Stronger Than Firewalls: Unidirectional Security Gateways



Similar documents
New Technologies for Substation Cyber Hardening

Cyber Security Summit Milano, IT

Safe Network Integration

Strong Security in NERC CIP Version 5: Unidirectional Security Gateways

UNIDIRECTIONAL SECURITY GATEWAYS. Utilizing Unidirectional Security Gateways to Achieve Cyber Security for Industrial Environments

13 Ways Through A Firewall What you don t know will hurt you

13 Ways Through A Firewall

An Analysis of the Capabilities Of Cybersecurity Defense

Introduction to Waterfall Unidirectional Security Gateways: True Unidirectionality, True Security

How To Protect Your Network From Attack From A Hacker (For A Fee)

CRITICAL INFRASTRUCTURE

Applying NERC-CIP CAN-0024 Guidance for Data Diodes To Unidirectional Security Gateways

Waterfall for NERC-CIP Compliance

An International Perspective on Security and Compliance

IT Security and OT Security. Understanding the Challenges

Stronger than Firewalls And Cheaper Too

Experience with Unidirectional Security Gateways Protecting Industrial Control Systems

Meeting the Cybersecurity Standards of ANSI/ISA with Data Diodes

Using Tofino to control the spread of Stuxnet Malware

Industrial Security for Process Automation

RuggedCom Solutions for

OPC & Security Agenda

NERC CIP Version 5 and the PI System

Cyber Security for NERC CIP Version 5 Compliance

Innovative Defense Strategies for Securing SCADA & Control Systems

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

SCADA Security Training

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS. Massimo Petrini (*), Emiliano Casale TERNA S.p.A.

PCN Cyber-security Considerations for Manufacturers. Based on Chevron Phillips Chemical Company PCN Architecture Design and Philosophy

Verve Security Center

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Security Testing in Critical Systems

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Remote Access Considered Dangerous. Andrew Ginter, VP Industrial Security Waterfall Security Solutions

Lessons Learned from AMI Pioneers Follow the Path to Success

On-Premises DDoS Mitigation for the Enterprise

GE Measurement & Control. Cyber Security for NERC CIP Compliance

Chapter 9 Firewalls and Intrusion Prevention Systems

Scalable Secure Remote Access Solutions

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

Holistic View of Industrial Control Cyber Security

Critical Controls for Cyber Security.

Increasing Situational Awareness and Multi-zone Protection of Utility Infrastructure

SecFlow Security Appliance Review

Locking down a Hitachi ID Suite server

Ovation Security Center Data Sheet

OWL PERIMETER DEFENSE SOLUTION INSTALLATION AT SAUDI ARABIAN FERTILIZER COMPANY (SAFCO)

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

SCADA SYSTEMS AND SECURITY WHITEPAPER

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

New Era in Cyber Security. Technology Development

OWL PERIMETER DEFENSE SOLUTION (OPDS) INSTALLATION AT SAFCO

Network Security Infrastructure Testing

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Barracuda Web Filter Administrator s Guide

Symphony Plus Cyber security for the power and water industries

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

IBM. Vulnerability scanning and best practices

Gateway Security at Stateful Inspection/Application Proxy

The Information Revolution for the Enterprise

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Networking for Caribbean Development

The Importance of Cybersecurity Monitoring for Utilities

Ovation Security Center Data Sheet

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Reclamation Manual Directives and Standards

OPCNet Broker TM for Industrial Network Security and Connectivity

Secure Substation Automation for Operations & Maintenance

SCADA Cyber Security

Cyber Security nei prodotti di automazione

Designing a security policy to protect your automation solution

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

GE Measurement & Control. Cyber Security for NEI 08-09

Securely Connect, Network, Access, and Visualize Your Data

Barracuda Link Balancer

SANS Top 20 Critical Controls for Effective Cyber Defense

Achieving PCI-Compliance through Cyberoam

RUGGEDCOM CROSSBOW. Secure Access Management Solution. siemens.com/ruggedcom. Edition 10/2014. Brochure

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Introduction of Intrusion Detection Systems

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Transcription:

UNIDIRECTIONAL SECURITY GATEWAYS Stronger Than Firewalls: Unidirectional Security Gateways Colin Blou VP Sales Waterfall Security Solutions Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 2013

Unidirectional Security Gateways Laser in TX, photocell in RX, fibre-optic cable you can send data out, but nothing can get back in to protected network TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Absolute protection against online attacks from external networks Industrial Network Corporate Network Waterfall TX Server Waterfall RX Server Waterfall TX appliance Waterfall RX appliance Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 2

Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Hundreds of sites deployed in all critical infrastructure sectors Best Practice Award 2012, Industrial Network Security 2013 Oil & Gas Customer Value Enhancement Award IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 3

Waterfall Security Solutions Only unidirectional technology on Department of Homeland Security s National SCADA Security Test Bed Hold US patents for SCADA/control networks security using Unidirectional Gateways Only unidirectional technology to pass a cyber security assessment by Idaho National Laboratories Certified Common Criteria EAL4+ (High Attack Potential) Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 4

Industrial Network Connectivity: Drivers and Risks Predictive maintenance: crew scheduling, HR integration, spare parts inventories and ordering Just-in-time manufacturing, real-time inventories, batch records, LIMS integration, production planning, SAP/ERP integration Centralized support: more effective use of skilled personnel, critical mass of current experts next decade s experts But industrial network connects to business network, which connects to Internet & other networks These connections let attackers target critical network with remote, online attacks Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 5

Firewalls at Critical Network Perimeters Attack Type UGW Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 4 2 2) Social engineering steal a password / keystroke logger / shoulder surf 4 1 3) Compromise domain controller create ICS host or firewall account 4 2 4) Attack exposed servers SQL injection / DOS / buffer-overflowd 4 2 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 4 2 6) Session hijacking MIM / steal HTTP cookies / command injection 4 2 7) Piggy-back on VPN split tunneling / malware propagation 4 2 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 4 2 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls 4 2 10) Forge an IP address firewall rules are IP-based 4 2 11) Bypass network perimeter cabling/ rogue wireless / dial-up 1 1 12) Physical access to firewall local admin / no passwd / modify hardware 3 2 13) Sneakernet removable media / untrusted laptops 1 1 Total Score: 45 23 Photo: Red Tiger Security Attack Success Rate: Impossible Extremely Difficult Difficult Straight- Forward Firewalls too weak to deploy without compensating measures Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 6

Emerging Threat: Remote Monitoring and Diagnostics Control system / equipment / turbine vendor site monitors many customer sites, in many countries Central vendor site configured for occasional remote control Industrial network exposed to attack from central site and from other customers / countries Remote control attacks, virus propagation Vendor connection bypasses corporate security protections Industrial network is completely dependent on vendor security Central Monitoring Site Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 7

Secure Historian Replication Hardware-enforced unidirectional historian replication Replica historian contains all data and functionality of original Corporate workstations communicate only with replica historian Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack Industrial Network Corporate Network Workstations PLCs RTUs Historian Queries, Responses TX Agent Host RX Agent Host Commands, Responses Replica Historian TX HW Module RX HW Module Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 8

Secure OPC Replication OPC-DA protocol is complex: based on DCOM object model intensely bi-directional TX agent is OPC client. RX agent is OPC server OPC protocol is used only in production network, and business network, but not across unidirectional gateways Industrial Network Corporate Network Workstations PLCs RTUs OPC Server OPC Polls, Responses TX Agent OPC Client TX HW Module RX Agent OPC Server RX HW Module OPC Polls, Responses Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 9

Waterfall Unidirectional Gateway Connectors Leading Industrial Applications/Historians OSIsoft PI, PI AF, GE ihistorian, GE ifix Scientech R*Time, Instep edna, GE OSM Siemens: WinCC, SINAUT/Spectrum Emerson Ovation, Wonderware Historian SQLServer, Oracle, MySQL, SAP AspenTech, Matrikon Alert Manager Leading IT Monitoring Applications Log Transfer, SNMP, SYSLOG CA Unicenter, CA SIM, HP OpenView, IBM Tivoli HP ArcSight SIEM, McAfee ESM SIEM File/Folder Mirroring Folder, tree mirroring, remote folders (CIFS) FTP/FTFP/SFTP/TFPS/RCP Leading Industrial Protocols OPC: DA, HDA, A&E, UA DNP3, ICCP, Modbus Remote Access Remote Screen View Secure Manual Uplink Other connectors UDP, TCP/IP NTP, Multicast Ethernet Video/Audio stream transfer Mail server/mail box replication IBM MQ series, Microsoft MSMQ Antivirus updater, patch (WSUS) updater Remote print server Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 10

Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 11

Waterfall FLIP Unidirectional Gateway whose direction can be reversed: Regular and randomized security updates & AV signatures Chemicals / refining / mining / pharmaceuticals: batch instructions Substations, pumping stations, remote, unstaffed sites Variety of triggering options When flipped incoming unidirectional gateway replicates servers: no TCP/IP, no remote control attacks Stronger than firewalls, stronger than removable media Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 12

