An International Perspective on Security and Compliance

Transcription

1 UNIDIRECTIONAL SECURITY GATEWAYS An International Perspective on Security and Compliance ICSJWG Fall Conference 2014 Lior Frenkel, CEO and Co-Founder Waterfall Security Solutions Andrew Ginter, VP Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 2014

2 Nuclear Industry Unidirectional Gateways deployed at first nuclear generator Word spread quickly within American market - by 2010 hardwareenforced communications were effectively required by NEI and NRC 5.71 By the end of 2012, all American reactors had deployed unidirectional communications, the majority Waterfall s World-wide gateways deployed in nuclear generators in another dozen countries Nuclear generation embraced hardware-enforced unidirectional communications NRC Regulatory Guide 5.71 Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 2

3 North America NERC CIP CIP standards are widely studied and emulated, even outside NA and outside the power sector CIP V1 in 2007 made no mention of Unidirectional Gateway tech firewalls were seen as adequate CIP V5 in 2013 encourages unidirectional communications exemptions from 37 of 103 requirements FERC must carry out cost/benefit analysis, and is not permitted to require unduly expensive reliability or security measures Not permitted to require solving a problem until a solution exists How are conventional cyber risks different from nuclear risks? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 3

4 Israel Small state, surrounded by unfriendly neighbours Actively sought solutions security for critical infrastructures in 2004 Academia Private Sector Nurtured Waterfall as a stronger alternative to firewalls By 2007 Waterfall is used by effectively all industrial critical infrastructures in the country Israel demanded technology that did not exist And then nurtured and embraced that technology Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 4

5 Singapore and South Korea Small states, surrounded by unfriendly neighbours, like Israel Singapore: Often takes inspiration from Israeli solutions and technologies Unidirectional Security Gateways now deployed at multiple industrial sites Korea: Regulations are evolving, especially in the nuclear sector How are Singaporean and S. Korean cyber-risks different from anyone else s? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 5

6 IEC/ISA SP Feedback Waterfall submitted comments to ISA SP99 working group developing System Security Requirements and Security Levels Waterfall asked that the standard recommend unidirectional gateway to protect most secure safety-instrumented networks Response: This standard does not mandate specific solutions which are state-of-the-art at the time of publication, per IEC guidelines. This in spite of wide-spread adoption in the nuclear industry, and increasingly wide-spread adoption in conventional generation and other sectors Should the IEC/ISA standards document existing practice? Or advance the state of the practice? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 6

7 Japan Initial deployments of Unidirectional Gateway technology in Japan In spite of this, Japan deployed Unidirectional Security Gateways on ICS Security test beds Used for research and training Japanese infrastructures are largely privately owned Should governments document existing practice? Or advance the state of the practice? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 7

8 Threat Environment All software has bugs, and some bugs are vulnerabilities, so in practice, all software can be hacked Modern targeted, persistent attacks (TPAs) routinely defeat conventional software-based security controls TPA techniques are widely documented, and widely practiced All cyber-threats are pervasive Eg: cloud control systems are strategic targets whose compromise puts hundreds of identically-provisioned ICS sites at risk at once Should we be defending against motives? Or against universally- available capabilities? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 8

9 Observations Israeli, Singaporean and increasingly S. Korean and Japanese governments are advancing the state of the practice demanding / developing / demonstrating effective solutions to new cyber threats Nuclear regulators in North America have embraced stronger-thanfirewall security, and nuclear regulators world-wide are moving as well FERC, ISA SP-99 and IEC document solutions industry has developed and deployed already Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 9

10 Conclusions Threats continue to evolve, and so must defenses Different geographies & cultures perceive risks differently Size of infrastructure Public vs private ownership of infrastructure Private owners may not have the same priorities as do governments Progress strong Unidirectional Gateway technology is increasingly deployed in many geographies and industries Key Question: are cyber threats not universal? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 10

11 Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Deployed world-wide in all critical infrastructure sectors 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Only unidirectional technology on US Department of Homeland Security s National SCADA Security Test Bed, and Japanese Test Bed Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 11

12 Waterfall Product Accreditations Only unidirectional technology with cyber security assessment by Idaho National Laboratories Certified Common Criteria EAL4+ (High Attack Potential) Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors Recognized as an industrial cyber-security best-practice by DHS, NERC CIP, NRC, industry analysts & leading industrial cyber-security experts Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 12

13 Conclusions Threats continue to evolve, and so must defenses Different geographies & cultures perceive risks differently Size of infrastructure Public vs private ownership of infrastructure Private owners may not have the same priorities as do governments Progress strong Unidirectional Gateway technology is increasingly deployed in many geographies and industries Key Question: are cyber threats not universal? Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 13