Ever since news of the Stuxnet attack hit the automation world by storm, the security of the automation network has become increasingly important to operators and vendors alike.
Although most of the Automation Network can be secured using traditional methods and standard IT security products, these networks do provide some unique challenges.
One of these challenges is provided by a myriad of legacy communication protocols, many of which started as serial (RS-232/422/485) protocols but have subsequently been implemented over Ethernet.
WIAC Ltd recently assisted a client in implementing measures to secure their end user’s legacy communications between the HMI and a Safety PLC.
The requirement, deriving from the End User (the client’s client), was to secure the Modbus/RTU over Ethernet communications between a SCADA server and the PLC. The main details of the requirement are as follows:
- Whitelisting – only specified nodes can access protected devices
- Protocol Control – only specified protocols/ports can be accessed on the protected devices
- Modbus Function Code Limiting – only specified function codes can be used
- Modbus Address Limiting – only specified addresses can be accessed
The End User had specified the use of the Tofino Xenon Safety Appliance (SA), with a Modbus Enforcer (Loadable Security Module – LSM) to fulfil this requirement.
WIAC Ltd undertook to assess the suitability of the Tofino SA, to specify and test its configuration and to provide operational and validation documentation. Note that penetration testing was not within the scope of our work.
WIAC Ltd made use of a simple desktop test rig to try out configuration options and to develop tests and tools in order to fulfil the requirements.
The Tofino Xenon SA is marketed as a Plug-n-Protect™ product. The device is DIN rail mountable and is adaptable, by the use of Loadable Software Modules, to a number of functions.
The following modules were purchased for this application:
- Firewall – applies rules to allow or deny access of specified protocols
- NetConnect – allows configuration via the network
- Modbus TCP Enforcer – provides Deep Packet Inspection (DPI) of Modbus data
- Event Logger – allows for events to be logged to a Syslog server
The key outcome of the assessment stage was the determination that the Tofino device and its Modbus Enforcer LSM were not able to perform the actions required. The Enforcer module needs knowledge of the protocol framing in order to perform its deep packet inspection, and the Tofino products only have this knowledge for Modbus/TCP, not for the Modbus/RTU over Ethernet framing in use.
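As an added illustration (not WIAC’s, Tofino’s or KEPServerEX code) of why an MBAP-based enforcer cannot act on RTU frames carried over Ethernet, and of what the function-code and address limits in the requirement amount to, the Python below parses both framings, converts an RTU request to Modbus/TCP the way a gateway would, and applies a constructed policy; the permitted function codes and register range are assumptions for the example.

```python
import struct

# Constructed policy: the HMI may only read or write holding registers,
# and only register addresses 0..99 on the protected PLC.
ALLOWED_FUNCTION_CODES = {0x03, 0x06, 0x10}  # Read / Write Single / Write Multiple Holding Registers
ALLOWED_ADDRESSES = range(0, 100)


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def classify_frame(frame: bytes) -> str:
    """Tell a Modbus/TCP ADU (MBAP header) from an RTU frame carried over TCP.
    MBAP has protocol id 0 and a length field; RTU has no header, only a trailing
    CRC, so an inspector that only knows MBAP cannot locate the PDU."""
    if len(frame) >= 8:
        _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
        if proto == 0 and length == len(frame) - 6:
            return "modbus_tcp"
    if len(frame) >= 4 and crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little"):
        return "modbus_rtu_over_tcp"
    return "unknown"


def rtu_to_tcp(rtu_frame: bytes, transaction_id: int = 1) -> bytes:
    """What a serial gateway or Modbus/TCP driver does: drop the CRC, keep the
    unit id, prepend an MBAP header. The PDU then becomes inspectable."""
    unit, pdu = rtu_frame[0], rtu_frame[1:-2]
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit) + pdu


def enforce(frame: bytes) -> tuple[bool, str]:
    """Apply the function-code and address limits to one request ADU."""
    if classify_frame(frame) != "modbus_tcp":
        return False, "not Modbus/TCP: PDU cannot be located for inspection"
    if len(frame) < 12:
        return False, "truncated PDU"
    fc = frame[7]
    if fc not in ALLOWED_FUNCTION_CODES:
        return False, f"function code 0x{fc:02X} not permitted"
    start, count = struct.unpack(">HH", frame[8:12])
    if fc == 0x06:  # write single register carries a value, not a quantity
        count = 1
    last = start + count - 1
    if start not in ALLOWED_ADDRESSES or last not in ALLOWED_ADDRESSES:
        return False, f"registers {start}-{last} outside permitted range"
    return True, f"permitted: FC 0x{fc:02X} registers {start}-{last}"


# Constructed sample: RTU request "unit 1, read 10 holding registers from 0" plus CRC.
RTU_READ = bytes.fromhex("0103 0000 000a c5cd")
```

Running `enforce(RTU_READ)` is refused because the PDU cannot be located, while `enforce(rtu_to_tcp(RTU_READ))` is permitted; that difference is the reason for moving the PLC to Modbus/TCP.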
After further investigation to review other products which might fulfil the requirement, WIAC Ltd.’s recommendation was to switch the PLC from using Modbus RTU to using Modbus/TCP.
This required the replacement of the existing OPC Server with KEPServerEX, as the original, bespoke OPC Server could only handle Modbus RTU. WIAC Ltd. undertook to install, configure and test the KEPServerEX software.
A further outcome of the assessment was that although the event logs could be copied directly from the device to a USB memory stick, it was recommended that a Syslog server be provided to collect the logs for easier processing and analysis.
With these caveats the Tofino SA device was determined to be a suitable solution for the requirement.
A more detailed description and review of the Tofino Xenon SA will be the subject of another article.
The Tofino Xenon SA is configured using a proprietary configuration tool, Tofino Configurator 2 (TC2). This tool allows the configuration of the device using a variety of predefined templates, though you are able to create your own templates if the predefined ones don’t meet your needs.
Configuration is based around the definition of network assets, devices which are connected to the network, such as workstations, servers and PLCs.
A more detailed description of configuration will be the subject of another article.
The purpose of testing was twofold.
Firstly, tests were created to ensure that the configuration was ‘as required’, i.e. that the protective functions worked as expected. These tests could be completed on the bench.
Secondly, tests were devised to ensure that the introduction of the Tofino Xenon SA had not degraded the operation of the system; that the HMI was able to fully communicate with the PLC as before.
No penetration testing, or other deliberate attempt was made to circumvent the security of the device as this was outside of the scope of the project.
WIAC Ltd configured a bench-top test setup using two laptops; one to act as the PLC (Server) and one to act as the HMI (Client).
WIAC Ltd. also specified and, where necessary, created a suite of testing tools to verify and validate each of the main requirements.
A Multiserver simulator was used to simulate a number of servers, some required, others not. A port scanner was then used to scan for open ports on the server simulator PC.
In order to test the Modbus enforcer, WIAC Ltd selected ModTest and ModSak from WingPath Software Development. This software was able to use the full range of Modbus function codes and was even able to send custom codes and invalid codes.
With ModTest we were able to configure multiple Modbus messages, each with an expected response, and then run those messages one after the other from a single click. The ‘list’ of transactions can be saved and effectively run many times as a script. The result of each individual message is displayed, as is the overall result. A log file of the messages can be saved.
The use of this software enabled us to create test scripts which would send 40000 messages and check the responses, individually testing the enforcement on all standard Modbus addresses.
In order to test the configuration of the Whitelist, WIAC Ltd. developed a tool set to change the IP address of the Client simulator PC. A script could be run which would automatically change the IP address, perform a testing action (Ping PLC), compare the result against an expected result, record either a Pass or a Fail, then move on to the next IP address. Once all IP addresses had been tested an overall result was recorded and the test record could be printed and archived for later use.
During the assessment stage, while searching for alternatives to the Tofino Xenon SA, we came across two that appear to offer the same functionality. As neither of these devices protects RTU over Ethernet, it was decided to stay with the end user’s recommendation for the project. However, readers might wish to evaluate the following:
- Moxa Industrial Secure Routers – particularly the EDR-810, EDR-G902 and EDR-G903 series. Transparent firewall, Deep Packet Inspection with PacketGuard, and real-time events and alarms.
It should also be stated that the Moxa Modbus Gateway MB3000 series can provide protection along the same lines as these devices for Ethernet to Serial conversion.