Passive network inventory and control

Processingtalk.com posted an article describing a new passive monitoring module for the Tofino security product.

Sounds pretty neat.

When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder.

It also guides the user through creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic.

Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making the normally byzantine art of firewall configuration easy for the controls professional.
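To make the workflow described above concrete (passive discovery, a prompt when an unknown device appears, and firewall rules derived from learned traffic), here is an added illustration in Python. It is not Tofino code and does not use Tofino's rule syntax; the flow records are constructed stand-ins for what a passive tap would see, and the function and field names are assumptions. Note what it does not do: it sends nothing on the network, and it treats every device seen during the baselining window as trusted, which is precisely the assumption a deployment has to be able to justify.

```python
"""Passive inventory and rule proposal from observed flows (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed flow records: (timestamp, src_ip, dst_ip, proto, dst_port).
# Each record is a client-to-server conversation seen on a passive tap;
# the code only reads these, it never probes or pings anything.
BASELINE_FLOWS = [
    (1, "10.0.0.10", "10.0.0.20", "tcp", 502),  # HMI -> PLC1 (Modbus/TCP)
    (2, "10.0.0.10", "10.0.0.21", "tcp", 502),  # HMI -> PLC2
    (3, "10.0.0.10", "10.0.0.20", "tcp", 502),  # repeat of flow 1, collapsed
    (4, "10.0.0.30", "10.0.0.20", "tcp", 502),  # historian -> PLC1
]

Flow = Tuple[str, str, str, int]


@dataclass
class Inventory:
    """Devices and conversations learned purely from observed traffic."""
    known: Set[str] = field(default_factory=set)
    flows: Set[Flow] = field(default_factory=set)


def learn_baseline(records, inventory: Optional[Inventory] = None) -> Inventory:
    """Build the inventory from traffic seen during the baselining window.

    Every endpoint observed here becomes 'known' and every conversation
    becomes an allowed flow. If an intruder was already talking during
    this window, it is baked into the trusted set; nothing here can tell.
    """
    inv = inventory or Inventory()
    for _ts, src, dst, proto, port in records:
        inv.known.update((src, dst))
        inv.flows.add((src, dst, proto, port))
    return inv


def classify(record, inv: Inventory) -> Tuple[str, Optional[str]]:
    """Classify a flow seen after baselining.

    Returns (verdict, device):
      'new_device' -> prompt the operator to accept it or flag an intruder
      'new_flow'   -> both ends known, but an unseen conversation
      'known'      -> matches the learned baseline
    """
    _ts, src, dst, proto, port = record
    for ip in (src, dst):
        if ip not in inv.known:
            return "new_device", ip
    if (src, dst, proto, port) not in inv.flows:
        return "new_flow", None
    return "known", None


def accept_device(inv: Inventory, ip: str) -> None:
    """Operator decision: the new device belongs on the inventory diagram."""
    inv.known.add(ip)


def propose_rules(inv: Inventory, enforce: bool = True) -> List[str]:
    """Turn learned flows into an ordered allow list plus a catch-all.

    Rule text is a generic pseudo-syntax, not any vendor's format. With
    enforce=False the catch-all only alerts, which is the safer first step
    on a network that carries safety-system traffic: nothing gets blocked
    until the operator has confirmed the learned rules are complete.
    """
    rules = [
        f"allow {proto} {src} -> {dst}:{port}"
        for src, dst, proto, port in sorted(inv.flows)
    ]
    rules.append("deny any -> any" if enforce else "alert any -> any")
    return rules


if __name__ == "__main__":
    inv = learn_baseline(BASELINE_FLOWS)
    print("known devices:", sorted(inv.known))
    # A device that was not on the network during baselining shows up.
    print(classify((5, "10.0.0.99", "10.0.0.20", "tcp", 502), inv))
    for rule in propose_rules(inv, enforce=False):
        print(rule)
```

The interesting decision is the `enforce` flag: the same learned rule set can be deployed as alerting only, so a conversation the baseline missed produces a log entry rather than a blocked safety message.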

I guess there’s been a history of typical IT security tools wreaking havoc on control systems:

In 2005, Sandia National Laboratories released a report describing a number of serious events from use of these tools, including this example: “A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang. The outcome was the destruction of USD50K worth of wafers”.

A concern I’d have about a product like this is the need to assume that all the systems on the network are trusted at the time you are configuring the rule set.

Another is that caution must be used when such a device is operating in the presence of safety systems.

This system has the capacity to block communication, and in a safety system, that could be hazardous.

But all things considered, much of the control system infrastructure seems to be “tough to secure” without unacceptably high cost.

Bolt-on security is rarely effective, but if the system offsets sufficient risk, it may provide the needed security.

It’s also nice to see a product that doesn’t require the user to have in-depth knowledge of protocols and firewall configuration.

If the control systems people know the devices on their networks, what they do, and which devices should be communicating to which other devices, the Tofino product may be a big help.

If that’s not the case, then the product may be of little value, and simply help provide a false sense of security.

It would be good if Tofino creator Byres Security offered some kind of auditing process to verify that users are implementing the system correctly.

Bill
