Post on 14-Feb-2021
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions
UNIDIRECTIONAL SECURITY GATEWAYS™
2014
Protecting Safety and Reliability
Colin Blou, VP Sales, Waterfall Security Solutions
Advanced threats require advanced defenses
Unidirectional Security Gateways
[Diagram: Industrial Network; Waterfall TX Server; Waterfall TX Module; Waterfall RX Module; Waterfall RX Server; Corporate Network]
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Absolute protection against online attacks from external networks
Industrial Network Connectivity: Drivers and Risks
● Predictive maintenance: crew scheduling, HR integration, spare parts inventories and ordering
● Just-in-time manufacturing, real-time inventories, batch records, LIMS integration, production planning, SAP/ERP integration
● Centralized support: more effective use of skilled personnel, critical mass of current experts next decade’s experts
● But industrial network connects to business network, which connects to Internet & other networks
These connections let attackers target critical network with remote, online attacks
Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them.
How Secure are Firewalls Really?
Photo: Red Tiger Security
Attack Success Rate:
Impossible Routine Easy
Attack Type UGW Fwall
1) Phishing / drive-by-download – victim pulls your attack through firewall
2) Social engineering – steal a password / keystroke logger / shoulder surf
3) Compromise domain controller – create ICS host or firewall account
4) Attack exposed servers – SQL injection / DOS / buffer-overflow
5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows
6) Session hijacking – MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN – split tunneling / malware propagation
8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns
9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls
10) Forge an IP address – firewall rules are IP-based
http://www.telegraph.co.uk/sponsored/business/sme-home/11241249/improve-cyber-security.html
Going Phishing…
Attack Pattern #3 – Persistent, Targeted Attacks
● Use “spear phishing” to punch through corporate firewalls
● Use custom malware to evade anti-virus
● Operate malware by interactive remote control
● Steal administrator passwords / password hashes
● Create new administrator accounts on domain controller
● Use new accounts to log in – no need to “break in” any more – defeats software update programs
Bypasses standard IT security controls: firewalls, encryption, AV, security updates
Central Monitoring Site
Emerging Threat: Remote Monitoring and Diagnostics
● Control system / equipment / turbine vendor site “monitors” many customer sites, in many countries
● “Cloud” vendor site configured for “occasional” remote control
● Industrial network exposed to attack from central site and from other customers / countries
● Remote control attacks, virus propagation
Vendor connection bypasses corporate security protections
Industrial network is completely dependent on vendor security
Historian Replication With Unidirectional Gateways
[Diagram: Unidirectional Historian replication. Industrial Network: PLCs, RTUs, Historian Server, Waterfall TX agent, Waterfall TX Module. Corporate Network: Waterfall RX Module, Waterfall RX agent, Replica Server, Workstations.]
● Hardware-enforced unidirectional server replication
● Replica server contains all data and functionality of original
● Corporate workstations communicate only with replica server
● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
Secure OPC Replication
● OPC-DA protocol is complex: based on DCOM object model – intensely bi-directional
● TX agent is OPC client. RX agent is OPC server
● OPC protocol is used only in production network, and business network, but not across unidirectional gateways
[Diagram: Industrial Network: PLCs, RTUs, OPC Server, TX agent / OPC Client, Waterfall TX Module. Corporate Network: Waterfall RX Module, RX agent / OPC Server, Corporate Historian, Workstations. OPC is used on each side of the gateway.]
Leading Industrial Applications/Historians
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC/SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQLServer, Oracle, MySQL, Postgres, SAP
● AspenTech IP21, Matrikon Alert Manager
● Schneider ClearSCADA
Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
● HP ArcSight SIEM, McAfee ESM SIEM
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTFP/SFTP/TFPS/RCP
Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus
● GENA, IEC 60870-5-104, IEC 61850
Remote Access
● Remote Screen View™
● Secure Bypass
Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM MQ series, Microsoft MSMQ
● Antivirus updater, patch (WSUS) updater
● Remote print server
Waterfall Unidirectional Gateway Connectors
World’s largest collection of COTS industrial server replications
Select Customers
Waterfall FLIP™
● Unidirectional Gateway whose direction can be reversed:
● Water systems: periodic security updates & anti-virus signatures
● Remote unstaffed sites: substations, pumping stations
● Chemicals / refining / mining / pharmaceuticals: batch instructions
● Trigger: button / key, schedule
● Stronger than firewalls, stronger than removable media
The FLIP is a Unidirectional Gateway that can “flip over”
FLIP - Normal Operation
[Diagram: Critical Network; External Network; TX Module; RX Module; Controller; Waterfall TX agents; Waterfall RX agents]
FLIP - Reversed
[Diagram: Critical Network; External Network; TX Module; RX Module; Controller; Waterfall TX agents; Waterfall RX agents]
FLIP: Stronger than Firewalls
● The FLIP is a Unidirectional Security Gateway – it can never be bi-directional
● The FLIP prevents interactive remote control – it can not FLIP fast enough to permit Remote Desktop or interactive SSH sessions
● Trigger mechanism cannot be subverted by network attacks
● Firewalls forward messages, the FLIP & Gateways do not
● No protocol-level attacks pass through – no fuzzing/buffer overflows. All communications sessions terminate in agent hosts.
FLIP: Stronger than firewalls
Evolving Best Practices – Unidirectional Gateways
NERC CIP exempts unidirectionally-protected sites from over 35% of requirements
DHS recommends unidirectional gateways in security assessments (ICS CERT)
NRC & NEI exempts unidirectionally-protected sites from 21 of 26 cyber-perimeter rules
Unidirectional gateways – limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)
ENISA - unidirectional gateways provide better protection than firewalls
ANSSI Cybersecurity for ICS – many requirements for hardware-enforced unidirectionality
Waterfall's Mission: Replace ICS Firewalls
● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
● Enables safe IT/OT integration, remote services, industrial cloud
[Diagram: Products: Routers; Firewalls; Secure Bypass; Secure Inbound / Outbound; Waterfall FLIP™; Unidirectional Security Gateways. Applications: Not For Security; IT Networks; Offshore Platforms; BES Control Centers; Substations, Batch Processing, Refining; Generation, Primary Production, Safety Systems.]
● Headquarters in Israel, sales and operations office in the USA
● Deployed world-wide in all critical infrastructure sectors
2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
IT and OT security architects should consider Waterfall for their operations networks
Waterfall is key player in the cyber security market – 2010, 2011, & 2012
● Only unidirectional technology on US Department of Homeland Security’s National SCADA Security Test Bed, and Japanese CSSC Test Bed
Waterfall Security Solutions
● Only unidirectional technology with cyber security assessment by Idaho National Laboratories
● Certified Common Criteria EAL4+ (High Attack Potential)
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors
● Recognized as an industrial cyber-security best-practice by DHS, NERC CIP, NRC, industry analysts & leading industrial cyber-security experts
Market leader for unidirectional server replication in industrial environments
Waterfall Product Accreditations
Secure Application Integration
● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks
● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
● Costs: reduces security operating costs – improves security and saves money in the long run
“Waterfall’s unique solutions have the potential to be the industry’s next game changing standard”
Market leader for stronger-than-firewalls solutions for industrial control systems
Details
Data Integrity
● High quality optical hardware
● Forward error correcting codes
● Able to send every message multiple times – duplicates discarded
● Sequence numbers, heartbeats – prompt error detection
● Throughput tuning
● Buffers at every stage of transmission
● Backfill: manual retransmission
● High availability – no single point of failure impairs data movement
● Automatic, periodic backfill
In practice, less than 5% of users purchase high-availability
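The receiver on a one-way link cannot request a resend, so integrity rests on the repeat-send, duplicate-discard and sequence-number measures listed above. The following is an added example, not Waterfall code: the frame format, the `REPEAT` value, the tag names and the use of CRC32 for error detection (in place of forward error correction) are all assumptions made for illustration.

```python
import json
import zlib

REPEAT = 3  # assumption: every frame is transmitted this many times
SAMPLE = [{"tag": "FT-101", "value": v} for v in (12.5, 12.7, 12.9, 13.1)]  # constructed

def encode_frame(seq, payload):
    """Serialise one frame: sequence number and payload, then CRC32 of both."""
    body = json.dumps({"seq": seq, "data": payload}, sort_keys=True).encode()
    return body + b"|" + format(zlib.crc32(body), "08x").encode()

def tx_stream(readings, repeat=REPEAT):
    """TX side: number each reading and emit its frame `repeat` times."""
    for seq, payload in enumerate(readings, start=1):
        frame = encode_frame(seq, payload)
        for _ in range(repeat):
            yield frame

class RxAgent:
    """RX side: no return path, so it can only verify, dedupe and log gaps."""

    def __init__(self):
        self.delivered = []   # payloads accepted, in arrival order
        self.seen = set()     # sequence numbers already accepted
        self.corrupt = 0      # frames dropped on checksum failure

    def receive(self, frame):
        body, _, crc = frame.rpartition(b"|")
        if format(zlib.crc32(body), "08x").encode() != crc:
            self.corrupt += 1  # cannot ask for a resend: drop and count
            return
        msg = json.loads(body)
        if msg["seq"] in self.seen:
            return             # duplicate produced by the repeat-send scheme
        self.seen.add(msg["seq"])
        self.delivered.append(msg["data"])

    def missing(self):
        """Sequence numbers never received: the candidates for backfill."""
        return sorted(set(range(1, max(self.seen, default=0) + 1)) - self.seen)

def simulate(readings, drop, corrupt):
    """Run TX -> lossy one-way link -> RX; `drop`/`corrupt` index wire frames."""
    rx = RxAgent()
    for i, frame in enumerate(tx_stream(readings)):
        if i in drop:
            continue
        rx.receive(b"X" + frame[1:] if i in corrupt else frame)
    return rx
```

A loss at the tail of the stream is invisible to `missing()` until a later frame arrives, which is the gap that periodic heartbeats close.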
Remote Screen View
● Vendors can see control system screens in web browser
● Remote support is under control of on-site personnel
● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time
● Vendors supervise site personnel
● Site people supervise the vendors
Each perspective is legitimate, both needs are met
Use Case: In/Out Gateways for Balancing Authority
● BA sends ICCP setpoints to partner utilities every 2 seconds + polls utilities for ICCP data every 2 seconds
● Independent channels – not command/response channels
● Each channel replicates one or more ICCP servers
● Multiply redundant – automatic at site, manual fail-over between sites
● Minimal ICCP reconfiguration needed
Inbound + Outbound: Stronger than Firewalls
● Multiple computers/layers of protection must all be compromised, rather than just one layer in the firewall
● TX Agents are clients. They do not forward messages. They ask for data and forward the answers/data
● No protocol-level attacks pass through – no fuzzing/buffer overflows. All communications / TCP / ICCP sessions terminate in agent hosts
● Targeted / persistent attacks are “flying blind” – targeted attack requires insider assistance
Inbound / outbound gateways do not forward packets or filter packets, they forward data
Perimeter Security Attack Tree Analysis
Attack Success Rate: Impossible / Extremely Difficult / Difficult / Straight-Forward
Attack Type | BES CC | Fwall
1) Phishing / drive-by-download – victim pulls your attack through firewall | 4 | 2
2) Social engineering – steal a password / keystroke logger / shoulder surf | 4 | 1
3) Compromise domain controller – create ICS host or firewall account | 4 | 2
4) Attack exposed servers – SQL injection / DOS / buffer-overflow | 3 | 2
5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows | 4 | 2
6) Session hijacking – MIM / steal HTTP cookies / command injection | 3 | 2
7) Piggy-back on VPN – split tunneling / malware propagation | 4 | 2
8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns | 3 | 2
9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls | 3 | 2
10) Forge an IP address – firewall rules are IP-based | 4 | 2
11) Bypass network perimeter – cabling/ rogue wireless / dial-up | 1 | 1
12) Physical access to firewall – local admin / no passwd / modify hardware | 3 | 2
13) Sneakernet – removable media / untrusted laptops | 1 | 1
Total Score: | 41 | 23
Waterfall Secure/Emergency Bypass
● Temporary / emergency bypass of cyber-security perimeter
● Hardware enforced: relays physically connect and disconnect copper cables
● Automatically disconnects again after programmable interval
● Triggered by pressing physical button or turning physical key, or on schedule
100% secure, > 99% of the time
As secure as a firewall when activated
Waterfall Secure/Emergency Bypass
● Deployed in parallel with Unidirectional GW:
● Emergency remote access: plant is down
● Temporary remote access, controlled from the plant side – turbine vendors
Central Management: Segregated Operations Network
● Operations WAN (green) separate from corporate WAN
● Unidirectional Gateways are only path from operations to corporate – breaks infection / compromise path from corporate WAN / Internet
● Central operations staff have two workstations: one on operations network, and one on corporate network
● Conventional firewalls and other defenses deployed to limit site to site threat propagation
Isolated, yet still centrally managed
Offshore Platforms
● Strong security: Unidirectional Security Gateways
● Wonderware Historian -> OPC -> PI Server unidirectional data replication: integrating different vendors’ historians
● Platform PI data from all platforms aggregated to corporate PI server