Unidirectional Security, Andrew Ginter of Waterfall Security

UNIDIRECTIONAL SECURITY GATEWAYS™

Digital Bond 2014 S4

Unidirectional Security: Level 101
Andrew Ginter
VP Industrial Security
Waterfall Security Solutions
Proprietary Information -- Copyright © 2013 by Waterfall Security Solutions Ltd.

2014

Safety, Reliability, Confidentiality
Attribute

Enterprise / IT

Control System

Scale

Huge – 100,000’s of devices

100-500 devices per DCS

Priority

Confidentiality

Safety and reliability

Attack Motive

Data Theft

Sabotage

Exposure

Constant exposure to Internet
content

Exposed to business network,
not Internet

Equipment
lifecycle

3-5 years

10-20 years

Security
discipline:

Speed / aggressive change –
stay ahead of the threats

Security is an aspect of
safety - Engineering
Change Control (ECC)

ICS will always have a “softer interior” than IT networks.
Perimeter security will always be much more important for ICS
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions

2

Attacking Firewalls at Critical Network Perimeters
Attack Type

UGW

Fwall

1) Phishing / drive-by-download – victim pulls your attack through firewall

4

2

2) Social engineering – steal a password / keystroke logger / shoulder surf

4

1

3) Compromise domain controller – create ICS host or firewall account

4

2

4) Attack exposed servers – SQL injection / DOS / buffer-overflowd

4

2

5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows

4

2

6) Session hijacking – MIM / steal HTTP cookies / command injection

4

2

7) Piggy-back on VPN – split tunneling / malware propagation

4

2

8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns

4

2

9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls

4

2

10) Forge an IP address – firewall rules are IP-based

4

2

11) Bypass network perimeter – cabling/ rogue wireless / dial-up

1

1

12) Physical access to firewall – local admin / no passwd / modify hardware

3

2

13) Sneakernet – removable media / untrusted laptops

1

1

45

23

Total Score:

Attack Success
Rate:

Impossible

Extremely
Difficult

Photo: Red Tiger Security

StraightForward

Difficult

Firewalls are too weak to deploy without compensating measures

3

Stronger Than Firewalls: A Spectrum of Solutions
●  Firewalls do not move data – they expose systems
●  Populating a spectrum of stronger-than-firewalls solutions

Examples:
Not For
IT
Security Networks

Routers

Firewalls

Offshore
Platforms

Secure
Bypass

Many:
Substations,
Generation,
BES Control Batch Processing,
Water,
Centers
Refining
Safety Systems

Secure In/Out
Configurations


FLIP

Unidirectional
Security
Gateways
4

Secure IT/OT Integration with Historian Replication
●  Hardware-enforced unidirectional historian replication – new modular
architecture
●  Replica historian contains all data and functionality of original
●  Corporate workstations communicate only with replica historian
●  Industrial network and critical assets are physically inaccessible from
corporate network & 100% secure from any online attack
Industrial Network
Historian

Corporate Network

Queries,
Responses

RX
Agent
Host

TX HW
Module

PLCs
RTUs

TX
Agent
Host

Workstations

Replica
Historian

RX HW
Module


Commands,
Responses

5

Unidirectional Communications: Under the Hood
● 
● 
● 
● 
● 

No IP address on gateways or agent host NICs connected to gateways
Gateways exchange OSI layer 2 Ethernet broadcasts with agent hosts
Waterfall-format application data and metadata in layer 2 broadcasts
No IP addresses communicated from inside ESP to outside
IP communications sessions terminate in agent hosts
Business Network

Control System Network
IP
Query/
Select

TX
Agent
Host

TX HW
Module

Non
Routable

Non-IP


RX HW
Module

RX
Agent
Host

Non-IP

6

IP
Insert/
Update

Secure OPC Replication
●  OPC-DA protocol is complex: based on DCOM object model – intensely
bi-directional
●  TX agent is OPC client. RX agent is OPC server
●  OPC protocol is used only in production network, and business network,
but not across unidirectional gateways

Industrial Network
OPC Server

PLCs
RTUs

Corporate Network
OPC
Client

OPC Polls,
Responses


OPC
Server

OPC Polls,
Responses

7

Unidirectional Gateway Software
Leading Industrial Applications/Historians
●  OSIsoft PI, PI AF, GE iHistorian, GE iFIX
●  Scientech R*Time, Instep eDNA, GE OSM
●  Siemens: WinCC, SINAUT/Spectrum
●  Emerson Ovation, Wonderware Historian
●  SQLServer, Oracle, MySQL, SAP
●  AspenTech, Matrikon Alert Manager

