The Allen-Bradley Stratix® 5950 from Rockwell Automation combines several security functions into a single security appliance to help protect industrial automation infrastructures. It helps maintain protection against the latest threats and controls assets proactively with updates using subscription based licensing.
Most IT firewalls today cannot protect against threats to industrial network traffic, which limits their ability to minimize security risks on the plant floor. The Allen-Bradley Stratix 5950 security appliance incorporates new security technologies to help protect plant-floor systems.
The Stratix 5950 builds on common network security technologies that help provide enhanced access control, threat detection, and application visibility in industrial control systems (ICS). It leverages Cisco ASA Firewall technology, which provides the ability to control network traffic through configured security rules. Further, Cisco FirePOWER™ technology provides an Intrusion Prevention System (IPS) used to detect and control application-level network communications and potentially malicious traffic communicating through the network. This creates a security boundary between cell/area zones or helps protect a single machine, line, or skid while supporting compliance with IEC 62443.
Additionally, Deep Packet Inspection (DPI) technology helps provide granular control of allowable network traffic and helps identify and protect against potential system risks. DPI Technology inspects data packets to classify and potentially block actions at the application layer, such as CIP Write or CIP Read, to help maintain the integrity of plant operations.
“Combining ASA firewall, FirePOWER, and DPI technology gives IT professionals the granular visibility and control they need to protect industrial networks,” said Divya Venkataraman, global product manager, Rockwell Automation. “With the Stratix 5950 appliance, users can now configure and enforce policies that help prevent potentially malicious firmware updates and program downloads. This helps enhance the integrity of plant-floor operations.”
The Stratix 5950 security appliance can operate in three Industrial Firewall modes:
- Inline Transparent mode for use in deployments where the ability to actively protect the network is priority over traffic being affected by potential “false positives”
- Inline Routed mode for use in deployments where the same functionality as Transparent mode is desired and routing functionality is required.
- Passive Monitor-only mode for use in deployments where uninterrupted connectivity is priority over active network protection
An optional subscription license is available with the Stratix 5950 security appliance. Similar to a PC-based, anti-virus service, subscribers will receive ongoing threat and application-signature updates for protection against the latest known security threats.
Allen-Bradley Stratix 5950 includes four 1-gigabit Ethernet ports, and is available with copper-and-fiber or copper-only, small form-factor pluggable (SFP) slot options. The industrially hardened device is IP30-rated; can withstand electrical shocks, surges, and noise; and can operate in temperatures ranging from -40°F to 140°F.
The Stratix 5950 security appliance is the first Rockwell Automation product offering with DPI technology, which was announced in April 2016 as part of the strategic alliance between Rockwell Automation and Cisco.