Loadable Security Modules

Control networks vary widely in size and architecture - every one is unique and custom to the plant in which it was installed. But traditional security products have fixed functions and don't adapt well to unique requirements.

The Tofino Industrial Security Solution was designed from the ground up to be adaptable to your needs, based on a software-defined flexible architecture. Rather than hard-coding a fixed set of security features, the Tofino Industrial Security Solution packages each individual security function in a firmware module called a Loadable Security Module (LSM).

LSMs may be installed in any combination on your Tofino Security Appliances to provide a flexible, custom solution for your security needs. And new LSMs are being released on a regular basis, so the Tofino Industrial Security Solution will grow and evolve over time to provide the best-in-class cyber security you need.

LSMs

Firewall

Traffic Control Cop for industrial networks
A control engineer defines rules that specify which devices are allowed to communicate, and which protocols they may use.
Any traffic that does not match the rules will be blocked and reported as a security alert.

Modbus TCP Enforcer

Content Inspector for Modbus
A control engineer defines rules that specify which Modbus function codes and register/coil addresses may be accessed.
Any traffic that does not match the rules will be blocked and reported as a security alert.

DNP3 Enforcer

A plug-in Deep Packet Inspection (DPI) module that provides real-time validity checking and content inspection for DNP3 traffic.

IEC 104 Enforcer

A plug-in Deep Packet Inspection (DPI) module that provides real-time validity checking and content inspection for IEC 104 traffic.

GOOSE Enforcer

A plug-in Deep Packet Inspection (DPI) module that provides real-time validity checking and content inspection for GOOSE traffic.

OPC Enforcer

Content Inspector for OPC Classic
Inspects, tracks and secures every connection that is created by an OPC application. It dynamically opens only the TCP ports that are required for each connection, and only between the specific OPC client and server that created the connection.
It’s simple to use – no configuration changes are required on the OPC clients and servers.

EtherNet/IP Enforcer

Content Inspection for EtherNet/IP
Inspects content for EtherNet/IP communications, checking every message against a list of ‘allowed’ objects and services.
Choose from pre-defined lists of common actions, such as Read-Only, or build your own custom list of objects and services.
Any service that is not on the ‘allowed’ list, or any attempt to access an object that is not approved, is blocked and reported.

NetConnect LSM

Secure Remote Configuration
Allows the Tofino Configurator and Tofino Security Appliances (SAs) to communicate securely over any IP-based network, including wide area networks and routed LANs. This allows you to discover unconfigured Tofino SAs on the network, and apply and verify their configuration, all from your PC without having to physically visit the hardware devices in the field.