Waterfall Flip - Normal Operation Waterfall TX agent Critical Network Waterfall RX agent TX Module RX Module Waterfall TX agent Waterfall RX agent External Network Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 13

Waterfall Flip - Reversed Waterfall TX agent Critical Network Waterfall RX agent TX Module RX Module Waterfall TX agent Waterfall RX agent External Network Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 14

FLIP: Stronger than Firewalls Outbound data flows are absolutely secure temporary in-bound flows are the concern Remote control is practically impossible there are never in-bound and out-bound data flows simultaneously Gateways replicate servers / terminate protocol sessions no packets forwarded Stronger than firewalls: 100% secure 99% of the time. Still stronger than a firewall the rest of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 15

FLIP for Substations Designed for smaller, un-staffed sites Contains the FLIP and two computers in one 1U Waterfall Cabinet Unidirectional Gateway whose orientation flips occasionally Eg: To allow RESET command after lightning strike To allow occasional security updates or anti-virus updates Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 16

Waterfall FLIP and NERC CIP CIP V3+V4 Non-routable communications All inter-module connections are visible via front panel CIP V5 All communications across ESP are unidirectional Temporary inbound communications are stronger than a firewall Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 17

Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 18

Balancing Authority / Control Center Solution Gateways send commands out to partner utilities. Second channel polls/reports data in Multiply redundant automatic at site, manual fail-over between sites Some ICCP reconfiguration needed channels are independent Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 19

Security: Stronger Than Firewalls In-bound connection is the concern No protocol-level attack passes through the gateways Gateways replicate ICCP servers / terminate ICCP sessions No packets forwarded have to hack each layer in turn Independent unidirectional channels: flying blind - no feedback during attacks Hacking through multiple layers of hosts while flying blind is difficult almost to the point of impossibility Diodes in reverse direction may not be secure, but specific configurations such as ICCP Gateways are much stronger than firewalls Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 20

Perimeter Security Attack Tree Analysis Attack Type BES CC Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 4 2 2) Social engineering steal a password / keystroke logger / shoulder surf 4 1 3) Compromise domain controller create ICS host or firewall account 4 2 4) Attack exposed servers SQL injection / DOS / buffer-overflow 3 2 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 4 2 6) Session hijacking MIM / steal HTTP cookies / command injection 3 2 7) Piggy-back on VPN split tunneling / malware propagation 4 2 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 3 2 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls 3 2 10) Forge an IP address firewall rules are IP-based 4 2 11) Bypass network perimeter cabling/ rogue wireless / dial-up 1 1 12) Physical access to firewall local admin / no passwd / modify hardware 3 2 13) Sneakernet removable media / untrusted laptops 1 1 Total Score: 41 23 Attack Success Rate: Impossible Extremely Difficult Difficult Straight- Forward Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 21

Waterfall's Mission: Replace ICS Firewalls Firewalls do not move data they expose systems Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Many: Examples: Substations Generation Not For IT Offshore BES Control Batch Processing Water Security Networks Platforms Centers Refining Safety Systems Routers Firewalls Secure Secure In/Out FLIP Unidirectional Bypass Configurations Security Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 22

Waterfall Secure Bypass Temporary bypass of security perimeter Hardware enforced: relays connect and disconnect Variety of trigger mechanisms Deployed in parallel with Unidirectional GW: Emergency remote access: offshore platform evacuation Temporary remote access, controlled from the plant side Modular configuration with embedded PC: firewalled and whitelisted 100% secure, 99% of the time As secure as a firewall, 1% of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 23

True Remote Control: Secure Manual Uplink Physically connects/disconnects copper network cables Automatically disconnects again after programmable interval Activation modes: Physical key Electronic key Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 24

Temporary Remote Control On-site personnel decide when to grant access 100% secure, 99% of the time As secure as a firewall the rest of the time Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 25

Waterfall's Mission: Replace ICS Firewalls Waterfall s new mission: revolutionize ICS perimeter security with technologies stronger than firewalls Look for additional product announcements over the next 12 months Substations, Generation, Not For IT Offshore BES Control Batch Processing, Water, Security Networks Platforms Centers Refining, Safety Systems Routers Firewalls Secure WF for BES Waterfall Unidirectional Bypass Control FLIP TM Security Centers Gateways Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 26

Secure Application Integration Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security Costs: reduces security operating costs improves security and saves money in the long run Waterfall s unique solutions have the potential to be the industry s next game changing standard Market leader for unidirectional server replication in industrial environments Proprietary Information -- Copyright 2013 by Waterfall Security Solutions 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information