Protecting Safety and Reliability

Post on 18-Dec-2021

Page 1: Protecting Safety and Reliability

Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions

UNIDIRECTIONAL SECURITY GATEWAYS™

2014

Protecting Safety and Reliability

Colin Blou, VP Sales

Waterfall Security Solutions

Advanced threats require advanced defenses

Page 2: Protecting Safety and Reliability

Unidirectional Security Gateways

[Diagram labels: Industrial Network, Waterfall TX Server, Waterfall TX Module, Waterfall RX Module, Waterfall RX Server, Corporate Network]

● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to protected network

● TX uses 2-way protocols to gather data from protected network

● RX uses 2-way protocols to publish data to external network

● Absolute protection against online attacks from external networks

Page 3: Protecting Safety and Reliability

Industrial Network Connectivity: Drivers and Risks

● Predictive maintenance: crew scheduling, HR integration, spare parts inventories and ordering

● Just-in-time manufacturing, real-time inventories, batch records, LIMS integration, production planning, SAP/ERP integration

● Centralized support: more effective use of skilled personnel, critical mass of current experts next decade’s experts

● But industrial network connects to business network, which connects to Internet & other networks

These connections let attackers target critical network with remote, online attacks

Page 4: Protecting Safety and Reliability

Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them

How Secure are Firewalls Really?

Photo: Red Tiger Security

Attack Success Rate:

Impossible Routine Easy

Attack Type UGW Fwall

1) Phishing / drive-by-download – victim pulls your attack through firewall

2) Social engineering – steal a password / keystroke logger / shoulder surf

3) Compromise domain controller – create ICS host or firewall account

4) Attack exposed servers – SQL injection / DOS / buffer-overflow

5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows

6) Session hijacking – MIM / steal HTTP cookies / command injection

7) Piggy-back on VPN – split tunneling / malware propagation

8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns

9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls

10) Forge an IP address – firewall rules are IP-based

Page 5: Protecting Safety and Reliability

http://www.telegraph.co.uk/sponsored/business/sme-home/11241249/improve-cyber-security.html

Going Phishing…

Page 6: Protecting Safety and Reliability

Attack Pattern #3 – Persistent, Targeted Attacks

● Use “spear phishing” to punch through corporate firewalls

● Use custom malware to evade anti-virus

● Operate malware by interactive remote control

● Steal administrator passwords / password hashes

● Create new administrator accounts on domain controller

● Use new accounts to log in – no need to “break in” any more – defeats software update programs

Bypasses standard IT security controls: firewalls, encryption, AV, security updates

Page 7: Protecting Safety and Reliability

Central Monitoring Site

Emerging Threat: Remote Monitoring and Diagnostics

● Control system / equipment / turbine vendor site “monitors” many customer sites, in many countries

● “Cloud” vendor site configured for “occasional” remote control

● Industrial network exposed to attack from central site and from other customers / countries

● Remote control attacks, virus propagation

Vendor connection bypasses corporate security protections

Industrial network is completely dependent on vendor security

Page 8: Protecting Safety and Reliability

Historian Replication With Unidirectional Gateways

[Diagram: Unidirectional Historian replication. Labels: Industrial Network, PLCs, RTUs, Historian Server, Waterfall TX agent, Waterfall TX Module, Waterfall RX Module, Waterfall RX agent, Replica Server, Workstations, Corporate Network]

● Hardware-enforced unidirectional server replication

● Replica server contains all data and functionality of original

● Corporate workstations communicate only with replica server

● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack

Page 9: Protecting Safety and Reliability

Secure OPC Replication

● OPC-DA protocol is complex: based on DCOM object model – intensely bi-directional

● TX agent is OPC client. RX agent is OPC server

● OPC protocol is used only in production network, and business network, but not across unidirectional gateways

[Diagram labels: Industrial Network, PLCs, RTUs, OPC Server, TX agent / OPC Client, Waterfall TX Module, Waterfall RX Module, RX agent / OPC Server, Corporate Historian, Workstations, Corporate Network, OPC]

Page 10: Protecting Safety and Reliability

Leading Industrial Applications/Historians

● OSIsoft PI, PI AF, GE iHistorian, GE iFIX

● Scientech R*Time, Instep eDNA, GE OSM

● Siemens: WinCC/SINAUT/Spectrum

● Emerson Ovation, Wonderware Historian

● SQLServer, Oracle, MySQL, Postgres, SAP

● AspenTech IP21, Matrikon Alert Manager

● Schneider ClearSCADA

Leading IT Monitoring Applications

● Log Transfer, SNMP, SYSLOG

● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli

● HP ArcSight SIEM, McAfee ESM SIEM

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/FTFP/SFTP/TFPS/RCP

Leading Industrial Protocols

● OPC: DA, HDA, A&E, UA

● DNP3, ICCP, Modbus

● GENA, IEC 60870-5-104, IEC 61850

Remote Access

● Remote Screen View™

● Secure Bypass

Other connectors

● UDP, TCP/IP

● NTP, Multicast Ethernet

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM MQ series, Microsoft MSMQ

● Antivirus updater, patch (WSUS) updater

● Remote print server

Waterfall Unidirectional Gateway Connectors

World’s largest collection of COTS industrial server replications

Page 11: Protecting Safety and Reliability

Select Customers

Page 12: Protecting Safety and Reliability

Waterfall FLIP™

● Unidirectional Gateway whose direction can be reversed:

● Water systems: periodic security updates & anti-virus signatures

● Remote unstaffed sites: substations, pumping stations

● Chemicals / refining / mining / pharmaceuticals: batch instructions

● Trigger: button / key, schedule

● Stronger than firewalls, stronger than removable media

The FLIP is a Unidirectional Gateway that can “flip over”

Page 13: Protecting Safety and Reliability

FLIP - Normal Operation

[Diagram labels: Critical Network, External Network, TX Module, RX Module, two Waterfall TX agents, two Waterfall RX agents, Controller]

Page 14: Protecting Safety and Reliability

FLIP - Reversed

[Diagram labels: Critical Network, External Network, TX Module, RX Module, two Waterfall TX agents, two Waterfall RX agents, Controller]

Page 15: Protecting Safety and Reliability

FLIP: Stronger than Firewalls

● The FLIP is a Unidirectional Security Gateway – it can never be bi-directional

● The FLIP prevents interactive remote control – it cannot FLIP fast enough to permit Remote Desktop or interactive SSH sessions

● Trigger mechanism cannot be subverted by network attacks

● Firewalls forward messages, the FLIP & Gateways do not

● No protocol-level attacks pass through – no fuzzing/buffer overflows. All communications sessions terminate in agent hosts.

FLIP: Stronger than firewalls

Page 16: Protecting Safety and Reliability

Evolving Best Practices – Unidirectional Gateways

NERC CIP exempts unidirectionally-protected sites from over 35% of requirements

DHS recommends unidirectional gateways in security assessments (ICS CERT)

NRC & NEI exempts unidirectionally-protected sites from 21 of 26 cyber-perimeter rules

Unidirectional gateways – limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)

ENISA - unidirectional gateways provide better protection than firewalls

ANSSI Cybersecurity for ICS – many requirements for hardware-enforced unidirectionality

Page 17: Protecting Safety and Reliability

Waterfall's Mission: Replace ICS Firewalls

● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls

● Enables safe IT/OT integration, remote services, industrial cloud

[Diagram: product labels: Routers, Firewalls, Unidirectional Security Gateways, Waterfall FLIP™, Secure Inbound / Outbound, Secure Bypass. Application labels: Not For Security; IT Networks; Offshore Platforms; BES Control Centers; Substations, Batch Processing, Refining; Generation, Primary Production, Safety Systems]

Page 18: Protecting Safety and Reliability

● Headquarters in Israel, sales and operations office in the USA

● Deployed world-wide in all critical infrastructure sectors

2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice

IT and OT security architects should consider Waterfall for their operations networks

Waterfall is key player in the cyber security market – 2010, 2011, & 2012

● Only unidirectional technology on US Department of Homeland Security’s National SCADA Security Test Bed, and Japanese CSSC Test Bed

Waterfall Security Solutions

Page 19: Protecting Safety and Reliability

● Only unidirectional technology with cyber security assessment by Idaho National Laboratories

● Certified Common Criteria EAL4+ (High Attack Potential)

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors

● Recognized as an industrial cyber-security best-practice by DHS, NERC CIP, NRC, industry analysts & leading industrial cyber-security experts

Market leader for unidirectional server replication in industrial environments

Waterfall Product Accreditations

Page 20: Protecting Safety and Reliability

Secure Application Integration

● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks

● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security

● Costs: reduces security operating costs – improves security and saves money in the long run

“Waterfall’s unique solutions have the potential to be the industry’s next game changing standard”

Market leader for stronger-than-firewalls solutions for industrial control systems

Page 21: Protecting Safety and Reliability

Details

Page 22: Protecting Safety and Reliability

Data Integrity

● High quality optical hardware

● Forward error correcting codes

● Able to send every message multiple times – duplicates discarded

● Sequence numbers, heartbeats – prompt error detection

● Throughput tuning

● Buffers at every stage of transmission

● Backfill: manual retransmission

● High availability – no single point of failure impairs data movement

● Automatic, periodic backfill

In practice, less than 5% of users purchase high-availability
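
The receive-side bookkeeping these bullets imply, as an added example (not Waterfall's code): with no return channel there is no ACK or resend request, so the receiver discards repeated copies by sequence number, records gaps for later backfill, and treats heartbeat silence as a link fault. The frame layout, the heartbeat carrying the sender's last sequence number, and the 5-second timeout are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class OneWayReceiver:
    """Receive side of a one-way link: it can never ACK or ask for a resend."""
    heartbeat_timeout: float = 5.0   # assumed: seconds of silence before alarm
    next_seq: int = 0                # lowest sequence number not yet accounted for
    last_seen: float = 0.0           # arrival time of the most recent frame
    missing: set = field(default_factory=set)     # gaps awaiting backfill
    delivered: list = field(default_factory=list)
    duplicates: int = 0

    def on_frame(self, seq, payload, now):
        """Process one frame. payload=None marks a heartbeat whose seq is the
        last data sequence number the sender has transmitted (assumed layout)."""
        self.last_seen = now
        if payload is None:
            self._note_gap(seq + 1)  # exposes a lost tail with no newer data
        elif seq in self.missing:    # late copy or backfill closes a gap
            self.missing.discard(seq)
            self.delivered.append((seq, payload))
        elif seq < self.next_seq:    # repeat of a frame already delivered
            self.duplicates += 1
        else:
            self._note_gap(seq)      # every skipped number is a known gap
            self.delivered.append((seq, payload))
            self.next_seq = seq + 1

    def _note_gap(self, upto):
        self.missing.update(range(self.next_seq, upto))
        self.next_seq = max(self.next_seq, upto)

    def link_silent(self, now):
        """True when neither data nor heartbeat arrived within the timeout."""
        return now - self.last_seen > self.heartbeat_timeout


def replay_constructed_capture():
    """Constructed capture: the sender transmits each frame twice; both copies
    of frames 2 and 4 are lost, then frame 2 arrives by backfill."""
    capture = [
        (0.0, 0, "tag=41.7"), (0.1, 0, "tag=41.7"),
        (1.0, 1, "tag=41.9"),                        # second copy lost
        (3.0, 3, "tag=42.4"), (3.1, 3, "tag=42.4"),
        (4.5, 4, None),                              # heartbeat: last sent = 4
        (9.0, 2, "tag=42.0"),                        # backfilled frame
    ]
    rx = OneWayReceiver()
    for now, seq, payload in capture:
        rx.on_frame(seq, payload, now)
    return rx


if __name__ == "__main__":
    rx = replay_constructed_capture()
    print("delivered:", [s for s, _ in rx.delivered])
    print("duplicates:", rx.duplicates, "missing:", sorted(rx.missing))
```

Frame 4 stays in the missing set until a backfill supplies it, which is the condition an operator would alarm on.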

Page 23: Protecting Safety and Reliability

Remote Screen View

● Vendors can see control system screens in web browser

● Remote support is under control of on-site personnel

● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time

● Vendors supervise site personnel

● Site people supervise the vendors

Each perspective is legitimate, both needs are met

Page 24: Protecting Safety and Reliability

Use Case: In/Out Gateways for Balancing Authority

● BA sends ICCP setpoints to partner utilities every 2 seconds + polls utilities for ICCP data every 2 seconds

● Independent channels – not command/response channels

● Each channel replicates one or more ICCP servers

● Multiply redundant – automatic at site, manual fail-over between sites

● Minimal ICCP reconfiguration needed

Page 25: Protecting Safety and Reliability

Inbound + Outbound: Stronger than Firewalls

● Multiple computers/layers of protection must all be compromised, rather than just one layer in the firewall

● TX Agents are clients. They do not forward messages. They ask for data and forward the answers/data

● No protocol-level attacks pass through – no fuzzing/buffer overflows. All communications / TCP / ICCP sessions terminate in agent hosts

● Targeted / persistent attacks are “flying blind” – targeted attack requires insider assistance

Inbound / outbound gateways do not forward packets or filter packets, they forward data

Page 26: Protecting Safety and Reliability

Perimeter Security Attack Tree Analysis

| Attack Type | BES CC | Fwall |
|---|---|---|
| 1) Phishing / drive-by-download – victim pulls your attack through firewall | 4 | 2 |
| 2) Social engineering – steal a password / keystroke logger / shoulder surf | 4 | 1 |
| 3) Compromise domain controller – create ICS host or firewall account | 4 | 2 |
| 4) Attack exposed servers – SQL injection / DOS / buffer-overflow | 3 | 2 |
| 5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows | 4 | 2 |
| 6) Session hijacking – MIM / steal HTTP cookies / command injection | 3 | 2 |
| 7) Piggy-back on VPN – split tunneling / malware propagation | 4 | 2 |
| 8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns | 3 | 2 |
| 9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls | 3 | 2 |
| 10) Forge an IP address – firewall rules are IP-based | 4 | 2 |
| 11) Bypass network perimeter – cabling / rogue wireless / dial-up | 1 | 1 |
| 12) Physical access to firewall – local admin / no passwd / modify hardware | 3 | 2 |
| 13) Sneakernet – removable media / untrusted laptops | 1 | 1 |
| Total Score: | 41 | 23 |

Attack Success Rate: Impossible, Extremely Difficult, Difficult, Straight-Forward

Page 27: Protecting Safety and Reliability

Waterfall Secure/Emergency Bypass

● Temporary / emergency bypass of cyber-security perimeter

● Hardware enforced: relays physically connect and disconnect copper cables

● Automatically disconnects again after programmable interval

● Triggered by pressing physical button or turning physical key, or on schedule

100% secure, > 99% of the time

As secure as a firewall when activated

Page 28: Protecting Safety and Reliability

Waterfall Secure/Emergency Bypass

● Deployed in parallel with Unidirectional GW:

● Emergency remote access: plant is down

● Temporary remote access, controlled from the plant side – turbine vendors

Page 29: Protecting Safety and Reliability

Central Management: Segregated Operations Network

● Operations WAN (green) separate from corporate WAN

● Unidirectional Gateways are only path from operations to corporate – breaks infection / compromise path from corporate WAN / Internet

● Central operations staff have two workstations: one on operations network, and one on corporate network

● Conventional firewalls and other defenses deployed to limit site to site threat propagation

Isolated, yet still centrally managed

Page 30: Protecting Safety and Reliability

Offshore Platforms

● Strong security: Unidirectional Security Gateways

● Wonderware Historian -> OPC -> PI Server unidirectional data replication: integrating different vendors’ historians

● Platform PI data from all platforms aggregated to corporate PI server