S4: Wightman’s Tofino Raves & Limitations

When Reid Wightman was still at Digital Bond in 2012 we discussed how to follow up Project Basecamp. The idea was to give field firewalls a hard shake. Fortunately he was able to continue the work and present at S4 after moving to IOActive. I have a lot to say about field / industrial / SCADA firewalls, but here are the takeaways from Reid’s S4 presentation.

  • Reid gave the Tofino Security Appliance¬†high marks for providing the promised protection and for resisting a variety of attacks that would cause a poorly designed device to fail. He had some great pro-Tofino quotes such as: “I really like it … I would buy one of these.”
  • The ICS protocols lack of integrity can still be exploited. It’s not a fault of the Tofino firewall, but if you let insecure protocols cross security zones bad things can happen. Key takeaway is endpoint security is still needed; Tofino does not change that.
  • Extending tunneling attacks, such as DNS tunneling, to ICS protocol tunneling is an important attack concept to defeat firewall protection. Reid has released Modshaft to demonstrate this. Also Reid will soon release an ettercap tool for recording and replaying Modbus TCP, what he calls a Modbus VCR.
  • Huge respect to Eric Byres, Tofino Security and Belden for providing devices to an ICS security researcher who they know is looking to find vulns in their product. It shows confidence in the product and a desire to find and fix problems.
  • Reid, and other researchers, will give credit where credit is due. Many people after Project Basecamp just assumed any research effort by that crew would have negative results. The truth is the Project Basecamp PLC’s were pathetically weak and fragile and the Tofino was strong.

and just watch Reid present at S4x13.

Eric Byres and the Tofino team were rightly proud of results in a post S4x13 blog. I do think that title of their blog describing the results was exactly wrong: Digital Bond Testing Proves Tofino Hardens Vulnerable SCADA Protocols. It showed the value of application layer firewalls being applied in ICS and the good work by their R&D team in producing a secure device, but it didn’t reduce the risk of any part of the vulnerable SCADA protocol allowed through the firewall.

Additionally if you watched my NOW 10-minute keynote you can understand I’m disappointed that Eric went the SCADA apologist route. Eric states my urging of replacing the insecure by design PLC’s in the critical infrastructure in the next 1 – 3 years as “completely unrealistic”. How much longer should we wait? I wouldn’t argue if he or anyone else states it will take 1 – 4 years or whatever time frame they believe is more realistic, but it needs to start now. If industry experts like Eric say it is “completely unrealistic” to expect to secure critical infrastructure ICS why would any policy decision maker or C-level executive concern themselves with securing CI ICS?

Devices like Tofino have their place. We typically recommend the Read Only versions for sharing information between Safety Systems and DCS or anywhere else where you can use it to prevent writes or other function codes that would affect PLC and process integrity.

However, the idea of putting a Tofino in front of every critical infrastructure PLC seems like a waste of time and money. If you are going to let write requests or proprietary function codes that can load ladder or application logic through the firewall what are you really accomplishing? The time and non-trivial expense is better spent upgrading to a secure PLC.

In the end, technology like Tofino should and will be integrated on the Ethernet boards in the PLC’s and controllers themselves.

1 comment to S4: Wightman’s Tofino Raves & Limitations

Leave a Reply