Belden helps Schneider Electric secure critical industrial automation systems
Belden Inc. announces that Schneider Electric has expanded its ConneXium network and security offer with the addition of EtherNet/IP Deep Packet Inspection (DPI) to the ConneXium Tofino Firewall. DPI is designed to let Schneider Electric’s customers further harden their industrial control systems against network incidents and cyberattacks. It is also designed to make company policies for network and device access easier to enforce.
The ConneXium Tofino Firewall is designed to inspect and secure network traffic to and from Schneider Electric automation devices. The technology is also designed to enforce plant procedure. For example, it is designed to block inappropriate modification or programming of critical devices and controllers.
At its core, the ConneXium Tofino Firewall is designed as a security appliance/firewall that inspects each network message that passes through it, ensuring that only the right network messages from the right computers can be sent to critical controllers.
Through the use of Tofino Security’s patented Plug-n-Protect technologies, deploying and configuring the product is designed to be easy for engineers who are generally not security experts. Schneider Electric product know-how is built in through pre-configured firewall templates for the company’s major automation products.
Advanced protection is provided through DPI technology, which is designed to let the firewall dig deep into the SCADA and ICS protocols that sit on top of TCP/IP. The firewall is then designed to determine exactly what the protocol is being used for and make better decisions about what should be allowed or blocked.
The 2012 release of the ConneXium Tofino Firewall included DPI for the Modbus TCP protocol. This year, the capability has been expanded to include DPI for the EtherNet/IP protocol. This includes special functionality for EtherNet/IP communications:
- Support for Common Industrial Protocol (CIP) objects and services with pre-configured Graphical User Interface (GUI) elements according to ODVA specifications.
- Validity checking of both CIP and EtherNet/IP message headers to prevent common hacking techniques.
- An “advanced” option, which allows engineers to select specifically allowed services and objects for a firewall rule from a pre-configured drop-down list.
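The header validity checks and service allow-listing described above can be sketched as follows. This is an added example, not Belden, Tofino or Schneider Electric code: the allowed-service policy, the `inspect` and `build` names and the sample frames are assumptions made for illustration, and the sketch covers only client-to-controller unconnected requests (SendRRData).

```python
import struct

# Encapsulation commands defined for EtherNet/IP by ODVA.
ENCAP_COMMANDS = {0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}
SEND_RR_DATA, UNCONNECTED_DATA_ITEM = 0x006F, 0x00B2
# Assumed policy: only the read services Get_Attributes_All and Get_Attribute_Single.
ALLOWED_CIP_SERVICES = {0x01, 0x0E}

def inspect(frame, allowed=ALLOWED_CIP_SERVICES):
    """Return (verdict, reason) for one client-to-controller encapsulation message."""
    if len(frame) < 24:
        return "block", "short encapsulation header"
    command, length, _session, status, _context, options = struct.unpack_from("<HHII8sI", frame)
    if command not in ENCAP_COMMANDS:
        return "block", "unknown encapsulation command"
    if length != len(frame) - 24:
        return "block", "length field does not match payload"
    if status or options:
        return "block", "non-zero status or options in a request"
    if command == 0x0070:
        return "block", "SendUnitData is outside this example's policy"
    if command != SEND_RR_DATA:
        return "allow", "no CIP request carried"
    body = frame[24:]
    if len(body) < 8:
        return "block", "truncated command-specific data"
    offset = 8  # skip interface handle (4), timeout (2), item count (2)
    for _ in range(struct.unpack_from("<H", body, 6)[0]):
        if offset + 4 > len(body):
            return "block", "truncated item header"
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        if offset + item_len > len(body):
            return "block", "item overruns message"
        if type_id == UNCONNECTED_DATA_ITEM:
            # CIP request header: service (1 byte), path size in 16-bit words (1 byte), path.
            if item_len < 2 or 2 + 2 * body[offset + 1] > item_len:
                return "block", "malformed CIP header"
            service = body[offset]
            if service not in allowed:
                return "block", f"CIP service 0x{service:02X} not allowed"
            return "allow", f"CIP service 0x{service:02X}"
        offset += item_len
    return "block", "no unconnected data item"

def build(service, path=b"\x20\x01\x24\x01"):
    """Constructed sample: SendRRData carrying one CIP request (class 1, instance 1)."""
    cip = bytes([service, len(path) // 2]) + path
    body = struct.pack("<IHHHHHH", 0, 0, 2, 0, 0, UNCONNECTED_DATA_ITEM, len(cip)) + cip
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(body), 0x1234, 0, b"\0" * 8, 0) + body
```

With this policy a Get_Attribute_Single request (`build(0x0E)`) passes, while a Set_Attribute_Single request (`build(0x10)`) or any frame whose length field disagrees with its payload is blocked.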