Safe Network Integration


UNIDIRECTIONAL SECURITY GATEWAYS
Safe Network Integration
Stronger than Firewalls
Shaul Pescovsky, Sales Director, Waterfall Security Solutions
shaul@waterfall-security.com
Proprietary Information -- Copyright 2014 by Waterfall Security Solutions

Security Landscape
- 1M ICS hosts on the Internet? 500K in NA? Really only 7,000
- Heartbleed: encryption in lots of products, websites & VPNs broken
- NSA supply chain revelations. Does anyone really believe it was only the NSA?
- Always more ICS vulnerabilities found, and patching a change-controlled network is slow
- Heartbleed drives home the point: all software has bugs. Some bugs are security holes. So in practice, all software can be hacked

Cyber Perimeter - How Secure are Firewalls Really?
Attack Type / UGW / Fwall
1) Phishing / drive-by-download: victim pulls your attack through firewall
2) Social engineering: steal a password / keystroke logger / shoulder surf
3) Compromise domain controller: create ICS host or firewall account
4) Attack exposed servers: SQL injection / DOS / buffer overflows
5) Attack exposed clients: compromised web svrs / file svrs / buffer overflows
6) Session hijacking: MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN: split tunneling / malware propagation
8) Firewall vulnerabilities: bugs / zero-days / default passwd / design vulns
9) Errors and omissions: bad fwall rules / configs / IT reaches through fwalls
10) Forge an IP address: firewall rules are IP-based
Attack Success Rate legend: Impossible / Routine / Easy
Photo: Red Tiger Security
Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them

Risk-Based Best Practice Security
- Attacks only become more sophisticated
- 2007's pervasive threat: professional-grade organized-crime botnets
- Best-practice defense: security updates, firewalls, anti-virus
- 2014's pervasive threat: professional-grade remote-control targeted attacks
- Best-practice: Unidirectional hardware protections
- Emerging threat: cloud control
- Security best practices must evolve as threats evolve
- Business Objectives drive Risk Assessments drive Best Practice Security drive Compliance

Waterfall's Technology: Standards & Guidelines
- ENISA: unidirectional gateways provide better protection than firewalls
- Unidirectional gateways limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)
- ANSSI Cybersecurity for ICS: many requirements for hardware-enforced unidirectionality
- DHS recommends unidirectional gateways in security assessments (ICS CERT)
- NRC & NEI exempt unidirectionally-protected sites from 21 of 26 cyber-perimeter rules
- NERC CIP exempts unidirectionally-protected sites from over 35% of requirements

Safe IT/OT Integration: Historian Replication
- Hardware-enforced unidirectional server replication
- Replica server contains all data and functionality of original
- Corporate workstations communicate only with replica server
- Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
[Diagram: Industrial Network (PLCs, RTUs, Historian Server, Waterfall TX agent) -> Waterfall TX Module -> Waterfall RX Module -> Corporate Network (Waterfall RX agent, Replica Server, Workstations). Caption: Unidirectional Historian replication]

Safe IT/OT Integration: OPC Replication
- OPC-DA protocol is complex: based on DCOM object model, intensely bi-directional
- TX agent is OPC client. RX agent is OPC server
- OPC protocol is used only in production network, and business network, but not across unidirectional gateways
[Diagram: Industrial Network (PLCs, RTUs, OPC Server, TX agent / OPC Client) -> Waterfall TX Module -> Waterfall RX Module -> Corporate Network (RX agent / OPC Server, Corporate Historian, Workstations). OPC is spoken on each side only]
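
The historian and OPC replication slides both describe a TX agent that reads the plant-side server and an RX agent that rebuilds a replica with no return path. The sketch below is an added example, not Waterfall's code or wire format: the frame layout, the repeat-for-redundancy scheme, the tag names and the simulated link are all assumptions chosen to show what a receiver must do when it can never ask for a retransmission.

```python
import struct
import zlib

# Hypothetical frame: 4-byte sequence, 2-byte length, payload, CRC32 trailer.
HEADER = struct.Struct(">IH")

def tx_frames(samples, repeat=2):
    """TX agent: reads the plant-side server as a client, then pushes frames.
    No return path means no ACKs, so each frame is sent `repeat` times."""
    for seq, (tag, value) in enumerate(samples):
        payload = f"{tag}={value}".encode()
        body = HEADER.pack(seq, len(payload)) + payload
        frame = body + struct.pack(">I", zlib.crc32(body))
        for _ in range(repeat):
            yield frame

class RxAgent:
    """RX agent: rebuilds the replica from frames alone and never replies."""
    def __init__(self):
        self.replica, self.gaps = {}, []
        self.next_seq = self.rejected = 0

    def receive(self, frame):
        body, trailer = frame[:-4], frame[-4:]
        if len(body) < HEADER.size or struct.pack(">I", zlib.crc32(body)) != trailer:
            self.rejected += 1          # damaged in transit: drop silently
            return
        seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length:
            self.rejected += 1
            return
        if seq < self.next_seq:         # redundant copy already applied
            return
        self.gaps.extend(range(self.next_seq, seq))  # lost for good: record it
        tag, _, value = payload.decode().partition("=")
        self.replica[tag] = float(value)
        self.next_seq = seq + 1

def replicate(samples, drop=(), corrupt=()):
    """Run TX -> RX over a simulated one-way link with loss and bit errors."""
    rx = RxAgent()
    for i, frame in enumerate(tx_frames(samples)):
        if i in drop:
            continue
        if i in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        rx.receive(frame)
    return rx

# Constructed historian samples (tag names are made up for the example).
SAMPLES = [("TI-101", 71.5), ("PI-204", 3.2), ("TI-101", 72.0), ("FI-310", 15.0)]
```

Losing one copy of a frame is absorbed by the redundant copy; losing both leaves a recorded gap that the corporate-side replica has to surface to operators, since nothing can be requested back through the gateway.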

Use Case: Protecting Entire Substation
- Continuous monitoring of substation via DNP3 / IEC 60870-5-104
- FLIP on demand when commands come through
- FLIP trigger raises alarm if too many FLIPs
- Trigger controller cannot be compromised by network attack
- How many FLIPs are normal, not suspicious?
[Diagram: Substation Electronic Security Perimeter (Relays, RTUs) -- FLIP -- WAN -- EMS]
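
The slide's question, how many FLIPs are normal, can be answered from a known-good period and then enforced as a rate alarm. This is an added example, not Waterfall's trigger logic: the log format, the event names, the one-hour window and the sample logs are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def parse_flips(lines):
    """Yield timestamps of FLIP events from 'timestamp EVENT' log lines."""
    for line in lines:
        stamp, _, event = line.strip().partition(" ")
        if event == "FLIP":
            yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def window_counts(times, window):
    """For each event, yield (time, number of events in the trailing window)."""
    recent = deque()
    for t in times:
        recent.append(t)
        while t - recent[0] >= window:
            recent.popleft()
        yield t, len(recent)

def learn_limit(baseline_lines, window):
    """Highest FLIP rate seen in a known-good period: the 'normal' ceiling."""
    counts = window_counts(parse_flips(baseline_lines), window)
    return max((n for _, n in counts), default=0)

def flip_alarms(lines, window, limit):
    """Return the times at which the FLIP rate exceeds the learned limit."""
    counts = window_counts(parse_flips(lines), window)
    return [t for t, n in counts if n > limit]

WINDOW = timedelta(hours=1)

# Constructed logs: a normal operating day, then a burst at 02:00.
BASELINE = [
    "2014-05-01T08:00:00 FLIP", "2014-05-01T08:20:00 FLIP",
    "2014-05-01T09:00:00 POLL", "2014-05-01T12:00:00 FLIP",
    "2014-05-01T16:00:00 FLIP", "2014-05-01T16:10:00 FLIP",
    "2014-05-01T16:50:00 FLIP",
]
OBSERVED = [f"2014-05-02T02:{m:02d}:00 FLIP" for m in (0, 5, 10, 15, 20)]
OBSERVED.append("2014-05-02T09:00:00 FLIP")

if __name__ == "__main__":
    limit = learn_limit(BASELINE, WINDOW)
    for t in flip_alarms(OBSERVED, WINDOW, limit):
        print("ALARM: FLIP rate above", limit, "per hour at", t.isoformat())
```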

Use Case: Continuous Adjustment
- Continuous monitoring of substation via DNP3 / IEC 60870-5-104
- Continuous command channel
- Separate channels, not command/response
- Unlike a firewall, does not forward messages; resists fuzzing & buffer-overflow attacks
[Diagram: Substation Electronic Security Perimeter (Relays, RTUs) -- separate channels -- WAN -- EMS]

Waterfall's Mission: Replace ICS Firewalls
- Waterfall's mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
- Enables safe IT/OT integration, remote services, industrial cloud
[Figure: product positioning chart. Technology labels: Routers; Firewalls; Secure Bypass; Secure Inbound / Outbound; Waterfall FLIP(TM); Unidirectional Security Gateways. Environment labels: Not For IT Security Networks; Offshore Platforms; BES Control Centers; Substations, Generation, Batch Processing, Refining; Primary Production, Safety Systems]

Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA
- Deployed world-wide in all critical infrastructure sectors
- 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
- IT and OT security architects should consider Waterfall for their operations networks
- Waterfall is key player in the cyber security market 2010, 2011, & 2012
- Only unidirectional technology on US Department of Homeland Security's National SCADA Security Test Bed, and Japanese CSSC Test Bed

Waterfall Product Accreditations
- Only unidirectional technology with cyber security assessment by Idaho National Laboratories
- Certified Common Criteria EAL4+ (High Attack Potential)
- Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors
- Recognized as an industrial cyber-security best-practice by DHS, NERC CIP, NRC, industry analysts & leading industrial cyber-security experts
- Market leader for unidirectional server replication in industrial environments

Safe, Hardware-Enforced IT/OT/Network Integration
- All software can be hacked. Which of our control equipment is so expendable that we are willing to protect it with software only?
- Unidirectional Gateways defeat modern interactive remote control (IRC) attacks
- Disciplined remote support is possible: RSV, Secure Bypass & parallel IT/OT WANs
- The FLIP defeats IRC attacks and still lets data flow into protected networks
- Application Data Control delivers on the promises long made by next-gen firewalls
- Hardware-enforced unidirectional protections are today's best practices

THANK YOU