How Security can be stronger than a Firewall: 13 different ways breaking through firewalls

UNIDIRECTIONAL SECURITY GATEWAYS™

1st Ibero-American Industrial Cybersecurity Congress
How Security Can Be Stronger Than a Firewall
13 Different Ways Breaking Through Firewalls
Andrew Ginter
VP Industrial Security
Waterfall Security Solutions
Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd.
-- Copyright © 2013 by Waterfall Security Solutions Ltd.

2013

Industrial Security Priorities

Proprietary Information -- Copyright © 2013 by Waterfall Security Solutions

2

Safety, Reliability, Confidentiality
Attribute

Enterprise / IT

Control System

Scale

Huge – 100,000’s of devices

100-500 devices per DCS

Priority

Confidentiality

Safety and reliability

Target

Data Theft

Sabotage

Exposure

Constant exposure to Internet
content

Exposed to business network,
not Internet

Equipment
lifecycle

3-5 years

10-20 years

Security
discipline:

Speed / aggressive change –
stay ahead of the threats

Security is an aspect of
safety - Engineering
Change Control (ECC)

Most IT controls are not appropriate. You manage IT and ICS
networks differently

3

Elephants in the Room
● Plain text communication protocols – at least for local / DCS
communications
● Anti-virus / constant change is hard – many sites limit use of AV
● Security updates / constant change is worse
● Vulnerable designs / components: 100,000 vulnerabilities
● Old equipment – will anyone sell you anti-virus signatures for
Windows 2000?
● Timing, network traffic and other sensitivities

Industrial sites deploy compensating
measures such as physical security
and cyber-perimeter security

4

13 Ways Through a Firewall
1) Phishing / drive-by-download – victim pulls attack
2) Social engineering / steal a password / keylogger
3) Compromise domain controller – create fwall acct
4) Attack exposed servers – SQL injection / DOS / etc
5) Attack exposed clients – compromise web servers
6) Session hijacking – MIM / steal HTTP cookies
7) Piggy-back on VPN – split tunnelling / viruses

8) Firewall vulnerabilities –zero-days / design vulns
9) Errors and omissions – bad rules / IT errors
10) Forge an IP address –rules are IP-based
11) Bypass network perimeter – eg: rogue wireless
12) Physical access to firewall – reset to fact defaults
13) Sneakernet – removable media / laptops

Photo: Red Tiger Security

Keeping a firewall secure takes people and processes…

5

#1 Phishing / Spam / Drive-By-Download
● Single most common way through (enterprise) firewalls
● Client on business network pulls malware from internet, or activates
malware in email attachment
● “Spear-phishing” – carefully crafted email to fool even security experts
into opening attachment


6

#2 Social Engineering – Steal a Password
● VPN password on sticky note on monitor, or under keyboard
● Call up administrator, weave a convincing tale of woe, and ask for the
password
● Ask the administrator to give you a VPN account
● Shoulder-surf while administrator enters firewall password
● Guess
● Install a keystroke logger


7

#3 Compromise Domain Controller – Create Account
● More generally – abuse trust of external system
● Create account / change password of exposed ICS server, or firewall
itself
● Other external trust abuse – compromise external HMI, ERP, DCS
vendor with remote access, WSUS server, DNS server, etc.


8

#4 Attack Exposed Servers
● Every exposed port is vulnerable:
● SQL injection
● buffer overflow
● default passwords
● hard-coded password
● denial of service / SYN-flood

Night Dragon Attack

9

13 Ways Through a Firewall
1) Phishing / drive-by-download – victim pulls attack
2) Social engineering / steal a password / keylogger
3) Compromise domain controller – create fwall acct
4) Attack exposed servers – SQL injection / DOS / etc
5) Attack exposed clients – compromise web servers
6) Session hijacking – MIM / steal HTTP cookies
7) Piggy-back on VPN – split tunnelling / viruses

8) Firewall vulnerabilities –zero-days / design vulns
9) Errors and omissions – bad rules / IT errors
10) Forge an IP address –rules are IP-based
11) Bypass network perimeter – eg: rogue wireless
12) Physical access to firewall – reset to fact defaults
13) Sneakernet – removable media / laptops

