Safe Network Integration

Transcription

1 UNIDIRECTIONAL SECURITY GATEWAYS Safe Network Integration Stronger than Firewalls Shaul Pescovsky, Sales Director Waterfall Security Solutions Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 2014

2 Security Landscape 1M ICS hosts on the Internet? 500K in NA? Really only 7,000 Heartbleed encryption in lots of products, websites & VPNs broken NSA supply chain revelations. Does anyone really believe it was only the NSA? Always more ICS vulnerabilities found, and patching change-controlled network is slow Heartbleed drives home the point: all software has bugs. Some bugs are security holes. So in practice, all software can be hacked Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 2

3 Cyber Perimeter - How Secure are Firewalls Really? Attack Type UGW Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 2) Social engineering steal a password / keystroke logger / shoulder surf 3) Compromise domain controller create ICS host or firewall account 4) Attack exposed servers SQL injection / DOS / buffer-overflowd 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 6) Session hijacking MIM / steal HTTP cookies / command injection 7) Piggy-back on VPN split tunneling / malware propagation 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls 10) Forge an IP address firewall rules are IP-based Attack Success Rate: Impossible Routine Easy Photo: Red Tiger Security Firewall have been with us for 30 years now. The good guys and the bad guys both know how to defeat them Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 3

4 Risk-Based Best Practice Security Attacks only become more sophisticated 2007 s pervasive threat: professional-grade organized-crime botnets Best-practice defense: security updates, firewalls, anti-virus 2014 s pervasive threat: professional-grade remote-control targeted attacks Best-practice: Unidirectional hardware protections Emerging threat: cloud control Security best practices must evolve as threats evolve Business Objectives Drive Risk Assessments Drive Best Practice Security Drive Compliance Proprietary Information -- Copyright 2014 by Waterfall Security Solutions

5 Waterfall s Technology Standards & Guidelines ENISA - unidirectional gateways provide better protection than firewalls Unidirectional gateways limit the propagation of malicious code (ISA SP / IEC ) ANSSI Cybersecurity for ICS many requirments for hardware-enforced unidirectionality DHS recommends unidirectional gateways in security assessments (ICS CERT) NRC & NEI exempts unidirectionally-protected sites from 21 of 26 cyber-perimeter rules Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 5 NERC CIP exempts unidirectionallyprotected sites from over 35% of requirements

6 Safe IT/OT Integration: Historian Replication Hardware-enforced unidirectional server replication Replica server contains all data and functionality of original Corporate workstations communicate only with replica server Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack Industrial Network Historian Server Waterfall TX agent Corporate Network Waterfall RX agent Replica Server Workstations PLCs RTUs Waterfall TX Module Waterfall RX Module Unidirectional Historian replication Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 6

7 Safe IT/OT Integration: OPC Replication OPC-DA protocol is complex: based on DCOM object model intensely bi-directional TX agent is OPC client. RX agent is OPC server OPC protocol is used only in production network, and business network, but not across unidirectional gateways Industrial Network OPC Server TX agent / OPC Client Corporate Network RX agent / OPC Server Corporate Historian Workstations PLCs RTUs OPC Waterfall TX Module Waterfall RX Module OPC Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 7

8 Use Case: Protecting Entire Substation Continuous monitoring of substation via DNP3 / IEC FLIP on demand when commands come through FLIP trigger raises alarm if too many FLIPs Trigger controller cannot be compromised by network attack Substation Electronic Security Perimeter FLIP EMS How many FLIPs are normal, not suspicious? Relays RTUs WAN Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 8

9 Use Case: Continuous Adjustment Continuous monitoring of substation via DNP3 / IEC Continuous command channel Separate channels, not command/response Unlike firewall, do not forward messages, resists fuzzing & bufferoverflow attacks Substation Electronic Security Perimeter RTUs EMS Separate channels Relays WAN Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 9

10 Waterfall's Mission: Replace ICS Firewalls Waterfall s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls Enables safe IT/OT integration, remote services, industrial cloud Substations, Generation, Not For IT Offshore BES Control Batch Processing, Primary Production, Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure Inbound / Waterfall Unidirectional Bypass Outbound FLIP TM Security Gateways Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 10

11 Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Deployed world-wide in all critical infrastructure sectors 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Only unidirectional technology on US Department of Homeland Security s National SCADA Security Test Bed, and Japanese CSSC Test Bed Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 11

12 Waterfall Product Accreditations Only unidirectional technology with cyber security assessment by Idaho National Laboratories Certified Common Criteria EAL4+ (High Attack Potential) Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors Recognized as an industrial cyber-security best-practice by DHS, NERC CIP, NRC, industry analysts & leading industrial cyber-security experts Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 12

13 Safe, Hardware-Enforced IT/OT/Network Integration All software can be hacked. Which of our control equipment is so expendable that we are willing to protect it with software only? Unidirectional Gateways defeat modern interactive remote control (IRC) attacks Disciplined remote support is possible: RSV, Secure Bypass & parallel IT/OT WANs The FLIP defeats IRC attacks and still lets data flow into protected networks Application Data Control delivers on the promises long made by next-gen firewalls Hardware-enforced unidirectional protections are today s best practices Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 13

14 THANK YOU Proprietary Information -- Copyright 2014 by Waterfall Security Solutions 14