implementing-ics-firewall-with-tofino

Deploy and configure Tofino industrial firewalls from Belden/Hirschmann to protect SCADA systems and PLCs using deep packet inspection for OT protocols including Modbus, EtherNet/IP, OPC, and S7comm, enforcing granular access control between ICS security zones.

AI & Automation 16,326 stars 1981 forks Updated 2 weeks ago Apache-2.0

Quality Score: 97/100

- Stars (20%): 100
- Recency (20%): 90
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Implementing ICS Firewall with Tofino

## When to Use

- When deploying zone-level firewall protection directly in front of critical PLCs or RTUs
- When requiring deep packet inspection of industrial protocols (Modbus, EtherNet/IP, OPC, S7comm)
- When implementing IEC 62443 zone and conduit boundaries with protocol-aware enforcement
- When protecting legacy PLCs that cannot be patched and need compensating controls
- When segmenting control network zones without disrupting existing industrial communications

**Do not use** for enterprise IT firewall deployment, for perimeter firewall between IT and OT (use Palo Alto/Fortinet at the DMZ), or for environments using only IP-based protocols without OT-specific DPI needs.

## Prerequisites

- Tofino Xenon appliance or Tofino virtual appliance with appropriate license
- Tofino Central Management Platform (CMP) for centralized policy management
- Network topology map showing PLC/RTU placement and communication requirements
- Baseline of OT protocol communications (Modbus function codes, EtherNet/IP CIP services)
- Change management approval for inline deployment between network zones

## Workflow

### Step 1: Design Tofino Deployment Architecture

```yaml
# Tofino ICS Firewall Deployment Architecture
# Zone-level protection using deep packet inspection
deployment_zones:
  zone_1_reactor_control:
    tofino_appliance: "TOFINO-XN-001"
    deployment_mode: "inline_bridge"
    protected_assets:
      - name: "PLC-REACTOR-01"
...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: 2 weeks ago
- Language: Python
- License: Apache-2.0
