Re: [foxboro] Ethernet FBM security



   As a follow-up to what AJ said previously,

   A fairly new QF is available that turns unused TCP/IP
   Ports off to improve security.


   CAR1010554
The FDSI IOM image was modified to address the following:

1.      The FDSI software has been modified to allow the device driver
to trigger a system alarm separate from the device communications
failure alarm. This separate alarm bit will set bit 7 of the ECB201's
DDIAG1 parameter. In order to make use of this new feature, the device
driver ZIPH must be a version that supports this functionality (such as
TSAA.ziph v1.43). Additionally, in order to generate system alarms based
on this feature, the user must have one of the following:
*       System Manager 1.2
*       SMDH on I/A Series 8.5 for Windows
*       SMDH on I/A Series 8.3 for Solaris w/ QF1010282

2.      The FDSI internal time mechanism has been improved such that it
can, on average, stay within 1ms of its host xCP270. This time accuracy
is only applicable and relevant to a user with an I/A Series system that
has an externally sourced Master TimeKeeper (MTK) which gets its date
and time from a GPS antenna and receiver.

3.      The Telnet, FTP, and HTTP services have been disabled for the
FDSI FBMs. This is a security enhancement for the Ethernet-based FBM232
and FBM233.


 Regards,


  Scott L. Landry
  Senior Systems Service Engineer
  IPS Gulf Coast USA
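
A post-install check for item 3 above, as an added example that is not part of the original message or of any Invensys tooling: it reports whether the FTP, Telnet and HTTP ports still accept TCP connections on the FBMs you list. The port numbers are the services' well-known defaults, and the addresses given on the command line are assumed to be your own FBM232/FBM233 modules.

```python
import socket
import sys

# Services the QF is said to disable, at their well-known TCP ports (assumed defaults).
FBM_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The module answered with a reset: the service is not listening.
        return "closed"
    except OSError:
        # Timeout or unreachable: a firewall in front of the FBM looks like this.
        return "filtered"
    finally:
        s.close()


def audit(hosts, services=FBM_SERVICES, timeout=2.0):
    """Map each host to the names of services that still accept connections."""
    findings = {}
    for host in hosts:
        findings[host] = [
            name
            for port, name in sorted(services.items())
            if probe(host, port, timeout) == "open"
        ]
    return findings


if __name__ == "__main__":
    # Usage: python fbm_audit.py <fbm-address> [<fbm-address> ...]
    results = audit(sys.argv[1:])
    for host, still_open in results.items():
        status = ", ".join(still_open) if still_open else "none"
        print(f"{host}: services still enabled: {status}")
    # Non-zero exit when any module still exposes one of the services.
    sys.exit(1 if any(results.values()) else 0)
```

A "closed" result means the module itself refused the connection, while "filtered" means nothing answered, which is what a firewall placed between the PLC network and the FBM would produce.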

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Kahlden
Sent: Tuesday, September 23, 2008 9:16 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Ethernet FBM security

Tim,

You may want to look at the Tofino firewall that Eric Byres was showing
during the IPS User Conference in Dallas.  Looks like a good candidate
for this type of security.  Here is the website for more info:

http://www.byressecurity.com/pages/products/tofino/

Jim Kahlden
LCRA
________________________________________
From: foxboro-bounce@xxxxxxxxxxxxx [foxboro-bounce@xxxxxxxxxxxxx] On
Behalf Of Lowell, Timothy [TLowell@xxxxxxxxxxx]
Sent: Tuesday, September 23, 2008 3:17 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Ethernet FBM security

It sounds like as long as the PLC network is stand-alone, and it is
controlling/interfacing with a non-critical process, there isn't much
risk, but if you connect the PLCs to the business LAN or other outside
networks and/or if you cannot tolerate any downtime or dropped
communication between the PLC and the I/A, you should probably put in a
firewall between the PLC network and the FBM.

Thanks for all the responses.

Tim
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Goldie, Shaun S
Sent: Tuesday, September 23, 2008 12:46 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Ethernet FBM security

I did put in a PER with the word security in it.

If you browse to an Ethernet FBM you get a blank page stating the web
server is enabled but not implemented, which I see as a red rag to a bull
for a hacker.
The PER did go on to suggest the usefulness of putting something on this
page like other vendors, but I know the importance of PERs to Foxboro.

Shaun






_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             http://www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave





 




 
 