Re: [foxboro] Ethernet FBM security

Tim,

The FDSI is a firewall. That is, it does not pass IP packets to anything. It 
could be corrupted in an attack, but there is no IP link from the FDSI to the 
MESH network.

(MESH-IP/Ethernet)--CP270--(IEEE 1118/PIOBus)--FDSI FBM--(IP/Ethernet)--PLC

The IEEE 1118-based PIOBus runs an IPS-designed, HDLC-based protocol that has a 
very limited instruction set. It is not capable of picking up an IP packet and 
delivering it to the CP.

There is a 'pass-thru' mechanism that allows an application on the MESH to talk 
to a field device through the FDSI FBM, but that requires special coding and a 
working FDSI.

The FDSI did have some services that you might not expect to be enabled in 
early releases, but my understanding is that they have been shut down in later 
releases. Our Global Consulting Security group would be thrilled to give you a 
hand on this. I've copied Doug Clifton on this e-mail if you want a contact - 
doug.clifton@xxxxxxxxxxxxxxxxx

Does this help?


Regards,
 
Alex Johnson
Invensys Process Systems
10900 Equity Drive
Houston, TX 77041
713 329 8472 (desk)
713 329 1600 (operator)
713 329 1944 (SSC Fax)
713 329 1700 (Central Fax)
alex.johnson@xxxxxxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On 
Behalf Of Lowell, Timothy
Sent: Tuesday, September 23, 2008 10:50 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Ethernet FBM security

Stupid Crackberry...

We're doing a security assessment at one of our refineries that has 
FBM232/FBM233's, and the question is coming up of what ability is there of 
Ethernet packets to traverse from the PLC network through the FBM to the MESH 
network.  Obviously, the Modbus TCP and ControlLogix, etc, packets make it 
through if you install the correct device driver or it wouldn't work, but what 
about other packets that could constitute malware, DoS, etc?  Is the FBM a 
filter that definitively stops all other packets, or should we be putting a 
firewall between the PLC and the FBM?  I'd be interested to hear what everybody 
is doing or what Invensys considers best practice.

Tim

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On 
Behalf Of Corey R Clingo
Sent: Tuesday, September 23, 2008 8:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Ethernet FBM security

It must be good.  That encryption is inscrutable :)

Corey Clingo
BASF Corporation






"Lowell, Timothy" <TLowell@xxxxxxxxxxx> 
Sent by: foxboro-bounce@xxxxxxxxxxxxx
09/23/2008 10:41 AM
Please respond to
foxboro@xxxxxxxxxxxxx


To
<foxboro@xxxxxxxxxxxxx>
cc

Subject
[foxboro] Ethernet FBM security






 


 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             http://www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
 


 
 
 




 
 
 
