Strong Security in NERC CIP Version 5: Unidirectional Security Gateways
Chris Humphreys, CEO, The Anfield Group
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.
13 Ways Through a Firewall
1) Phishing / drive-by download: the victim pulls the attack in
2) Social engineering: steal a password, keylogger
3) Compromise the domain controller: create a firewall account
4) Attack exposed servers: SQL injection, DoS, etc.
5) Attack exposed clients: compromise web servers
6) Session hijacking: man-in-the-middle, stolen HTTP cookies
7) Piggy-back on a VPN: split tunnelling, viruses
8) Firewall vulnerabilities: zero-days, design vulnerabilities
9) Errors and omissions: bad rules, IT errors
10) Forge an IP address: rules are IP-based
11) Bypass the network perimeter, e.g. rogue wireless
12) Physical access to the firewall: reset to factory defaults
13) Sneakernet: removable media, laptops
Keeping a firewall secure takes people and processes.
Photo: Red Tiger Security
Targeted Attacks = Manual Remote Control
- Spear phishing pulls the attack through the firewall
- Low-volume RAT evades anti-virus
- Steal/create passwords: keystroke logger, pass-the-hash, compromise the domain
- With passwords: explore networks, firewalls and systems at leisure
IT teams have admitted they are unable to block targeted attacks at the corporate perimeter. Control system networks are simpler, and generally are still protectable.
Unidirectional Security Gateways
- Laser in TX, photocell in RX, fibre-optic cable: you can send data out, but nothing can get back into the protected network
- TX uses 2-way protocols to gather data from the protected network
- RX uses 2-way protocols to publish data to the external network
- Defeats advanced / remote-control attacks
- Server replication, not protocol emulation
Historian Replication at Generator Site
- TX agent is a conventional historian client: requests a copy of new data as it arrives in the historian
- RX agent is a conventional historian collector: drops new data into the replica as it arrives from TX
- TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
- Complete replica: tracks all changes, new tags and alerts in the replica
OPC Replication
- The OPC-DA protocol is complex: based on the DCOM object model, intensely bi-directional
- TX agent is an OPC client: gathers data from production OPC servers
- RX agent is an OPC server: serves data to business OPC clients
- TX agent sends only OPC data and metadata to RX
- The OPC protocol is used only within the production network and within the business network, never across the unidirectional link
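The replication pattern described on this slide and on the historian slide before it, modelled as an added example (my code, not Waterfall's): a TX agent serializes only data and metadata into numbered frames, and an RX agent rebuilds a replica from those frames alone, with no return path. The sequence-number gap detection is my assumption about how a gateway copes with the absence of acknowledgements, not something the slides describe.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Replica:
    """RX-side replica: rebuilt only from what arrives over the one-way link."""
    tags: dict = field(default_factory=dict)    # tag name -> metadata
    values: dict = field(default_factory=dict)  # tag name -> [(timestamp, value), ...]
    gaps: list = field(default_factory=list)    # (expected_seq, received_seq) for lost frames
    next_seq: int = 0

def tx_encode(seq: int, kind: str, payload: dict) -> bytes:
    """TX agent: wrap one historian/OPC update as a length-prefixed JSON frame.
    Only data and metadata cross the link; no historian or OPC protocol traffic does."""
    body = json.dumps({"seq": seq, "kind": kind, **payload}).encode()
    return len(body).to_bytes(4, "big") + body

def tx_frames(updates) -> list:
    """Encode a list of (kind, payload) updates into numbered outbound frames."""
    return [tx_encode(i, kind, payload) for i, (kind, payload) in enumerate(updates)]

def rx_apply(replica: Replica, stream: bytes) -> Replica:
    """RX agent: parse frames and drop them into the replica. It never sends anything
    toward TX, so a missing sequence number can only be recorded as a gap (assumption)."""
    pos = 0
    while pos + 4 <= len(stream):
        n = int.from_bytes(stream[pos:pos + 4], "big")
        frame = json.loads(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
        if frame["seq"] != replica.next_seq:
            replica.gaps.append((replica.next_seq, frame["seq"]))
        replica.next_seq = frame["seq"] + 1
        if frame["kind"] == "tag":          # new tag: metadata is replicated too
            replica.tags[frame["name"]] = {"units": frame["units"]}
        elif frame["kind"] == "sample":     # new historian value for an existing tag
            replica.values.setdefault(frame["name"], []).append((frame["ts"], frame["value"]))
    return replica

def demo() -> Replica:
    """Constructed sample: a tag is created, two samples follow, and the link loses
    the first sample. Expect one gap (1, 2) and only the second sample in the replica."""
    updates = [("tag", {"name": "T1.bearing_temp", "units": "degC"}),
               ("sample", {"name": "T1.bearing_temp", "ts": 1, "value": 71.5}),
               ("sample", {"name": "T1.bearing_temp", "ts": 2, "value": 72.0})]
    frames = tx_frames(updates)
    lossy_stream = b"".join(frames[:1] + frames[2:])   # frame 1 lost in transit
    return rx_apply(Replica(), lossy_stream)

if __name__ == "__main__":
    print(demo())
```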
Unidirectional Gateway Deployments
- Deployed routinely in generators
- Deployed routinely where the plant network connects to the business network
- Deployed less commonly:
  - Where a generating unit control network connects to the plant network
  - In substations and control centers
- Most commonly replicates:
  - Historian servers
  - OPC servers
  - File servers
  - Remote Screen View
Turbine Management
- Turbines: steam, water, combustion (gas)
- Eventual performance degradation:
  - Gas: blade fouling, corrosion, erosion
  - Steam: scale, corrosion, chipping
  - Water: pitting, metal fatigue, erosion
- Condition monitoring is very effective when malfunctions are found before serious failure occurs: temperatures, pressures, vibration, cavitation, lubricant temperatures
- Turbine vendor support programs require remote monitoring and remote control
Photo courtesy: Siemens
Remote Screen View
- Vendors can see control system screens in a web browser
- Remote support is under the control of on-site personnel
- Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real time
- Vendors supervise site personnel; site people supervise the vendors
- Each perspective is legitimate, and both needs are met
True Remote Control: Secure Manual Uplink
- Physically connects/disconnects copper network cables
- Automatically disconnects again after a programmable interval
- Activation modes: physical key, electronic key
Temporary Remote Control
- 100% secure, 99% of the time
- As secure as a firewall the rest of the time
- On-site personnel decide when to grant access
- Remote access is further controlled by conventional firewalls, VPNs, etc.
Strong Security in NERC CIP Version 5: Unidirectional Security Gateways
By: Chris Humphreys, CEO/Director
Overview
- NERC CIP Version 5 firewall changes
- External Routable Connectivity defined
- Remote support options
High/Med/Low Impact Cyber Systems
- High Impact: control centers
- Medium Impact: analogous to V4 CCAs outside of control centers, including assets in generating plants
- Low Impact: other systems at bright-line facilities
Firewall Changes for CIP V5
- Electronic Security Perimeter still required
- Electronic Access Point defined only for assets with External Routable Connectivity
- Electronic Access Points in Control Centers must use network intrusion detection systems
External Routable Connectivity
"The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection"
- Unidirectional Gateways are not bidirectional. The hardware can only communicate in one direction.
- Common Criteria EAL4+ certification attests to this
Standard ERC Exemptions

Standard                                 | Requirements | Med Impact with ERC: Exempted | High Impact with ERC: Exempted
-----------------------------------------|--------------|-------------------------------|-------------------------------
002 BES Cyber System Categorization      | 7            | -                             | -
003 Security Management Controls         | 4            | -                             | -
004 Personnel & Training                 | 19           | 15                            | -
005 Electronic Security Perimeters       | 8            | 5                             | 3
006 Physical Security                    | 14           | 12                            | -
007 Systems Security Management          | 20           | 5                             | -
008 Incident Reporting & Resp. Planning  | 9            | -                             | -
009 Recovery Plans                       | 10           | -                             | -
010 Change Mgmt & Vuln Assessments       | 10           | -                             | -
011 Information Protection               | 4            | -                             | -
Totals                                   | 103          | 37                            | 3

Plus: many exemptions for Physical Access Control Systems without External Routable Connectivity
Interactive Remote Access
"User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol"
- Remote Screen View (RSV) is not access
- RSV is equivalent to remote video viewing
- The Secure Manual Uplink (SMU) is very likely remote access, even though it is temporary
Strong Security
- Unidirectional Security Gateways integrate systems without the vulnerabilities of firewalls
- CIP V5 includes provisions encouraging the use of Unidirectional Gateways; this is not accidental
- A CIP program should be about security. Compliance is a natural consequence of strong security.
Strong Security
- Security: absolute protection of the safety and reliability of control system assets from network attacks originating on external networks
- Compliance: best-practice guidance, standards and regulations are evolving to recognize and encourage strong security
- Costs: reduces security and firewall operating costs; improves security and saves money in the long run
"When you are considering security for your control networks, you need to keep in mind innovative security technologies such as unidirectional gateways" -- Tim Roxey, NERC CSSO