New Technologies for Substation Cyber Hardening




UNIDIRECTIONAL SECURITY GATEWAYS
New Technologies for Substation Cyber Hardening
Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2014 by Waterfall Security Solutions Ltd. 2014

Waterfall's Mission: Replace ICS Firewalls
- Waterfall's mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
- Enables safe IT/OT integration, remote services, industrial cloud
[Diagram labels: Not For IT Security Networks; Substations, Generation; Offshore Platforms; BES Control Centers; Batch Processing, Refining; Primary Production, Safety Systems. Products: Routers; Firewalls; Secure Bypass; Secure Inbound / Outbound; Waterfall FLIP(TM); Unidirectional Security Gateways]

Firewalls at Cyber Perimeters: Really?

UGW  Fwall  Attack Type
  4      2  1) Phishing / drive-by-download: victim pulls your attack through firewall
  4      1  2) Social engineering: steal a password / keystroke logger / shoulder surf
  4      2  3) Compromise domain controller: create ICS host or firewall account
  4      2  4) Attack exposed servers: SQL injection / DOS / buffer overflows
  4      2  5) Attack exposed clients: compromised web svrs / file svrs / buf-overflows
  4      2  6) Session hijacking: MIM / steal HTTP cookies / command injection
  4      2  7) Piggy-back on VPN: split tunneling / malware propagation
  4      2  8) Firewall vulnerabilities: bugs / zero-days / default passwd / design vulns
  4      2  9) Errors and omissions: bad fwall rules/configs / IT reaches through fwalls
  4      2  10) Forge an IP address: firewall rules are IP-based
 40     19  Total Score

Attack Success Rate (legend): Impossible / Difficult / Straight-Forward
Photo: Red Tiger Security

Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat firewalls.

Emerging Threat: Targeted Attacks
- Use spear phishing to punch through corporate firewalls, or sometimes more conventional attacks on web & other servers
- Use custom malware to evade anti-virus
- Operate malware by interactive remote control
- Steal administrator passwords / password hashes
- Create new administrator accounts on domain controller
- Use new accounts to log in: no need to break in any more, defeats software update programs
- Bypasses standard IT security controls: firewalls, encryption, AV, security updates


Conventional Network Integration
- Corporate users reach into plant historian through firewall
- Corporate users send queries/requests, historian responds
[Diagram labels: Industrial Network (Historian, PLCs, RTUs); Firewall; Corporate Network (Workstations)]

Unidirectional Security Gateways
- Hardware-enforced unidirectional server replication
- Replica server contains all data and functionality of original
- Corporate workstations communicate only with replica server
- Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
[Diagram: Unidirectional Historian replication. Industrial Network: PLCs, RTUs, Historian Server, Waterfall TX agent, Waterfall TX appliance. Corporate Network: Waterfall RX appliance, Waterfall RX agent, Replica Server, Workstations]

DNP3 Replication
- TX agent is DNP3 master: polls substation & accepts exception reports
- RX agent is DNP3 slave: responds to EMS polls and sends report-by-exception reports to EMS
- No DNP3 packets pass through gateway
[Diagram labels: Industrial Network (RTUs, Substation Controller, DNP3, Waterfall TX agent, Waterfall TX appliance); Corporate Network (Waterfall RX appliance, Waterfall RX agent, DNP3, WAN, EMS)]

Waterfall Unidirectional Gateway Connectors

Leading Industrial Applications/Historians
- OSIsoft PI, PI AF, GE iHistorian, GE iFIX
- Scientech R*Time, Instep eDNA, GE OSM
- Siemens: WinCC/SINAUT/Spectrum
- Emerson Ovation, Wonderware Historian
- SQLServer, Oracle, MySQL, Postgres, SAP
- AspenTech IP21, Matrikon Alert Manager
- Schneider ClearSCADA

Leading IT Monitoring Applications
- Log Transfer, SNMP, SYSLOG
- CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
- HP ArcSight SIEM, McAfee ESM SIEM

File/Folder Mirroring
- Folder, tree mirroring, remote folders (CIFS)
- FTP/FTFP/SFTP/TFPS/RCP

Leading Industrial Protocols
- OPC: DA, HDA, A&E, UA
- DNP3, ICCP, Modbus
- GENA, IEC 60870-5-104, IEC 61850

Remote Access
- Remote Screen View
- Secure Bypass

Other connectors
- UDP, TCP/IP
- NTP, Multicast Ethernet
- Video/Audio stream transfer
- Mail server/mail box replication
- IBM MQ series, Microsoft MSMQ
- Antivirus updater, patch (WSUS) updater
- Remote print server

World's largest collection of COTS industrial server replications


Waterfall FLIP
- Contains: TX module, RX module, Trigger Controller (CPU)
- Trigger: button / key, schedule
- FLIP is a Unidirectional Gateway which can flip over

Waterfall Flip - Reversing Orientation

Waterfall Flip - Replicate to WAN

Waterfall Flip - Replicate to Substation

Possible FLIP States
- Relays: one way, other way, or neither way
- Nine possible states

TX State       RX State       Result
Inside         Inside         Internal network is connected to internal network. No connection to external network. No harm done.
Outside        Inside         Outside network sends data unidirectionally to internal network. Normal operation.
Disconnected   Inside         Networks are disconnected. No harm done.
Inside         Outside        Internal network sends data unidirectionally to external network. Normal operation.
Outside        Outside        External network is connected to external network. No connection to internal network. No harm done.
Disconnected   Outside        Networks are disconnected. No harm done.
Inside         Disconnected   Networks are disconnected.
Outside        Disconnected   Networks are disconnected.
Disconnected   Disconnected   Networks are disconnected.

FLIP: Stronger than Firewalls
- Designed to prevent interactive remote control: cannot allow data to flow both ways at once
- Trigger mechanism cannot be subverted by data passing through
- Firewalls forward messages, FLIP & Gateways do not
- TX Agents are clients. They ask for data and forward the answers/data
- No protocol-level attacks pass through: no fuzzing/buffer overflows. All comms sessions terminate in agent hosts.
- FLIP: Stronger than firewalls
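
Added example, not part of the Waterfall deck: a small model of the nine TX/RX relay states from the "Possible FLIP States" slide, replayed against a message timeline to show why a command and its reply cannot cross in the same orientation. The timeline, the messages and all function names are constructed for illustration, and the model assumes data only moves from the network the TX module is attached to toward the network the RX module is attached to.

```python
from enum import Enum
from itertools import product


class Side(Enum):
    INSIDE = "inside"
    OUTSIDE = "outside"
    DISCONNECTED = "disconnected"


def orientation(tx, rx):
    """Classify one of the nine (TX, RX) relay states by what can cross."""
    if Side.DISCONNECTED in (tx, rx) or tx == rx:
        return "isolated"  # open relay, or both modules on the same network
    return "outbound" if tx is Side.INSIDE else "inbound"


def delivered(timeline, messages):
    """Messages that cross the gateway.

    timeline: sorted (start, tx, rx) tuples; a state holds until the next start.
    messages: (time, direction), direction being "outbound" or "inbound".
    """
    result = []
    for when, direction in messages:
        current = "isolated"
        for start, tx, rx in timeline:
            if start <= when:
                current = orientation(tx, rx)
        if current == direction:
            result.append((when, direction))
    return result


def fastest_round_trip(timeline, messages):
    """Shortest delay between a delivered inbound message and a later delivered reply."""
    got = delivered(timeline, messages)
    gaps = [o - i for i, d_in in got if d_in == "inbound"
            for o, d_out in got if d_out == "outbound" and o > i]
    return min(gaps) if gaps else None


# Constructed sample: times in seconds, one scheduled flip for a batch update.
TIMELINE = [(0, Side.INSIDE, Side.OUTSIDE),         # normal monitoring
            (1000, Side.OUTSIDE, Side.INSIDE),      # flipped: batch update window
            (1300, Side.INSIDE, Side.OUTSIDE)]      # flipped back
MESSAGES = [(10, "outbound"), (500, "inbound"),     # 500: unsolicited command
            (1100, "inbound"), (1101, "outbound"),  # 1101: reply to the update
            (1400, "outbound")]

STATES = {(tx, rx): orientation(tx, rx) for tx, rx in product(Side, repeat=2)}
```

In this constructed timeline the only inbound message that crosses is the one sent during the update window, and the earliest reply that can leave is 300 seconds later, after the relays flip back.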

Use Case: Protecting Protection Equipment
- Deployed between protective relays and rest of substation
- Continuous monitoring of relays
- FLIP every 2 months or so: send batch of new passwords and possibly new firmware into batch-mode update mechanism
- No interactive remote control for relays
[Diagram labels: Substation Electronic Security Perimeter; Relays; FLIP; RTUs; Firewall; WAN; EMS]

Use Case: Protecting Entire Substation
- Continuous monitoring of substation via DNP3
- FLIP periodically: new passwords, firmware, configurations, setpoints
- No interactive remote control for entire substation
[Diagram labels: Substation Electronic Security Perimeter; Relays; RTUs; FLIP; WAN; EMS]

Evolving Best Practices
- New best practice: unidirectional gateways & FLIP defeat targeted attacks, insider attacks & malware propagation

Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA
- Hundreds of sites deployed in all critical infrastructure sectors
- 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
- IT and OT security architects should consider Waterfall for their operations networks
- Waterfall is key player in the cyber security market 2010, 2011, & 2012
- The only unidirectional technology on US Department of Homeland Security's National SCADA Security Test Bed, and Japanese CSSC Test Bed

Waterfall Product Accreditations
- Only unidirectional technology with a cyber security assessment by Idaho National Laboratories
- Certified Common Criteria EAL4+ (High Attack Potential)
- Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors
- Hold US patents for SCADA/control networks security using Unidirectional Gateways
- Market leader for unidirectional server replication in industrial environments

Improving BES Reliability
- Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks
- Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
- Costs: reduces security operating costs; improves security and saves money in the long run
- Waterfall's unique solutions have the potential to be the industry's next game changing standard
- BES will be measurably more reliable when Unidirectional Gateways are deployed more widely