unidirectional security, andrew ginter of waterfall security


Uploaded by: digital-bond

Posted: 09-May-2015

DESCRIPTION

This presentation reviews the spectrum of perimeter solutions based on unidirectional technology - solutions that are being deployed to protect the safety and reliability of industrial control systems. Learn why the technology is truly unidirectional based on physics and different ways it can be used in SCADA and DCS. Many practitioners find parts of the spectrum to be counter-intuitive. Further, some parts of the spectrum are straightforward to deploy, and others require that practitioners take some care to ensure that the results really are as strong as they should be. Technologies and techniques covered include unidirectional gateways, secure bypass, temporary/programmed gateway reversals, opposing gateways, secure remote access, and parallel operations and IT WANs.

TRANSCRIPT

Page 1: Unidirectional Security, Andrew Ginter of Waterfall Security

UNIDIRECTIONAL SECURITY GATEWAYS™

Unidirectional Security: Level 101

Andrew Ginter VP Industrial Security Waterfall Security Solutions

2014 Proprietary Information -- Copyright © 2013 by Waterfall Security Solutions Ltd.

Digital Bond 2014 S4

Page 2

Safety, Reliability, Confidentiality

Attribute | Enterprise / IT | Control System
Scale | Huge: 100,000s of devices | 100-500 devices per DCS
Priority | Confidentiality | Safety and reliability
Attack motive | Data theft | Sabotage
Exposure | Constant exposure to Internet content | Exposed to business network, not Internet
Equipment lifecycle | 3-5 years | 10-20 years
Security discipline | Speed / aggressive change: stay ahead of the threats | Security is an aspect of safety: Engineering Change Control (ECC)

ICS will always have a "softer interior" than IT networks. Perimeter security will always be much more important for ICS.

Page 3

Firewalls are too weak to deploy without compensating measures

Attacking Firewalls at Critical Network Perimeters

Photo: Red Tiger Security

Attack success rate, scored per attack type: 4 = Impossible, 3 = Extremely difficult, 2 = Difficult, 1 = Straightforward. Columns: UGW = Unidirectional Gateway, Fwall = firewall.

Attack type | UGW | Fwall
1) Phishing / drive-by download: victim pulls your attack through the firewall | 4 | 2
2) Social engineering: steal a password / keystroke logger / shoulder surf | 4 | 1
3) Compromise domain controller: create ICS host or firewall account | 4 | 2
4) Attack exposed servers: SQL injection / DoS / buffer overflow | 4 | 2
5) Attack exposed clients: compromised web servers / file servers / buffer overflows | 4 | 2
6) Session hijacking: MITM / steal HTTP cookies / command injection | 4 | 2
7) Piggy-back on VPN: split tunneling / malware propagation | 4 | 2
8) Firewall vulnerabilities: bugs / zero-days / default passwords / design vulns | 4 | 2
9) Errors and omissions: bad firewall rules/configs / IT reaches through firewalls | 4 | 2
10) Forge an IP address: firewall rules are IP-based | 4 | 2
11) Bypass network perimeter: cabling / rogue wireless / dial-up | 1 | 1
12) Physical access to firewall: local admin / no password / modify hardware | 3 | 2
13) Sneakernet: removable media / untrusted laptops | 1 | 1
Total score | 45 | 23

Page 4

Stronger Than Firewalls: A Spectrum of Solutions

●  Firewalls do not move data; they expose systems
●  Populating a spectrum of stronger-than-firewalls solutions

Spectrum: Routers | Firewalls | Unidirectional Security Gateways | FLIP | Secure In/Out Configurations | Secure Bypass

Examples per step: Routers: not for security; Firewalls: IT networks; Unidirectional Security Gateways: many, e.g. generation, water, refining, safety systems; FLIP: substations, batch processing; Secure In/Out Configurations: BES control centers; Secure Bypass: offshore platforms

Page 5

Secure IT/OT Integration with Historian Replication

●  Hardware-enforced unidirectional historian replication: new modular architecture
●  Replica historian contains all data and functionality of the original
●  Corporate workstations communicate only with the replica historian
●  Industrial network and critical assets are physically inaccessible from the corporate network and 100% secure from any online attack

Figure: industrial network (PLCs, RTUs, historian, workstations) -> TX agent host -> TX HW module -> RX HW module -> RX agent host -> replica historian -> corporate network. Queries and responses run between the historian and the TX agent host; commands and responses run between the RX agent host and the replica historian.

Page 6

Unidirectional Communications: Under the Hood

●  No IP address on gateways or on agent host NICs connected to gateways
●  Gateways exchange OSI layer 2 Ethernet broadcasts with agent hosts
●  Waterfall-format application data and metadata in layer 2 broadcasts
●  No IP addresses communicated from inside the ESP (Electronic Security Perimeter) to outside
●  IP communications sessions terminate in the agent hosts

Figure: control system network (IP: query/select) -> TX agent host -> TX HW module -> (non-IP, non-routable link) -> RX HW module -> RX agent host -> business network (IP: insert/update)

Page 7

Secure OPC Replication

●  The OPC-DA protocol is complex: based on the DCOM object model, intensely bi-directional
●  TX agent is an OPC client; RX agent is an OPC server
●  The OPC protocol is used only within the production network and within the business network, but not across the unidirectional gateways

Figure: PLCs/RTUs -> OPC server (industrial network) <- OPC polls, responses -> TX agent (OPC client) -> gateway -> RX agent (OPC server) <- OPC polls, responses -> OPC client (corporate network)
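The historian and OPC replication slides above describe one pattern: a TX agent polls a source on the industrial side, application data crosses the hardware as addressless frames, and an RX agent rebuilds a replica on the business side. The following is an added example written for this page, not Waterfall's code. It models what both agents have to do once there is no return path: the TX side cannot wait for acknowledgements, and the RX side cannot request a retransmission, only validate, de-duplicate and log gaps. The frame layout, the CRC32 integrity check, sending each frame twice as the loss countermeasure, and the deterministic drop/corruption positions in the channel model are all assumptions for illustration.

```python
"""Added example (not Waterfall code): TX agent -> one-way channel -> RX agent.

Assumptions, none taken from the slides: frame layout, CRC32 as the integrity
check, repeat-send instead of retransmission, and a channel that drops every
Nth frame and flips a byte at chosen send positions so runs are deterministic.
"""
import json
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """What crosses the hardware: sequence number, application data, checksum.
    No addresses, no ports, no session state; nothing the RX side could answer."""
    seq: int
    payload: bytes
    crc: int


def make_frame(seq: int, payload: bytes) -> Frame:
    return Frame(seq, payload, zlib.crc32(payload))


class OneWayChannel:
    """Model of the TX/RX hardware pair: send() returns nothing and there is no
    receive() on the TX side. Faults are injected at fixed send positions."""

    def __init__(self, drop_every: int = 0, corrupt_at: frozenset = frozenset()):
        self.drop_every = drop_every
        self.corrupt_at = corrupt_at
        self._sent = 0
        self._wire = []

    def send(self, frame: Frame) -> None:
        pos = self._sent
        self._sent += 1
        if self.drop_every and (pos + 1) % self.drop_every == 0:
            return  # frame lost in transit; TX never learns about it
        if pos in self.corrupt_at:
            bad = bytes([frame.payload[0] ^ 0xFF]) + frame.payload[1:]
            frame = Frame(frame.seq, bad, frame.crc)  # checksum no longer matches
        self._wire.append(frame)

    def drain(self) -> list:
        out, self._wire = self._wire, []
        return out


class TxAgent:
    """Industrial side: polls the source (a list stands in for the historian or
    OPC server) and pushes frames. With no ACKs possible, each frame is sent
    `repeat` times instead of relying on retransmission."""

    def __init__(self, channel: OneWayChannel, repeat: int = 2):
        self.channel, self.repeat, self.seq = channel, repeat, 0

    def replicate(self, records: list) -> None:
        for rec in records:
            frame = make_frame(self.seq, json.dumps(rec, sort_keys=True).encode())
            self.seq += 1
            for _ in range(self.repeat):
                self.channel.send(frame)


class RxAgent:
    """Business side: rebuilds the replica, rejects corrupt frames, ignores the
    duplicates created by repeat-send, and reports gaps it cannot ask about."""

    def __init__(self):
        self.replica = {}       # seq -> record, inserted into the replica server
        self.corrupt_frames = 0

    def ingest(self, frames: list) -> None:
        for f in frames:
            if zlib.crc32(f.payload) != f.crc:
                self.corrupt_frames += 1
                continue
            if f.seq not in self.replica:
                self.replica[f.seq] = json.loads(f.payload)

    def missing(self) -> list:
        if not self.replica:
            return []
        top = max(self.replica)
        return [s for s in range(top + 1) if s not in self.replica]


def run(records: list, repeat: int, drop_every: int = 0, corrupt_at=frozenset()):
    """Push `records` across one channel; return (replica, missing seqs, corrupt count)."""
    ch = OneWayChannel(drop_every, frozenset(corrupt_at))
    tx, rx = TxAgent(ch, repeat), RxAgent()
    tx.replicate(records)
    rx.ingest(ch.drain())
    return rx.replica, rx.missing(), rx.corrupt_frames


# Constructed sample rows standing in for historian data (not real plant data).
SAMPLE = [{"tag": f"FIC-10{i}", "ts": 1_700_000_000 + i, "value": 40.0 + i} for i in range(10)]

if __name__ == "__main__":
    for repeat in (1, 2):
        replica, gaps, bad = run(SAMPLE, repeat, drop_every=3, corrupt_at={7})
        print(f"repeat={repeat}: {len(replica)}/{len(SAMPLE)} rows, gaps={gaps}, corrupt={bad}")
```

Run as a script to compare `repeat=1` and `repeat=2` over the same faulty channel: with a single copy per record the replica silently lacks rows 2, 5, 7 and 8 and can only log that fact, while with two copies all ten rows arrive and the one corrupt copy is discarded by the checksum. Any recovery of a residual gap has to originate on the TX side, for example by re-polling and re-sending a trailing window of records, because the receiver has no way to ask.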

Page 8

Unidirectional Gateway Software

Leading industrial applications/historians
●  OSIsoft PI, PI AF, GE iHistorian, GE iFIX
●  Scientech R*Time, Instep eDNA, GE OSM
●  Siemens: WinCC, SINAUT/Spectrum
●  Emerson Ovation, Wonderware Historian
●  SQL Server, Oracle, MySQL, SAP
●  AspenTech, Matrikon Alert Manager

Leading IT monitoring applications
●  Log transfer, SNMP, SYSLOG
●  CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
●  HP ArcSight SIEM, McAfee ESM SIEM

File/folder mirroring
●  Folder and tree mirroring, remote folders (CIFS)
●  FTP / TFTP / SFTP / FTPS / RCP

Leading industrial protocols
●  OPC: DA, HDA, A&E, UA
●  DNP3, ICCP, Modbus

Remote access
●  Remote Screen View™
●  Secure Bypass

Other connectors
●  UDP, TCP/IP
●  NTP, multicast Ethernet
●  Video/audio stream transfer
●  Mail server / mailbox replication
●  IBM MQ Series, Microsoft MSMQ
●  Antivirus updater, patch (WSUS) updater
●  Remote print server

Page 9

Most-Deployed Unidirectional ICS Hardware

●  Two appliances: transmitter and receiver as separate units
●  All-in-one: one box with "magic in the middle"; NERC-CIP implications
●  Dual-NIC: plug-in cards
●  Security issues: certification authorities are suspicious of all-in-one solutions (insufficient electrical isolation)
●  Look for a "positive" manufacturing process: one where functionality is designed in, rather than subtracted out

Photos: Two-Appliance, All-In-One, Dual-NIC

Page 10

Secure Remote Access: Remote Screen View

●  Vendors can see control system screens in a web browser
●  Remote support is under the control of on-site personnel
●  Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real time
●  Vendors supervise site personnel
●  Site people supervise the vendors

Most common application: support by untrusted third parties

Page 11

Central Management: Segregated Operations Network

●  Operations WAN (green) separate from corporate WAN
●  Unidirectional Gateways are the only path from operations to corporate: breaks the infection / compromise path from the corporate WAN / Internet
●  Central operations staff have two workstations: one on the operations network and one on the corporate network
●  Conventional firewalls and other defenses deployed to limit site-to-site threat propagation

Safe, reliable, unidirectionally-integrated WANs

Page 12

Stronger Than Firewalls: A Spectrum of Solutions (section divider; same slide as page 4)

Page 13

Waterfall FLIP™

●  Unidirectional Gateway whose direction can be reversed, for example for:
   ●  Regular and randomized security updates and AV signatures
   ●  Chemicals / refining / mining / pharmaceuticals: batch instructions
   ●  Substations, pumping stations, remote, unstaffed sites
●  Variety of triggering options
●  When "flipped", the incoming unidirectional gateway replicates servers: no TCP/IP, no remote control attacks

Page 14

Waterfall FLIP™ - Normal Operation

Figure: critical network (Waterfall TX agent) -> TX module -> RX module -> (Waterfall RX agent) external network. Each side also hosts the agent for the opposite direction; it is idle in this orientation.

Page 15

Waterfall FLIP™ - Reversed

Figure: the same hardware, now oriented from the external network toward the critical network: external network (Waterfall TX agent) -> TX module -> RX module -> (Waterfall RX agent) critical network.

Page 16

FLIP: Stronger than Firewalls

●  Outbound data flows are absolutely secure; the temporary inbound flows are the concern
●  Remote control is practically impossible: there are never inbound and outbound data flows simultaneously
●  Gateways replicate servers / terminate protocol sessions; no packets are forwarded
●  No TCP sessions are possible through the FLIP
●  Stronger than firewalls, stronger than removable media

Stronger than firewalls: 100% secure 99+% of the time. Still stronger than a firewall the rest of the time.

Page 17

FLIP for Substations

●  Designed for smaller, unstaffed sites
●  Contains the FLIP and two computers in one 1U Waterfall cabinet
●  Unidirectional Gateway whose orientation "flips" occasionally, e.g.:
   ●  To allow a "RESET" command after a lightning strike
   ●  To allow occasional security updates or anti-virus updates
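As an added example for the FLIP slides above (pages 13, 16 and 17), and not Waterfall's code, the following Python models the property those slides rely on: orientation is a single state, so inbound and outbound transfers are never enabled at the same instant; reversals happen on a randomized schedule or an explicit trigger; and while reversed, only replicated server content of allow-listed kinds is admitted, never a session. The policy fields, the one-second tick, the `trigger` call, the allow-list contents and the transfer receipt format are assumptions for illustration.

```python
"""Added example (not Waterfall code): a reversible one-way gateway controller.

Assumptions, none from the slides: FlipPolicy fields, integer seconds as the
clock, the manual trigger(), and the set of content kinds allowed inbound.
"""
import random
from dataclasses import dataclass

OUT = "out"  # normal orientation: critical network -> external network
IN = "in"    # reversed: external -> critical (patches, AV signatures, batch instructions)


class DirectionError(RuntimeError):
    """Raised for any transfer that does not match the current orientation."""


@dataclass(frozen=True)
class FlipPolicy:
    period: int   # seconds of normal (outbound) operation between reversals
    jitter: int   # extra random delay so the reversal time is not predictable
    window: int   # seconds the reversed orientation is held
    # Only replicated server content is admitted inbound; there is no "any TCP" option.
    inbound_kinds: frozenset = frozenset({"av_signatures", "os_patch", "batch_instructions"})


class FlipGateway:
    def __init__(self, policy: FlipPolicy, rng: random.Random):
        self.policy, self.rng = policy, rng
        self.direction = OUT
        self.next_flip = self._schedule(0)
        self.reverse_until = None
        self.log = []

    def _schedule(self, now: int) -> int:
        return now + self.policy.period + self.rng.randint(0, self.policy.jitter)

    def trigger(self, now: int) -> None:
        """Event trigger (e.g. an operator requests a patch window or a RESET)."""
        self.next_flip = now

    def tick(self, now: int) -> None:
        """Advance the clock. Orientation is one variable, so inbound and
        outbound can never both be enabled."""
        if self.direction == OUT and now >= self.next_flip:
            self.direction = IN
            self.reverse_until = now + self.policy.window
            self.log.append((now, "reversed"))
        elif self.direction == IN and now >= self.reverse_until:
            self.direction = OUT
            self.next_flip = self._schedule(now)
            self.log.append((now, "normal"))

    def transfer(self, direction: str, kind: str, payload: bytes) -> dict:
        """Replicate `payload` to the receiving side. The receipt is for the
        receiving side's log only; the sending side gets nothing back."""
        if direction != self.direction:
            raise DirectionError(f"gateway is {self.direction}, refused {direction} transfer")
        if direction == IN and kind not in self.policy.inbound_kinds:
            raise DirectionError(f"inbound kind {kind!r} is not replicable content")
        return {"kind": kind, "bytes": len(payload)}


def make_gateway(policy: FlipPolicy, seed: int = 0) -> FlipGateway:
    return FlipGateway(policy, random.Random(seed))


def refused(gw: FlipGateway, direction: str, kind: str, payload: bytes) -> bool:
    """True if the gateway rejects the transfer (used to exercise the invariant)."""
    try:
        gw.transfer(direction, kind, payload)
    except DirectionError:
        return True
    return False


def inbound_fraction(policy: FlipPolicy, horizon: int, seed: int = 0) -> float:
    """Fraction of seconds over `horizon` during which the gateway is reversed."""
    gw = make_gateway(policy, seed)
    reversed_seconds = 0
    for now in range(horizon):
        gw.tick(now)
        reversed_seconds += gw.direction == IN
    return reversed_seconds / horizon


if __name__ == "__main__":
    policy = FlipPolicy(period=3600, jitter=600, window=60)
    gw = make_gateway(policy, seed=42)
    gw.tick(0)
    print(gw.transfer(OUT, "historian_rows", b"..." * 100))
    print("inbound while outbound refused:", refused(gw, IN, "os_patch", b"..."))
    print("inbound duty cycle over 10 days:", inbound_fraction(policy, 10 * 24 * 3600, seed=42))
```

With a 60-second window every 3600 seconds and no jitter, `inbound_fraction` comes out at 600/36600, about 1.6% of the time reversed; the slides' "100% secure 99+% of the time" is that duty cycle. The allow-list check in `transfer` is what stands behind "no TCP/IP, no remote control attacks": an inbound request for an interactive session is simply not a kind of content the reversed gateway replicates.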

Page 18

Stronger Than Firewalls: A Spectrum of Solutions (section divider; same slide as page 4)

Page 19

Balancing Authority / Control Center Solution

●  Gateways send commands "out" to partner utilities; a second channel polls/reports data "in"
●  Multiply redundant: automatic at site, manual fail-over between sites
●  Some ICCP reconfiguration needed: the channels are independent

Page 20

Beware "Opposing Diode" Solutions

●  Some vendors will tell you: "You need data back into your network? Of course, just drop another diode in, in the other direction"
●  E.g.: bridging diodes in + bridging diodes out = twisted-pair cable
●  E.g.: file server in + file server out = easy path for common viruses and targeted file-based malware
●  Key "opposing" design questions:
   ●  Can a TCP session be established?
   ●  Can an interactive remote control session be established?
   ●  Is one channel command and the other response? Or are they independent?
   ●  Does the solution forward protocol-level attacks?
   ●  How "distant" are the opposing channels from one another?

Photo: pair of military-style bridging diodes

Page 21

Opposing ICCP Gateway Security Analysis

Attack success rate, scored per attack type: 4 = Impossible, 3 = Extremely difficult, 2 = Difficult, 1 = Straightforward. Columns: 2xUGW = an opposing pair of Unidirectional Gateways, Fwall = firewall.

Attack type | 2xUGW | Fwall
1) Phishing / drive-by download: victim pulls your attack through the firewall | 4 | 2
2) Social engineering: steal a password / keystroke logger / shoulder surf | 4 | 1
3) Compromise domain controller: create ICS host or firewall account | 4 | 2
4) Attack exposed servers: SQL injection / DoS / buffer overflow | 3 | 2
5) Attack exposed clients: compromised web servers / file servers / buffer overflows | 4 | 2
6) Session hijacking: MITM / steal HTTP cookies / command injection | 3 | 2
7) Piggy-back on VPN: split tunneling / malware propagation | 4 | 2
8) Firewall vulnerabilities: bugs / zero-days / default passwords / design vulns | 3 | 2
9) Errors and omissions: bad firewall rules/configs / IT reaches through firewalls | 3 | 2
10) Forge an IP address: firewall rules are IP-based | 4 | 2
11) Bypass network perimeter: cabling / rogue wireless / dial-up | 1 | 1
12) Physical access to firewall: local admin / no password / modify hardware | 3 | 2
13) Sneakernet: removable media / untrusted laptops | 1 | 1
Total score | 41 | 23

Page 22

Stronger Than Firewalls: A Spectrum of Solutions (section divider; same slide as page 4)

Page 23

Waterfall Secure / Emergency Bypass

●  Temporary bypass of the security perimeter
●  Hardware enforced: relays connect and disconnect
●  Variety of trigger mechanisms
●  Deployed in parallel with a Unidirectional Gateway:
   ●  Emergency remote access: offshore platform evacuation
   ●  Temporary remote access, controlled from the plant side
●  Modular configuration with embedded PC: firewalled and whitelisted

"100% secure, 99% of the time." As secure as a firewall the rest of the time.

Page 24

Waterfall Security Solutions

●  Headquarters in Israel, sales and operations office in the USA
●  Hundreds of sites deployed in all critical infrastructure sectors
●  Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors

Awards and analyst quotes shown on the slide: Best Practice Award 2012, Industrial Network Security; 2013 Oil & Gas Customer Value Enhancement Award; "IT and OT security architects should consider Waterfall for their operations networks"; "Waterfall is key player in the cyber security market" (2010, 2011 and 2012)

Waterfall's expanded mission: replace ICS firewalls

Page 25

Waterfall's Mission: Replace ICS Firewalls

●  Waterfall's new mission: revolutionize ICS perimeter security with technologies stronger than firewalls
●  Look for additional product announcements over the next 12 months

Spectrum: Routers | Firewalls | Unidirectional Security Gateways | Waterfall FLIP™ | WF for BES Control Centers | Secure Bypass

Examples per step: Routers: not for security; Firewalls: IT networks; Unidirectional Security Gateways: generation, water, refining, safety systems; Waterfall FLIP™: substations, batch processing; WF for BES Control Centers: BES control centers; Secure Bypass: offshore platforms