Stronger Than Firewalls: Unidirectional Security Gateways

Transcription

1 UNIDIRECTIONAL SECURITY GATEWAYS Stronger Than Firewalls: Unidirectional Security Gateways Colin Blou VP Sales Waterfall Security Solutions Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 2013

2 Unidirectional Security Gateways Laser in TX, photocell in RX, fibre-optic cable you can send data out, but nothing can get back in to protected network TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Absolute protection against online attacks from external networks Industrial Network Corporate Network Waterfall TX Server Waterfall RX Server Waterfall TX appliance Waterfall RX appliance Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 2

3 Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Hundreds of sites deployed in all critical infrastructure sectors Best Practice Award 2012, Industrial Network Security 2013 Oil & Gas Customer Value Enhancement Award IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 3

4 Waterfall Security Solutions Only unidirectional technology on Department of Homeland Security s National SCADA Security Test Bed Hold US patents for SCADA/control networks security using Unidirectional Gateways Only unidirectional technology to pass a cyber security assessment by Idaho National Laboratories Certified Common Criteria EAL4+ (High Attack Potential) Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 4

5 Industrial Network Connectivity: Drivers and Risks Predictive maintenance: crew scheduling, HR integration, spare parts inventories and ordering Just-in-time manufacturing, real-time inventories, batch records, LIMS integration, production planning, SAP/ERP integration Centralized support: more effective use of skilled personnel, critical mass of current experts next decade s experts But industrial network connects to business network, which connects to Internet & other networks These connections let attackers target critical network with remote, online attacks Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 5

6 Firewalls at Critical Network Perimeters Attack Type UGW Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 4 2 2) Social engineering steal a password / keystroke logger / shoulder surf 4 1 3) Compromise domain controller create ICS host or firewall account 4 2 4) Attack exposed servers SQL injection / DOS / buffer-overflowd 4 2 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 4 2 6) Session hijacking MIM / steal HTTP cookies / command injection 4 2 7) Piggy-back on VPN split tunneling / malware propagation 4 2 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 4 2 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls ) Forge an IP address firewall rules are IP-based ) Bypass network perimeter cabling/ rogue wireless / dial-up ) Physical access to firewall local admin / no passwd / modify hardware ) Sneakernet removable media / untrusted laptops 1 1 Total Score: Photo: Red Tiger Security Attack Success Rate: Impossible Extremely Difficult Difficult Straight- Forward Firewalls too weak to deploy without compensating measures Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 6

7 Emerging Threat: Remote Monitoring and Diagnostics Control system / equipment / turbine vendor site monitors many customer sites, in many countries Central vendor site configured for occasional remote control Industrial network exposed to attack from central site and from other customers / countries Remote control attacks, virus propagation Vendor connection bypasses corporate security protections Industrial network is completely dependent on vendor security Central Monitoring Site Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 7

8 Secure Historian Replication Hardware-enforced unidirectional historian replication Replica historian contains all data and functionality of original Corporate workstations communicate only with replica historian Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack Industrial Network Corporate Network Workstations PLCs RTUs Historian Queries, Responses TX Agent Host RX Agent Host Commands, Responses Replica Historian TX HW Module RX HW Module Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 8

9 Secure OPC Replication OPC-DA protocol is complex: based on DCOM object model intensely bi-directional TX agent is OPC client. RX agent is OPC server OPC protocol is used only in production network, and business network, but not across unidirectional gateways Industrial Network Corporate Network Workstations PLCs RTUs OPC Server OPC Polls, Responses TX Agent OPC Client TX HW Module RX Agent OPC Server RX HW Module OPC Polls, Responses Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 9

10 Waterfall Unidirectional Gateway Connectors Leading Industrial Applications/Historians OSIsoft PI, PI AF, GE ihistorian, GE ifix Scientech R*Time, Instep edna, GE OSM Siemens: WinCC, SINAUT/Spectrum Emerson Ovation, Wonderware Historian SQLServer, Oracle, MySQL, SAP AspenTech, Matrikon Alert Manager Leading IT Monitoring Applications Log Transfer, SNMP, SYSLOG CA Unicenter, CA SIM, HP OpenView, IBM Tivoli HP ArcSight SIEM, McAfee ESM SIEM File/Folder Mirroring Folder, tree mirroring, remote folders (CIFS) FTP/FTFP/SFTP/TFPS/RCP Leading Industrial Protocols OPC: DA, HDA, A&E, UA DNP3, ICCP, Modbus Remote Access Remote Screen View Secure Manual Uplink Other connectors UDP, TCP/IP NTP, Multicast Ethernet Video/Audio stream transfer Mail server/mail box replication IBM MQ series, Microsoft MSMQ Antivirus updater, patch (WSUS) updater Remote print server Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 10

