Proprietary Information -- Copyright © 2012 by Waterfall Security Solutions Ltd. 2012

Stronger than Firewalls: Unidirectional Security Gateways

Andrew Ginter Director of Industrial Security Waterfall Security Solutions

Unidirectional Security Gateways

● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network

● TX uses 2-way protocols to gather data from protected network

● RX uses 2-way protocols to publish data to external network

● Server replication, not protocol emulation

Subverting Firewalls

● Errors and omissions

● Most common way through: persuade someone to “pull” your attack through

● Easiest way through: steal the password

● Attacks propagate via central helpdesk connections, vendor support centers and VPN connections

● Every “essential connection” is 2-way: a compromised server can corrupt clients

Why are there so many rules about firewalls in NERC-CIP?

Photo: Red Tiger Security

13 Ways Through A Firewall

1) Social Engineering: Steal a VPN password – look under keyboard

2) Phishing – persuade victim to pull your attack through firewall

3) Attack exposed servers – eg: SQL injection

4) Piggy-back on VPN – eg: split tunneling, malware propagation

5) Firewall vulnerabilities – eg: Cross-Site Request Forgery

6) Errors and omissions – rules accidentally too broad, or “left over”

7) Forge an IP address – bypass IP-based connectivity rules

8) Keyboard logger: Steal firewall admin password

9) Compromise domain controller – make your own admin account

10) “HTTP VPN” cross-domain exploits

11) DOS – flood ICS servers with SYN or other requests

12) Compromise privileged external endpoint – eg: remote HMI

13) Bypass perimeter – wireless, dial-up, incorrect wiring

14) Sneakernet – USB, network extends beyond physical perimeter

Unidirectional Security Gateways

● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network

● TX uses 2-way protocols to gather data from protected network

● RX uses 2-way protocols to publish data to external network

● Defeats advanced / remote control attacks

● Server replication, not protocol emulation

Example: Historian Replication

● TX agent is conventional historian client – request copy of new data as it arrives in historian

● RX agent is conventional historian collector – drops new data into replica as it arrives from TX

● TX agent sends historical data and metadata to RX using non-routable, point-to-point protocol

● Complete replica, tracks all changes, new tags, alerts in replica

Example: OPC Replication

● OPC-DA protocol is complex: based on DCOM object model – intensely bi-directional

● TX agent is OPC client: gathers data from production OPC servers

● RX agent is OPC server: serves data to business OPC clients

● TX agent sends only OPC data and metadata to RX

● OPC protocol is used only in production network, and business network, but not across unidirectional link
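The historian and OPC replication slides above share one design point: the TX agent speaks the native, bi-directional protocol on the protected side, the RX agent speaks it on the business side, and only data and metadata cross the one-way link. Since no byte can travel from RX back to TX, the link protocol cannot use acknowledgements or retransmit requests; the receiver has to detect loss and corruption by itself. The following Python is an added example written for this page, not Waterfall's own code or protocol (which is proprietary): it models both agents and a simulated one-way link with a constructed frame layout (magic marker, sequence number, length, CRC32), forward redundancy in place of retransmission, and constructed historian tag names and samples.

```python
"""One-way replication framing for a link with no return channel.

Added example, not Waterfall's own code or protocol (that is proprietary).
It models the TX/RX split from the historian and OPC replication slides:
the TX agent, a normal client on the protected side, frames each new
sample; the RX agent, on the external side, validates frames and
rebuilds the replica. Nothing travels RX->TX, so there is no ACK and no
retransmit request: loss tolerance comes from sending each frame more
than once, and the receiver detects loss and corruption from the
sequence number and CRC carried in every frame. Frame layout, field
names and tag names are constructed for this example.
"""
import json
import struct
import zlib
from dataclasses import dataclass, field

MAGIC = b"UREP"                     # constructed frame marker
HDR = struct.Struct("!4sIHI")       # magic, seq, payload length, crc32(payload)


@dataclass
class Sample:
    tag: str
    ts: int
    value: float


class TxAgent:
    """Protected-side agent: emits each framed sample `redundancy` times."""

    def __init__(self, redundancy=2):
        self.seq = 0
        self.redundancy = redundancy

    def frames(self, sample):
        payload = json.dumps(
            {"tag": sample.tag, "ts": sample.ts, "value": sample.value}).encode()
        hdr = HDR.pack(MAGIC, self.seq, len(payload), zlib.crc32(payload))
        self.seq += 1
        # Forward redundancy replaces retransmission: the RX side cannot ask again.
        return [hdr + payload] * self.redundancy


@dataclass
class RxAgent:
    """External-side agent: validates frames and maintains the replica."""
    replica: dict = field(default_factory=dict)   # tag -> (ts, value)
    expected_seq: int = 0
    gaps: list = field(default_factory=list)      # (first_missing_seq, last_missing_seq)
    rejected: int = 0                             # malformed or corrupt frames

    def receive(self, frame):
        if len(frame) < HDR.size:
            self.rejected += 1
            return False
        magic, seq, length, crc = HDR.unpack_from(frame)
        payload = frame[HDR.size:]
        if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
            self.rejected += 1          # corrupt on the wire: nothing to request, just count it
            return False
        if seq < self.expected_seq:
            return False                # redundant copy of a frame already applied
        if seq > self.expected_seq:
            # Every copy of the intervening frames was lost; record the hole
            # so operators know the replica is incomplete for that interval.
            self.gaps.append((self.expected_seq, seq - 1))
        self.expected_seq = seq + 1
        rec = json.loads(payload)
        prev = self.replica.get(rec["tag"])
        if prev is None or rec["ts"] >= prev[0]:
            self.replica[rec["tag"]] = (rec["ts"], rec["value"])
        return True


def run_link(drop=frozenset(), corrupt=frozenset()):
    """Push constructed samples through a simulated one-way link.

    `drop` and `corrupt` are indices into the emitted frame stream; with
    redundancy=2, frames 2k and 2k+1 are the two copies of sequence k.
    """
    samples = [Sample("FIC-101.PV", 1000, 42.0), Sample("TIC-202.PV", 1000, 73.5),
               Sample("FIC-101.PV", 1001, 42.5), Sample("PIC-303.PV", 1001, 1.01)]
    tx, rx = TxAgent(redundancy=2), RxAgent()
    wire = [f for s in samples for f in tx.frames(s)]
    for i, frame in enumerate(wire):
        if i in drop:
            continue
        if i in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # flip last payload byte
        rx.receive(frame)
    return rx


if __name__ == "__main__":
    rx = run_link(drop={2, 3}, corrupt={4})
    print("replica:", rx.replica)
    print("gaps:", rx.gaps, "rejected:", rx.rejected)
```

Losing one copy of a frame costs nothing; losing both copies leaves a recorded gap rather than a silent hole, and a corrupted frame is counted and discarded instead of being applied. Those counters are what the business-side monitoring would watch, because the protected side can never be told to resend.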

Leading Industrial Applications/Historians

● OSIsoft PI, GE iHistorian, GE iFIX

● Scientech R*Time, Instep eDNA, GE OSM

● Siemens: WinCC, SINAUT/Spectrum

● SQLServer, Wonderware Historian

● AspenTech, Matrikon Alert Manager

Leading IT Monitoring Applications

● Log Transfer, SNMP, SYSLOG

● CA Unicenter, CA SIM, HP OpenView, HP ArcSight

● McAfee ESM / NitroView SIEM

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/TFTP/SFTP/FTPS/RCP

Leading Industrial Protocols

● Modbus, OPC (DA, HDA, A&E)

● DNP3, ICCP

Remote Access

● Remote Screen View™

● Secure Manual Uplink

Other connectors

● UDP, TCP/IP

● NTP, Multicast Ethernet

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM Websphere MQ series

● Antivirus updater, patch (WSUS) updater

● Remote print server

Waterfall Unidirectional Gateway Connectors

Remote Screen View and CIP V3-V4

● V3 interpretation - Project 2009-26 - supervised remote access: “… would temporary, indirect and monitored access such as that provided through remote terminal sessions (WebEx, etc.) or escorted physical access be considered supervision?”

● NERC 2011 Guidance for Secure Interactive Remote Access: “This common configuration utilizes a unidirectional … outbound … connection to a read-only system. By its configuration, read-only monitoring prevents any access to, or control of, the BPS from occurring.”

CIP: no “supervised remote access” – cyber access is only allowed by authorized local personnel

NERC-CIP V3-V4 CAN-0024

● Some hardware-enforced unidirectional communications are routable, and others are not

● The use of the Internet Protocol and other routable protocols determines whether a unidirectional appliance is routable or not

● NERC-CIP auditors are encountering unidirectional communications technology routinely

NERC-CIP V5

● CIP V5 encourages the use of Unidirectional Security Gateways

● External Routable Connectivity: The ability to access a BES Cyber System that is accessible from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.

● 37 of 103 medium-impact requirements apply only if the affected cyber asset has external routable connectivity

“When you are considering security for your control networks, you need to keep in mind innovative security technologies such as unidirectional gateways” Tim Roxey, NERC CSSO

Cyber Assets - Impact

● High-impact cyber assets: cyber assets in large Control Centers or backup Control Centers

● Medium-impact cyber assets: pretty much everything that was a Critical Cyber Asset in CIP V4

● Low-impact cyber assets: pretty much “everything else” associated with the operation of the BES

Non-ERC High-Impact & Medium-Impact Exemptions

Standard                                    Req   ERC Exempt   Remaining
002 BES Cyber System Categorization           7        -
003 Security Management Controls              4        -
004 Personnel & Training                     19       16        3 HI only
005 Electronic Security Perimeters            8        6        ESP & dial-up
006 Physical Security                        14       10        1 HI, process, mon, alert
007 Systems Security Management              20        5
008 Incident Reporting & Resp. Planning       9        -
009 Recovery Plans                           10        -
010 Change Mgmt & Vuln Assessments           10        -
011 Information Protection                    4        -
Totals:                                     103       37

Plus: many exemptions for Physical Access Control Systems without External Routable Connectivity

CIP-004 Personnel & Training

Requirement Assets

1.1 Security awareness HI, MI

2.1 Training content HI, MI/ERC

2.2 Training prior to elec-access & unescorted phys access HI, MI/ERC

2.3 Training every 15 months HI, MI/ERC

3.1 Process to confirm identity HI, MI/ERC

3.2 Criminal records check HI, MI/ERC

3.3 Evaluate criminal records check HI, MI/ERC

3.4 Contractors & service providers HI, MI/ERC

3.5 Ensure personnel risk assessment every 7 years HI, MI/ERC

4.1 Authorize based on need HI, MI/ERC

4.2 Authorize electronic access HI, MI/ERC

4.3 Verify authorization records once per quarter HI, MI/ERC

4.4 Verify specific electronic privileges every 15 months HI, MI/ERC

4.5 Verify access to storage locations for BES cyber info HI, MI/ERC

CIP-004 Personnel & Training

Requirement Assets

5.1 Process to initiate removal of access HI, MI/ERC

5.2 Reassignments or transfers HI, MI/ERC

5.3 Termination actions to revoke access HI, MI/ERC

5.4 Revoke user account on termination HI

5.5 Change passwords on shared accounts HI

CIP-005 Electronic Security Perimeters

Requirement Assets

1.1 Electronic Security Perimeter HI, MI

1.2 All ERC through EAP HI/ERC, MI/ERC

1.3 EAP permissions EAPs

1.4 Dial-up authentication HI/DU, MI/DU

1.5 Detect malicious communications (NIDS) EAPs for HI/CC, MI/CC

2.1 Remote Access: intermediate device HI, MI/ERC

2.2 Remote Access: encryption HI, MI/ERC

2.3 Remote Access: multi-factor authentication HI, MI/ERC

Electronic Access Point rules apply only when there are EAPs – ie: when there is External Routable Communications to Cyber Assets inside an ESP

CIP-006 Physical Security

Requirement Assets

1.1 Procedural controls to restrict physical access MI w/out ERC

1.2 Physical access control for unescorted physical access MI/ERC

1.3 Two or more physical access controls HI

1.4 Monitor unauthorized circumvention of access controls HI, MI/ERC

1.5 Issue alarm or alert for unauthorized circumvention HI, MI/ERC

1.6 Monitor physical access ctl sys for unauthorized access HI, MI

1.7 Issue alarm or alert for unauthorized circumvention HI, MI

1.8 Log entry of each authorized individual HI, MI/ERC

1.9 Retain authorized individual access logs for 90 days HI, MI/ERC

2.1 Continuous escorted access for unauthorized individuals HI, MI/ERC

2.2 Log entry of each visitor HI, MI/ERC

2.3 Retain visitor logs for 90 days HI, MI/ERC

3.1 Maintenance and testing of physical access ctls / 24 mo HI, MI/ERC

3.2 Document access control outages / retain logs 24 mo HI, MI/ERC

CIP-007 Systems Security Management

Requirement Assets

1.1 Enable only necessary logical network ports HI, MI/ERC

1.2 Enable only necessary physical ports / removable media HI, MI

2.1 Patch management HI, MI

2.2 Evaluate patches at least every 35 days HI, MI

2.3 Apply patch or create mitigation plan HI, MI

2.4 Implement the mitigation plan HI, MI

3.1 Deploy methods to deter/detect/prevent malicious code HI, MI

3.2 Mitigate the threat of identified malicious code HI, MI

3.3 Process to update signatures, when sigs are used HI, MI

CIP-007 Systems Security Management

Requirement Assets

4.1 Log events: failed/successful logins, malicious code HI, MI

4.2 Generate alerts: malicious code, logging failures HI, MI/ERC

4.3 Retain 4.1 logs for 90 days HI, MI/CC

4.4 Review logs every 15 days HI

5.1 Enforce authentication of interactive users HI, MI/CC, MI/ERC

5.2 Inventory default/generic account types HI, MI

5.3 Identify individuals with access to shared accounts HI, MI/ERC

5.4 Change default passwords HI, MI

5.5 Password complexity HI, MI

5.6 Password changes every 15 months HI, MI/ERC

5.7 Limit/alert on unsuccessful logins HI, MI/CC

Cost Savings

● Eliminate firewall management /documentation costs – eg: typical third-party non-CIP firewall management costs $1500 - $5000 per firewall per month

● Essentially eliminate security training & personnel background checks for MI assets – leave only security awareness program

● Essentially eliminate physical security programs for MI/ERC assets – leave only procedural controls

● Reduce vulnerability assessment costs: firewalls consume disproportionate amounts of attention during assessments

● Eliminate Network Intrusion Detection Systems for assets at Control Centers & NIDS 24x7 monitoring/false-positive costs

Preventable Incidents

● Cost of all preventable, serious cyber incidents in the next decade, divided by (10 years x number of similar facilities sharing the risk)?

● Cost of preventable “routine” malware infestations – expect one per site per decade? Expect 1 / 5 infestations to trigger safety shutdown with associated downtime/startup costs, reliability penalties, and lost revenues?

● Cost of preventable “insider” incidents – eg: well-meaning business IT personnel reaching into production network outside of operations engineering change control structures? Expect several per decade, but lower cost per incident.

Photo: National Institutes of Health

Waterfall Security Solutions

● Headquarters in Israel, sales and operations office in the USA

● Hundreds of sites deployed in all critical infrastructure sectors

● Frost & Sullivan: Entrepreneurial Company of the Year Award for ICS network security

● Pike Research: Waterfall is key player in the cyber security market

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors

Market leader for server replication in industrial environments

Select Customers – North America

Hundreds of Installations World-Wide

● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks

● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security

● Costs: reduces security operating costs – improves security and saves money in the long run

Market leader for server replication in industrial environments

Stronger Than Firewalls

High Availability

● N-way HA architecture supported

● All components are hot-swappable, no reconfiguration needed

● Windows agent host clustering – Microsoft and third-party clustering technologies supported

HA Architecture

True Remote Control: Secure Manual Uplink

● Physically connects/disconnects copper network cables

● Automatically disconnects again after programmable interval

● Activation modes:

● Physical key

● Electronic key

Temporary Remote Control

● 100% secure, 99% of the time

● On-site personnel decide when to grant access

● Remote access further controlled by conventional firewalls, VPNs, etc.