:
  - Is it to an approved server?
  - Is it from a client approved to talk to that server?
  - Is it a properly formed OPC connection request message?
[Diagram: OPC Client sends OPC Conn Req to OPC Server; an Invalid Request is stopped at the Enforcer]

How OPC Enforcer Works
- Next, the Enforcer intercepts the connection reply from the OPC server and checks:
  - Is it a properly formed OPC connection reply message?
  - Is it to the client that made the request?
  - What TCP port is the server telling the client to use?
[Diagram: OPC Server sends OPC Conn Reply to OPC Client: "It's a good reply and the Server wants the Client to use TCP port 5555"]

How OPC Enforcer Works
- The Enforcer momentarily opens the TCP port it found in the message, with the following restrictions:
  - Only for communications between that client and server
  - Only if the client uses the specified port
  - Only if a proper TCP session occurs within X seconds
[Diagram: OPC Client sends Data Req (5555) to OPC Server and receives OPC Data; a Data Req from an Invalid Client/Port is stopped]

OPC Enforcer Blocks Dangerous Traffic
The Enforcer blocks traffic that:
- Is not from approved clients and servers
- Tries to use other TCP port numbers
- Tries to borrow port numbers from other clients or servers
- Is not a well-formed RPC connection request
[Diagram: OPC Client to OPC Server: Invalid Port #, Invalid Client, Invalid Server and Malformed Msg are stopped; OPC Data passes]
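The three-stage OPC Enforcer behaviour just described (approved client/server check on the port 135 request, port extraction from the reply, a timed pinhole restricted to that client, server and port), as an added model that is not Tofino's code; the DCE/RPC parsing is abstracted away, so events arrive as already-decoded fields, and the IP addresses and "well_formed" flags are assumptions constructed for illustration:

```python
from dataclasses import dataclass, field

EPMAP_PORT = 135   # OPC Classic connection requests go to the DCE/RPC endpoint mapper port

@dataclass
class OpcEnforcer:
    approved: set                  # {(client_ip, server_ip)} pairs allowed to use OPC Classic
    conn_timeout: float = 10.0     # "Conn T/O": seconds the dynamic port stays open
    pending: dict = field(default_factory=dict)   # (client, server) -> request time
    pinholes: dict = field(default_factory=dict)  # (client, server, port) -> expiry time
    sessions: set = field(default_factory=set)    # data connections already established

    def connection_request(self, client, server, dport, well_formed, now):
        """Stage 1: client -> server connection request (normally to port 135)."""
        if (client, server) not in self.approved:
            return False, "invalid client/server"
        if dport != EPMAP_PORT or not well_formed:
            return False, "malformed request"
        self.pending[(client, server)] = now
        return True, "request forwarded"

    def connection_reply(self, server, client, assigned_port, well_formed, now):
        """Stage 2: server -> client reply naming the dynamic port; opens a timed pinhole."""
        if (client, server) not in self.pending:
            return False, "reply without matching request"
        if not well_formed or not 1024 <= assigned_port <= 65535:
            return False, "malformed reply"
        del self.pending[(client, server)]
        self.pinholes[(client, server, assigned_port)] = now + self.conn_timeout
        return True, f"pinhole opened on port {assigned_port}"

    def data_connection(self, client, server, dport, now):
        """Stage 3: first packet of the client -> server data connection to the dynamic port."""
        key = (client, server, dport)
        if key in self.sessions:
            return True, "established session"
        expiry = self.pinholes.get(key)
        if expiry is None:
            if (client, server) not in self.approved:
                return False, "invalid client/server"
            # A pinhole exists for this server and port, but it belongs to another client
            if any(s == server and p == dport for _, s, p in self.pinholes):
                return False, "borrowed port"
            return False, "invalid port"
        if now > expiry:
            del self.pinholes[key]
            return False, "pinhole expired"
        # The pinhole is left open until it times out, so the client can retry if the
        # server rejects its first attempts (the "It Gets Worse!" slide).
        self.sessions.add(key)
        return True, "data connection allowed"

if __name__ == "__main__":
    enf = OpcEnforcer(approved={("10.0.0.10", "10.0.0.20")}, conn_timeout=5.0)
    print(enf.connection_request("10.0.0.10", "10.0.0.20", 135, True, 0.0))
    print(enf.connection_reply("10.0.0.20", "10.0.0.10", 5555, True, 0.5))
    print(enf.data_connection("10.0.0.99", "10.0.0.20", 5555, 1.0))   # contractor laptop
    print(enf.data_connection("10.0.0.10", "10.0.0.20", 5555, 1.0))   # approved client
```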

Lab 2.5.2: Protecting an OPC Server
Goal: become familiar with the operation and features of the OPC Enforcer
Procedure:
- Activate the OPC Enforcer LSM
- Add a generic controller below the Tofino
- Name it OPC Server

OPC Enforcer - Configuration Procedure
- Create a Talker rule on the server to allow the HMI to use the OPC Classic – TCP protocol
- Set the firewall rule permission to Enforcer

User-Settable Options
- Click the OPC Classic Enforcer tab
- Sanity Check: enable/disable; ensures OPC connection attempts meet the DCE/RPC specs
- Fragment Check: blocks any fragmented OPC traffic
- Conn T/O: max time for the firewall to leave the dynamic port open waiting for the data connection to start

Additional Firewall Rules that May be Required
- OPC clients may be configured to connect to the server by name rather than by IP address
- This will require additional firewall rules to allow the NetBIOS Name Service and NetBIOS Datagram Service protocols between client and server:
  - Talker rules for the OPC client
  - Broadcast rules for server and client

Talker Rules for NetBIOS Protocols
- Add the NetBIOS Talker rules to the OPC Server

Broadcast Rules for NetBIOS
- Add the NetBIOS Broadcast rules to the Tofino (not the server)

2.6: Advanced Tofino Firewall Concepts
- Global Rules versus Talker Rules
- Broadcast and Multicast Rules
- Protocol Rules versus Special Rules

Where Can I Add Firewall Rules?
- On Protected Devices:
  - Talker rules: match traffic between the device and a specific talker
  - Global rules: match traffic between the device and any talker
- On the Tofino SA:
  - Global rules: match traffic to/from any Protected Device; a talker may optionally be specified
  - Broadcast rules
  - Multicast rules

Example: Global and Talker Rules on a Protected Device

Example: Global Rules on a Tofino Security Appliance

Rule Location vs IP Address Matching

Location           Type                           Talker Allowed   PD Allowed
Protected Device   Talker                         Exact Match      Exact Match
Protected Device   Global                         Any              Exact Match
Tofino             Global (Talker Specified)      Exact Match      Any
Tofino             Global (No Talker Specified)   Any              Any

Lab 2.6.1: Global Rules
Goal: to understand global rules
Procedure:
- Create a global rule to allow the HMI to ping any device protected by the Tofino
- Create a global rule to allow any device from the unsecure network to communicate with any device on the protected network using IEEE 1588 PTP

Firewall Rule Evaluation
Each time a packet arrives at the Tofino appliance, the firewall rules are evaluated in the following order:
1. Global Rules on the Tofino SA
2. For each Protected Device:
   1. Global Rules
   2. Talker Rules
As soon as a rule MATCHES the packet, no further rules are evaluated, i.e. Global rules take precedence over Talker rules.
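The evaluation order above, the "Rule Location vs IP Address Matching" table and the earlier "Firewall Rule Permissions" table (ALLOW, ALLOW_LOG, DENY, DENY_NOLOG, default DENY and log) combined into one small evaluator, as an added example that is not Tofino's code; the Rule/Packet data model, the IP addresses and the sample rules are assumptions constructed for illustration, and rule direction is not modelled:

```python
from dataclasses import dataclass
from typing import Optional

# Permission -> (traffic allowed?, generate Exception Heartbeat?) from the deck's table
PERMISSIONS = {
    "ALLOW":      (True,  False),
    "ALLOW_LOG":  (True,  True),
    "DENY":       (False, True),
    "DENY_NOLOG": (False, False),
}

@dataclass
class Rule:
    location: str                 # "tofino", or the IP of the protected device the rule sits on
    protocol: str                 # protocol name, e.g. "modbus" or "icmp"
    permission: str               # one of PERMISSIONS
    talker: Optional[str] = None  # talker IP; None means a global rule ("any talker")

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str

def rule_matches(rule, pkt, protected):
    """IP matching per the 'Rule Location vs IP Address Matching' table."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.location == "tofino":
        # PD side: any protected device; talker side: exact match only if one is specified
        pd_ok = pkt.src in protected or pkt.dst in protected
        talker_ok = rule.talker is None or rule.talker in (pkt.src, pkt.dst)
        return pd_ok and talker_ok
    # Rule on a protected device: that device must be one endpoint (exact match)
    if rule.location not in (pkt.src, pkt.dst):
        return False
    if rule.talker is None:       # device global rule: any talker
        return True
    other = pkt.dst if pkt.src == rule.location else pkt.src
    return other == rule.talker   # device talker rule: exact match

def evaluate(pkt, tofino_rules, device_rules, protected):
    """First matching rule wins; returns (allowed, heartbeat, matched_rule_or_None)."""
    ordered = list(tofino_rules)                              # 1. global rules on the Tofino SA
    for dev in sorted(protected):                             # 2. for each protected device:
        rules = device_rules.get(dev, [])
        ordered += [r for r in rules if r.talker is None]     #    global rules first
        ordered += [r for r in rules if r.talker is not None] #    then talker rules
    for rule in ordered:
        if rule_matches(rule, pkt, protected):
            allowed, heartbeat = PERMISSIONS[rule.permission]
            return allowed, heartbeat, rule
    return False, True, None                                  # no match: DENIED and LOGGED

# Constructed topology (not from the deck): HMI and a contractor laptop on the
# unprotected side, one PLC behind the Tofino.
HMI, CONTRACTOR, PLC = "10.0.0.10", "10.0.0.99", "10.0.0.20"
PROTECTED = {PLC}
TOFINO_RULES = [Rule("tofino", "icmp", "ALLOW_LOG", talker=HMI)]
DEVICE_RULES = {PLC: [Rule(PLC, "icmp", "DENY_NOLOG"),          # global rule on the PLC
                      Rule(PLC, "modbus", "ALLOW", talker=HMI)]} # talker rule on the PLC

def decide(src, dst, protocol):
    return evaluate(Packet(src, dst, protocol), TOFINO_RULES, DEVICE_RULES, PROTECTED)

if __name__ == "__main__":
    for args in [(HMI, PLC, "modbus"), (CONTRACTOR, PLC, "modbus"),
                 (HMI, PLC, "icmp"), (CONTRACTOR, PLC, "icmp")]:
        allowed, hb, rule = decide(*args)
        print(args, "ALLOW" if allowed else "DENY", "EHB" if hb else "no EHB",
              rule.location if rule else "default policy")
```

Note that the HMI's ping is allowed and logged by the Tofino-level global rule even though the PLC carries a DENY_NOLOG rule for ICMP, which is the precedence the slide states.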

Protocol Rules vs Special Rules
- Up until now we have been using Protocol rules exclusively
- Protocol rules may be used to allow or block specific protocols passing through the firewall
- Special Rules are highly complex rules that go beyond simple allow or deny (e.g.: rate limiting)
  - Written by Byres Security; distributed in encrypted form
  - Operate at a low level within the Tofino
- Examples include:
  - Rate limiting
  - Blocking fragmented packets
  - SYN flood protection
  - RSTP
  - IGMP

Hirschmann Special Rules
- The Hirschmann Layer 2 Redundancy Protocols rules allow or deny:
  - HIPER Ring
  - Redundant Ring Coupling
- A single rule covers both protocols

Lab 2.6.2: Firewall Special Rules
Goal: you want to allow Spanning Tree packets through the Tofino
Procedure:
- In the Event Log, find an entry for Spanning Tree
- Hint: Spanning Tree uses the destination MAC address 01:80:C2:00:00:00

Lab 2.6.2: Firewall Special Rules
- An Exception Heartbeat for Spanning Tree looks like this…

Lab 2.6.2: Firewall Special Rules
- Add a Special Rule to the Tofino to allow Spanning Tree packets.
- Check whether there are any more entries in the Event Log for Spanning Tree
Hints:
- To clear the old entries in the Event Log:
  - Select any event
  - Press CTRL A on your keyboard
  - Right-click the event
  - Select Acknowledge
- Remember you can take a snapshot of the Event Log

Lab 2.6.2: Firewall Special Rules

Firewall Logging Settings
- Firewall Exception Heartbeats are rate-limited to prevent a self-inflicted Denial of Service
- Rate Limit: max number of firewall exception heartbeats per second
- Burst Limit: number of Firewall EHBs that will be sent before the rate limit is applied
- Log by Packet / Log by Connection: generate one EHB for every packet, or only generate a single EHB when the connection begins
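How the three logging settings interact, as an added token-bucket model run over constructed denied-packet events; this is not Tofino's implementation, and the event tuple format and the addresses are assumptions for illustration:

```python
from dataclasses import dataclass

@dataclass
class ExceptionHeartbeatLimiter:
    rate_limit: float              # Rate Limit: max firewall EHBs per second, steady state
    burst_limit: int               # Burst Limit: EHBs sent before the rate limit applies
    log_by_connection: bool = False  # False = Log by Packet, True = Log by Connection

    def __post_init__(self):
        self.tokens = float(self.burst_limit)   # bucket starts full: a burst goes out unthrottled
        self.last = 0.0
        self.seen = set()                       # connections already reported
        self.sent = 0
        self.suppressed = 0

    def on_denied_packet(self, t, src, dst, proto, dport) -> bool:
        """Return True if an Exception Heartbeat is emitted for this denied packet."""
        # Refill tokens for the elapsed time, never beyond the burst size
        self.tokens = min(self.burst_limit, self.tokens + (t - self.last) * self.rate_limit)
        self.last = t
        if self.log_by_connection:
            key = (src, dst, proto, dport)
            if key in self.seen:
                return False                    # one EHB per connection, not per packet
            self.seen.add(key)
        if self.tokens >= 1:
            self.tokens -= 1
            self.sent += 1
            return True
        self.suppressed += 1                    # rate limit reached: EHB not sent
        return False

def replay(limiter, events):
    """events: iterable of (t, src, dst, proto, dport); returns the number of EHBs emitted."""
    return sum(limiter.on_denied_packet(*e) for e in events)

if __name__ == "__main__":
    # Constructed sample: a port sweep of 20 denied packets within the same second
    lim = ExceptionHeartbeatLimiter(rate_limit=2, burst_limit=5)
    sweep = [(0.0, "10.0.0.99", "10.0.0.20", "tcp", p) for p in range(1, 21)]
    print("sent", replay(lim, sweep), "suppressed", lim.suppressed)   # sent 5 suppressed 15
```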

© Hirschmann Automation and Control GmbH © Most rules used in the Tofino SA are designed to filter Unicast messages Messages that are sent to a general address and are expected to be received by everyone on the network are called: Broadcast messages Multicast messages The Tofino Firewall LSM allows creation of rules to handle these types of messages Broadcast and Multicast Rules

© Hirschmann Automation and Control GmbH © Broadcast packets, which are a normal part of network operation, are transmitted by a device to a broadcast address that all devices listen to Because they are directed to a broadcast address and not a specific devices address, the Tofino SA must have specific rules that can detect the broadcast address in the message A Broadcast Rule uses the specified devices IP address as the source address, and the devices broadcast address as the destination address What is a Broadcast Rule?

© Hirschmann Automation and Control GmbH © Multicast packets are transmitted to a multicast address that a set of devices listen to Because they are directed to a multicast address and not a specific devices address, the Tofino SA must have specific rules that can detect the multicast address in the message A Multicast Rule uses the specified devices IP address as the source address, and the devices multicast address as the destination address What is a Multicast Rule?

© Hirschmann Automation and Control GmbH © Event Management and Logging System Maintenance and Management Section 3: Tofino Management

© Hirschmann Automation and Control GmbH © Event Management within Tofino CMP Heartbeat Syslog Relay Event Logger LSM Section 3.1: Event Management and Logging

© Hirschmann Automation and Control GmbH © One management station can monitor and manage hundreds of Tofino SAs, deployed in both local and remote locations. Tofino generates a heartbeat (like a fieldbus) to report status and events. Heartbeats may be relayed via Syslog or SQL DB for proactive alerting. (eg: , pager) Administration and Global Management

© Hirschmann Automation and Control GmbH © Displays all alarm and event information generated by the Tofino SAs or Tofino CMP Alarms and events are called Heartbeats Region #4: Event View

© Hirschmann Automation and Control GmbH © Heartbeat Syslog Relay Relays heartbeats to another computer using industry-standard Syslog protocol (RFC 3164) Facilitates monitoring of Tofino SAs by other network management tools such as HP Openview, Kiwi Syslog, Whats Up Gold etc.

© Hirschmann Automation and Control GmbH © Syslog Relay

© Hirschmann Automation and Control GmbH © Goal Familiarity with setup and operation of a Syslog server, and the heartbeat Syslog relay feature in CMP Procedure Install the Kiwi Syslog Daemon on your PC Set up your CMP to relay heartbeats to the Kiwi Syslog server running on your PC (Window/Preferences) Results What heartbeats are received on the Syslog server? Note: disable sending of Syslog messages when you have finished this lab Lab 3.1.1: Syslog Relay

© Hirschmann Automation and Control GmbH © Logs events locally on Tofino Security Appliance CMP performs log file rotation Offload via USB storage device Transmits event messages to Syslog server Supports UDP, TCP and TLS Syslog transport methods (RFC ) Messages are buffered locally if TCP or TLS connection is lost, and sent to server after connection is restored Tofino IP address only required for TCP and TLS Event Logger LSM

© Hirschmann Automation and Control GmbH © Event Logger: No CMP required in production network Removes potential single point of failure (CMP PC) from system May simplify management for non- technical operations personnel Syslog Relay: Built-in to CMP Easy setup - one setup screen in CMP CMP synthesizes exception heartbeat when Tofino goes missing CMP Syslog Relay vs Event Logger

© Hirschmann Automation and Control GmbH © Assign server IP address and source/destination port Assign minimum priority for logging Select transport type (certs and key required for TLS) IP address must be assigned to the Tofino (on the general settings tab) for TCP and TLS Syslog Simple Setup

© Hirschmann Automation and Control GmbH © Goals Familiarity with configuration of Event Logger LSM Procedure Install and activate the Event Logger LSM on your Tofino Configure Event Logger to send Syslog to your PC Check the events in Kiwi Disconnect your PC from the Tofino for a couple of minutes. Clear the Kiwi events and reconnect your PC Results What configuration is required on the Syslog server? What happened when the Syslog server was disconnected? Lab 3.1.2: Event Logger

© Hirschmann Automation and Control GmbH © Lab 3.1.3: Event Logger on USB Goals Familiarity with Event Logger on USB Procedure Insert your USB stick into the Tofino Press the Save button once. The 1/S LED will light Wait for the LED marquee pattern to finish Insert the USB stick into your PC and open the file Tofino_ID_evt.log Results What information is in the file?

© Hirschmann Automation and Control GmbH © User Administration Database Administration Updating Tofino SA Firmware Updating Tofino SA LSMs Replacing a Failed Tofino Security Appliance Tofino SA USB Configuration and Diagnostics Section 3.2: System Maintenance and Management

© Hirschmann Automation and Control GmbH © Tools Menu Database, licensing and user administration functions done from the Tools Menu

© Hirschmann Automation and Control GmbH © User Administration Controls who has access to the Tofino CMP Create or delete user accounts Usernames and passwords are limited to 30 characters. Passwords must be at least 6 characters long. Valid characters are a-z, A-Z, 0-9

© Hirschmann Automation and Control GmbH © CMP prompts the user to change the password if the defaults (admin/password) are still being used CMP Default User Name and Password

© Hirschmann Automation and Control GmbH © Two database backup types: Tofino Device Database Tofino CMP Database Device Database contains: Protocols Special Rules Device Profiles Main Database contains all of the above, plus: Tofino CMP Network model (including rules and config) LSM Licenses User Credentials Custom Tofino SA login key Database Management

© Hirschmann Automation and Control GmbH © Goals Familiarity with Tofino CMP Preferences Settings Familiarity with Database Backup Familiarity with Database Restore Lab 3.2.1: Database Administration

© Hirschmann Automation and Control GmbH © Make sure the Database Preferences are correct: Select menu Window > CMP Preferences Select the Database tab Set the Archive Location to your desktop Backup the Database Select menu Tools > Database Admin > Database Backup… Save your CMP Database What format is the database saved in? Database Admin Lab: Procedure

© Hirschmann Automation and Control GmbH © Firmware updates may temporarily impact the appliances ability to operate and/or pass network traffic Level 1: No impact Level 2: CMP loss of view Level 3: LSM function loss Level 4: brief packet loss Level 5: control network packet loss CMP operator is advised of the impact level, and is given an opportunity to cancel the update, before the update begins Tofino Firmware Update Impact Levels

© Hirschmann Automation and Control GmbH © Delete one or more items from your Network view Try restoring the database that was created on the previous slide which is located on the desktop. Tools > Database Admin > Database Restore… Note: The Tofino CMP software will restart after the database is restored. Database Admin Lab: Procedure

© Hirschmann Automation and Control GmbH © Use the Tools | Tofino Update… wizard to guide you through the update process Hints: –The Tofino firmware file extension is.tfo –By default the file is in C:\Program Files\ Tofino CMP Updating Your Tofino SA Firmware

© Hirschmann Automation and Control GmbH © Tofino Loadable Security Modules may be updated independently of the CMP or SA Firmware Update: Invoke Tools | Reload LSM Packages command CMP will confirm that it is OK to install updated LSMs into Tofino Security Appliances Tofino LSM Updates

© Hirschmann Automation and Control GmbH © Replacing a Failed Tofino SA It is a simple three step process to replaced an old Tofino SA with a new Tofino SA: 1. Install the new Tofino in the field 2. Type in the replacement Tofino SAs ID number, replacing the old ID number 3. Sync the new Tofino SA using Sync Tofino Do not select Sync CMP

© Hirschmann Automation and Control GmbH © Replacing a Failed Tofino SA Step 1: Install the new Tofino in the field Make sure that: You record the Tofino SAs ID number The new Tofino has been factory reset –EAGLE20 Tofino: Press SLR button 3 times

© Hirschmann Automation and Control GmbH © Replacing a Failed Tofino SA Step 2: Tofino ID in CMP must be changed to reflect new device

© Hirschmann Automation and Control GmbH © Replacing a Failed Tofino SA Step 3: Sync Tofino with Tofino CMP Right-click on the Tofino in Network view Use the Sync Tofino option

© Hirschmann Automation and Control GmbH © Goal: To become familiar with the user experience when swapping Tofino SAs in the field Procedure Exchange Tofino Demo Unit with another student group Factory Reset Tofino on Power Up (Check the Mode LED) Change Tofino ID Sync Tofino Results Any changes in the Tofino configuration? Any changes in Tofino CMP views? Lab 3.2.2: Swap Tofino

LSM License Issues with Swapped Tofino
- An LSM license is used for each Tofino (both original and replacement)
- The LSM license is reclaimed when the repaired Tofino is returned and the LSM deactivated
- If the original Tofino cannot be returned to service, Byres Security will grant a replacement license at sales/support discretion

USB Configuration
For easy transferring of configurations, you can:
- Save Tofino configurations to a USB key from CMP
- Use the USB key to load the configurations to a Tofino SA
- Copy Tofino SA diagnostic files to a USB key
- Save logs to USB (requires the Event Logger LSM)
Remember to scan the USB key for viruses before connecting it to the Tofino CMP!
The Hirschmann ACA21 is the only approved USB stick.

USB Configuration Load
For convenience, USB-loaded Tofinos:
- Are always switched to Operational Mode
- Never heartbeat until a CMP connects to them
This is because they may be located on remote networks with no CMP communications.

USB Security on Tofino
Tofino handles USB significantly differently from typical desktop PCs:
- No hotplug: USB device drivers are not loaded until the user initiates a USB config load or diagnostics save
- Drivers exist only for USB storage devices; no other device will work (e.g. serial adapter, Ethernet adapter)
- No auto-play: Tofino is programmed to load only files that are generated by Tofino CMP
- Tofino configuration files are encrypted and locked to a specific Tofino ID
- Corrupted or altered files will not be loaded
- Config files for multiple Tofino SAs may be stored on a single USB memory stick

Lab 3.2.3: USB Configuration Load
Procedure:
- Delete the Tofino files from your USB stick
- Leave the USB stick in your PC
- Use the Tofino CMP to write the Tofino config to USB
  – Right-click the Tofino icon in the Network Editor view
  – Select Create Loadable USB Key
  – Select the USB key drive and select OK
- Factory reset your Tofino
- Install the configuration from USB
  – Insert the USB storage into the Tofino USB connector
  – Press the Load button twice

USB Configuration Load Lab: Results
- How did the Tofino indicate that the configuration was being loaded from USB?
- Was the configuration successful?
- What is the operating status of the Tofino?

USB Diagnostics Save
- The Tofino Security Appliance can store diagnostics files on a USB storage device
- If the Event Logger LSM is activated, event logs will also be stored on USB
Procedure:
1. Insert the USB stick into the USB connector on the front panel
2. Press the Save button once
3. LED indicators scroll in a marquee pattern
4. Tofino writes files to the memory stick
5. LED indicators return to their previous state

Lab 3.2.3: USB Diagnostics Save
Goal: Understand what diagnostics are available from the Tofino SA
Procedure:
- Delete all files from the USB memory stick
- Insert it into the Tofino and invoke the diagnostics save function
- Look at the files on the stick using your PC
Results:
- What information is contained in the files?

USB Diagnostics Save Lab
- All filenames are prefixed with the Tofino ID
- An encrypted file is created (Tofino_ID_diagnostics.enc); this can be e-mailed to Byres Security for analysis
- One clear-text summary file is created (Tofino_ID_diagnostics.txt); it provides the Tofino ID, firmware version number, Ethernet status and memory usage
- If the Event Logger LSM is activated, one event logger file is created (eventlogger_logs): a clear-text record of the most recent event messages

Section 4: Advanced Topics
Remote Access and VPNs

Section 4.1: Remote Access and VPNs
- Tofino VPN Features and Benefits
- Tunnelling Traffic Within a Shared Network
- Connecting Remote Facilities via VPN
- Remote Access via PC Laptop

Why is an Industrial VPN Solution Needed?
Many industrial facilities have remote communication requirements that are mission critical:
- Remote access for maintenance and support
- Control connections to remote facilities (e.g. tank farms)
- Widely distributed SCADA systems (e.g. gas pipelines)
Past: modems, licensed radio, frame relay, etc.
Today: low-cost, high-speed Internet access
BUT… uncontrolled connections to the Internet are major security risks

The Virtual Private Network Solution
- A VPN is a private network that operates over a public infrastructure like the Internet.
- Typically VPNs provide encrypted tunnels for data over the Internet: you use the Internet for transport, but your data is indecipherable to all but the intended group.
- A VPN can also operate over the corporate network to tunnel control system traffic.

What Can VPNs Do for SCADA?
VPNs secure communication over the Internet. They use encryption to provide:
- Privacy: hiding the content of the message through encryption
- Authentication: proof that a person or device is who they claim to be
- Integrity: ensuring that messages are not modified in transit between the sender and receiver
For industrial SCADA applications the last two are usually more important than privacy.

Types of VPNs
IPsec
- Defined by the Internet Engineering Task Force, RFC 2401 through 2412
- Used in the IT world for corporate VPNs
- Many issues with complexity and interoperability
SSL (Secure Sockets Layer)
- Developed by Netscape in the 1990s to enable secure web transactions
- Well tested over the years, proven to be very secure
- Used today for all e-commerce transactions on the Internet
- A de facto standard with no interoperability issues

Tofino's SSL VPN Technology
- Some products that call themselves an SSL VPN are actually a proxy device providing remote access via a web browser
- The Tofino VPN is a true VPN, using SSL technology to create secure tunnels between two endpoints
- The Tofino VPN operates at layer 2, so it can:
  – Tunnel non-IP traffic over IP networks
  – Create tunnels within existing network infrastructure without changes to network addresses or architecture

VPNs are One Piece of the Total Solution
- Common misconception: if you use a VPN then you are secure. This is not true!
- Once VPN endpoints are authenticated, a VPN lets all traffic through; it does not monitor or filter any of the traffic that passes through it
- In order to provide comprehensive security, a VPN must be combined with other security measures such as the Firewall LSM
- The Tofino provides seamless firewall and VPN interoperability

Easy Deployment and Management
The Tofino VPN configuration involves a simple drag and drop of a client icon onto a server tab.

Built-in Client Installer Package for PCs
- The Tofino VPN includes a built-in Client Installer Package for Windows PCs
- One-step process for controls specialists to connect laptops to a Tofino VPN for remote support

Specifications
The Tofino VPN specifications are listed on the Tofino VPN data sheet. The key specifications are highlighted below.
- Encryption: AES-CBC, 128-bit key
- Authentication: SHA-1, 160-bit key
- Number of connections: the server supports at least 16 simultaneous connections
- Integrated Test Mode
- Security alerts: reports security alerts to the Tofino CMP management console:
  – Link Established
  – Link Disconnected
  – Authentication Failure
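As an added example (not code from the Tofino product or this training deck), the Go program below shows how the two properties the earlier slide calls most important for SCADA, authentication and integrity, follow from the parameters listed here: each tunnelled frame is encrypted with AES-CBC under a 128-bit key and then tagged with HMAC-SHA-1, and the receiver verifies the tag before it decrypts, so a frame altered in transit is rejected as an authentication failure. The iv||ciphertext||tag layout, the 36-byte combined key split and the Seal/Open names are assumptions for illustration, not Tofino's wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// Seal protects one tunnelled frame with the slide's parameters: AES-CBC (128-bit
// key) for privacy, HMAC-SHA-1 (160-bit tag) for authentication and integrity.
// The layout iv||ciphertext||tag is a hypothetical framing, not Tofino's wire format.
func Seal(key, frame []byte) ([]byte, error) {
	if len(key) != 16+sha1.Size { // constructed split: 128-bit AES key, then 160-bit HMAC key
		return nil, errors.New("key must be 36 bytes")
	}
	block, _ := aes.NewCipher(key[:16]) // cannot fail for a 16-byte key
	pad := aes.BlockSize - len(frame)%aes.BlockSize // PKCS#7 padding, 1..16 bytes
	plain := append(append([]byte{}, frame...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV per frame
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], plain)
	mac := hmac.New(sha1.New, key[16:])
	mac.Write(out) // tag covers IV and ciphertext (encrypt-then-MAC)
	return mac.Sum(out), nil
}

// Open checks the tag before decrypting: an altered or corrupted frame is rejected
// (the slide's "Authentication Failure" alert) and never reaches the bridged port.
func Open(key, msg []byte) ([]byte, error) {
	if len(key) != 16+sha1.Size || len(msg) < 2*aes.BlockSize+sha1.Size || (len(msg)-sha1.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed frame")
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	mac := hmac.New(sha1.New, key[16:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare
		return nil, errors.New("authentication failure")
	}
	block, _ := aes.NewCipher(key[:16])
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	pad := int(plain[len(plain)-1]) // covered by the verified tag, so safe to trust
	return plain[:len(plain)-pad], nil
}
```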

Product Lineup
- Tofino VPN Server LSM: installed on a Tofino Security Appliance to implement the server side of a VPN connection.
- Tofino VPN Client LSM: installed on a Tofino Security Appliance to implement the client side of a VPN connection.
- Tofino VPN PC Client License for Windows PC: allows a Windows-based computer (XP or newer) to connect to a Tofino VPN server.

Product Configurations
Each VPN connection requires:
- A Tofino VPN Server LSM in a Tofino Security Appliance
- A Tofino VPN Client LSM in a Tofino Security Appliance, OR a Tofino VPN PC Client License installed on a PC
Notes:
- Multiple clients can connect to a single server
- All VPN PC clients require a Tofino VPN PC Client License in order to connect to a Tofino VPN Server
- Tofino Security Appliances can contain both a VPN Server LSM and a VPN Client LSM at the same time

Secure Communications Between Controllers
- Many plants need to pass critical control traffic between different plant areas over a network (such as the business network) that is shared with other non-critical communications
- Tofino VPN technology ensures that the communication between controllers is secure

Allowing Non-IP Control Traffic to Travel over IP Networks
Many industrial Ethernet systems do not use TCP/IP:
- Siemens PLC protocols
- ABB MasterBus 300
- The electrical industry's GOOSE protocol
- RSTP
Tofino VPN technology allows non-IP protocols to tunnel over the Internet or a corporate IT network.

Control Remote Sites from a Central Location
Example: a gas utility monitoring and controlling pipeline compressor stations from a central office

Secure Access for Remote/Mobile Personnel
Example: support specialists need to connect to the control network remotely in order to investigate a reported operations problem.
This saves money by reducing travel costs and overtime, and increases plant productivity through improved technician response time.

Tofino Connections – VPN Passive Mode
- Same as the non-VPN case
- VPN is inactive

Tofino Connections – VPN Test Mode
- The VPN tunnel is set up to confirm connectivity, but no traffic passes through it

Tofino Connections – VPN Operational Mode
- The VPN and the secure port are bridged together
- Encrypted VPN traffic MUST go through the untrusted port
- The VPN tunnel is set up AND used to carry traffic

Lab 4.1.1: VPN Tunnel Within Plant Network
Scenario: Our control traffic is currently carried on a network that is shared with other non-control traffic.
Goal: We want to provide an additional layer of isolation and security for the control traffic. Ideally, this would be accomplished with no changes to the common network infrastructure.

VPN Lab #1 – Before (diagram: HMI and PLC on the shared network)

VPN Lab #1 – After (diagram: HMI and PLC connected through the VPN)

VPN Lab #1 – Test Environment (diagram: Hirschmann corporate network, CMP PC, Client Switch, Server Switch, Server Tofino, Client Tofino)

VPN Lab #1 - Procedure
1. Reset the Tofinos to factory default
2. Restore the blank project file on the CMP
3. Discover the Tofinos
4. Create the network map
   – Put the Tofinos in passive mode
   – Do not enable the LSMs

VPN Lab #1 - Procedure
For each Tofino:
- Activate the VPN Server or Client LSM
- Give the Tofino an IP address and subnet mask
- Put the Tofino into TEST mode

VPN Lab #1 - Procedure
- Open the Server Tofino
- Go to the VPN Server tab
- Drag the Client Tofino from the Network View window into the Client List
- Click OK

VPN Lab #1 - Procedure
- Open the Server Tofino
- The Client List Status will show Connected
- At this point the VPN is established, but data is not running through the VPN
- Put the Tofinos into OPERATIONAL mode to force the data through the VPN

VPN Lab #1 - Procedure
- Click the View Active Connections button in the VPN Server tab to see if data is going through the tunnel.

VPN Lab #1 - Procedure
- Ping from the PC to the Server Switch. What happens? Why?

VPN Lab #1 - Procedure
- Activate the Firewall LSMs on both Tofinos. What happens to the ping?
- Configure and test rules to allow the PC to communicate with the Server Switch using:
  – Ping
  – Telnet
  – HTTP

VPN Lab #1 - Conclusions
VPN usage considerations:
- The Tofino MUST have an IP address assigned to it
- The CMP computer always connects to the untrusted network port (it must be located upstream of the Tofino)
- VPN endpoint security: the VPN is a virtual wire; it does not perform traffic filtering
- Combine the VPN with other LSMs (Firewall, Modbus Enforcer) for comprehensive security