Unidirectional Security, Andrew Ginter of Waterfall Security


This presentation reviews the spectrum of perimeter solutions based on unidirectional technology - solutions that are being deployed to protect the safety and reliability of industrial control systems. Learn why the technology is truly unidirectional based on physics and different ways it can be used in SCADA and DCS.

Many practitioners find parts of the spectrum to be counter-intuitive. Further, some parts of the spectrum are straightforward to deploy, and others require that practitioners take some care to ensure that the results really are as strong as they should be. Technologies and techniques covered include unidirectional gateways, secure bypass, temporary/programmed gateway reversals, opposing gateways, secure remote access, and parallel operations and IT WANs.

Transcript

  • 1. Unidirectional Security Gateways™. Digital Bond S4 2014. Unidirectional Security: Level 101. Andrew Ginter, VP Industrial Security, Waterfall Security Solutions. Proprietary Information -- Copyright © 2013 by Waterfall Security Solutions Ltd. 2014
  • 2. Safety, Reliability, Confidentiality
    Attribute            | Enterprise / IT                                        | Control System
    Scale                | Huge: 100,000's of devices                             | 100-500 devices per DCS
    Priority             | Confidentiality                                        | Safety and reliability
    Attack motive        | Data theft                                             | Sabotage
    Exposure             | Constant exposure to Internet content                  | Exposed to business network, not Internet
    Equipment lifecycle  | 3-5 years                                              | 10-20 years
    Security discipline  | Speed / aggressive change: stay ahead of the threats   | Security is an aspect of safety: Engineering Change Control (ECC)
    ICS will always have a "softer interior" than IT networks. Perimeter security will always be much more important for ICS.
  • 3. Attacking Firewalls at Critical Network Perimeters
    Score = attack success rate: 1 = Straightforward, 2 = Difficult, 3 = Extremely Difficult, 4 = Impossible (a higher score is better for the defender). UGW = Unidirectional Gateway, Fwall = firewall.
    #    Attack type                                                                          UGW  Fwall
    1)   Phishing / drive-by-download: victim pulls your attack through the firewall            4    2
    2)   Social engineering: steal a password / keystroke logger / shoulder surf                4    1
    3)   Compromise domain controller: create ICS host or firewall account                      4    2
    4)   Attack exposed servers: SQL injection / DoS / buffer overflow                          4    2
    5)   Attack exposed clients: compromised web servers / file servers / buffer overflows      4    2
    6)   Session hijacking: man-in-the-middle / steal HTTP cookies / command injection          4    2
    7)   Piggy-back on VPN: split tunneling / malware propagation                               4    2
    8)   Firewall vulnerabilities: bugs / zero-days / default passwords / design vulns          4    2
    9)   Errors and omissions: bad firewall rules/configs / IT reaches through firewalls        4    2
    10)  Forge an IP address: firewall rules are IP-based                                       4    2
    11)  Bypass network perimeter: cabling / rogue wireless / dial-up                           1    1
    12)  Physical access to firewall: local admin / no password / modify hardware               3    2
    13)  Sneakernet: removable media / untrusted laptops                                        1    1
         Total score                                                                           45   23
    Firewalls are too weak to deploy without compensating measures. (Photo: Red Tiger Security)
  • 4. Stronger Than Firewalls: A Spectrum of Solutions
    ●  Firewalls do not move data: they expose systems
    ●  Populating a spectrum of stronger-than-firewalls solutions
    Spectrum diagram, weakest to strongest, with example deployments: Routers (not for security) → Firewalls (IT networks) → Secure Bypass (offshore platforms) → FLIP (substations, batch processing, water, refining) → Secure In/Out Configurations (BES control centers) → Unidirectional Security Gateways (many: generation, safety systems)
  • 5. Secure IT/OT Integration with Historian Replication
    ●  Hardware-enforced unidirectional historian replication: new modular architecture
    ●  Replica historian contains all data and functionality of the original
    ●  Corporate workstations communicate only with the replica historian
    ●  Industrial network and critical assets are physically inaccessible from the corporate network and 100% secure from any online attack
    Diagram: Industrial network (PLCs, RTUs, Historian) → TX Agent Host → TX HW Module → RX HW Module → RX Agent Host → Replica Historian. Commands and responses stay on the industrial side; corporate workstations send queries to, and get responses from, the replica only.
  • 6. Unidirectional Communications: Under the Hood
    ●  No IP address on gateways or on the agent host NICs connected to gateways
    ●  Gateways exchange OSI layer 2 Ethernet broadcasts with agent hosts
    ●  Waterfall-format application data and metadata are carried in the layer 2 broadcasts
    ●  No IP addresses are communicated from inside the ESP (Electronic Security Perimeter) to outside
    ●  IP communications sessions terminate in the agent hosts
    Diagram: Control system network: IP query/select → TX Agent Host → (non-IP, non-routable) TX HW Module → RX HW Module → (non-IP) RX Agent Host → IP insert/update → Business network
  • 7. Secure OPC Replication
    ●  The OPC-DA protocol is complex: based on the DCOM object model, intensely bi-directional
    ●  TX agent is an OPC client; RX agent is an OPC server
    ●  The OPC protocol is used only within the production network and within the business network, never across the unidirectional gateways
    Diagram: Industrial network (PLCs, RTUs → OPC Server ⇄ OPC polls/responses ⇄ TX agent as OPC client) → unidirectional gateway → Corporate network (RX agent as OPC Server ⇄ OPC polls/responses ⇄ corporate OPC Client)
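    The two slides above describe the mechanism without showing what the agents actually have to do: the TX agent polls a source (historian or OPC server), packages records into address-free frames, and pushes them across a link that can never carry an acknowledgement; the RX agent rebuilds a replica from whatever arrives. The simulation below is an added example, not Waterfall code, and the frame layout (the "UDF1" marker, sequence number and CRC-32) is a hypothetical stand-in for the vendor's proprietary layer 2 format. The tag names and the link faults (one corrupted copy, one dropped record) are constructed for the demonstration. The point it makes is the one practitioners most often miss: with no return channel, reliability has to come from redundancy and receiver-side gap detection, because the receiver can detect a loss but cannot ask for a retransmit.

```python
"""Simulated unidirectional replication: TX agent -> one-way link -> RX agent.

Added example, not Waterfall code.  The frame format is a hypothetical
stand-in for the vendor's proprietary layer 2 format (assumption).
"""
import struct
import zlib

MAGIC = b"UDF1"                      # hypothetical frame marker (assumption)
HEADER = struct.Struct("!4sIHI")     # magic, seq, payload length, crc32 (14 bytes)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Wrap a payload with a sequence number and CRC.  Note what is absent:
    no source/destination address and no field the receiver could reply to."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(MAGIC, seq, len(payload), crc) + payload


def decode_frame(frame: bytes):
    """Return (seq, payload), or None for a truncated, foreign or corrupt frame."""
    if len(frame) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + length]
    if magic != MAGIC or len(payload) != length:
        return None
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        return None
    return seq, payload


class TxAgent:
    """Plays the OPC-client / historian-reader role.  With no ACKs possible,
    it sends every frame `redundancy` times to ride out single losses."""
    def __init__(self, redundancy: int = 2):
        self.seq = 0
        self.redundancy = redundancy

    def poll_and_send(self, tag: str, value: float, link: list):
        frame = encode_frame(self.seq, f"{tag}={value}".encode())
        for _ in range(self.redundancy):
            link.append(frame)
        self.seq += 1


class RxAgent:
    """Plays the OPC-server / replica-historian role on the far side."""
    def __init__(self):
        self.replica = {}       # tag -> latest value
        self.seen = set()       # sequence numbers already applied
        self.missing = set()    # gaps detected (loggable, not recoverable from here)
        self.corrupt = 0
        self.next_expected = 0

    def receive(self, frame: bytes):
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1           # bad CRC: discard, never "repair"
            return
        seq, payload = decoded
        if seq in self.seen:
            return                      # redundant copy of a frame we already have
        self.seen.add(seq)
        # Gap detection: the receiver can only record the loss and alert.
        for gap in range(self.next_expected, seq):
            self.missing.add(gap)
        self.missing.discard(seq)
        self.next_expected = max(self.next_expected, seq + 1)
        tag, value = payload.decode().split("=", 1)
        self.replica[tag] = float(value)


def run_demo() -> RxAgent:
    """Constructed scenario: four tag updates, one copy corrupted, one record
    lost on both copies.  Returns the receiver so the outcome can be inspected."""
    link, tx, rx = [], TxAgent(redundancy=2), RxAgent()
    samples = [("FIC101.PV", 42.0), ("TIC200.PV", 101.5),
               ("PIC300.PV", 7.25), ("LIC400.PV", 0.5)]     # constructed tags
    for tag, value in samples:
        tx.poll_and_send(tag, value, link)
    for i, frame in enumerate(link):
        seq = struct.unpack_from("!I", frame, 4)[0]
        if seq == 2:
            continue                                        # both copies lost
        if seq == 1 and i % 2 == 0:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # one copy corrupted
        rx.receive(frame)
    return rx


if __name__ == "__main__":
    rx = run_demo()
    print("replica:", rx.replica)
    print("missing seq:", sorted(rx.missing), "corrupt frames:", rx.corrupt)
```

    In the constructed run, seq 1 survives on its second copy and seq 2 is reported as missing; the replica holds three of the four tags. A production deployment would raise the redundancy or add forward error correction, and would treat a non-empty `missing` set as an operational alarm on the RX side.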
  • 8. Unidirectional Gateway Software
    Leading industrial applications / historians:
    ●  OSIsoft PI, PI AF, GE iHistorian, GE iFIX
    ●  Scientech R*Time, Instep eDNA, GE OSM
    ●  Siemens: WinCC, SINAUT/Spectrum
    ●  Emerson Ovation, Wonderware Historian
    ●  SQL Server, Oracle, MySQL, SAP
    ●  AspenTech, Matrikon Alert Manager
    Leading industrial protocols:
    ●  OPC: DA, HDA, A&E, UA
    ●  DNP3, ICCP, Modbus
    Remote access:
    ●  Remote Screen View™
    ●  Secure Bypass
    Leading IT monitoring applications:
    ●  Log transfer, SNMP, syslog
    ●  CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
    ●  HP ArcSight SIEM, McAfee ESM SIEM
    Other connectors:
    ●  UDP, TCP/IP
    ●  NTP, multicast Ethernet
    ●  Video/audio stream transfer
    ●  Mail server / mailbox replication
    ●  IBM MQ Series, Microsoft MSMQ
    File/folder mirroring:
    ●  Antivirus updater, patch (WSUS) updater
    ●  Folder and tree mirroring, remote folders (CIFS)
    ●  FTP/TFTP/SFTP/FTPS/RCP
    ●  Remote print server
  • 9. Most-Deployed Unidirectional ICS Hardware
    ●  Two appliances: transmitter and receiver as separate units
    ●  All-in-one: one box with "magic in the middle" (NERC CIP implications)
    ●  Dual-NIC: plug-in cards
    ●  Security issues: certification authorities are suspicious of all-in-one solutions, which provide insufficient electrical isolation
    ●  Look for a "positive" manufacturing process: one where functionality is designed in, rather than subtracted out
    Diagram: the three form factors, Two-Appliance, All-In-One and Dual-NIC
  • 10. Secure Remote Access: Remote Screen View
    ●  Vendors can see control system screens in a web browser
    ●  Remote support is under the control of on-site personnel
    ●  Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real time
    ●  Vendors supervise site personnel
    ●  Site people supervise the vendors
    Most common application: support by untrusted third parties
  • 11. Central Management: Segregated Operations Network
    ●  Operations WAN (green) separate from the corporate WAN
    ●  Unidirectional Gateways are the only path from operations to corporate: this breaks the infection / compromise path from the corporate WAN / Internet
    ●  Central operations staff have two workstations: one on the operations network and one on the corporate network
    ●  Conventional firewalls and other defenses are deployed to limit site-to-site threat propagation
    Safe, reliable, unidirectionally integrated WANs
  • 13. Waterfall FLIP™
    ●  A Unidirectional Gateway whose direction can be reversed, for:
       ●  Regular and randomized security updates and AV signatures
       ●  Chemicals / refining / mining / pharmaceuticals: batch instructions
       ●  Substations, pumping stations, remote unstaffed sites
    ●  Variety of triggering options
    ●  When "flipped", the incoming unidirectional gateway replicates servers: no TCP/IP, no remote control attacks
  • 14. Waterfall FLIP™: Normal Operation
    Diagram: Critical Network → Waterfall TX agent → TX Module → RX Module → Waterfall RX agent → External Network; the reverse-direction agents (external-side TX agent, critical-side RX agent) are idle
  • 15. Waterfall FLIP™: Reversed
    Diagram: External Network → Waterfall TX agent → TX Module → RX Module → Waterfall RX agent → Critical Network; the normal-direction agents are idle while the gateway is reversed
  • 16. FLIP: Stronger than Firewalls
    ●  Outbound data flows are absolutely secure; temporary inbound flows are the concern
    ●  Remote control is practically impossible: there are never inbound and outbound data flows simultaneously
    ●  Gateways replicate servers / terminate protocol sessions: no packets are forwarded
    ●  No TCP sessions are possible through the FLIP
    ●  Stronger than firewalls, stronger than removable media
    Stronger than firewalls: 100% secure 99+% of the time, and still stronger than a firewall the rest of the time
  • 17. FLIP for Substations
    ●  Designed for smaller, unstaffed sites
    ●  Contains the FLIP and two computers in one 1U Waterfall cabinet
    ●  A Unidirectional Gateway whose orientation "flips" occasionally, e.g.:
       ●  To allow a "RESET" command after a lightning strike
       ●  To allow occasional security updates or anti-virus updates
  • 19. Balancing Authority / Control Center Solution
    ●  Gateways send commands "out" to partner utilities; a second channel polls/reports data "in"
    ●  Multiply redundant: automatic at the site, manual fail-over between sites
    ●  Some ICCP reconfiguration is needed, because the channels are independent
  • 20. Beware "Opposing Diode" Solutions
    ●  Some vendors will tell you: "you need data back into your network? Of course, just drop another diode in, in the other direction"
    ●  E.g.: bridging diodes in + bridging diodes out = twisted-pair cable
    ●  E.g.: file server in + file server out = easy path for common viruses and targeted file-based malware
    ●  Key "opposing" design questions:
       ●  Can a TCP session be established?
       ●  Can an interactive remote control session be established?
       ●  Is one channel command and the other response? Or are they independent?
       ●  Does the solution forward protocol-level attacks? How "distant" are the opposing channels from one another?
    (Photo: pair of military-style bridging diodes)
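    Slides 16 and 20 both come down to two questions about a perimeter design: does it forward packets or terminate sessions and replicate servers, and can the inbound and outbound directions ever be live at the same time? The model below is an added example, not Waterfall code, and its links are simplified assumptions: a link has a boolean for packet forwarding and a schedule of live direction windows. It runs a TCP three-way handshake (SYN in, SYN-ACK out, ACK in) against four designs, including a hypothetical FLIP that does forward packets, to show that both properties matter. The FLIP schedule (one ten-minute inbound window per day, five-second quiesce either side) is constructed for the example, not a vendor setting. The "independent channels" question on slide 20 is a design review item the model does not capture.

```python
"""Perimeter link models: which designs let a TCP session or an interactive
round trip form?  Added example, not Waterfall code; links are simplified."""
import itertools


class PerimeterLink:
    """schedule: list of (start, end, direction) windows, direction "in"
    (external -> critical) or "out".  forwards_packets=False models agents
    that terminate sessions and replicate servers (no packet ever crosses)."""
    def __init__(self, name, forwards_packets, schedule):
        self.name = name
        self.forwards_packets = forwards_packets
        self.schedule = schedule

    def live(self, direction, t):
        return any(s <= t < e and d == direction for s, e, d in self.schedule)


def flip_schedule(days=2, period=86400, in_window=600, quiesce=5):
    """Constructed FLIP policy (assumption): outbound all day except one inbound
    window, with a quiesce gap so the two directions are never live together."""
    sched = []
    for k in range(days):
        base = k * period
        in_start = base + period - in_window - quiesce
        sched.append((base, in_start - quiesce, "out"))
        sched.append((in_start, in_start + in_window, "in"))
    return sched


def tcp_handshake(link, t0, timeout=60):
    """SYN in, SYN-ACK out, ACK in; each segment must cross as a packet and the
    whole exchange must finish within `timeout` seconds of t0."""
    t = t0
    for direction, flag in (("in", "SYN"), ("out", "SYN-ACK"), ("in", "ACK")):
        if not link.forwards_packets:
            return False, f"{flag} dropped: sessions terminate in agents, no packets forwarded"
        while not link.live(direction, t):
            t += 1
            if t - t0 > timeout:
                return False, f"{flag} timed out waiting for '{direction}' direction"
    return True, "session established"


def round_trip_timing_permits(link, max_gap):
    """Interactive control needs a command in and a response out closer together
    than max_gap, even at the application layer with no packet forwarding."""
    ins = [w for w in link.schedule if w[2] == "in"]
    outs = [w for w in link.schedule if w[2] == "out"]
    for (is_, ie, _), (os_, oe, _) in itertools.product(ins, outs):
        gap = max(os_ - ie, is_ - oe)      # negative when the windows overlap
        if gap < max_gap:
            return True
    return False


def windows_overlap(schedule):
    """True if any inbound window overlaps any outbound window."""
    ins = [(s, e) for s, e, d in schedule if d == "in"]
    outs = [(s, e) for s, e, d in schedule if d == "out"]
    return any(a < oe and os_ < b for a, b in ins for os_, oe in outs)


ALWAYS_BOTH = [(0, 10**9, "in"), (0, 10**9, "out")]
DESIGNS = {
    "firewall": PerimeterLink("firewall", True, ALWAYS_BOTH),
    "bridged opposing diodes": PerimeterLink("bridged opposing diodes", True, ALWAYS_BOTH),
    "opposing replicating gateways": PerimeterLink("opposing replicating gateways", False, ALWAYS_BOTH),
    "FLIP": PerimeterLink("FLIP", False, flip_schedule()),
}


def evaluate(link, t0=0):
    """Answer the slide-20 design questions this model can answer."""
    ok, why = tcp_handshake(link, t0)
    return {
        "tcp_session": ok,
        "round_trip_timing_permits": round_trip_timing_permits(link, max_gap=5),
        "in_out_windows_overlap": windows_overlap(link.schedule),
        "forwards_protocol_level_attacks": link.forwards_packets,
        "note": why,
    }


if __name__ == "__main__":
    for name, link in DESIGNS.items():
        print(f"{name:32s} {evaluate(link)}")
```

    The bridged opposing diodes score exactly like the firewall (session forms, protocol attacks forwarded), which is the "twisted-pair cable" point. Opposing replicating gateways block the session because no packet crosses, but the model flags that their two channels are live simultaneously, so the remaining question is whether command and response are coupled. The FLIP fails on both counts, and a hypothetical FLIP that forwarded packets would still fail the handshake because the SYN-ACK cannot return until the next reversal, long after any TCP timeout.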
  • 21. Opposing ICCP Gateway Security Analysis
    Same scale as slide 3: 1 = Straightforward, 2 = Difficult, 3 = Extremely Difficult, 4 = Impossible. 2xUGW = a pair of opposing Unidirectional Gateways, Fwall = firewall.
    #    Attack type                                                                          2xUGW  Fwall
    1)   Phishing / drive-by-download: victim pulls your attack through the firewall            4      2
    2)   Social engineering: steal a password / keystroke logger / shoulder surf                4      1
    3)   Compromise domain controller: create ICS host or firewall account                      4      2
    4)   Attack exposed servers: SQL injection / DoS / buffer overflow                          3      2
    5)   Attack exposed clients: compromised web servers / file servers / buffer overflows      4      2
    6)   Session hijacking: man-in-the-middle / steal HTTP cookies / command injection          3      2
    7)   Piggy-back on VPN: split tunneling / malware propagation                               4      2
    8)   Firewall vulnerabilities: bugs / zero-days / default passwords / design vulns          3      2
    9)   Errors and omissions: bad firewall rules/configs / IT reaches through firewalls        3      2
    10)  Forge an IP address: firewall rules are IP-based                                       4      2
    11)  Bypass network perimeter: cabling / rogue wireless / dial-up                           1      1
    12)  Physical access to firewall: local admin / no password / modify hardware               3      2
    13)  Sneakernet: removable media / untrusted laptops                                        1      1
         Total score                                                                           41     23
  • 23. Waterfall Secure / Emergency Bypass
    ●  Temporary bypass of the security perimeter
    ●  Hardware enforced: relays connect and disconnect
    ●  Variety of trigger mechanisms
    ●  Deployed in parallel with a Unidirectional Gateway:
       ●  Emergency remote access: offshore platform evacuation
       ●  Temporary remote access, controlled from the plant side
    ●  Modular configuration with embedded PC: firewalled and whitelisted
    "100% secure, 99% of the time"; as secure as a firewall the rest of the time
  • 24. Waterfall Security Solutions
    ●  Headquarters in Israel, sales and operations office in the USA
    ●  Hundreds of sites deployed in all critical infrastructure sectors
    ●  Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
    Awards and analyst quotes shown on the slide: Best Practice Award 2012, Industrial Network Security; 2013 Oil & Gas Customer Value Enhancement Award; "IT and OT security architects should consider Waterfall for their operations networks"; "Waterfall is a key player in the cyber security market" (2010, 2011 and 2012)
    Waterfall's expanded mission: replace ICS firewalls
  • 25. Waterfall's Mission: Replace ICS Firewalls
    ●  Waterfall's new mission: revolutionize ICS perimeter security with technologies stronger than firewalls
    ●  Look for additional product announcements over the next 12 months
    Spectrum diagram, weakest to strongest, with example deployments: Routers (not for security) → Firewalls (IT networks) → Secure Bypass (offshore platforms) → Waterfall FLIP™ (substations, batch processing, water, refining) → WF for BES Control Centers (BES control centers) → Unidirectional Security Gateways (generation, safety systems)