Unidirectional Security, Andrew Ginter of Waterfall Security
DESCRIPTION
This presentation reviews the spectrum of perimeter solutions based on unidirectional technology - solutions that are being deployed to protect the safety and reliability of industrial control systems. Learn why the technology is truly unidirectional, based on physics, and the different ways it can be used in SCADA and DCS. Many practitioners find parts of the spectrum to be counter-intuitive. Further, some parts of the spectrum are straightforward to deploy, and others require that practitioners take some care to ensure that the results really are as strong as they should be. Technologies and techniques covered include unidirectional gateways, secure bypass, temporary/programmed gateway reversals, opposing gateways, secure remote access, and parallel operations and IT WANs.

TRANSCRIPT
UNIDIRECTIONAL SECURITY GATEWAYS™
Unidirectional Security: Level 101
Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
Digital Bond 2014 S4
Proprietary Information -- Copyright © 2013 by Waterfall Security Solutions Ltd.
Safety, Reliability, Confidentiality

Attribute             Enterprise / IT                                         Control System
Scale                 Huge – 100,000’s of devices                              100-500 devices per DCS
Priority              Confidentiality                                          Safety and reliability
Attack Motive         Data Theft                                               Sabotage
Exposure              Constant exposure to Internet content                    Exposed to business network, not Internet
Equipment lifecycle   3-5 years                                                10-20 years
Security discipline   Speed / aggressive change – stay ahead of the threats    Security is an aspect of safety - Engineering Change Control (ECC)

ICS will always have a “softer interior” than IT networks. Perimeter security will always be much more important for ICS.
Firewalls are too weak to deploy without compensating measures

Attacking Firewalls at Critical Network Perimeters
[Photo: Red Tiger Security]

Attack success rate scale (read as 4 = Impossible, 3 = Extremely Difficult, 2 = Difficult, 1 = Straight-Forward). UGW = Unidirectional Gateway, Fwall = Firewall.

Attack Type                                                                      UGW   Fwall
 1) Phishing / drive-by-download – victim pulls your attack through firewall       4      2
 2) Social engineering – steal a password / keystroke logger / shoulder surf       4      1
 3) Compromise domain controller – create ICS host or firewall account             4      2
 4) Attack exposed servers – SQL injection / DOS / buffer-overflow                 4      2
 5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows      4      2
 6) Session hijacking – MIM / steal HTTP cookies / command injection               4      2
 7) Piggy-back on VPN – split tunneling / malware propagation                      4      2
 8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns    4      2
 9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls     4      2
10) Forge an IP address – firewall rules are IP-based                              4      2
11) Bypass network perimeter – cabling / rogue wireless / dial-up                  1      1
12) Physical access to firewall – local admin / no passwd / modify hardware        3      2
13) Sneakernet – removable media / untrusted laptops                               1      1
Total Score:                                                                      45     23
Stronger Than Firewalls: A Spectrum of Solutions
● Firewalls do not move data – they expose systems
● Populating a spectrum of stronger-than-firewalls solutions
[Figure: the spectrum runs Routers, Firewalls, Unidirectional Security Gateways, FLIP, Secure In/Out Configurations, Secure Bypass. Example deployments shown: Not For IT Security Networks; Substations, Offshore Platforms; Generation, BES Control Centers; Batch Processing, Refining; Water, Safety Systems; Many]
Secure IT/OT Integration with Historian Replication
● Hardware-enforced unidirectional historian replication – new modular architecture
● Replica historian contains all data and functionality of original
● Corporate workstations communicate only with replica historian
● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
[Diagram: Industrial Network (PLCs, RTUs, Historian, Workstations) → TX Agent Host → TX HW Module → RX HW Module → RX Agent Host → Replica Historian on the Corporate Network. Arrows are labelled “Commands, Responses” and “Queries, Responses”]
Unidirectional Communications: Under the Hood
● No IP address on gateways or agent host NICs connected to gateways
● Gateways exchange OSI layer 2 Ethernet broadcasts with agent hosts
● Waterfall-format application data and metadata in layer 2 broadcasts
● No IP addresses communicated from inside ESP to outside
● IP communications sessions terminate in agent hosts
[Diagram: Control System Network (IP, Query/Select) → TX Agent Host → Non-IP → TX HW Module → Non Routable → RX HW Module → Non-IP → RX Agent Host (IP, Insert/Update) → Business Network]
Secure OPC Replication
● OPC-DA protocol is complex: based on DCOM object model – intensely bi-directional
● TX agent is OPC client. RX agent is OPC server
● OPC protocol is used only in production network, and business network, but not across unidirectional gateways
[Diagram: Industrial Network (PLCs, RTUs, OPC Server) ↔ OPC Polls, Responses ↔ OPC Client (TX agent) → unidirectional gateway → OPC Server (RX agent) ↔ OPC Polls, Responses ↔ Corporate Network]
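The two slides above (Under the Hood, Secure OPC Replication) both rest on the same software consequence: the TX agent can only push and the RX agent can only listen, so sequence numbers, checksums and redundant copies have to stand in for acknowledgements and retransmission. The following is an added illustration of that, not Waterfall's code and not the Waterfall frame format; the frame layout, record fields and the lossy channel are assumptions constructed for the example.

```python
import json
import struct
import zlib
from dataclasses import dataclass, field

# Assumed frame layout for this example (not Waterfall's format):
# magic, sequence number, payload length, CRC-32 of payload, then JSON payload.
MAGIC = b"UNI1"
HEADER = struct.Struct("!4sIHI")

def tx_frame(seq: int, record: dict) -> bytes:
    """TX agent: wrap one historian record as a self-describing frame. Each frame
    carries its own sequence number and CRC because RX can never ask for a resend."""
    payload = json.dumps(record, sort_keys=True).encode()
    return HEADER.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload

@dataclass
class RxAgent:
    """RX agent: validates frames, applies them to the replica, and records gaps
    and corruption locally instead of sending a NAK (there is no return path)."""
    expected_seq: int = 0
    replica: list = field(default_factory=list)
    gaps: list = field(default_factory=list)   # (first_missing, last_missing)
    corrupt: int = 0

    def receive(self, frame: bytes) -> bool:
        hdr = HEADER.unpack_from(frame) if len(frame) >= HEADER.size else None
        payload = frame[HEADER.size:]
        if hdr is None or hdr[0] != MAGIC or len(payload) != hdr[2] or zlib.crc32(payload) != hdr[3]:
            self.corrupt += 1                  # drop silently; alert locally
            return False
        seq = hdr[1]
        if seq < self.expected_seq:
            return False                       # duplicate copy, already applied
        if seq > self.expected_seq:
            self.gaps.append((self.expected_seq, seq - 1))
        self.replica.append(json.loads(payload))   # "Insert/Update" on the replica
        self.expected_seq = seq + 1
        return True

def replicate(records, drop=frozenset(), repeat=1) -> RxAgent:
    """Push records TX -> RX over a constructed lossy one-way channel that loses the
    first copy of each sequence number in `drop`; `repeat` copies is the only reliability tool."""
    rx = RxAgent()
    for seq, rec in enumerate(records):
        for copy in range(repeat):
            if not (copy == 0 and seq in drop):
                rx.receive(tx_frame(seq, rec))
    return rx
```

With `repeat=1` the receiver ends up with a recorded gap it can alarm on; with `repeat=2` the same losses are absorbed and the duplicate copies are discarded by the sequence check.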
Unidirectional Gateway Software

Leading Industrial Applications/Historians
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC, SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQLServer, Oracle, MySQL, SAP
● AspenTech, Matrikon Alert Manager

Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
● HP ArcSight SIEM, McAfee ESM SIEM

File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTPS/SFTP/TFTP/RCP

Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus

Remote Access
● Remote Screen View™
● Secure Bypass

Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM MQ series, Microsoft MSMQ
● Antivirus updater, patch (WSUS) updater
● Remote print server
Most-Deployed Unidirectional ICS Hardware
● Two appliances: transmitter & receiver as separate units
● All-in-one: one box with “magic in the middle” – NERC-CIP implications
● Dual-NIC: plug-in cards
● Security issues:
  ● Certification authorities suspicious of all-in-one solutions – insufficient electrical isolation
  ● Look for a “positive” manufacturing process – one where functionality is designed-in, rather than subtracted-out
[Figure: Two-Appliance, All-In-One and Dual-NIC form factors]
Secure Remote Access: Remote Screen View
● Vendors can see control system screens in web browser
● Remote support is under control of on-site personnel
● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time
● Vendors supervise site personnel
● Site people supervise the vendors
Most common application: support by untrusted third parties
Central Management: Segregated Operations Network
● Operations WAN (green) separate from corporate WAN
● Unidirectional Gateways are only path from operations to corporate – breaks infection / compromise path from corporate WAN / Internet
● Central operations staff have two workstations: one on operations network, and one on corporate network
● Conventional firewalls and other defenses deployed to limit site to site threat propagation
Safe, reliable, unidirectionally-integrated WANs
Waterfall FLIP™
● Unidirectional Gateway whose direction can be reversed:
  ● Regular and randomized security updates & AV signatures
  ● Chemicals / refining / mining / pharmaceuticals: batch instructions
  ● Substations, pumping stations, remote, unstaffed sites
● Variety of triggering options
● When ‘flipped’ – incoming unidirectional gateway replicates servers: no TCP/IP, no remote control attacks
Waterfall Flip™ - Normal Operation
[Diagram: Critical Network with a Waterfall TX agent and a Waterfall RX agent, TX Module and RX Module in the middle, External Network with a Waterfall TX agent and a Waterfall RX agent]

Waterfall Flip™ - Reversed
[Diagram: the same components as in Normal Operation, with the TX Module / RX Module orientation reversed]
FLIP: Stronger than Firewalls
● Outbound data flows are absolutely secure – temporary in-bound flows are the concern
● Remote control is practically impossible – there are never in-bound and out-bound data flows simultaneously
● Gateways replicate servers / terminate protocol sessions – no packets forwarded
● No TCP sessions are possible through the FLIP
● Stronger than firewalls, stronger than removable media
Stronger than firewalls: 100% secure 99+% of the time. Still stronger than a firewall the rest of the time
FLIP for Substations
● Designed for smaller, un-staffed sites
● Contains the ‘FLIP’ and two computers in one 1U Waterfall Cabinet
● Unidirectional Gateway whose orientation “flips” occasionally
● Eg:
  ● To allow “RESET” command after lightning strike
  ● To allow occasional security updates or anti-virus updates
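The FLIP slides above make three claims that a controller has to enforce: in-bound and out-bound flows never coexist, a flip needs an explicit trigger, and the in-bound window is occasional. The model below is an added example, not Waterfall's implementation; the trigger policy, the timed auto-revert and the 300-second window length are assumptions, and the day-long schedule is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

OUTBOUND, INBOUND = "outbound", "inbound"   # the only two orientations a FLIP has

@dataclass
class FlipController:
    """Orientation controller for a reversible one-way gateway. Assumed policy (not
    Waterfall's): an inbound window needs an explicit trigger, lasts at most
    `max_window` seconds, and auto-reverts so a forgotten flip cannot stay open."""
    max_window: int
    orientation: str = OUTBOUND
    flipped_at: Optional[int] = None
    inbound_seconds: int = 0
    audit: list = field(default_factory=list)      # (time, event) audit trail

    def request_flip(self, now: int, trigger: str) -> bool:
        """Open an inbound window; refused while one is already open."""
        if self.orientation == INBOUND:
            self.audit.append((now, f"refused ({trigger}): already inbound"))
            return False
        self.orientation, self.flipped_at = INBOUND, now
        self.audit.append((now, f"flip inbound ({trigger})"))
        return True

    def tick(self, now: int) -> None:
        """Timer callback: revert to outbound once the window has expired."""
        if self.orientation == INBOUND and now - self.flipped_at >= self.max_window:
            self.inbound_seconds += now - self.flipped_at
            self.orientation, self.flipped_at = OUTBOUND, None
            self.audit.append((now, "revert outbound (window expired)"))

    def allowed(self, direction: str) -> bool:
        """Gate check for a flow: exactly one direction is open at any instant."""
        return direction == self.orientation

    def exposure(self, now: int) -> float:
        """Fraction of elapsed time spent inbound (the '99+% of the time' figure)."""
        open_now = now - self.flipped_at if self.orientation == INBOUND else 0
        return (self.inbound_seconds + open_now) / max(now, 1)

def simulate_day(windows: list, max_window: int = 300) -> float:
    """Constructed schedule of (trigger_time, trigger_name); ticks once per second
    through one day and returns the inbound exposure fraction."""
    ctl = FlipController(max_window)
    pending = dict(windows)
    for t in range(86_400):
        ctl.tick(t)
        if t in pending:
            ctl.request_flip(t, pending[t])
    return ctl.exposure(86_400)
```

Two five-minute windows in a day give an exposure of 600/86400, just under 0.7%; a request that arrives while a window is already open is refused and logged rather than extending it.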
Balancing Authority / Control Center Solution
● Gateways send commands “out” to partner utilities. Second channel polls/reports data “in”
● Multiply redundant – automatic at site, manual fail-over between sites
● Some ICCP reconfiguration needed – channels are independent
Beware "Opposing Diode" Solutions
● Some vendors will tell you “you need data back into your network? Of course – just drop another diode in, in the other direction”
● Eg: bridging diodes in + bridging diodes out = twisted-pair cable
● Eg: file server in + file server out = easy path for common viruses and targeted file-based malware
● Key “opposing” design questions:
  ● Can TCP session be established?
  ● Can interactive remote control session be established?
  ● Is one channel command and other response? Or independent?
  ● Does solution forward protocol-level attacks?
  ● How “distant” are the opposing channels from one another?
[Photo: Pair of military-style bridging diodes]
Opposing ICCP Gateway Security Analysis

Attack success rate scale (read as 4 = Impossible, 3 = Extremely Difficult, 2 = Difficult, 1 = Straight-Forward). 2xUGW = pair of opposing Unidirectional Gateways, Fwall = Firewall.

Attack Type                                                                      2xUGW   Fwall
 1) Phishing / drive-by-download – victim pulls your attack through firewall        4       2
 2) Social engineering – steal a password / keystroke logger / shoulder surf        4       1
 3) Compromise domain controller – create ICS host or firewall account              4       2
 4) Attack exposed servers – SQL injection / DOS / buffer-overflow                  3       2
 5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows       4       2
 6) Session hijacking – MIM / steal HTTP cookies / command injection                3       2
 7) Piggy-back on VPN – split tunneling / malware propagation                       4       2
 8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns     3       2
 9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls      3       2
10) Forge an IP address – firewall rules are IP-based                               4       2
11) Bypass network perimeter – cabling / rogue wireless / dial-up                   1       1
12) Physical access to firewall – local admin / no passwd / modify hardware         3       2
13) Sneakernet – removable media / untrusted laptops                                1       1
Total Score:                                                                       41      23
Waterfall Secure / Emergency Bypass
● Temporary bypass of security perimeter
● Hardware enforced: relays connect and disconnect
● Variety of trigger mechanisms
● Deployed in parallel with Unidirectional GW:
  ● Emergency remote access: offshore platform evacuation
  ● Temporary remote access, controlled from the plant side
  ● Modular configuration with embedded PC: firewalled and whitelisted
“100% secure, 99% of the time” As secure as a firewall, rest of the time
Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
● Best Practice Award 2012, Industrial Network Security
● 2013 Oil & Gas Customer Value Enhancement Award
● IT and OT security architects should consider Waterfall for their operations networks
● Waterfall is key player in the cyber security market – 2010, 2011, & 2012
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
Waterfall’s expanded mission: replace ICS firewalls
Waterfall's Mission: Replace ICS Firewalls
● Waterfall’s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls
● Look for additional product announcements over the next 12 months
[Figure: the spectrum runs Routers, Firewalls, Unidirectional Security Gateways, Waterfall FLIP™, WF for BES Control Centers, Secure Bypass. Example deployments shown: Not For IT Security Networks; Substations, Offshore Platforms; Generation, BES Control Centers; Batch Processing, Refining; Water, Safety Systems]