Leading Industrial Protocols
●  OPC: DA, HDA, A&E, UA
●  DNP3, ICCP, Modbus
Remote Access
●  Remote Screen View™
●  Secure Bypass

Leading IT Monitoring Applications
●  Log Transfer, SNMP, SYSLOG
●  CA Unicenter, CA SIM, HP OpenView,
IBM Tivoli
●  HP ArcSight SIEM , McAfee ESM SIEM

Other connectors
●  UDP, TCP/IP
●  NTP, Multicast Ethernet
●  Video/Audio stream transfer
●  Mail server/mail box replication
●  IBM MQ series, Microsoft MSMQ
File/Folder Mirroring
●  Antivirus updater, patch (WSUS)
●  Folder, tree mirroring, remote folders (CIFS)
updater
●  FTP/FTFP/SFTP/TFPS/RCP
●  Remote print server

8

Most-Deployed Unidirectional ICS Hardware
●  Two appliances: transmitter & receiver as separate units
●  All-in-one: one box with “magic in the middle” – NERC-CIP
implications
●  Dual-NIC: plug-in cards
Two-Appliance
●  Security issues:
●  Certification authorities suspicious
All-In-One
of all-in-one solutions – insufficient
electrical isolation
Dual-NIC
●  Look for a “positive” manufacturing
process – one where functionality is
designed-in, rather than
subtracted-out


9

Secure Remote Access: Remote Screen View
●  Vendors can see control system screens in web browser
●  Remote support is under control of on-site personnel
●  Any changes to software or devices are carried out by on-site
personnel, supervised by vendor personnel who can see site screens
in real-time
●  Vendors supervise
site personnel
●  Site people supervise
the vendors

Most common application:
support by untrusted third
parties

10

Central Management: Segregated Operations Network
●  Operations WAN (green) separate from corporate WAN
●  Unidirectional Gateways are only path from operations to corporate –
breaks infection / compromise path from corporate WAN / Internet
●  Central operations staff have two workstations:
one on operations network, and one on
corporate network
●  Conventional firewalls and other defenses
deployed to limit site to site
threat propagation

Safe, reliable,
unidirectionallyintegrated WANs

11


Examples:
Not For
IT
Security Networks

Routers

Firewalls

Offshore
Platforms

Secure
Bypass

Many:
Substations,
Generation,
Water,
Centers
Refining
Safety Systems

Secure In/Out
Configurations


FLIP

Unidirectional
Security
Gateways
12

Waterfall FLIP™
●  Unidirectional Gateway whose direction can be reversed:
●  Regular and randomized security updates & AV signatures
●  Chemicals / refining / mining / pharmaceuticals: batch instructions
●  Substations, pumping stations, remote, unstaffed sites
●  Variety of triggering options
●  When ‘flipped’ – incoming unidirectional gateway replicates servers:
no TCP/IP, no remote control attacks


13

Waterfall Flip™ - Normal Operation

Waterfall
TX agent

Critical Network

TX Module

Waterfall
RX agent

RX Module

Waterfall
TX agent

Waterfall
RX agent

External Network


14

Waterfall Flip™ - Reversed

Waterfall
TX agent

Critical Network

TX Module

Waterfall
RX agent

RX Module

Waterfall
TX agent

Waterfall
RX agent

External Network


15

FLIP: Stronger than Firewalls
●  Outbound data flows are absolutely secure – temporary in-bound
flows are the concern
●  Remote control is practically impossible – there are never in-bound
and out-bound data flows simultaneously
●  Gateways replicate servers / terminate protocol sessions – no packets
forwarded
●  No TCP sessions are possible through the FLIP
●  Stronger than firewalls, stronger than
removable media

Stronger than firewalls: 100% secure
99+% of the time. Still stronger than a
firewall the rest of the time

16

FLIP for Substations
●  Designed for smaller, un-staffed sites
●  Contains the ‘FLIP’ and two computers in one
1U Waterfall Cabinet
●  Unidirectional Gateway whose orientation “flips” occasionally
●  Eg:
●  To allow “RESET” command after lightning strike
●  To allow occasional security updates or anti-virus updates


