12:28 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

Belden Assists Schneider Electric To Secure Critical Industrial Automation Systems

Adds EtherNet/IP Deep Packet Inspection (DPI) to its ConneXium Tofino Firewall

St. Louis, Missouri – January 28, 2014 – Belden Inc. (NYSE: BDC), a global leader in signal transmission solutions for mission-critical applications, announces that Schneider Electric has expanded its ConneXium network and security offer with the addition of EtherNet/IP Deep Packet Inspection (DPI) to the ConneXium Tofino Firewall. The addition of DPI for the popular EtherNet/IP protocol allows Schneider Electric's customers to further harden their industrial control systems against network incidents and cyberattacks. It also allows easier enforcement of company policies for network and device access. The result is improved operational security, reliability and performance.

"Cyberattacks on manufacturing and process control facilities are increasing. They are also becoming more sophisticated. Enhanced security, along with the tangible business benefits of enforcing corporate security and compliance policies are a must," said Ken Mikelinich, product manager for industrial security devices at Schneider Electric. "The extension of the ConneXium Tofino Firewall to include superior protection of EtherNet/IP communications is another important way we are helping customers mitigate risk and support plant policy using security devices."

The ConneXium Tofino Firewall inspects and secures network traffic to and from Schneider Electric automation devices, providing protection from traffic storms, malformed messages and deliberate hacking attempts. In addition, the technology can be used to enforce plant procedure. For example, it can be used to block inappropriate modification or programming of critical devices and controllers, preventing costly mistakes and improving overall network uptime and reliability.

"We are pleased to be expanding our relationship with Schneider Electric with this additional product, and providing their customers with an easy-to-deploy, industrial grade firewall that works seamlessly with their systems," remarked Frank Williams, senior product manager for security at Belden.

The central functionality of the ConneXium Tofino Firewall is a security appliance/firewall that inspects each network message that passes through it, ensuring that only the right network messages from the right computers can be sent to critical controllers. Hacking attempts, deliberately corrupted messages and even network traffic storms are effectively prevented.

Deploying and configuring the product is made easy for engineers who are not generally security experts through the use of Tofino Security's patented Plug-n-Protect technologies. This includes expert technology that looks for common mistakes in firewall programming and corrects them with a single mouse click. Specific Schneider Electric product know-how is also built in, with pre-configured firewall templates for their major automation products.

Advanced protection is provided through DPI technology. Traditional IT firewalls examine TCP/IP headers in network messages and then make decisions whether to allow or block a message based on this limited information. DPI technology allows the firewall to dig deep into the SCADA and ICS protocols that sit on top of TCP/IP. The firewall then determines exactly what the protocol is being used for and makes better decisions on what should be allowed or blocked.

The 2012 release of the ConneXium Tofino Firewall included DPI for the Modbus TCP protocol. This year, the capability has been expanded to include DPI for the EtherNet/IP protocol. This includes special functionality for EtherNet/IP communications:

• Support for all Common Industrial Protocol (CIP) objects and services with pre-configured Graphical User Interface (GUI) elements according to ODVA specifications.

• Validity checking of both CIP and EtherNet/IP message headers to prevent common hacking techniques, such as buffer overflow attacks.

• An "advanced" option, which allows engineers to select specifically allowed services and objects for a firewall rule from a pre-configured drop down list.

"The ConneXium Tofino Firewall is unique in that it makes an easy to deploy security technology even easier by including smarts about Schneider Electric products," commented Eric Byres, chief technology officer at Belden's Tofino Security. "It then combines this ease-of-use with advanced firewall features that are specific to industrial needs. The result is a pragmatic and robust security solution for the plant floor."

The ConneXium Tofino Firewall with EtherNet/IP protection is the latest offering in the Schneider Electric ConneXium family of industrial communications and security products. In 2012, the ConneXium Industrial Firewall was released, providing boundary protection and encryption for industrial facilities. The ConneXium Tofino Firewall was also introduced that year, providing plant floor protection of automation systems from network incidents and cyberattacks.


The ConneXium Tofino Firewall is available for order now from Schneider Electric.

Model# TCSEFEA23F3F21

Description: ConneXium Tofino Firewall - 10/100BASE TX/TX

An early innovator in industrial Ethernet, Belden knows Industrial IT and is delivering the next generation of industrial networking solutions. Its global brands--Hirschmann, GarrettCom and Tofino Security--are leading the way in the evolution to EtherNet/IP. With a purpose-built portfolio, Belden's wired, wireless and embedded products deliver the highest confidence of reliability, availability and security. In addition, excellent warranties and dedicated customer support minimize downtime, protect critical infrastructure and provide peace of mind.

About Belden

Belden Inc., a global leader in high-quality, end-to-end signal transmission solutions, delivers a comprehensive product portfolio designed to meet the mission-critical network infrastructure needs of industrial, enterprise and broadcast markets. With innovative solutions targeted at reliable and secure transmission of rapidly growing amounts of data, audio and video needed for today's applications, Belden is at the center of the global transformation to a connected world. Founded in 1902, the company is headquartered in St. Louis and has manufacturing capabilities in North and South America, Europe and Asia. For more information, visit us at; follow us on Twitter @BeldenInc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.