Eaton MTL

MTL Instruments Group

FAQs in Industrial Security


How can I evaluate the firewall rules that I’ve created?

The first firewall rule that matches a packet will determine what the firewall does with that packet, based on the ‘permission’ setting of the rule. If no rule matches a packet, then the default action is to block that packet and generate an alarm.

When using Tofino CMP, firewall rules are evaluated in the following order:

1. Rules for non-IP protocols in the firewall tab of each Tofino icon
2. Rules for IP-based protocols in the firewall tab of each Tofino icon
3. Rules for IP-based protocols on the firewall tab of each protected device under a Tofino (‘Talker’ rules)

All rules are evaluated top to bottom as displayed visually in the CMP network editor, within the groups outlined above. Where multiple rules match the same packet, the first rule that is evaluated will determine how the packet is processed. For example, if a Tofino has a Global rule that allows Modbus/TCP traffic, and there is also a Talker rule on a protected device under the same Tofino that uses the Modbus TCP Enforcer to perform content inspection on Modbus/TCP traffic, the Modbus/TCP traffic will be allowed without inspection, since the Global rule is evaluated before the Talker rule.

Rules can be re-ordered by the user on any firewall tab, except that Global rules will always be evaluated before Talker rules (top to bottom, as described above). CMP always displays them in alphabetic order based on the device name, but devices in the network editor can be re-ordered by changing the device name to get the desired rule evaluation order.
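An added illustration (not CMP’s own code): a small Python model of the first-match evaluation order described above, with a check that reports Talker rules shadowed by an earlier Global rule, which is the Modbus/TCP pitfall in the example. The rule and packet fields, the scope names and the IP addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    scope: str        # "global-nonip", "global-ip" or "talker" (assumed names)
    proto: str        # protocol name, e.g. "modbus/tcp" or "arp"
    permission: str   # "allow", "deny" or "enforcer" (allow with content inspection)
    src: str = "any"  # hypothetical IP filters; "any" matches everything
    dst: str = "any"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str

# Evaluation order from the FAQ: non-IP Global, IP Global, then Talker rules.
ORDER = {"global-nonip": 0, "global-ip": 1, "talker": 2}

def ordered(rules):
    # sorted() is stable, so each tab's top-to-bottom order survives inside its group.
    return sorted(rules, key=lambda r: ORDER[r.scope])

def covers(rule, proto, src, dst):
    return rule.proto == proto and rule.src in ("any", src) and rule.dst in ("any", dst)

def evaluate(rules, pkt):
    """First matching rule decides; no match means block and raise an alarm."""
    for rule in ordered(rules):
        if covers(rule, pkt.proto, pkt.src, pkt.dst):
            return rule.permission, rule
    return "block+alarm", None

def shadowed_talker_rules(rules):
    """Talker rules that can never fire because an earlier rule already covers
    every packet they could match (same protocol, equal or broader filter)."""
    seq = ordered(rules)
    found = []
    for i, rule in enumerate(seq):
        if rule.scope == "talker":
            for earlier in seq[:i]:
                if covers(earlier, rule.proto, rule.src, rule.dst):
                    found.append((rule, earlier))
                    break
    return found

# Constructed rule set reproducing the FAQ's pitfall: a Global allow for Modbus/TCP
# sits ahead of a Talker Enforcer rule for the same protocol, so inspection never runs.
RULES = [
    Rule("talker", "modbus/tcp", "enforcer", "10.0.0.5", "10.0.0.20"),
    Rule("global-ip", "modbus/tcp", "allow"),
    Rule("global-nonip", "arp", "allow"),
]
```

Running `shadowed_talker_rules(RULES)` reports the Enforcer rule together with the Global rule that pre-empts it; fixing the order, or narrowing the Global rule, makes the report empty.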

How to determine function codes and coil or register addresses for Modbus Enforcer rules?

It’s best if there is documentation available that describes which function codes and coil/register addresses are used, because some function codes or addresses may only be used intermittently or for certain operating modes of the plant. However, if documentation is not available, it’s also possible to determine the function codes and addresses by using Tofino’s test mode. The function codes can be determined by allowing just a single function code that is known not to be used (for example, 127) and then running the Tofino in Test mode. The alarms will list all the function codes that are seen by the Enforcer. Once the function codes are known, Modbus Enforcer rules can be set up for them, but with a dummy register address range, for example 0-0. Alarm messages will be generated showing the register addresses that are actually being used, and the address ranges in the rules can then be adjusted to match.
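An added illustration, not Tofino code: a Python parser that pulls the function code and the coil/register range out of Modbus/TCP request frames and collapses them into one range per unit and function code, which is the same information the Enforcer’s test-mode alarms expose and the form an Enforcer rule needs. The sample frames are constructed for the example.

```python
import struct

SINGLE = {5, 6}                  # write single coil/register: address field only
RANGED = {1, 2, 3, 4, 15, 16}    # read/write requests with start address + quantity

def parse_request(frame):
    """Return (unit, function_code, first_addr, last_addr) for one Modbus/TCP
    request frame. Addresses are the 0-based protocol addresses on the wire."""
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in SINGLE:
        addr, = struct.unpack(">H", pdu[1:3])
        return unit, fc, addr, addr
    if fc in RANGED:
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return unit, fc, addr, addr + qty - 1
    return unit, fc, None, None      # no address field (e.g. FC 7, 8, 17, 43)

def learn_ranges(frames):
    """Collapse observed requests into one (min, max) range per (unit, fc): the
    form in which a Modbus Enforcer rule expresses its coil/register range."""
    seen = {}
    for frame in frames:
        unit, fc, lo, hi = parse_request(frame)
        cur = seen.get((unit, fc))
        if lo is None:
            seen.setdefault((unit, fc), None)
        elif cur is None:
            seen[(unit, fc)] = (lo, hi)
        else:
            seen[(unit, fc)] = (min(cur[0], lo), max(cur[1], hi))
    return seen

def mbap(unit, pdu, tid=1):
    """Wrap a PDU in an MBAP header (used here only to build sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic for unit 1: FC3 reads of registers 0-9 and 19-24,
# an FC16 write to registers 99-100, and an FC5 write to coil 12.
SAMPLE = [
    mbap(1, bytes([3]) + struct.pack(">HH", 0, 10)),
    mbap(1, bytes([3]) + struct.pack(">HH", 19, 6)),
    mbap(1, bytes([16]) + struct.pack(">HHB", 99, 2, 4) + b"\x00\x01\x00\x02"),
    mbap(1, bytes([5]) + struct.pack(">HH", 12, 0xFF00)),
]
```

Feeding a capture of the real traffic (instead of SAMPLE) yields the per-function ranges to enter in the rules, and a gap between the learned range and the rule's range is exactly what the dummy-range alarms would reveal.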

How do I get started with a Tofino security appliance?

Here are a couple of resources that may be helpful in getting started with Tofino:

1. The first section of the CMP user guide is entitled “15 steps to a secure control system.” This is a great step-by-step introduction to setting up a Tofino, modelling your control network, configuring some firewall rules and then testing the rules before deployment. Please note that the Tofino is an Ethernet bridge (like an Ethernet switch) with no IP address, so to discover the Tofino as described in the tutorial, you must connect it between your CMP computer and another device that DOES have an IP address. Additionally, when you perform the “Tofino Discovery” as described in the tutorial, the IP address that you should scan is the IP address of the device BEHIND the Tofino (opposite side of the Tofino from your CMP computer).

2. We have a demonstration video on our website that provides a basic introduction to Tofino and gives examples of configuring the key security modules. This video is accessible using the link below:
http://www.mtl-inst.com/training-education/demonstration-videos/mtl_industrial_security_solution_live_demonstration

How to free the LSM licenses that are assigned to a missing Tofino?

The Tofino CMP must be able to communicate with the real Tofino device in order to deactivate the licenses and return them to “available” status. If the CMP cannot communicate with the Tofino appliance (for example, the Tofino ID was entered incorrectly, or the Tofino has a hardware failure that prevents it from communicating) then the CMP database can be edited to release the licenses.

Here is the procedure to edit the CMP database:

1. Create a CMP database backup file (“Tools | Database Admin | Database Backup…” menu item)
2. Send an e-mail to Tofino Security with a short explanation of the problem. Attach the CMP database backup to the e-mail, and be sure to identify the ID number(s) of the Tofino(s) to which the license(s) were assigned.
3. Tofino Security will manually edit the database backup file and return it to the originator.

How to import and use special rules?

Here is the procedure for importing and using a new special rule in Tofino CMP.

1. Copy the special rule to the hard drive of the CMP computer
2. In CMP, right-click in the “Special Rules” view (bottom right corner of CMP) and select “Import”
3. Navigate to the folder where the special rule was saved on the hard drive. Select the file and click “OK”. The new special rule should now appear in the “Special Rules” view.

Special rules may be deployed in the same way as protocol definitions:

- If the rule is for non-IP traffic, it may be dragged and dropped onto the “Global Rules” list on a Tofino’s firewall tab
- If the rule is for IP-based traffic, it may be dragged and dropped onto any firewall rule list on the Tofino’s firewall tab, or on the firewall tab of any protected device

What happens if I lose my password to login to CMP?

We can reset your login information in CMP if you send us a copy of the raw CMP data files. First, ensure that CMP is not running. Next, create a ZIP archive containing the entire contents of the directory “C:\Documents and Settings\[user name]\Application Data\Tofino CMP” and e-mail the archive to us. (“[user name]” represents the Windows user name that you use to log in to the Windows PC.) We will reset the password and send you back a replacement file set. Overwrite the files in this directory with the replacement files. When you start CMP, the admin password will be set back to the default “password”; log in and change it to something secure. (Note: on Windows Vista, Windows 7 and Windows Server 2008 the raw files are located in “C:\Users\[user name]\AppData\Roaming\Tofino CMP”.)

How does Tofino licensing work?

When you license Tofino, two different types of license are created: one for CMP, and the other for the Loadable Security Modules (LSMs) that you will use in the Tofino appliances. The CMP license is assigned to the PC that was used to create the license request file. If you try to import a CMP license grant file on a PC that is different from the PC used to create the license request file, it will fail with an error message.

Every CMP database is assigned a unique ID number when it is created. The LSM licenses are tied to the CMP database that was in use when the license request file was created. If you try to import a license grant file into CMP while a different CMP database is in use, it will fail with an error message.

The error message you received is for the second case (database ID doesn’t match). This means that the CMP database changed between the time that the license request file was generated and the time that the license grant file was imported into CMP. In this case, you should create a new license request file and e-mail it to us. We will generate a new license grant file which will work with your current CMP database. After you import that grant file, you can back up your CMP database (use the “Tools | Database Admin | Database Backup…” command in CMP) and your licenses will be saved in the backup file that is created.

Can I create backups for my Tofino configuration?

The Tofino locks its config files to a specific device ID (MAC address). The MAC address is part of the config file name. This means you can have multiple config files on a single ACA. However, you can’t create a config file that can be loaded into any device - you must enter the device’s specific MAC address into the CMP software before generating the config files.

So the best way to handle replacing a failed device is to keep one spare hardware device on hand, keep one spare set of licenses in the Tofino CMP software, and keep the Tofino CMP software accessible. Here is the procedure to configure the replacement device when one of the in-service devices fails:

1. Physically swap the failed device with the replacement. MAKE NOTE of the ID number (MAC address) of the new device.
2. In the Tofino CMP software, locate the icon in the Network Editor that represents the failed device. Edit the ID number for this icon, replacing it with the ID number of the new replacement device, and click OK to save the changes.
3. If Tofino CMP has a network connection to the replacement Tofino, you can download the configuration to the replacement device by right-clicking on the icon in the network editor and selecting “Sync Tofino”. Otherwise, you can right-click on the icon and select “Create loadable USB key” to save the config files to an ACA, then carry that ACA to the replacement device and load the config into it.

Why can’t I discover my Tofino?

Sometimes when starting with Tofino, users have difficulty “discovering” the Tofino devices on the network. Here are some tips and common problems for this step:

1. The Tofino itself does not have an IP address. To communicate with a Tofino, there must be at least one device BEHIND the Tofino that does have an IP address. When we perform a Tofino discovery, we are scanning the IP address of the device(s) behind the Tofino, not the Tofino itself.
2. If the Tofino appliance is not brand new (i.e. a loaner or demo unit), it may have arrived with a configuration already loaded into it. In this case, it will only respond to discovery requests from the same CMP computer that configured it. The solution is to perform a factory reset on the Tofino device.
3. If the Windows firewall on the CMP computer is enabled, it may be blocking the “heartbeat” messages coming back from the Tofino devices. Exceptions should be enabled in the Windows firewall, and Tofino CMP should be listed as an exception (i.e. enabled to send and receive network traffic).
4. If there is a router or firewall between the CMP computer and the Tofino, it must be configured to allow management traffic to pass between them. Also, if it performs any port translation on the traffic coming back from the Tofino to the CMP, then Tofino Discovery may not work. Check Tofino application note no. 112 for more details: http://www.tofinosecurity.com/professional/configuring-firewalls-allow-tofino%E2%84%A2-cmp-traffic

Can I move my CMP (central management platform) to another PC? If so, how?

CMP may be moved to another PC using the following steps:

1. Log in to CMP and create a backup of your existing configuration database (“Tools | Database Admin | Database Backup…” menu item)
2. Install CMP on the new PC. If installing on Windows Vista, Windows 7 or Server 2008 then please take note of the special requirements in Appendix B of the CMP installation guide.
3. License CMP on the new PC using the same License Activation Key that was used on the existing CMP computer.
4. Once CMP is licensed on the new computer, transfer the backup file that you created in step 1 above and restore it into the new CMP using the “Tools | Database Admin | Database Restore…” menu item.

Do I need to use any specific type of USB drive for the Tofino?

Tofino requires USB storage devices that are compatible with revision 2.0 of the USB specification. The device need NOT be a high-speed device; full-speed devices also work. The following brands are listed in the Tofino CMP manual as being compatible:

• Kingston Data Traveler
• SanDisk Cruzer
• Sony Microvault
• Lexar

In addition, we have regularly used the 2 GB and 4 GB Verbatim USB memory sticks successfully.

Can I use VLAN with Tofinos?

Tofino is completely transparent to VLAN-tagged traffic. If the traffic is tagged, and it is allowed by the user’s firewall rules to pass through the Tofino, then the VLAN tag will be preserved on the traffic. This means that the Tofino can be installed on VLAN trunks if desired. The firewall rules created by the user do not filter based on VLAN tags; they can filter only on IP address and protocol. This usually does not create any problem when VLANs are used, however, since in most installations each VLAN tag is associated with a unique subnet.

Why is Tofino better than other firewall devices?

Tofino is simple to install - no DIP switches or IP addresses.

Tofino is simple to configure and monitor in an industrial environment.

Zone 2 FM and ATEX approved

If a “hacker” manages to obtain a copy of the CMP

ABSOLUTELY NOT - Each CMP database has a unique random key. The first time a CMP establishes a connection to a new Tofino appliance, it uploads its random key to that Tofino. From then on that Tofino can only communicate with the CMP that owns the key.

Should CMP (Central Management Platform) be always online?

If the CMP is shut down there is no risk to security whatsoever. We suggest that the Tofino CMP is left online at all times so it can collect events from Tofinos in the field and provide alarms to the operator, however this is strictly optional.

Can you deploy Tofinos in a redundant network?

YES - Generally Tofino can be used on redundant networks based on systems like Spanning Tree Protocol (STP), Fault Tolerant Ethernet (FTE) and others straight out of the box.

If a Tofino appliance doesn’t have an IP address

The Tofino uses a patent-pending technology to “borrow” IP addresses of the devices that it will be protecting for its configuration and event messages. This does not impact the devices being protected in any way, but it makes the Tofino almost impossible for hackers to detect.

How could a PLC using MODBUS/TCP

MODBUS has no authentication and may be easily spoofed, so any MODBUS device controlled or monitored by a Windows PC is exposed if that PC is compromised.

My DCS vendor says that their protocol has authentication o

If the DCS only uses that authenticated protocol, and that protocol has been security tested by a certification service such as MUSIC or Idaho National Labs, then the protocol is probably secure. However, many products also communicate using older unauthenticated protocols such as EtherNet/IP, MODBUS, HTTP or telnet.

Is a defense-in-depth strategy important for all control systems or

A defense-in-depth strategy is needed for all control systems. The North American Electric Reliability Council (NERC) notes that poor defense-in-depth design is the second most common security vulnerability in modern control systems.

My control system is separated from the business network with a firewall

Many attacks come through secondary pathways such as infected laptops, remote access over VPNs, and modems, which completely bypass the firewall. To address this, the critical devices inside the control system firewall should be given additional layers of protection (e.g. just as office PCs have personal firewalls and anti-virus software). This is known as a defense-in-depth strategy.

My control system is never connected to the Internet. Am I still at risk from cyber incidents?

Absolutely - most attacks enter the system from either the business network or through secondary pathways such as infected laptops, USB keys, remote access over Virtual Private Networks (VPNs) or modems.

What is included in the Tofino™ Starter Pack?

The Tofino Starter Pack (9530-STP CK) consists of: 1x Tofino SA, 1x Central Management Platform (CMP), 1x Secure Asset Management LSM, 1x Firewall LSM.

Please note that the Starter Pack CMP is restricted to managing a maximum of 3 Tofino SAs per facility.

Tofino Starter Pack Datasheet

Can the CMP software / Tofino traffic be routed through another server?

Yes; CMP and Tofino need ports 6689 or 65000 open to communicate through a firewall.

How do I perform a factory reset on an MTL9211-ET Tofino hardware unit?

Power the Tofino off, hold down the large mode button while you power it up, and keep holding until all four LEDs blink twice. This may take as long as 2 minutes. Once they blink you can release the button; the Tofino has been reset.