17


Examples:
Not For
IT
Security Networks

Routers

Firewalls

Offshore
Platforms

Secure
Bypass

Many:
Substations,
Generation,
Water,
Centers
Refining
Safety Systems

Secure In/Out
Configurations


FLIP

Unidirectional
Security
Gateways
18

Balancing Authority / Control Center Solution
●  Gateways send commands “out” to partner utilities. Second channel
polls/reports data “in”
●  Multiply redundant – automatic at site, manual fail-over between sites
●  Some ICCP reconfiguration needed – channels are independent


19

Beware "Opposing Diode" Solutions
●  Some vendors will tell you “you need data back into your network? Of
course – just drop another diode in, in the other direction”
●  Eg: bridging diodes in + bridging diodes out = twisted-pair cable
●  Eg: file server in + file server out = easy path for common viruses and
targeted file-based malware
●  Key “opposing” design questions:
●  Can TCP session be established?
●  Can interactive remote control session be established?
●  Is one channel command and other response? Or independent?
Pair of military-style
bridging diodes
●  Does solution forward protocollevel attacks?

How “distant” are the opposing
channels from one another?

20

Opposing ICCP Gateway Security Analysis
Attack Type

2xUGW

Fwall

1) Phishing / drive-by-download – victim pulls your attack through firewall

4

2

2) Social engineering – steal a password / keystroke logger / shoulder surf

4

1

3) Compromise domain controller – create ICS host or firewall account

4

2

4) Attack exposed servers – SQL injection / DOS / buffer-overflow

3

2

5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows

4

2

6) Session hijacking – MIM / steal HTTP cookies / command injection

3

2

7) Piggy-back on VPN – split tunneling / malware propagation

4

2

8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns

3

2

9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls

3

2

10) Forge an IP address – firewall rules are IP-based

4

2

11) Bypass network perimeter – cabling/ rogue wireless / dial-up

1

1

12) Physical access to firewall – local admin / no passwd / modify hardware

3

2

13) Sneakernet – removable media / untrusted laptops

1

1

41

23

Total Score:
Attack
Success Rate:

Impossible

Extremely
Difficult


StraightForward

Difficult
21


Examples:
Not For
IT
Security Networks

Routers

Firewalls

Offshore
Platforms

Secure
Bypass

Many:
Substations,
Generation,
Water,
Centers
Refining
Safety Systems

Secure In/Out
Configurations


FLIP

Unidirectional
Security
Gateways
22

Waterfall Secure / Emergency Bypass
●  Temporary bypass of security perimeter
●  Hardware enforced: relays connect and
disconnect
●  Variety of trigger mechanisms
●  Deployed in parallel with Unidirectional GW:
●  Emergency remote access: offshore
platform evacuation
●  Temporary remote access, controlled
from the plant side
●  Modular configuration with embedded PC:
firewalled and whitelisted

“100% secure, 99% of the time”
As secure as a firewall, rest of the time

23

Waterfall Security Solutions
●  Headquarters in Israel, sales and operations office in the USA
●  Hundreds of sites deployed in all critical infrastructure sectors
Best Practice Award 2012, Industrial Network Security
2013 Oil & Gas Customer Value Enhancement Award
IT and OT security architects should consider Waterfall
for their operations networks
Waterfall is key player in the cyber security market –
2010, 2011, & 2012
●  Strategic partnership agreements /
cooperation with: OSIsoft, GE, Siemens,
and many other major industrial vendors

Waterfall’s expanded mission:
replace ICS firewalls

24

Waterfall's Mission: Replace ICS Firewalls
●  Waterfall’s new mission: revolutionize ICS perimeter security with
technologies stronger than firewalls
●  Look for additional product announcements over the next 12 months
Not For
IT
Security Networks

Routers

Firewalls

Offshore
Platforms

Secure
Bypass

Substations,
Generation,
Water,
Centers
Refining,
Safety Systems

WF for BES
Control
Centers


Waterfall
FLIPTM

25

Unidirectional
Security
Gateways

Unidirectional Security, Andrew Ginter of Waterfall Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (15)

Similar to Unidirectional Security, Andrew Ginter of Waterfall Security

Similar to Unidirectional Security, Andrew Ginter of Waterfall Security (20)

More from Digital Bond

More from Digital Bond (20)

Recently uploaded

Recently uploaded (20)

Unidirectional Security, Andrew Ginter of Waterfall Security