Tofino OPC Enforcer LSM

Tracks and secures OPC connections

Tofino OPC Classic Enforcer

OPC Classic, based on Microsoft COM/DCOM technology, is widely used in control systems as an interoperability solution, interfacing control applications from multiple vendors. But the DCOM technologies underlying OPC Classic were designed before network security issues were widely understood. As a result, OPC Classic is almost impossible to secure using a conventional firewall.

The Tofino OPC Classic Enforcer Loadable Security Module (LSM) inspects, tracks, and secures every connection that is created by an OPC application. It dynamically opens only the TCP ports that are required for each connection, and only between the specific OPC client and server that created the connection. It’s simple to use – no configuration changes are required on the OPC clients and servers – and offers superior security over what can be achieved with conventional firewall or tunneler solutions.

Your OPC clients and servers are vital to the operation of your plant. Protect them now with the Tofino Security Appliance and Tofino OPC Classic Enforcer LSM.

Summary

Saves You Money Through:
  • Improved system reliability and stability
  • Simplifying compliance to safety and security standards
  • Reduced down time and production losses
  • Lower maintenance costs

Unique Capabilities
  • First-ever application of connection tracking technology to industrial protocols
  • Secures OPC DA, HDA, or A&E
  • Automatically tracks TCP ports assigned by OPC servers for data connections and dynamically opens those ports in firewall
  • Protocol ’Sanity Check’ blocks any OPC requests not conforming to the DCE/RPC standard
  • Programmable data connection delay period to shut down unused connections
  • Supports multiple OPC clients and servers
  • Simple configuration using the Tofino Configurator’s graphical user interface

Typical Applications
  • Manage all network traffic on systems that use OPC DA, had, or A&E
  • Secure data transfers to and from data historians and supervisory applications
  • Protect safety instrumentation systems

Specifications

Supports All Variations of DCOM-based OPC

Data Access (DA), Historical Data Access (HDA), Alarms and Events (A&E), Data eXchange (DX), and XML Data Access (XML-DA)

Supports Multiple Connections

 Multiple OPC clients and servers can be protected by a single Tofino Security Appliance running the OPC Classic Enforcer LSM

Default Filter Policy

Deny by default including:

  • Any attempted OPC traffic that is not between defined OPC client and server pairs will be blocked and reported
  • Any attempted TCP connection that was not successfully negotiated between a valid OPC client and server will be blocked and reported

User-Settable Options

The following options may be set:

  • Sanity check enable/disable on all OPC connection attempts
  • Packet fragmentation controls
  • Maximum time to wait for data connection to start

Configuration Method

Simple configuration using the Tofino Configurator

Operating Modes

All standard Tofino modes supported:

  • Test: all traffic allowed; alerts generated as per user rules
  • Operational: traffic filtered and alerts generated as per user rules

Security Alerts

Reports security alerts to mechanism syslog server and to non-volatile memory on a Tofino Security Appliance

Certifications

Tested for OPC protocol compliance using OPC Foundation test suite

System Requirements

Ordering Information

Tofino OPC Classic Enforcer LSM: Part number 942 016-117

Additional Information:

Tofino OPC Enforcer LSM Datasheet

Tofino OPC Classic Enforcer Introduction - PowerPoint (508kb)