Proprietary Information -- Copyright © 2012 by Waterfall Security Solutions Ltd. 2012
Stronger than Firewalls: Unidirectional Security Gateways
Andrew Ginter Director of Industrial Security Waterfall Security Solutions
Unidirectional Security Gateways
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Server replication, not protocol emulation
Subverting Firewalls
● Errors and omissions
● Most common way through: persuade someone to “pull” your attack through
● Easiest way through: steal the password
● Attacks propagate via central helpdesk connections, vendor support centers and VPN connections
● Every “essential connection” is 2-way: a compromised server can corrupt clients
Why are there so many rules about firewalls in NERC-CIP?
Photo: Red Tiger Security
13 Ways Through A Firewall
1) Social Engineering: Steal a VPN password – look under keyboard
2) Phishing – persuade victim to pull your attack through firewall
3) Attack exposed servers – eg: SQL injection
4) Piggy-back on VPN – eg: split tunneling, malware propagation
5) Firewall vulnerabilities – eg: Cross-Site Request Forgery
6) Errors and omissions – rules accidentally too broad, or “left over”
7) Forge an IP address – bypass IP-based connectivity rules
8) Keyboard logger: Steal firewall admin password
9) Compromise domain controller – make your own admin account
10) “HTTP VPN” cross-domain exploits
11) DOS – flood ICS servers with SYN or other requests
12) Compromise privileged external endpoint – eg: remote HMI
13) Bypass perimeter – wireless, dial-up, incorrect wiring
14) Sneakernet – USB, network extends beyond physical perimeter
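Item 6 in the list (rules accidentally too broad, or "left over") is the one class a defender can find by inspection of the rule base itself. The script below is an added example, not part of the slides or of any vendor product: it walks a constructed rule list against a constructed register of approved "essential connections" and reports rules that are wider than any approved connection, rules with no approved connection behind them, rules that admit any source, destination, protocol or port, and rules that have not matched traffic for a long time. The rule names, addresses and the `last_hit` field are all assumptions made for the example.

```python
import ipaddress
from datetime import date, timedelta

# Constructed rule base (not from any real firewall). `last_hit` is the date the
# rule last matched traffic, which most firewalls can report per rule.
RULES = [
    {"name": "hist-replica", "src": "10.10.1.5/32", "dst": "10.20.1.0/24",
     "proto": "tcp", "dport": "5450", "last_hit": "2012-05-30"},
    {"name": "vendor-temp", "src": "0.0.0.0/0", "dst": "10.10.0.0/16",
     "proto": "any", "dport": "any", "last_hit": "2011-09-01"},
    {"name": "helpdesk-rdp", "src": "10.30.0.0/16", "dst": "10.10.1.0/24",
     "proto": "tcp", "dport": "3389", "last_hit": "2012-05-29"},
    {"name": "old-scada-ftp", "src": "10.30.5.9/32", "dst": "10.10.1.9/32",
     "proto": "tcp", "dport": "21", "last_hit": "2011-01-15"},
]

# Constructed register of the "essential connections" that were actually approved
# through change control; the rule base is supposed to mirror this and nothing more.
APPROVED = {
    "hist-replica": {"src": "10.10.1.5/32", "dst": "10.20.1.7/32", "proto": "tcp", "dport": "5450"},
    "helpdesk-rdp": {"src": "10.30.0.0/16", "dst": "10.10.1.0/24", "proto": "tcp", "dport": "3389"},
}


def audit(rules, approved, as_of, stale_days=180):
    """Return (rule name, finding) pairs. Findings:
    too-broad:           any-source, any-destination, any-protocol or any-port
    undocumented:        no approved connection record behind the rule (left over)
    wider-than-approved: the rule admits more than the approved connection
    stale:               no traffic matched within stale_days (probably left over)
    """
    findings = []
    cutoff = as_of - timedelta(days=stale_days)
    for r in rules:
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if src.prefixlen == 0 or dst.prefixlen == 0 or "any" in (r["proto"], r["dport"]):
            findings.append((r["name"], "too-broad"))
        spec = approved.get(r["name"])
        if spec is None:
            findings.append((r["name"], "undocumented"))
        elif not (src.subnet_of(ipaddress.ip_network(spec["src"]))
                  and dst.subnet_of(ipaddress.ip_network(spec["dst"]))
                  and r["proto"] == spec["proto"]
                  and r["dport"] == spec["dport"]):
            findings.append((r["name"], "wider-than-approved"))
        if date.fromisoformat(r["last_hit"]) < cutoff:
            findings.append((r["name"], "stale"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES, APPROVED, date(2012, 6, 1)):
        print(f"{name:15s} {finding}")
```

Each finding is a review item, not a verdict: a stale rule may belong to a seasonal process, and a /16 helpdesk source may be exactly what was approved. The value of the check is that every "essential connection" gets compared against what was actually signed off, which is where over-broad and leftover rules come from.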
Unidirectional Security Gateways
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Defeats advanced / remote control attacks
● Server replication, not protocol emulation
Example: Historian Replication
● TX agent is a conventional historian client – it requests a copy of new data as it arrives in the historian
● RX agent is a conventional historian collector – it drops new data into the replica as it arrives from TX
● TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
● Complete replica: tracks all changes, new tags and alerts in the replica
Example: OPC Replication
● OPC-DA protocol is complex: based on DCOM object model – intensely bi-directional
● TX agent is OPC client: gathers data from production OPC servers
● RX agent is OPC server: serves data to business OPC clients
● TX agent sends only OPC data and metadata to RX
● OPC protocol is used only inside the production network and inside the business network, never across the unidirectional link
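The historian and OPC replication slides above describe the same pattern: a TX agent speaks the normal two-way protocol on the protected side, an RX agent speaks it on the business side, and only data and metadata cross the one-way link. What neither slide spells out is how the link protocol copes with the fact that the receiver can never ask for a retransmission. The program below is an added example, not Waterfall's code or frame format: it assumes a simple frame (magic, sequence number, length, CRC-32, JSON payload) with no network addresses at all, a TX agent that sends each frame more than once, and an RX agent that validates, de-duplicates, records sequence gaps and writes into the replica. The tag names and samples are constructed.

```python
import json
import zlib

# Constructed sample of what a historian TX agent might pick up: tag, timestamp, value, quality.
SAMPLES = [
    {"tag": "FIC-101.PV", "ts": "2012-06-01T10:00:00Z", "value": 42.1, "quality": "good"},
    {"tag": "FIC-101.PV", "ts": "2012-06-01T10:00:10Z", "value": 42.4, "quality": "good"},
    {"tag": "TI-205.PV", "ts": "2012-06-01T10:00:10Z", "value": 181.0, "quality": "good"},
    {"tag": "LSH-300", "ts": "2012-06-01T10:00:12Z", "value": 1, "quality": "alarm"},
]

# Assumed frame layout (not Waterfall's): 4-byte magic, 8-byte sequence number,
# 4-byte payload length, 4-byte CRC-32, JSON payload. There are no addresses in
# the frame at all: the link is point-to-point, so nothing here is routable.
MAGIC = b"UDG1"


def encode_frame(seq, record):
    payload = json.dumps(record, sort_keys=True).encode()
    header = (MAGIC + seq.to_bytes(8, "big") + len(payload).to_bytes(4, "big")
              + zlib.crc32(payload).to_bytes(4, "big"))
    return header + payload


def decode_frame(frame):
    """Return (seq, record), or None if the frame is truncated or fails its CRC."""
    if len(frame) < 20 or frame[:4] != MAGIC:
        return None
    seq = int.from_bytes(frame[4:12], "big")
    length = int.from_bytes(frame[12:16], "big")
    crc = int.from_bytes(frame[16:20], "big")
    payload = frame[20:20 + length]
    if len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return seq, json.loads(payload)


class TxAgent:
    """Protected side: a normal historian client that polls for new samples and
    pushes each one across the link `copies` times, since no NAK can ever come back."""

    def __init__(self, historian, link, copies=2):
        self.historian, self.link, self.copies = historian, link, copies
        self.cursor = self.seq = 0

    def poll(self):
        while self.cursor < len(self.historian):
            frame = encode_frame(self.seq, self.historian[self.cursor])
            for _ in range(self.copies):
                self.link(frame)
            self.seq += 1
            self.cursor += 1


class RxAgent:
    """External side: a normal historian collector that validates frames, drops
    duplicate copies, records sequence gaps, and appends good records to the replica."""

    def __init__(self):
        self.replica, self.seen, self.missing = [], set(), set()
        self.next_seq = 0
        self.corrupt = 0

    def receive(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1          # bad frame: counted for monitoring, never acknowledged
            return
        seq, record = decoded
        if seq in self.seen:
            return                     # redundant copy already applied
        if seq >= self.next_seq:
            self.missing.update(range(self.next_seq, seq))  # skipped sequence numbers
            self.next_seq = seq + 1
        else:
            self.missing.discard(seq)  # a late copy filled an earlier gap
        self.seen.add(seq)
        self.replica.append(record)


def replicate(copies=2, drop=()):
    """Run TX -> one-way link -> RX over SAMPLES. `drop` holds 0-based indices of
    link transmissions lost in transit; the receiver has no way to ask for them."""
    rx = RxAgent()
    transmitted = []

    def link(frame):                   # models the fibre: bytes go one way only
        if len(transmitted) not in drop:
            rx.receive(frame)
        transmitted.append(frame)

    TxAgent(SAMPLES, link, copies).poll()
    return rx


if __name__ == "__main__":
    rx = replicate(copies=2, drop=(2,))
    print(len(rx.replica), "records replicated, missing sequence numbers:", sorted(rx.missing))
```

The point to take from the example is where reliability lives: with no return path, the sender must supply redundancy up front (here, plain repetition; a real product would use forward error correction) and the receiver must detect gaps and corruption on its own and raise them as monitoring events on the business side. Nothing the RX agent does, including counting corrupt frames, produces any signal that reaches the protected network.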
Leading Industrial Applications/Historians
● OSIsoft PI, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC, SINAUT/Spectrum
● SQLServer, Wonderware Historian
● AspenTech, Matrikon Alert Manager
Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView, HP ArcSight
● McAfee ESM / NitroView SIEM
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTPS/SFTP/TFTP/RCP
Leading Industrial Protocols
● Modbus, OPC (DA, HDA, A&E)
● DNP3, ICCP
Remote Access
● Remote Screen View™
● Secure Manual Uplink
Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM Websphere MQ series
● Antivirus updater, patch (WSUS) updater
● Remote print server
Waterfall Unidirectional Gateway Connectors
Remote Screen View and CIP V3-V4
● V3 interpretation - Project 2009-26 - supervised remote access: “… would temporary, indirect and monitored access such as that provided through remote terminal sessions (WebEx, etc.) or escorted physical access be considered supervision?”
● NERC 2011 Guidance for Secure Interactive Remote Access: “This common configuration utilizes a unidirectional … outbound … connection to a read-only system. By its configuration, read-only monitoring prevents any access to, or control of, the BPS from occurring.”
CIP: no “supervised remote access” – cyber access is only allowed by authorized local personnel
NERC-CIP V3-V4 CAN-0024
● Some hardware-enforced unidirectional communications are routable, and others are not
● The use of the Internet Protocol and other routable protocols determines whether a unidirectional appliance is routable or not
● NERC-CIP auditors are encountering unidirectional communications technology routinely
NERC-CIP V5
● CIP V5 encourages the use of Unidirectional Security Gateways
● External Routable Connectivity: The ability to access a BES Cyber System that is accessible from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.
● 37 of 103 medium-impact requirements apply only if the affected cyber asset has external routable connectivity
“When you are considering security for your control networks, you need to keep in mind innovative security technologies such as unidirectional gateways” Tim Roxey, NERC CSSO
Cyber Assets - Impact
● High-impact cyber assets: cyber assets in large Control Centers or backup Control Centers
● Medium-impact cyber assets: pretty much everything that was a Critical Cyber Asset in CIP V4
● Low-impact cyber assets: pretty much “everything else” associated with the operation of the BES
Non-ERC High-Impact & Medium-Impact Exemptions
Standard | Req | ERC Exempt | Remaining
002 BES Cyber System Categorization | 7 | - |
003 Security Management Controls | 4 | - |
004 Personnel & Training | 19 | 16 | 3 HI only
005 Electronic Security Perimeters | 8 | 6 | ESP & dial-up
006 Physical Security | 14 | 10 | 1 HI, process, mon, alert
007 Systems Security Management | 20 | 5 |
008 Incident Reporting & Resp. Planning | 9 | - |
009 Recovery Plans | 10 | - |
010 Change Mgmt & Vuln Assessments | 10 | - |
011 Information Protection | 4 | - |
Totals | 103 | 37 |
Plus: many exemptions for Physical Access Control Systems without External Routable Connectivity
CIP-004 Personnel & Training
Requirement | Assets
1.1 Security awareness | HI, MI
2.1 Training content | HI, MI/ERC
2.2 Training prior to elec-access & unescorted phys access | HI, MI/ERC
2.3 Training every 15 months | HI, MI/ERC
3.1 Process to confirm identity | HI, MI/ERC
3.2 Criminal records check | HI, MI/ERC
3.3 Evaluate criminal records check | HI, MI/ERC
3.4 Contractors & service providers | HI, MI/ERC
3.5 Ensure personnel risk assessment every 7 years | HI, MI/ERC
4.1 Authorize based on need | HI, MI/ERC
4.2 Authorize electronic access | HI, MI/ERC
4.3 Verify authorization records once per quarter | HI, MI/ERC
4.4 Verify specific electronic privileges every 15 months | HI, MI/ERC
4.5 Verify access to storage locations for BES cyber info | HI, MI/ERC
CIP-004 Personnel & Training
Requirement | Assets
5.1 Process to initiate removal of access | HI, MI/ERC
5.2 Reassignments or transfers | HI, MI/ERC
5.3 Termination actions to revoke access | HI, MI/ERC
5.4 Revoke user account on termination | HI
5.5 Change passwords on shared accounts | HI
CIP-005 Electronic Security Perimeters
Requirement | Assets
1.1 Electronic Security Perimeter | HI, MI
1.2 All ERC through EAP | HI/ERC, MI/ERC
1.3 EAP permissions | EAPs
1.4 Dial-up authentication | HI/DU, MI/DU
1.5 Detect malicious communications (NIDS) | EAPs for HI/CC, MI/CC
2.1 Remote Access: intermediate device | HI, MI/ERC
2.2 Remote Access: encryption | HI, MI/ERC
2.3 Remote Access: multi-factor authentication | HI, MI/ERC
Electronic Access Point rules apply only when there are EAPs – i.e. only when there is External Routable Communications to Cyber Assets inside an ESP
CIP-006 Physical Security
Requirement | Assets
1.1 Procedural controls to restrict physical access | MI w/out ERC
1.2 Physical access control for unescorted physical access | MI/ERC
1.3 Two or more physical access controls | HI
1.4 Monitor unauthorized circumvention of access controls | HI, MI/ERC
1.5 Issue alarm or alert for unauthorized circumvention | HI, MI/ERC
1.6 Monitor physical access ctl sys for unauthorized access | HI, MI
1.7 Issue alarm or alert for unauthorized circumvention | HI, MI
1.8 Log entry of each authorized individual | HI, MI/ERC
1.9 Retain authorized individual access logs for 90 days | HI, MI/ERC
2.1 Continuous escorted access for unauthorized individuals | HI, MI/ERC
2.2 Log entry of each visitor | HI, MI/ERC
2.3 Retain visitor logs for 90 days | HI, MI/ERC
3.1 Maintenance and testing of physical access ctls / 24 mo | HI, MI/ERC
3.2 Document access control outages / retain logs 24 mo | HI, MI/ERC
CIP-007 Systems Security Management
Requirement | Assets
1.1 Enable only necessary logical network ports | HI, MI/ERC
1.2 Enable only necessary physical ports / removable media | HI, MI
2.1 Patch management | HI, MI
2.2 Evaluate patches at least every 35 days | HI, MI
2.3 Apply patch or create mitigation plan | HI, MI
2.4 Implement the mitigation plan | HI, MI
3.1 Deploy methods to deter/detect/prevent malicious code | HI, MI
3.2 Mitigate the threat of identified malicious code | HI, MI
3.3 Process to update signatures, when sigs are used | HI, MI
CIP-007 Systems Security Management
Requirement | Assets
4.1 Log events: failed/successful logins, malicious code | HI, MI
4.2 Generate alerts: malicious code, logging failures | HI, MI/ERC
4.3 Retain 4.1 logs for 90 days | HI, MI/CC
4.4 Review logs every 15 days | HI
5.1 Enforce authentication of interactive users | HI, MI/CC, MI/ERC
5.2 Inventory default/generic account types | HI, MI
5.3 Identify individuals with access to shared accounts | HI, MI/ERC
5.4 Change default passwords | HI, MI
5.5 Password complexity | HI, MI
5.6 Password changes every 15 months | HI, MI/ERC
5.7 Limit/alert on unsuccessful logins | HI, MI/CC
Cost Savings
● Eliminate firewall management /documentation costs – eg: typical third-party non-CIP firewall management costs $1500 - $5000 per firewall per month
● Essentially eliminate security training & personnel background checks for MI assets – leave only security awareness program
● Essentially eliminate physical security programs for MI/ERC assets – leave only procedural controls
● Reduce vulnerability assessment costs: firewalls consume disproportionate amounts of attention during assessments
● Eliminate Network Intrusion Detection Systems for assets at Control Centers & NIDS 24x7 monitoring/false-positive costs
Preventable Incidents
● Cost of all preventable, serious cyber incidents in the next decade, divided by (10 years x number of similar facilities sharing the risk)?
● Cost of preventable “routine” malware infestations – expect one per site per decade? Expect 1 / 5 infestations to trigger safety shutdown with associated downtime/startup costs, reliability penalties, and lost revenues?
● Cost of preventable “insider” incidents – eg: well-meaning business IT personnel reaching into production network outside of operations engineering change control structures? Expect several per decade, but lower cost per incident.
Photo: National Institutes of Health
Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
● Frost & Sullivan: Entrepreneurial Company of the Year Award for ICS network security
● Pike Research: Waterfall is key player in the cyber security market
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
Market leader for server replication in industrial environments
Select Customers – North America
Hundreds of Installations World-Wide
● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks
● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
● Costs: reduces security operating costs – improves security and saves money in the long run
Market leader for server replication in industrial environments
Stronger Than Firewalls
High Availability
● N-way HA architecture supported
● All components are hot-swappable, no reconfiguration needed
● Windows agent host clustering – Microsoft and third-party clustering technologies supported
HA Architecture
True Remote Control: Secure Manual Uplink
● Physically connects/disconnects copper network cables
● Automatically disconnects again after programmable interval
● Activation modes:
  ● Physical key
  ● Electronic key