11 Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 11

12 Waterfall FLIP Unidirectional Gateway whose direction can be reversed: Regular and randomized security updates & AV signatures Chemicals / refining / mining / pharmaceuticals: batch instructions Substations, pumping stations, remote, unstaffed sites Variety of triggering options When flipped incoming unidirectional gateway replicates servers: no TCP/IP, no remote control attacks Stronger than firewalls, stronger than removable media Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 12

13 Waterfall Flip - Normal Operation Waterfall TX agent Critical Network Waterfall RX agent TX Module RX Module Waterfall TX agent Waterfall RX agent External Network Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 13

14 Waterfall Flip - Reversed Waterfall TX agent Critical Network Waterfall RX agent TX Module RX Module Waterfall TX agent Waterfall RX agent External Network Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 14

15 FLIP: Stronger than Firewalls Outbound data flows are absolutely secure temporary in-bound flows are the concern Remote control is practically impossible there are never in-bound and out-bound data flows simultaneously Gateways replicate servers / terminate protocol sessions no packets forwarded Stronger than firewalls: 100% secure 99% of the time. Still stronger than a firewall the rest of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 15

16 FLIP for Substations Designed for smaller, un-staffed sites Contains the FLIP and two computers in one 1U Waterfall Cabinet Unidirectional Gateway whose orientation flips occasionally Eg: To allow RESET command after lightning strike To allow occasional security updates or anti-virus updates Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 16

17 Waterfall FLIP and NERC CIP CIP V3+V4 Non-routable communications All inter-module connections are visible via front panel CIP V5 All communications across ESP are unidirectional Temporary inbound communications are stronger than a firewall Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 17

18 Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 18

19 Balancing Authority / Control Center Solution Gateways send commands out to partner utilities. Second channel polls/reports data in Multiply redundant automatic at site, manual fail-over between sites Some ICCP reconfiguration needed channels are independent Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 19

20 Security: Stronger Than Firewalls In-bound connection is the concern No protocol-level attack passes through the gateways Gateways replicate ICCP servers / terminate ICCP sessions No packets forwarded have to hack each layer in turn Independent unidirectional channels: flying blind - no feedback during attacks Hacking through multiple layers of hosts while flying blind is difficult almost to the point of impossibility Diodes in reverse direction may not be secure, but specific configurations such as ICCP Gateways are much stronger than firewalls Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 20

21 Perimeter Security Attack Tree Analysis Attack Type BES CC Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 4 2 2) Social engineering steal a password / keystroke logger / shoulder surf 4 1 3) Compromise domain controller create ICS host or firewall account 4 2 4) Attack exposed servers SQL injection / DOS / buffer-overflow 3 2 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 4 2 6) Session hijacking MIM / steal HTTP cookies / command injection 3 2 7) Piggy-back on VPN split tunneling / malware propagation 4 2 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 3 2 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls ) Forge an IP address firewall rules are IP-based ) Bypass network perimeter cabling/ rogue wireless / dial-up ) Physical access to firewall local admin / no passwd / modify hardware ) Sneakernet removable media / untrusted laptops 1 1 Total Score: Attack Success Rate: Impossible Extremely Difficult Difficult Straight- Forward Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 21

22 Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 22

23 Waterfall Secure Bypass Temporary bypass of security perimeter Hardware enforced: relays connect and disconnect Variety of trigger mechanisms Deployed in parallel with Unidirectional GW: Emergency remote access: offshore platform evacuation Temporary remote access, controlled from the plant side Modular configuration with embedded PC: firewalled and whitelisted 100% secure, 99% of the time As secure as a firewall, 1% of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 23

24 True Remote Control: Secure Manual Uplink Physically connects/disconnects copper network cables Automatically disconnects again after programmable interval Activation modes: Physical key Electronic key Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 24

25 Temporary Remote Control On-site personnel decide when to grant access 100% secure, 99% of the time As secure as a firewall the rest of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 25

26 Waterfall's Mission: Replace ICS Firewalls Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Look for additional product announcements over the next 12 months Substations, Generation, Not For IT Offshore BES Control Batch Processing, Water, Security Networks Platforms Centers Refining, Safety Systems Routers Firewalls Secure WF for BES Waterfall Unidirectional Bypass Control FLIP TM Security Centers Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 26

27 Secure Application Integration Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security Costs: reduces security operating costs improves security and saves money in the long run Waterfall s unique solutions have the potential to be the industry s next game changing standard Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 27