Although asset management tools have been available in the IT world for more than a decade, all rely on sending probing messages onto the network to discover what is deployed. But these messages can cause SCADA and process control systems to crash. In 2005, Sandia National Laboratories in the US released a report describing several serious events arising from the use of these tools, including one case where the system controlling the creation of semiconductor chips was disrupted, destroying $50,000 worth of wafers.

As a result, many manufacturers and energy suppliers have banned the use of IT-style asset tools on industrial networks.

The new Tofino module gives engineers a safe means of finding out what is on their control networks. The module, designed specifically for industrial control operations in critical industries, never probes the control devices. Instead, it listens for traffic on the network and uses special techniques to determine the control devices attached to the network.

When it discovers a new device, it prompts the system administrator to either accept its findings, or to flag the device as a potential intruder. The module also guides the user to create appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic.

"Passive scanning techniques have been discussed in academic literature and released in open source projects before," admits Eric Byres, chief technology officer at Byres Security, "but as far as we are aware, this may be the first successful commercial application of the technology in the world."

He describes the Asset management module as "a key step in our Tofino intrinsically secure strategy. Our goal is to make security understandable for control engineers, so that they can focus on keeping their process running safely and efficiently."