
Triconex Tofino Firewall - Invensysiom.invensys.com/EN/pdfLibrary/AppSolution_Triconex_TofinoFirewall... · Triconex® Tofino™ Firewall and the TriStation™ access control system


Application Solution

OVERVIEW

Secure and reliable OPC Classic communications between Safety Integrated Systems (SIS) and primary control systems can now be realized using a defense-in-depth strategy that combines the Triconex® Tofino™ Firewall and the TriStation™ access control system. This application solution outlines how to secure OPC-based systems at multiple levels, including Denial of Service (DoS) prevention, protocol sanity checking, real-time TCP port management and OPC read-only controls.

BENEFITS, RISKS AND SOLUTIONS FOR OPC

OPC Classic is the world’s most widely used industrial integration protocol. Its almost universal acceptance among the major control systems vendors, combined with its object-oriented design, has made the interfacing of different industrial control products easy to do. It is used to interconnect critical safety integrated systems, distributed control systems (DCS), human machine interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, enterprise resource planning (ERP) systems and other business-oriented systems.

THE CHALLENGE OF OPC CLASSIC

Until recently OPC Classic also brought with it a number of significant security concerns. The protocols underlying OPC, namely RPC and DCOM, were designed before security issues were widely understood. As a result, OPC has been almost impossible to secure using conventional IT-style firewalls.

One of the serious issues was that unlike most other network applications, servers using OPC Classic dynamically assign TCP ports to each executable process serving objects to clients. OPC Clients then discover the ports associated with a particular object by connecting to the server and asking what port they should use. Because OPC servers are free to use any port between 1024 and 65535, OPC becomes very “firewall unfriendly” - configuring an IT firewall to leave such a wide range of ports open presents a serious security hole and is generally considered unacceptable practice.

Figure 1: Triconex Tofino Firewall and Tricon Controller

Summary

The new Triconex Tofino firewall is the first of its kind, designed to protect safety systems from high data traffic that speak Triconex proprietary communication protocols as well as OPC Classic protocol.

Business Value

The Triconex Tofino Firewall is the first true OPC Classic security solution. It offers superior security over conventional commercial-off-the-shelf firewall and it is designed to automatically interpret Triconex proprietary communications protocol right out of the box. Combined with the Tricon Communications Module (TCM), the Triconex Tofino Firewall creates the ideal defense-in-depth solution for better safety integrated system reliability and security.

Triconex Tofino Firewall

Securing OPC Communications to Triconex Safety Systems


Figure 2: Triconex Tofino Firewall

SIMPLE, RELIABLE OPC SECURITY

To enable greater interoperability of its Triconex safety systems, Invensys Operations Management pioneered embedding OPC servers within its Tricon™ communications module (TCM). At the same time, Invensys wanted to ensure that these modules were highly secure, so it teamed with Byres Security to create a firewall specifically for Triconex systems. The result is the Triconex Tofino Firewall, which is now available for Invensys customers using the Triconex TCM with the embedded OPC solution.

The combination of the Triconex TCM with the Triconex Tofino Firewall automatically addresses a wide variety of security issues by offering multiple layers of defense:

1. Tightly closed firewall automatically tracks all the TCP ports assigned by OPC servers for Data Access (DA) and Alarms & Events (A&E) connections and then dynamically opens those ports in the firewall only when needed and only between appropriate client/server pairs

2. Built-in OPC sanity checking blocks any OPC requests not conforming to the DCE/RPC standard, preventing many common malware attacks

3. Pre-defined anti-DoS filters manage traffic levels so that traffic storms cannot impact the safety system

4. Read/Write access control features in the TCM allow complete lockdown of what devices can read or write to the safety system

All these state-of-the-art security features can be used by staff without network security experience. In fact, as the remainder of this application note will show, all security configuration is easily defined using the TriStation software supplied with all Triconex systems.
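A simplified model of the first layer listed above (dynamic OPC port tracking), added here as an illustration and not taken from the Tofino firmware or Invensys documentation. The class name, the idle timeout, the addresses and the port number 49200 are assumptions; TCP 135 is the standard DCE/RPC endpoint mapper port, and how the real firewall reads the assigned port out of the DCOM exchange is not modelled.

```python
EPMAP_PORT = 135                    # DCE/RPC endpoint mapper: fixed first contact for DCOM clients
DYNAMIC_PORTS = range(1024, 65536)  # range an OPC Classic server may assign from (per the text)
IDLE_TIMEOUT = 60.0                 # assumption: seconds an unused pinhole stays open


class OpcPinholeTable:
    """Default-deny model: dynamic ports open only per client/server pair."""

    def __init__(self, server, allowed_clients):
        self.server = server
        self.allowed_clients = set(allowed_clients)
        self.pinholes = {}          # (client, port) -> expiry timestamp

    def on_port_assignment(self, client, server, port, now):
        """Record a port the server handed to a client during negotiation."""
        if server != self.server or client not in self.allowed_clients:
            return False
        if port not in DYNAMIC_PORTS:
            return False
        self.pinholes[(client, port)] = now + IDLE_TIMEOUT
        return True

    def permit(self, src, dst, dst_port, now):
        """Decide on a TCP connection attempt towards the protected server."""
        if dst != self.server or src not in self.allowed_clients:
            return False
        if dst_port == EPMAP_PORT:
            return True
        expiry = self.pinholes.get((src, dst_port))
        if expiry is None or now > expiry:
            self.pinholes.pop((src, dst_port), None)   # closed or never opened
            return False
        self.pinholes[(src, dst_port)] = now + IDLE_TIMEOUT   # refresh on use
        return True


def demo():
    # Constructed addresses (documentation range) and a constructed port number.
    tcm, hmi, historian, other = "192.0.2.10", "192.0.2.20", "192.0.2.21", "192.0.2.99"
    fw = OpcPinholeTable(tcm, [hmi, historian])
    results = {"before_assignment": fw.permit(hmi, tcm, 49200, now=0)}
    fw.on_port_assignment(hmi, tcm, 49200, now=1)
    results["assigned_client"] = fw.permit(hmi, tcm, 49200, now=2)
    results["other_allowed_client"] = fw.permit(historian, tcm, 49200, now=3)
    results["unlisted_host"] = fw.permit(other, tcm, EPMAP_PORT, now=4)
    results["after_idle_timeout"] = fw.permit(hmi, tcm, 49200, now=2 + IDLE_TIMEOUT + 1)
    return results
```

The point of the pair-scoped key is visible in `other_allowed_client`: a second permitted client still cannot reach a port that was assigned to someone else, which a static "open 1024-65535" rule cannot express.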

SIMPLE INSTALLATION

The Triconex Tofino Firewall is designed to be inserted in-line between the control network and the Ethernet port on the Triconex Communications Module (TCM) as shown in Figure 3. In this way all network traffic destined for the TCM can be inspected by the firewall, and any potentially harmful traffic can be blocked before it can reach the TCM.

The firewall has two Ethernet interfaces. The lower (“trusted”) interface is labeled with a closed padlock symbol; this interface should be connected to an Ethernet interface on the TCM. The upper (“untrusted”) interface is labeled with an open padlock; this interface should be connected to the rest of the control network (DCS, HMI, etc). If multiple Ethernet interfaces are active on the Triconex, then a separate Triconex Tofino Firewall should be installed on each interface.

Figure 3: A Secure OPC Network for Safety Systems


OUT-OF-THE-BOX SECURITY

The Triconex Tofino Firewall comes pre-configured from the factory so it can be used in most Triconex installations without any adjustment. Only the following types of traffic will be allowed through the firewall:

• OPC (bi-directional)

• Modbus TCP (bi-directional)

• Network Time Protocol (Triconex may be a client to an external NTP/SNTP server)

• Triconex management traffic (TriStation, TMI, TSAA, downloader, peer-to-peer, and time sync protocols)

• Network printing traffic (outbound only from Triconex to external printer)

• “Ping” ICMP echo request/reply (inbound, initiated by external device only)

Any other types of network traffic will be blocked by the firewall before it can reach the TCM.

The following additional security features are also provided by the Triconex Tofino Firewall:

– Rate limits are applied to all incoming traffic to ensure that the TCM cannot be disrupted by traffic overload conditions

– All OPC connection requests are ‘sanity checked’ for compliance with the RPC protocol specification; they will be blocked if non-compliant

– The Triconex Tofino Firewall saves a log of all exception conditions (including blocked network traffic) that are detected. These log entries may be saved to a USB storage device for inspection using a standard text editor.

FINE TUNING THE TRICONEX TOFINO FIREWALL

The rules in the Triconex Tofino Firewall can be further refined to allow only those protocol port numbers and TCM IP addresses specifically defined during the standard TriStation configuration process. For example, in some installations, the Triconex Communications Module will be configured to use custom TCP and UDP port numbers for Modbus TCP. In these installations, the Triconex Tofino Firewall must be re-configured to use the same port numbers; otherwise, the network traffic using these customized port numbers will be blocked by the firewall. The Triconex Tofino Configuration Utility makes this task simple.

Customizing the firewall is a three-step process.

1. The TriStation software is used to export the TCM configuration data into an XML file (see Figure 4)

2. This XML file is read into the Triconex Tofino Configuration Utility, which saves a set of encrypted firewall configuration files onto a USB memory stick

3. Finally, the USB storage device is inserted into the firewall to load the encrypted configuration files

Figure 4: Saving TCM configuration for import into the firewall utility is a simple process:

1. Select Controller

2. Select Configuration

3. Select the TCM that will be protected

4. Choose Setup

5. Export the file


Invensys, the Invensys logo, ArchestrA, Avantis, Eurotherm, Foxboro, IMServ, InFusion, SimSci-Esscor, Skelta, Triconex, and Wonderware are trademarks of Invensys plc, its subsidiaries or affiliates. All other brands and product names may be the trademarks or service marks of their representative owners.

© 2010 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc.

Invensys Operations Management • 5601 Granite Parkway III, #1000, Plano, TX 75024 • Tel: (469) 365-6400 • Fax: (469) 365-6401 • iom.invensys.com

After this procedure is performed, the custom configuration will be permanently stored in the firewall. If desired, a factory reset procedure may be used to return the Triconex Tofino Firewall to the original factory default configuration. (Both the USB load and factory reset procedure are described in the firewall’s hardware installation guide.)

ENFORCING READ-ONLY OPC COMMUNICATIONS

The Triconex TCM Access List feature permits the user to limit access to the Triconex SIS to specific devices on the control network, and also to restrict the type of access by protocol. For example, OPC clients can be limited to read-only access. By combining access control with the Triconex Tofino Firewall, the user can quickly and easily implement multi-layered ‘defense-in-depth’ protection for the SIS.

MANAGING NON-OPC PROTOCOLS

Of course OPC Classic might not be the only protocol that needs to pass through the firewall, so the system is extensible to also allow Modbus TCP, Simple Network Time Protocol (SNTP), the Triconex management protocols, network printer access and ICMP (‘ping’) traffic. These protocols are allowed by default, but can be disabled by the firewall configuration utility if they are not active in the TriStation configuration file. This provides an extra level of security by blocking network traffic that is not required for correct plant operation.

SUMMARY

The Triconex Tofino Firewall is very simple to use (absolutely no configuration changes are required on the OPC clients and servers), and it offers superior security over what can be achieved with conventional firewall or tunneler solutions. It is designed to automatically interpret standard TriStation controller export XML files and create refined firewall rules without any special training. Combined with the TCM access list features, the Triconex Tofino Firewall creates the ideal defense-in-depth solution for better safety integrated system reliability and security.

Rel. 04/10 PN TR-0103

Figure 5: TCM access list settings controlling which clients get Read/Write access versus Read-Only access