Cyber Security Summit Milano, IT




UNIDIRECTIONAL SECURITY GATEWAYS
Cyber Security Summit Milano, IT
Advanced Threats Require Advanced Defenses
Michael A. Piccalo, CISSP, Director of Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2015 by Waterfall Security Solutions

Unidirectional Security Gateways
- Software and hardware-based security solution
- TX uses 2-way protocols to gather data from protected network
- RX uses 2-way protocols to publish data to external network
- Laser in TX, photocell in RX, fiber optic cable; defined data goes out, but nothing can get back into the protected network
[Diagram labels: Industrial Network, Waterfall TX Server, Waterfall TX Module, Waterfall RX Module, Waterfall RX Server, Corporate Network]

Where Does This Fit?
- Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between IT and OT networks
- Firewalls are software-based solutions and thus are vulnerable to cyber attacks and to compromise
[Diagram labels: Industrial Network (OT), Corporate Network (IT)]

Where Does This Fit?
- Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between the IT and OT networks
- Eliminates all inbound access from external networks, providing absolute protection against online attacks from external networks, where the vast majority of cyber attacks come from
[Diagram labels: Industrial Network (OT), Waterfall TX Server, Waterfall TX Module, Waterfall RX Module, Waterfall RX Server, Corporate Network (IT)]

Why Are We Doing All This Security?
- In a nutshell, our security technology and practices are no longer effective against today's sophisticated threat landscape (Source: Cisco Systems)
- Attacks against our critical control systems are becoming increasingly common and more targeted
- Changes are needed in order to keep up with the evolving threats

How Secure are Firewalls Really?
Table columns: Attack Type, UGW, FW. Legend (Attack Success Rate): Impossible, Routine, Easy.
1) Phishing / drive-by-download: victim pulls your attack through firewall
2) Social engineering: steal a password / keystroke logger / shoulder surf
3) Compromise domain controller: create ICS host or firewall account
4) Attack exposed servers: SQL injection / DOS / buffer-overflows
5) Attack exposed clients: compromised web svrs / file svrs / buffer overflows
6) Session hijacking: MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN: split tunneling / malware propagation
8) Firewall vulnerabilities: bugs / zero-days / default passwd / design vulns
9) Errors and omissions: bad FW rules / configs / IT reaches through FWs
10) Forge an IP address: firewall rules are IP-based
Photo: Red Tiger Security
Firewalls have been with us for almost 30 years now. Good guys and bad guys both know how to defeat them.

Common Attack Pattern
Persistent, Targeted Attacks
- Use spear phishing to punch through corporate firewalls
- Use custom malware to evade anti-virus
- Operate malware by interactive remote control
- Steal administrator passwords / password hashes
- Create new administrator accounts on domain controller
- Use new accounts to log in: no need to break in any more; defeats software update programs
- Bypasses standard IT security controls to include firewalls, encryption, AV, and security updates

Secure Integration of Historian Data
- Hardware-enforced unidirectional server replication
- Replica server contains all data and functionality of original
- Corporate workstations communicate only with replica server
- Industrial network and critical assets are physically inaccessible from corporate network and secure from external online attacks
[Diagram, Unidirectional Historian Replication. Industrial Network (OT): PLCs, RTUs, Historian Server, Waterfall TX agent, Waterfall TX Module. Corporate Network (IT): Waterfall RX Module, Waterfall RX agent, Replica Server, Workstations]

Waterfall FLIP
- Unidirectional Gateway whose direction can be reversed
- File transfers, AV signatures, security updates, system updates, etc.
- Useful in remote unstaffed sites like substations, pumping stations, etc.
- Triggered on-demand or on a pre-defined schedule
- Still unidirectional
- Prevents interactive remote control: it cannot flip fast enough to permit Remote Desktop or interactive SSH sessions
- No protocol-level attacks pass through
- No fuzzing attacks or buffer overflows
- All communication sessions terminate in agent hosts
FLIP: Stronger than firewalls; stronger than removable media

Waterfall Unidirectional Gateway Connectors
- Leading Industrial Applications/Historians: Schneider ClearSCADA, InStep eDNA; OSIsoft PI, PI AF, GE iHistorian, GE iFIX; Scientech R*Time, GE OSM, Bently-Nevada; Siemens: WinCC/SINAUT/Spectrum; Emerson Ovation, Wonderware Historian; SQLServer, Oracle, MySQL, Postgres, SAP; AspenTech IP21, Matrikon Alert Manager
- Leading IT Monitoring Applications: Log Transfer, SNMP, SYSLOG; CA Unicenter, CA SIM, HP OpenView, IBM Tivoli; HP ArcSight SIEM, McAfee ESM SIEM
- File/Folder Mirroring: Folder, tree mirroring, remote folders (CIFS); FTP/FTFP/SFTP/TFPS/RCP
- Leading Industrial Protocols: OPC: DA, HDA, A&E, UA; DNP3, ICCP, Modbus; GENA, IEC 60870-5-104, IEC 61850
- Remote Access: Remote Screen View; Secure Bypass
- Other connectors: UDP, TCP/IP; NTP, Multicast Ethernet; Video/Audio stream transfer; Mail server/mail box replication; IBM MQ series, Microsoft MSMQ; Antivirus / Patch (WSUS) updaters; Remote print server
World's largest collection of COTS industrial server replications

Best Practices Continue to Evolve
- Unidirectional gateways defeat targeted attacks, insider attacks, and malware propagation

Flexible Solutions
- Secure Bypass
- Inbound / Outbound Gateways
- FLIP
- Unidirectional Security Gateways
- Application Data Control (ADC)
- Remote Screen View (RSV)

Which Networks are Expendable?
- Attacks only become more sophisticated over time
- Modern attacks routinely defeat firewalls and security software
- As malware evolves, best practices evolve
- Hardware-enforced Unidirectional Security Gateways are stronger than firewalls
- Absolute protection from external network attacks
So, which of your networks are expendable enough to protect with software alone?

Waterfall Security Solutions
- Headquarters in Israel with sales and operations office in the US
- Hundreds of global deployments in all critical infrastructure sectors
- Industry leaders with analyst recognition: 2012, 2013, and 2014 Best Practice Awards for Industrial Network Security and Oil & Gas Security practices
- IT and OT security architects should consider Waterfall for their Operations networks.
- Waterfall solutions deliver an innovative, well thought-out fast-track solution for quickly securing OT infrastructures against ever-changing cyber-threats.
- Strategic partnership agreements and cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors

Contact Info
Michael A. Piccalo, CISSP
Email: michaelp@waterfall-security.com
Phone: 1-832-707-4080
Web: www.waterfall-security.com

Data Integrity
- High quality optical hardware
- Forward error correcting codes
- Able to send every message multiple times; duplicates discarded
- Sequence numbers, heartbeats: prompt error detection
- Throughput tuning
- Buffers at every stage of transmission
- Backfill: manual retransmission
- High availability: no single point of failure impairs data movement
- Automatic, periodic backfill
- In practice, less than 5% of users purchase high-availability
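
The receive-side checks named on the Data Integrity slide (repeated sends with duplicates discarded, sequence numbers, heartbeats, backfill) can be sketched as follows. This is an added example, not Waterfall's code or protocol: the frame layout, the timeout value and every name are assumptions, and CRC32 is used for error detection only, not as the slide's forward error correction.

```python
# Added illustration; not Waterfall's protocol. Frame layout and all names are assumptions.
import struct
import zlib

SEQ = struct.Struct(">Q")   # 8-byte sequence number
CRC = struct.Struct(">I")   # CRC32 over sequence number + payload

def encode(seq, payload):
    body = SEQ.pack(seq) + payload
    return body + CRC.pack(zlib.crc32(body))

class OneWayReceiver:
    """Receive side of a link with no return channel: it can never ask for a resend."""
    def __init__(self, heartbeat_timeout=5.0):
        self.timeout = heartbeat_timeout
        self.next_seq, self.last_rx = 0, None
        self.missing = set()               # gaps to hand to an operator for backfill
        self.delivered, self.duplicates, self.corrupt = [], 0, 0

    def receive(self, frame, now):
        body, tail = frame[:-CRC.size], frame[-CRC.size:]
        if len(frame) < SEQ.size + CRC.size or CRC.unpack(tail)[0] != zlib.crc32(body):
            self.corrupt += 1              # damaged frame: drop, rely on the repeat copy
            return
        self.last_rx = now
        seq, payload = SEQ.unpack_from(body)[0], body[SEQ.size:]
        if seq in self.missing:            # late copy or backfill closes a gap
            self.missing.discard(seq)
        elif seq < self.next_seq:          # repeat of a frame already handled
            self.duplicates += 1
            return
        else:                              # new frame; anything skipped is a gap
            self.missing.update(range(self.next_seq, seq))
            self.next_seq = seq + 1
        if payload:                        # empty payload is a heartbeat
            self.delivered.append((seq, payload))

    def link_silent(self, now):
        return self.last_rx is None or now - self.last_rx > self.timeout

def run_demo():
    """Constructed traffic: every frame sent twice, seq 1 lost, one copy of seq 3 damaged."""
    rx = OneWayReceiver()
    frames = [b"tag1=10", b"tag2=20", b"", b"tag3=30", b"tag4=40"]  # seq 2 = heartbeat
    for seq, payload in enumerate(frames):
        for copy in range(2):
            frame = encode(seq, payload)
            if seq == 1:
                continue                   # both copies lost in transit
            if seq == 3 and copy == 0:
                frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
            rx.receive(frame, now=float(seq))
    return rx
```

Because the heartbeat consumes a sequence number, the loss of seq 1 is noticed as soon as the heartbeat arrives, and the receiver can only record the gap for a later backfill from the sending side.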