Page 1
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions
UNIDIRECTIONAL SECURITY GATEWAYS™
2014
Challenges of Cybersecurity Implementations for Process Control Systems
Michael Firstenberg, Director of Industrial Security, Waterfall Security Solutions
Page 2
Security Landscape
● 1M ICS hosts on the Internet? 500K in NA? Really only 7,000
● Heartbleed – encryption in lots of products, websites & VPNs broken
● NSA supply chain revelations. Does anyone really believe it was only the NSA?
● Always more ICS vulnerabilities found, and patching a change-controlled network is slow
Heartbleed drives home the point: all software has bugs. Some bugs are security holes. So in practice, all software can be hacked.
Page 3
Who Are We Worried About?

| Threat | Resources | Methods | Existing Protection | Examples |
|---|---|---|---|---|
| Nation-state, sleeper insiders | High | Highly targeted, autonomous | none | Stuxnet, NSA supply chain |
| Targeted Persistent Attacks | Medium | Targeted, manual remote control | NEI | Aurora, Night Dragon, Shady Rat, Ghostnet |
| Disgruntled insider with access to ICS | Low | Targeted: social engineering | ISA, API, NERC-CIP | Maroochy |
| Insider with access to IT network | Low | Targeted: social engineering | NIST | IT examples |
| Organized crime | Medium | High volume, automated | ISA, API, NERC-CIP | Zeus, Conficker |
Page 4
Targeted Persistent Attacks
● Use “spear phishing” or server attacks to punch through firewalls
● Use custom malware to evade anti-virus
● Operate malware by interactive remote control
● Steal administrator passwords / password hashes
● Create new administrator accounts on domain controller
● Use new accounts to log in – no need to “break in” any more – defeats software update programs
IT teams are unable to block these targeted attacks at the corporate perimeter.
Page 5
IT vs ICS - Safety, Reliability, Confidentiality

| Attribute | Enterprise / IT | Control System |
|---|---|---|
| Scale | Huge – 100,000’s of devices | 100-500 devices per DCS |
| Priority | Confidentiality | Safety and reliability |
| Target | Data | Equipment |
| Exposure | Constant exposure to Internet content / attacks | Exposed to business network, not Internet |
| Equipment lifecycle | 3-5 years | 10-20 years |
| Security discipline | Speed / aggressive change – stay ahead of the threats | Security is an aspect of safety - Engineering Change Control (ECC) |

The difference between IT and ICS is control
Page 6
Reliability + Safety Risks = Soft ICS Interior
● Cyber safety and reliability risks arise from ability to control physical equipment
● Testing security updates and AV updates for reliability and safety takes longer – sometimes much longer
● Tens of thousands of vulnerabilities are waiting to be discovered in ICS software
● Old, out-of-support hardware and software
● Encrypted/authenticated communications debate for critical devices may never be resolved
Strong perimeter protection will always be disproportionately important in ICS defense-in-depth programs
Page 7
Physical Security
● Strictly control access to critical ICS computers
● Reduce risks due to USB, CD-ROMs, cell phone connections and other removable media / networking
● Reduce risks due to rogue laptops & other equipment plugged into ICS / safety networks
● Entire ICS network must lie within physical security perimeter
● No silver bullet:
  ● Insider threat is still real
  ● Distant adversaries can compromise equipment over Internet / remote control
Photo: Idaho National Labs
Page 8
Sneakernet
● Device control – low-impact software to control which users and ports can accept which kinds of USB / CD / DVD device
● Network Access Control – refuses access to unauthorized laptops
● Supply chain - offline scans of hard disks of new equipment, physical inspections
● The most cautious firms purchase USB peripherals from distant, random locations
● Training & Awareness
Be paranoid. Everything that crosses the physical or cyber perimeter is a threat.
Page 9
Device Control & Whitelisting
● Whitelisting: strictly control what software is allowed to run where
  ● Currently used more for “devices” with complex embedded operating systems than for entire ICS systems
● Device control: forbid entirely the execution of software from removable media, control what kinds of USB devices (keyboards, mice) are allowed to be connected to which ports
  ● Less intrusive than whitelisting, applied more commonly to larger parts of ICS systems
● No silver bullet:
  ● Cannot prevent remote control of legitimate applications
Page 10
Cyber Perimeter - How Secure are Firewalls Really?
Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them.
Photo: Red Tiger Security
Attack Success Rate:
Impossible Routine Easy
Attack Type UGW Fwall
1) Phishing / drive-by-download – victim pulls your attack through firewall
2) Social engineering – steal a password / keystroke logger / shoulder surf
3) Compromise domain controller – create ICS host or firewall account
4) Attack exposed servers – SQL injection / DOS / buffer-overflows
5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows
6) Session hijacking – MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN – split tunneling / malware propagation
8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns
9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls
10) Forge an IP address – firewall rules are IP-based
Page 11
Technical Shortcomings of Firewalls
● Well short of secure initially
● The “deny any any” rule
● Order of your firewall ruleset
● Multiple administration services
● Multiple passwords
A Tufin Technologies survey found that 86% of hackers believe that they can break through any firewall.
Photo: Idaho National Labs
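The two ruleset bullets on this slide (the final “deny any any” rule and the order of the ruleset) can be checked mechanically. The following is an added example, not part of the original slides: a first-match evaluator over a constructed ruleset that reports rules which can never fire because a single earlier rule already covers them, and a missing terminal deny. The rule format and the addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:                      # hypothetical rule format, for illustration only
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int] = None   # None = any port

def _net(cidr):
    return ipaddress.ip_network(cidr)

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.port is None or a.port == b.port))

def first_match(rules, src, dst, port):
    """Evaluate a packet the way a first-match firewall does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s in _net(r.src) and d in _net(r.dst) and r.port in (None, port):
            return i, r.action
    return None, "no-match"      # what happens here depends on the product

def audit(rules):
    """Flag rules fully covered by one earlier rule, and a missing final deny-any-any."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "shadowed" if rules[i].action != later.action else "redundant"
                findings.append((kind, j, i))
                break
    if not (rules and rules[-1].action == "deny"
            and covers(rules[-1], Rule("deny", ANY, ANY))):
        findings.append(("no-terminal-deny", len(rules), None))
    return findings

# Constructed sample ruleset (private-range placeholder addresses).
RULES = [
    Rule("permit", "10.1.0.0/16", "192.168.50.0/24"),        # 0: broad permit
    Rule("deny",   "10.1.7.0/24", "192.168.50.10/32", 502),  # 1: never fires
    Rule("permit", "10.1.0.0/16", "192.168.50.20/32", 443),  # 2: redundant
]
FIXED = [RULES[1], RULES[0], Rule("deny", ANY, ANY)]  # specific first, deny last
```

In `RULES` the deny at index 1 is dead because the broad permit above it matches first; `FIXED` moves the specific rule up and ends with an explicit deny.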
Page 12
Technical Shortcomings – Part 2
● Software and hardware issues (e.g. code updates, loose power cables) can affect ops and business.
● May not be able to operate in the harsher conditions of plants and may need to be replaced more often
● Dependencies on corporate network, where SLAs are not as high
● New vulnerabilities are introduced with new software
Firewalls have external dependencies which affect their capabilities.
Page 13
Technical Shortcomings – Part 3
All TCP connections through the firewall are bi-directional
Outbound access = Inbound C&C
Page 15
Unidirectional Security Gateways: Server Replication
[Diagram: Unidirectional Historian replication. Labels: Industrial Network, PLCs, RTUs, Historian, Waterfall TX agent, Waterfall TX appliance, Waterfall RX appliance, Waterfall RX agent, Replica Historian, Workstations, Corporate Network]
● Hardware-enforced unidirectional server replication
● Replica server contains all data and functionality of original
● External clients communicate only with replica historian
● 100% secure from online attacks from external networks
● Replicate historian servers, OPC servers, RDB servers, Modbus, etc.
Page 16
Waterfall FLIP™ Defeats Interactive Remote Control
● Unidirectional Gateway whose direction can be reversed:
● Chemicals / refining / mining / pharmaceuticals: batch instructions
● Water systems: periodic security updates & anti-virus signatures
● Remote unstaffed sites: substations, pumping stations
● Trigger: button / key, schedule
● Stronger than firewalls, stronger than removable media
The FLIP is a Unidirectional Gateway that can “flip over”
Page 17
Deep Content Control
● Trend in firewalls for 30 years is towards increasingly deep understanding, inspection of, and control of communications protocols
● Deep content control inspects and controls individual fields, tags, values, flags & files passing between networks
● Supports open protocols, proprietary protocols, ICS protocols, fragmented protocols – anything that an endpoint can make sense of
● DCC is generally a client, pulling only desired data. Servers try to sort out anything a client/attacker sends them.
Deep Content Control protects both ICS networks from IT networks, and IT networks from ICS networks
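A sketch of the field-level control described in the bullets on this slide, added here as an example and not Waterfall's implementation: a filter that passes only allowlisted historian tags whose values have the expected type and range, and rebuilds each record so that no other field crosses the boundary. The tag names, record layout and limits are assumptions.

```python
import math

# Hypothetical policy: tag name -> (type, min, max). Tags not listed are dropped.
POLICY = {
    "FIC101.PV": (float, 0.0, 500.0),
    "TI204.PV":  (float, -40.0, 650.0),
    "P12.RUN":   (bool, None, None),
}

def filter_record(rec, policy=POLICY):
    """Return (clean_record, None) or (None, reason). Raw input is never forwarded."""
    if not isinstance(rec, dict):
        return None, "not-a-record"
    tag = rec.get("tag")
    if not isinstance(tag, str) or tag not in policy:
        return None, "tag-not-allowed"
    typ, lo, hi = policy[tag]
    val = rec.get("value")
    if typ is bool:
        if not isinstance(val, bool):
            return None, "bad-type"
    else:
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(val, bool) or not isinstance(val, (int, float)):
            return None, "bad-type"
        val = float(val)
        if math.isnan(val) or not (lo <= val <= hi):
            return None, "out-of-range"
    ts = rec.get("ts")
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        return None, "bad-timestamp"
    # Rebuild from validated fields only; extra keys never cross the boundary.
    return {"tag": tag, "value": val, "ts": ts}, None

def transfer(records):
    """Split a batch into records that may cross and reasons for those that may not."""
    passed, dropped = [], []
    for rec in records:
        clean, reason = filter_record(rec)
        (passed if clean else dropped).append(clean or reason)
    return passed, dropped

# Constructed sample batch.
SAMPLE = [
    {"tag": "FIC101.PV", "value": 212.5, "ts": 1400000000},
    {"tag": "FIC101.PV", "value": 212.5, "ts": 1400000001, "cmd": "write"},  # extra field
    {"tag": "FIC101.SP", "value": 300.0, "ts": 1400000002},                  # tag not listed
    {"tag": "TI204.PV", "value": float("nan"), "ts": 1400000003},            # NaN value
    {"tag": "P12.RUN", "value": 1, "ts": 1400000004},                        # int, not bool
]
```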
Page 18
Evolving Best Practices – Unidirectional Gateways
NERC CIP exempts unidirectionally-protected sites from over 35% of requirements
DHS recommends unidirectional gateways in security assessments (ICS CERT)
NRC & NEI exempt unidirectionally-protected sites from 21 of 26 cyber-perimeter rules
Unidirectional gateways – limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)
ENISA - unidirectional gateways provide better protection than firewalls
NIST - unidirectional gateways prevent any connectivity of traffic between domains (800-82)
Page 19
Best Practices Continue to Evolve
Unidirectional gateways defeat targeted attacks, insider attacks & malware propagation
Page 20
Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
IT and OT security architects should consider Waterfall for their operations networks
Waterfall is a key player in the cyber security market – 2010, 2011, & 2012
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
Page 21
ICS Relies Heavily on Perimeter Protection
● If IT protections cannot prevent modern attacks from breaching IT networks, why are they adequate for ICS networks?
● Unidirectional Gateways defeat modern interactive remote control attacks
● Everything crossing physical or cyber perimeters is a threat
● Deep Content Control supports open protocols as well as proprietary, industrial protocols
Hardware-enforced unidirectional protections are today’s best practices