Belden Helps Schneider Electric Secure Critical Industrial Infrastructure

Industrial automation systems are increasingly being coupled with business systems, as organizations look to work more effectively and efficiently. Industrial communication systems, originally designed to work only within facility walls, now carry far more information than before, with data sometimes passing into the outside world as well as around the plant floor. At the same time, the level of cyber threat to critical infrastructure, especially energy, water and transportation systems, has increased dramatically.

“Manufacturers are under continuous threat of new and increasingly dangerous cyberattacks, which requires greater vigilance and security,” says Dave Doggett, program director for Industry Cyber Security at Schneider Electric. “The ConneXium Tofino Industrial Security Solution provides a key element in reducing risks, by managing the traffic to and from Schneider Electric automation devices before patches are applied, or new more secure products are deployed.

“In addition, this capability can be used to enforce plant procedure by blocking inappropriate programming commands to devices, preventing mistakes. By collaborating with the experts at Tofino Security, we are able to provide our customers with an easy-to-deploy industrial grade firewall that works seamlessly with our systems.”

The core of the new product line is the ConneXium Tofino Firewall. This is a rugged security appliance that inspects each network message that passes through it, ensuring that only the right network messages, from the right computers, can be sent to critical controllers. Hacking attempts, deliberately corrupted messages, and even network traffic storms are halted by the ConneXium Tofino Firewall.

The popular Modbus protocol is further secured using the Deep Packet Inspection capabilities provided by the ConneXium Tofino Modbus TCP Enforcer module. Only “allowed” Modbus commands from “allowed” devices go through the firewall. This prevents incidents caused either by inappropriate remote programming or by deliberately corrupted messages from malware, until appropriate patches or changes can be applied to the control system.

The firewall is configured using the new ConneXium Tofino Configurator. This is Windows-based software that includes Tofino’s patented Plug-n-Protect technologies. “We have worked hard to make the ConneXium Tofino a solution that can be used out of the box,” says Eric Byres, CTO and vice president of engineering at Tofino Security. “Engineers don’t need to be security experts to secure their facility with Tofino.”

An example of the Plug-n-Protect technologies included in the ConneXium Tofino is the set of 15 pre-configured templates for major Schneider automation products. Engineers simply select the models of Schneider product they are using in their plant from the templates. They then decide which devices they want to allow communications to, and the ConneXium Tofino Configurator automatically determines the appropriate rules. The software also includes expert technology that looks for common mistakes in firewall programming, and proposes possible improvements.