Waterfall Security Solutions Overview Q1 2012


  1. Utilizing Unidirectional Security Gateways to Achieve Cyber Security. January 2012, Israel. Danny Berko, Waterfall Security Solutions. © Copyright 2012 by Waterfall Security Solutions
  2. Today’s Agenda
     ● Waterfall Security Solutions Ltd. Introduction
     ● The Need: Protecting Critical National Infrastructure Facilities
     ● How threats impact us - threats scenarios
     ● Meeting threats - Cyber Security Best Practices
     ● Unidirectional Security Gateways™
     ● Use Cases
     ● Summary
  3. Waterfall Allows Information Flow from Protected Network to External Network with NO Return Path
     ● Industrial
     ● Business
     ● Protected Network
     ● External Network
  4. Waterfall Security Solutions Introduction
     ● Located in Israel, local office and subsidiary in NY, USA
     ● Product core developed in 2004 and evolving since
     ● US Patent 7,649,452
     ● Hundreds of installations in North America (USA and Canada), Europe, Israel and Asia
     ● Technology and Business Focus for SCADA Networks, Industrial Control networks, Utilities and Critical Infrastructures
     ● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens, Westinghouse, Nitro/McAfee and many more
     ● Tight and continuous relationships with relevant regulators and authorities
     ● First and Sole INL assessed solution
  5. Waterfall’s Unique Value Proposition
     ● What do we do:
       • Pioneer and Market Leader for Unidirectional Security Gateway Solutions.
       • We provide absolute security against any cyber attack from external networks into critical networks.
       • We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and connectivity to existing infrastructures, industrial applications and SCADA protocols.
     ● What makes Waterfall Security Solutions so unique:
       • Pike Research named Waterfall as key player in the cyber security market.
       • Robust, reliable, manageable, unidirectional security gateways.
       • Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture
       • Stronger than firewalls – no remote hacking to your industrial network
       • Assists in achieving compliance with NERC, NRC, CFATS and other relevant regulations
       • Installed base includes any industrial, critical or operational environment types
       • Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas, water, transportation, governmental and more.
  6. The Need: Protecting Critical National Infrastructure Facilities
  7. Protecting CNI from Threats
     Waterfall assists in avoiding cyber threats to CNIs
     ● Trivial threats or not as trivial
     ● Human errors, virus propagation
     ● “Boasting rights” hackers: targeted, amateur, resource-poor
     ● Anonymous attacks on HB Gary, MasterCard, PayPal, Sony
     ● Insiders: amateur, targeted, have credentials, positioned well for social engineering
     ● Organized crime: professional, opportunistic
     ● Botnets, identity theft, money laundering
     ● Nation-state militaries/intelligence agencies: professional, targeted, resource-rich
     ● Shady RAT, Night Dragon, Remote Administration Tools = remote control
     ● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment
     ● Traversed firewalls on connections “essential” to operation of control system
  8. Standard Hacking Skills Suffice
     ● Persistent, targeted attacks
     ● Facebook, LinkedIn homework
     ● Emailed PDF files
     ● High success rate
     ● Hacking skill sets
     ● Downloaded tools, recompiled to evade Anti-Virus
     ● Plant firewalls are no real barrier
     ● Remote control
     [Diagram labels: Internet, Firewall, Corporate Network, Firewall, Plant Network, Firewall, Control Network]
  9. The Threats are Real
  10. Stuxnet Worm
      ● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge uranium enrichment site
      ● Almost no evidence, but widespread speculation: authors were Israeli or US intelligence agencies, or militaries
      ● PLC code slows centrifuges down until they are ineffective, speeds them up to damage them, and changes rotation speed fast enough to destroy power supplies or centrifuges
      ● Estimates of between 200 and 5000 centrifuges damaged, out of inventory of 5000 units
      ● Stuxnet proved the concept.
  11. Threats scenarios that Waterfall addresses
  12. Main Threat Scenarios:
      ● Let’s focus on two main threat scenarios:
  13. Scenario I – Linking Critical and Business Networks
      The critical (operational, industrial) network is required to send real-time information to business/administrative networks
      ● Plant and production information
      ● Operational monitoring and status information
      ● Equipment usage, conditional monitoring, service levels for important customers, spare parts inventories, raw materials and finished goods inventories, etc.
      ● Alerts and events
      The business network is commonly connected to other networks, including the Internet
      Via these connections, attackers can gain access to the critical network and carry out remote, online attacks into it
  14. Scenario II – Remote Monitoring of Critical Networks
      ● A Control Center or Operations Center is remotely monitoring a critical network or equipment within it
      ● This can be a 3rd party vendor or service provider monitoring equipment for maintenance and service level
      ● The Control Center usually monitors many other networks, from other facilities and other countries
      ● Critical network now exposed to threats originating from each and every network which is monitored by this Control Center
      [Diagram labels: Internet/Public network, Central Monitoring Site]
  15. Meeting threats - Best Practices
  16. IT security “Best Practices”
      ● Firewalls
      ● Patching
      ● Anti-virus
      ● Host hardening
  17. IT/Software Based Security
      “What you must learn is that these rules are no different than the rules of a computer system. Some of them can be bent. Others can be broken. Understand?” (Morpheus; The Matrix, chapter 15)
  18. The Problem with Firewalls
      ● Firewalls make use of Code, OS and Configuration – all have breaches (misconfiguration/human errors)
      ● Viruses propagate across many VPN connections. You trust the users, but should you trust their workstations? Their cell phones?
      ● Keeping complex firewalls / VPNs secure is hard
        – Errors and omissions
        – Open/Close ports for illustrations, pilots and repairs
      ● Only “essential” connections allowed
      ● Insider attack from business network – with legitimate credentials
      ● Costly: procedures, training, management, log reviews, audits, assessments
      ● Prohibited by Regulation for Air Gap connectivity
  19. Waterfall One-Way™ Solution
  20. The Challenge
      ● Business Processes and plant data are too valuable not to use
      ● Critical decisions by key personnel while away…
      ● Vendors maintenance or critical intervention while not on premise…
      ● Process assets are too valuable to put at risk
      [Diagram labels: Internet, Firewall, Corporate Network, Plant Data, Plant Network]
  21. Unidirectional Security Gateway, an Innovative Solution
  22. Common (Insecure) Topology
      [Diagram labels: Industrial Network, Corporate Network, User’s Stations, Historian, PLCs, RTUs etc]
      ● Critical assets are located in the industrial network
      ● The corporate network is considered insecure and is usually connected to the Internet
      ● Corporate User’s stations are located in the corporate network
      ● The user’s stations communicate directly with the Historian at the industrial network
      ! The Industrial Network and critical assets are accessible from the corporate network and thus at risk.
  24. Waterfall Based (Secure) Topology
      [Diagram labels: Industrial Network (Historian, PLCs, RTUs etc, Waterfall TX agent), Waterfall TX appliance (Transmitter, Laser, Transmit Only), Waterfall RX appliance (Receiver, Photocell, Receive Only), Corporate Network (Waterfall RX agent, Replica Historian, User’s Stations); Hardware Based Unidirectional Security Gateway; Waterfall Unidirectional Gateway]
      ● The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian
      ● The Replica Historian contains all data and functionalities of the Historian
      ● The user’s stations communicate ONLY with the Replica Historian
      ● The Industrial Network and critical assets are physically inaccessible from the business network and thus 100% secure from any online attack
      ● Compliance with NERC, NRC, NIST and CFATS regulations – easily met
      ● The corporate users can continue to utilize the Historian data as they used to do before
  25. Use Cases
  26. Usage Scenarios – Supporting Any Need
      ● Replicating applications and historian systems
      ● Transferring SCADA protocols
      ● Integrated/Ref. Architecture
      ● Remote View and Remote Assistance
  27. Real-time Replication of Historian systems
  28. Real-time Transfer of SCADA protocols
  29. Integrated Use Case
      ● Production information replicated to corporate network via plant historian
      ● Security information routed to corporate SOC via embedded SIEM
      ● Remote vendor and IT support enabled via Remote Screen View
      ● Conventional firewall protects data confidentiality on corporate network
  30. Remote Monitoring and Remote Assistance
      ● Vendors can see control system screens in web browser
      ● Remote support is under control of on-site personnel
      ● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time
      ● Vendors feel they are supervising site personnel
      ● Site people feel they are supervising the vendors
  31. Industrial Grade Solution
      ● Waterfall Gateway is a critical mission “ready” solution
      ● High availability implemented in the hardware (dual NICs)
      ● Cluster support by the software
      ● Inherent archiving and elastic buffering
      ● Dual power supply
  32. Summary
  33. Waterfall One-Way™ selected list of connectors
      Leading Industrial Applications/Historians
      ● OSISoft PI, GE iHistorian, GE iFIX,
      ● Scientech R*Time, Instep eDNA, GE OSM,
      ● Siemens WinCC, SINAUT, Wonderware
      ● GE Bentley Nevada System One
      Leading IT Monitoring Applications
      ● SNMP, SYSLOG, CA Unicenter/SIM
      ● HP OpenView, Matrikon Alert Manager
      ● Areva Powerplex/Powertrax
      ● Westinghouse Beacon/WCMS/Log Transfer
      File/Folder Mirroring
      ● Folder, tree mirroring, remote folders (CIFS)
      ● FTP/FTFP/SFTP/TFPS/RCP
      Remote Screen View
      Leading Industrial Protocols
      ● Modbus, OPC (DA, HDA, A&E)
      ● DNP3, ICCP
      IT connectors
      ● Database (SQL) Replication
      ● NTP, Multicast Ethernet, Rsync
      ● Video/Audio stream transfer
      ● Mail server/mail box replication
      ● IBM Websphere MQ, MSMQ, Tibco EMS
      ● Antivirus updater, patch (WSUS) updater
      ● Remote Print server
      ● UDP, TCP/IP
  34. Cost Recovery
      ● Most sites report 12-24 months cost recovery:
      ● Reduced firewall management costs
      ● Reduced DMZ equipment management costs
      ● Reduced audit and compliance documentation costs
      ● Reduced remote access training costs
      ● Reduced remote access management costs
  35. Regulation and Authorities Recognition
      ● Selected by US Department of Homeland Security, for its National Cyber Security Test-bed.
      ● Waterfall gateways first and sole to be assessed by Idaho National Labs
      ● No side channels, no back channels
      ● No “acknowledgement channel” which advanced adversaries can turn into a remote-control-command back-channel
      ● Two appliances mean no shared grounds, no shared power, or other shared components which can make back-channels difficult to identify
  36. Waterfall Security Solution Differentiators
      ● Unidirectional Security Gateway™ - provides a full solution, out of the box
      ● 100% protection from remote hacking into your industrial network
      ● US Patent covering SCADA/Control Networks security
      ● Designed and built to meet Critical Infrastructure and Utilities needs
      ● Off the shelf integral support for Historians, SCADA protocols, file transfers, streaming. Strategic partnership and cooperation with leading industrial vendors
      ● Enables compliance with NERC-CIP, NIST 800.53 and 800.82, RG 5.71
      ● Pike Research named Waterfall as key player in the cyber security market
      ● Worldwide installations for industrial, critical and operational environments
      ● Host hardware invariance and compatibility
      ● Unique High Availability, 1GB support and Many-to-One architecture support
  37. Hundreds of Installations Worldwide
  38. Questions? THANK YOU!
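
Slides 24 and 35 describe replicating a historian through a link with no return path and no acknowledgement channel. The sketch below is an added illustration, not Waterfall's implementation and not part of the original deck, of what that constraint means for a replication protocol: the sender cannot learn about loss, so it numbers, checksums and repeats frames, and the receiver can only deduplicate and record gaps. The frame layout, repeat count, function names and sample tags are all assumptions made for this example.

```python
import json
import struct
import zlib

def tx_frames(records, repeat=2):
    """TX side: frame = 4-byte sequence number + 4-byte CRC32 + JSON payload.
    Each frame is sent `repeat` times, since loss can never be reported back."""
    for seq, record in enumerate(records):
        payload = json.dumps(record, sort_keys=True).encode()
        frame = struct.pack("!II", seq, zlib.crc32(payload)) + payload
        for _ in range(repeat):
            yield frame

class RxReplica:
    """RX side: rebuilds the replica from whatever arrives and never replies."""
    def __init__(self):
        self.records = {}  # sequence number -> record
        self.rejected = 0  # frames discarded as truncated or corrupt

    def receive(self, frame):
        if len(frame) < 8:
            self.rejected += 1
            return
        seq, crc = struct.unpack("!II", frame[:8])
        payload = frame[8:]
        if zlib.crc32(payload) != crc:
            self.rejected += 1
            return
        self.records.setdefault(seq, json.loads(payload))  # duplicate copies ignored

    def gaps(self):
        """Sequence numbers lost for good; the receiver can only alarm locally."""
        top = max(self.records, default=-1)
        return [s for s in range(top + 1) if s not in self.records]

def one_way_link(frames, drop=(), corrupt=()):
    """Constructed lossy link: drop or bit-flip frames by position in the stream."""
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        yield frame[:-1] + bytes([frame[-1] ^ 1]) if i in corrupt else frame

def replicate(records, drop=(), corrupt=()):
    rx = RxReplica()
    for frame in one_way_link(tx_frames(records), drop, corrupt):
        rx.receive(frame)
    return rx

# Constructed historian samples (tag names and values are made up).
SAMPLES = [{"tag": "PUMP1.FLOW", "t": i, "v": 40.0 + i} for i in range(4)]
```

Loss of the final records in a stream shows up in `gaps()` only once a later sequence number arrives, which is one reason one-way feeds are usually continuous or carry periodic heartbeat frames.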
