Cyber Security Summit Milano, IT

Transcription

1 UNIDIRECTIONAL SECURITY GATEWAYS Cyber Security Summit Milano, IT Advanced Threats Require Advanced Defenses Michael A. Piccalo, CISSP Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright 2015 by Waterfall Security Solutions

2 Unidirectional Security Gateways Software and hardware-based security solution TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Laser in TX, photocell in RX, fiber optic cable defined data goes out, but nothing can get back into the protected network Industrial Network Corporate Network Waterfall TX Server Waterfall RX Server Waterfall TX Module Waterfall RX Module Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 2

3 Where Does This Fit? Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between IT and OT networks Firewalls are software-basedsolutions and thus are vulnerable to cyber attacks and to compromise Industrial Network (OT) Corporate Network (IT) Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 3

4 Where Does This Fit? Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between the IT and OT networks Eliminates allinbound access from external networks providing absoluteprotection against online attacks from external networks where the vast majority of cyber attacks come from Industrial Network (OT) Corporate Network (IT) Waterfall TX Server Waterfall RX Server Waterfall TX Module Waterfall RX Module Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 4

5 Why Are We Doing All This Security? In a nutshell, our security technology and practices are no longer effective against the sophisticated threat landscape today Source: Cisco Systems Attacks against our critical control systems are becoming increasingly more common and more targeted Changes are needed in order to keep up with the evolving threats Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 5

6 How Secure are Firewalls Really? Attack Type UGW FW 1) Phishing / drive-by-download victim pulls your attack through firewall 2) Social engineering steal a password / keystroke logger / shoulder surf 3) Compromise domain controller create ICS host or firewall account 4) Attack exposed servers SQL injection / DOS / buffer-overflows 5) Attack exposed clients compromised web svrs/ file svrs / buffer overflows 6) Session hijacking MIM / steal HTTP cookies / command injection 7) Piggy-back on VPN split tunneling / malware propagation 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 9) Errors and omissions bad FW rules/configs/ IT reaches through FWs 10) Forge an IP address firewall rules are IP-based Attack Success Rate: Impossible Routine Easy Photo: Red Tiger Security Firewalls have been with us for almost 30 years now. Good guys and bad guys both know how to defeat them. Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 6

7 Common Attack Pattern Persistent, Targeted Attacks Use spear phishing to punch through corporate firewalls Use custom malware to evade anti-virus Operate malware by interactive remote control Steal administrator passwords / password hashes Create new administrator accounts on domain controller Use new accounts to log in no need to break in any more defeats software update programs Bypasses standard IT security controls to include firewalls, encryption, AV, and security updates Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 7

8 Secure Integration of Historian Data Hardware-enforced unidirectional server replication Replica server contains all data and functionality of original Corporate workstations communicate only with replica server Industrial network and critical assets are physically inaccessible from corporate network and secure from external online attacks Industrial Network (OT) Historian Waterfall Server TX agent Corporate Network (IT) Waterfall Replica RX agent Server Workstations PLCs RTUs Waterfall TX Module Waterfall RX Module Unidirectional Historian Replication Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 8

9 Waterfall FLIP Unidirectional Gateway whose direction can be reversed File transfers, AV signatures, security updates, system updates, etc. Useful in remote unstaffed sites like substations, pumping stations, etc. Triggered on-demand or on a pre-defined schedule Still unidirectional Prevents interactive remote control it cannot flip fast enough to permit Remote Desktop or interactive SSH sessions No protocol-level attacks pass through No fuzzing attacks or buffer overflows All communication sessions terminate in agent hosts FLIP: Stronger than firewalls; stronger than removable media Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 9

10 Waterfall Unidirectional Gateway Connectors Leading Industrial Applications/Historians Schneider ClearSCADA, Instep edna OSIsoftPI, PI AF, GE ihistorian, GE ifix Scientech R*Time, GE OSM, Bently-Nevada Siemens: WinCC/SINAUT/Spectrum Emerson Ovation, Wonderware Historian SQLServer, Oracle, MySQL, Postgres, SAP AspenTech IP21, Matrikon Alert Manager Leading IT Monitoring Applications Log Transfer, SNMP, SYSLOG CA Unicenter, CA SIM, HP OpenView, IBM Tivoli HP ArcSightSIEM, McAfee ESM SIEM File/Folder Mirroring Folder, tree mirroring, remote folders (CIFS) FTP/FTFP/SFTP/TFPS/RCP Leading Industrial Protocols OPC: DA, HDA, A&E, UA DNP3, ICCP, Modbus GENA, IEC , IEC Remote Access Remote Screen View Secure Bypass Other connectors UDP, TCP/IP NTP, Multicast Ethernet Video/Audio stream transfer Mail server/mail box replication IBM MQ series, Microsoft MSMQ Antivirus / Patch (WSUS) updaters Remote print server World s largest collection of COTS industrial server replications Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 10

11 Best Practices Continue to Evolve Unidirectional gateways defeat targeted attacks, insider attacks, and malware propagation Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 11

12 Flexible Solutions Secure Bypass Inbound / Outbound Gateways FLIP Unidirectional Security Gateways Application Data Control (ADC) Remote Screen View (RSV) Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 12

13 Which Networks are Expendable? Attacks only become more sophisticated over time Modern attacks routinely defeat firewalls and security software As malware evolves, best practices evolve hardware-enforced Unidirectional Security Gateways are stronger than firewalls Absolute protection from external network attacks So, which of your networks are expendable enough to protect with software alone? Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 13

14 Waterfall Security Solutions Headquarters in Israel with sales and operations office in the US Hundreds of global deployments in all critical infrastructure sectors Industry leaders with analyst recognition: 2012, 2013, and 2014 Best Practice Awards for Industrial Network Security and Oil & Gas Security practices IT and OT security architects should consider Waterfall for their Operations networks. Waterfall solutions deliver an innovative, well thought-out fast-track solution for quickly securing OT infrastructures against ever-changing cyber-threats. Strategic partnership agreements and cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 14

15 Contact Info Michael A. Piccalo, CISSP Phone: Web: Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 15

16 Data Integrity High quality optical hardware Forward error correcting codes Able to send every message multiple times duplicates discarded Sequence numbers, heartbeats prompt error detection Throughput tuning Buffers at every stage of transmission Backfill: manual retransmission High availability no single point of failure impairs data movement Automatic, periodic backfill In practice, less than 5% of users purchase high-availability Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 16