Ethernet/IP firewall/Gateway Options

harryting

earlier thread: http://www.plctalk.net/qanda/showthread.php?t=65697

I am trying to find the least painful way to pass data between 2 Ethernet/IP networks. Network A needs to be completely secure while Network B is less secure than A. I want to pass data one way from A to B. (Secure to Less Secure)

I have thought about using two Prosoft E/IP to Modbus or DNP gateways, but that's messy. I read about the Tofino firewall in the prior thread linked above. How well is it accepted in the industry? I know I will get grilled by management on how secure it really is.
 
Network A needs to be completely secure while Network B is less secure than A. I want to pass data one way from A to B. (Secure to Less Secure)

The only known way to make something 'completely secure' is to turn it off, lock it in a box, and put armed guards around the box. Even then it's a toss-up. It all depends on how determined an attacker is.

Is this a realistic requirement? Or just management wanting to have things 'completely secure.' Do you actually see a major risk if you get hacked? Is the PLC baking biscuits or refining uranium?

I would recommend getting a copy of Homeland Security's "Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies." Don't forget there is more to it than a firewall.

You need to understand what you are realistically facing. If you're making widgets, such a security appliance might be more than enough. If this controls a municipal water supply I would be more concerned.
 
IMO, an air gap just gives a false sense of security... back to the topic, neither network is connected to the internet or company business network, but network A is CIP while network B is, well, just a typical control/monitoring network that affects no life/safety.

I found another vendor, SecureCrossing, seems similar to Tofino, I guess I will talk to them and see if they can provide some references.

ETA: I see Prosoft makes an Ethernet/IP to DF1 gateway; I wonder if I can hook up two of these back to back?
 
neither network is connected to the internet or company business network, but network A is CIP while network B is, well, just a typical control/monitoring network that affects no life/safety.
To be honest, if that is the situation (no Internet connection), you mostly have to worry about keeping unwanted traffic off the CIP network, and maybe some curious employee playing on the network or inadvertently trying to mis-configure something.
Considering your threats and risk, any competent firewall will be more than adequate.
 
Secure Crossing is the best but real money. I use a ZenWall 2500 as my edge for my manufacturing network and Tofino for each line. Then I have a DMZ between the Zen and a Cisco firewall. The Cisco has 2 WAN connections to the internet and 1 connection to our corporate LAN to pass traffic to the DMZ.

I use a Barracuda SSL VPN to connect to my manufacturing network and a SonicWall VPN to make connections into the DMZ. The Barracuda is locked down to the extreme and traffic from it is still passed to the Secure Crossing. A few power users can VPN into the SonicWall to make changes and custom reports on the VantagePoint EMI server.

We use policy-based 2-factor authentication on everything as well as AD and FactoryTalk Security on everything. These are the basics, and there are honeypots and a few other goodies I won't divulge here, but you get the idea. It is almost impossible to be secure and simplistic. It just does not happen.

If you have the budget then Secure Crossing would be the best device, as it's a whitelist device where most firewalls are signature-based blacklist devices. You need an industrial firewall on the industrial side and an IT firewall on the IT / internet side.
 
Homeland Security (DHS in the US) has a free training course on industrial control system security in Idaho Falls. It's a week long and excellent. I would recommend it for engineers as we go down this security path for our control systems. They take international students as well.

A firewall is just a compensating control - to protect devices behind it that don't have the requisite security features installed and validated. It is a necessary piece of the puzzle, but as others have said there is no absolute security - if people who did Stuxnet are coming after you... they will get you. It's just a question of how long it takes and how much it costs. One approach is to implement security to make it as difficult as possible for the attackers, so they lose interest (I guess we hope they all have ADD/ADHD?) and go to your competitor who is an easier target.

I have used the Tofino devices and they are great at what they do - deep packet inspection for Modbus and OPC. I bet they either have or will have something for EtherNet/IP. They are part of Belden/Hirschmann, and have some good stuff on their website. I know other vendors OEM the product as well.
 
Harry,

Unfortunately, I can not speak to the Tofino firewall.

Below is a link to the Westermo management guide for their layer 2 and layer 3 Ethernet products. Chapter 30 addresses firewall management through their routers.

http://www.eternity-sales.com/westermo/files/WeOS+Management+Guide.pdf

Please review and let me know if this is something you wish to pursue further.

Disclosure, ESI is a distributor for Westermo products.
 
Hi,

The easiest way to connect two Ethernet/IP networks, to me, would be to use a gateway such as:
http://www.anybus.com/support/support.asp?PID=164&ProdType=Anybus X-gateway

Mind you that I may be biased as I work for HMS...
Also, not sure about your security concerns...

My 2 cents

//Patrick L
 
That's a very interesting device, especially considering I'm just exchanging a few words of data (alarms, status). I'll read up on it, thanks.

And thanks for the feedback on firewalls; now I have a lot more information to base my research on. Firewall ability isn't my first priority but will probably be in the future. Right now I just want to pass some data one way.
 
