Application Notes

Secure and reliable OPC Classic communications between Safety Integrated Systems (SIS) and primary control systems can now be realized using a defense-in-depth strategy that combines the Triconex® Tofino™ Firewall and the TriStation™ access control system.

The bigger networks are the more vulnerable they get. To use the advantages of Ethernet infrastructures it is important to limit the traffic to the required protocols and to the required communication relations. A lot of customers use, or plan to use, firewalls. One available industrial solution is the Tofino SA (security appliance) from Byres Security. This is a software solution integrated into products from MTL, Hirschmann and Honeywell. This document describes how to best use the firewall with HIMA products.

This application note describes how a petroleum refinery used the Tofino Industrial Security Solution to provide secure communications between a Triconex™ Emergency Shutdown (ESD) system and a Honeywell Experion™ process control system. It also explains the use of the Tofino system in redundant networks, techniques for grouping large numbers of identical devices in “networks” and the management of nuisance alarms generated by unwanted multicast traffic.

Pre-staging or pre-deploying Tofino Security Appliances offers a unique solution offering enhanced security and easy deployment for remote or operational installations. This application note contains information on configuring and using this method of deployment.

The Tofino Central Management Platform (CMP) is a software application program that allows all Tofino Security Appliances (SAs) in a control network to be managed from a single workstation in the plant.

The Tofino CMP may be located anywhere in the network, as long as it is able to communicate with the Tofino SAs that it manages. If any routers or firewalls are located between the Tofino CMP and a Tofino SA in the network, then each router/firewall device must be configured to allow the Tofino CMP traffic to pass through these devices.

This application note contains a partial listing of the industries and applications where the Tofino Industrial Security Solution is deployed. If you do not see your application or control system listed, please feel free to contact us.

The Tofino Security Appliance is a self-contained microprocessor-based device that provides firewall, VPN, asset management, event logging and other security services in control and automation networks. Its functionality is determined by firmware stored in non-volatile memory inside the appliance.

As part of the ongoing development and enhancement of the product, Byres Security periodically releases firmware updates that may be installed in the appliance using the Tofino Central Management Platform (CMP) software.

Version 1.4 of the Tofino Industrial Security Solution introduced a new set of Tofino Loadable Security Modules (LSMs) that enable the creation of Virtual Private Network (VPN) connections in control networks. The Tofino VPN is designed specifically for use within an industrial environment, so it has some unique features tailored for use within SCADA and control systems:

The Tofino Central Management Platform (CMP) software provides visual drag-and-drop editors that permit the control systems engineer to create rules defining which devices on the control network are allowed to communicate with each other, and what protocols they are permitted to use. Another type of pre-defined rule, called Special Rules, allow the Tofino Security Appliance (SA) to implement more advanced filtering rules that cannot be expressed visually. This application note explores several special rules that implement traffic rate limiting.

There are many unusual protocols in the industrial world that require special handling to be allowed through a firewall. One such protocol is the Lantronix Discovery Protocol. This application note shows how to configure a set of firewall rules for the Tofino Firewall to allow the discovery request and reply traffic for the Lantronix line of serial/Ethernet converters.

As Distributed Control System (DCS) architectures integrate more IT-based technologies (such as Ethernet and Windows), it is important to implement a sound security strategy. This application note describes how Honeywell Process Solutions uses the Tofino Security Appliance (SA) to protect a system that is being migrated from an older TDC2000 DCS to modern Ethernet Experion™ PKS system.