Photo: Red Tiger Security

Keeping a firewall secure takes people and processes…

10

Unidirectional Security Gateways
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out,
but nothing can get back in to protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Absolute protection against online attacks from external networks
Industrial Network

Corporate Network
Waterfall RX
Server

Waterfall TX
Server

Waterfall
TX appliance


Waterfall
RX appliance

11

Secure Historian Replication
● Hardware-enforced unidirectional historian replication
● Replica historian contains all data and functionality of original
● Corporate workstations communicate only with replica historian
● Industrial network and critical assets are physically inaccessible from
corporate network & 100% secure from any online attack
Industrial Network
Historian

Corporate Network

Waterfall
TX agent

Waterfall
RX agent

PLCs
RTUs
Unidirectional
TX appliance

Unidirectional
RX appliance

Unidirectional Historian replication


12

Replica
Historian

Workstations

Waterfall Unidirectional Gateway Connectors
Leading Industrial Applications/Historians
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC, SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQLServer, Oracle, MySQL, SAP
● AspenTech, Matrikon Alert Manager

Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus
Remote Access
● Remote Screen View™
● Secure Manual Uplink

Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView,
IBM Tivoli
● HP ArcSight SIEM , McAfee ESM SIEM

Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM MQ series, Microsoft MSMQ
File/Folder Mirroring
● Antivirus updater, patch (WSUS)
● Folder, tree mirroring, remote folders (CIFS)
updater
● FTP/FTFP/SFTP/TFPS/RCP
● Remote print server

13

Use Case: Iberdrola Confrentes Nuclear Plant
● Replicates plant historian to corporate network
● Unidirectional gateways are deployed at the majority of American
nuclear generators
● Protect safety networks, control networks and plant networks
● Routinely replicate OPC, historians, Syslog, Modbus and SNMP
● Specified in NRC 5.71 and NEI 08-09 regulatory guides

NRC Regulatory Guide 5.71

14

Use Case: New Brunswick Power – Power Generation
● Inter Control Center Protocol (ICCP) replication to regional electric
system control center
● OSIsoft PI Server replication at all generating plants
● Deployed fleet-wide: 3000 MW
● Absolute protection from
external network attacks


15

Use Case: Detroit Water – Waterfall Solution
● Replaced firewall a service provider was managing: $10,000/mo
● Deployed OSIsoft PI Server and replica: aggregate all information to
be shared with business network
● Hydraulic optimization reduces $50M/year power costs by 3-7%
● Cell-phone loop-check improves field technician productivity
● Real-time sewage utilization to client utilities reduces their costs and
increases customer satisfaction


16

Trends in Standards and Guidance
● Increasingly, regulations, standards and best-practice guidance recognizes
hardware-enforced unidirectional communications
● Most recent: ISA SP-99-3-3/IEC 62443-3-3 and NERC-CIP V5

Proprietary Information -- Copyright © 2012 by Waterfall Security Solutions Ltd.

17

Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
Best Practice Award 2012, Industrial Network Security
2013 Oil & Gas Customer Value Enhancement Award
IT and OT security architects should consider Waterfall
for their operations networks
Waterfall is key player in the cyber security market –
2010, 2011, & 2012
● Strategic partnership agreements /
cooperation with: OSIsoft, GE, Siemens,
and many other major industrial vendors


18

Unidirectional Gateways: Secure IT/OT Integration
● Firewalls are porous
● Security: absolute protection of safety and reliability of control system
assets, from network attacks originating on external networks
● Compliance: best-practice guidance, standards and regulations are
evolving to recognize strong security
● Costs: reduces security operating costs:
improves security and saves money

andrew . ginter @ waterfall – security . com

www.waterfall-security.com


19

How Security can be stronger than a Firewall: 13 different ways breaking through firewalls

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to How Security can be stronger than a Firewall: 13 different ways breaking through firewalls

Similar to How Security can be stronger than a Firewall: 13 different ways breaking through firewalls (20)

More from Community Protection Forum

More from Community Protection Forum (20)

Recently uploaded

Recently uploaded (20)

How Security can be stronger than a Firewall: 13 different ways breaking through firewalls