Page 1
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions
UNIDIRECTIONAL SECURITY GATEWAYS™
New Technologies forSubstation Cyber Hardening
2014Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions Ltd.
Andrew GinterVP Industrial SecurityWaterfall Security Solutions
Page 2
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 2
Waterfall's Mission: Replace ICS Firewalls
● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
● Enables safe IT/OT integration, remote services, industrial cloud
Routers Firewalls UnidirectionalSecurity
Gateways
WaterfallFLIPTM
Secure Inbound / Outbound
SecureBypass
Substations, Generation,Not For IT Offshore BES Control Batch Processing, Primary Production,Security Networks Platforms Centers Refining Safety Systems
Page 3
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 3
Firewall have been with us for 30 years now. The good guys and the bad guys both know how to defeat firewalls
Firewalls at Cyber Perimeters – Really?
Photo: Red Tiger Security
Attack Success Rate:
Impossible DifficultStraight-Forward
Attack Type UGW Fwall
1) Phishing / drive-by-download – victim pulls your attack through firewall 4 2
2) Social engineering – steal a password / keystroke logger / shoulder surf 4 1
3) Compromise domain controller – create ICS host or firewall account 4 2
4) Attack exposed servers – SQL injection / DOS / buffer-overflowd 4 2
5) Attack exposed clients – compromised web svrs/ file svrs / buf-overflows 4 2
6) Session hijacking – MIM / steal HTTP cookies / command injection 4 2
7) Piggy-back on VPN – split tunneling / malware propagation 4 2
8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns 4 2
9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls 4 2
10) Forge an IP address – firewall rules are IP-based 4 2
Total Score: 40 19
Page 4
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 4
Emerging Threat: Targeted Attacks
● Use “spear phishing” to punch through corporate firewalls – or sometimes more conventional attacks on web & other servers
● Use custom malware to evade anti-virus
● Operate malware by interactive remote control
● Steal administrator passwords / password hashes
● Create new administrator accounts on domain controller
● Use new accounts to log in – no need to “break in” any more – defeatssoftware update programs
Bypasses standard IT securitycontrols: firewalls, encryption, AV,security updates
Page 5
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 5
Waterfall's Mission: Replace ICS Firewalls
● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
● Enables safe IT/OT integration, remote services, industrial cloud
Routers Firewalls UnidirectionalSecurity
Gateways
WaterfallFLIPTM
Secure Inbound / Outbound
SecureBypass
Substations, Generation,Not For IT Offshore BES Control Batch Processing, Primary Production,Security Networks Platforms Centers Refining Safety Systems
Page 6
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 6
Conventional Network Integration
● Corporate users reach into plant historian through firewall
● Corporate users send queries/requests, historian responds
PLCs
RTUs
WorkstationsCorporate NetworkIndustrial Network
HistorianF
irew
all
Page 7
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 7
PLCs
RTUs
Historian
Server
Workstations
Replica
ServerWaterfall
TX agent
Waterfall
RX agent
Corporate NetworkIndustrial Network
Unidirectional Historian replication
Waterfall
TX applianceWaterfall
RX appliance
Unidirectional Security Gateways
● Hardware-enforced unidirectional server replication
● Replica server contains all data and functionality of original
● Corporate workstations communicate only with replica server
● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
Page 8
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 8
RTUs
Substation
ControllerWaterfall
TX agent
Waterfall
RX agent
Corporate NetworkIndustrial Network
Waterfall
TX applianceWaterfall
RX appliance
DNP3 Replication
● TX agent is DNP3 master – polls substation & accepts exception reports
● RX agent is DNP3 slave – responds to EMS polls and sends report by exception reports to EMS
● No DNP3 packets pass through gateway
DNP3 DNP3
WAN
EMS
Page 9
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 9
Leading Industrial Applications/Historians
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC/SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQLServer, Oracle, MySQL, Postgres, SAP
● AspenTech IP21, Matrikon Alert Manager
● Schneider ClearSCADA
Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView,IBM Tivoli
● HP ArcSight SIEM , McAfee ESM SIEM
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTFP/SFTP/TFPS/RCP
Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus
● GENA, IEC 60870-5-104, IEC 61850
Remote Access
● Remote Screen View™
● Secure Bypass
Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM MQ series, Microsoft MSMQ
● Antivirus updater, patch (WSUS) updater
● Remote print server
Waterfall Unidirectional Gateway Connectors
World’s largest collection of COTS industrial server replications
Page 10
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 10
Waterfall's Mission: Replace ICS Firewalls
● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls
● Enables safe IT/OT integration, remote services, industrial cloud
Routers Firewalls UnidirectionalSecurity
Gateways
WaterfallFLIPTM
Secure Inbound / Outbound
SecureBypass
Substations, Generation,Not For IT Offshore BES Control Batch Processing, Primary Production,Security Networks Platforms Centers Refining Safety Systems
Page 11
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 11
Waterfall FLIP™
● Contains: TX module, RX Module, Trigger Controller (CPU)
● Trigger: button / key, schedule
FLIP is aUnidirectionalGateway which can“flip over”
Page 12
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 12
Waterfall Flip™ - Reversing Orientation
Page 13
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 13
Waterfall Flip™ - Replicate to WAN
Page 14
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 14
Waterfall Flip™ - Replicate to Substation
Page 15
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 15
Possible FLIP States
● Relays: one way,other way, orneither way
● Nine possiblestates
TX State:
RX State
Inside Outside Disconnected
Inside Internal network
is connected to
internal network
No connection to
external network
No harm done
Outside network
sends data
unidirectionally
to internal
network
Normal operation
Networks are
disconnected
No harm done
Outside Internal network
sends data
unidirectionally
to external
network
Normal operation
External network
is connected to
external network
No connection to
internal network
No harm done
Networks are
disconnected
No harm done
Disconnected Networks are
disconnected
Networks are
disconnected
Networks are
disconnected
Page 16
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 16
FLIP: Stronger than Firewalls
● Designed to prevent interactive remote control: cannot allow data to flow both ways at once
● Trigger mechanism cannot be subverted by data passing through
● Firewalls forward messages, FLIP & Gateways do not
● TX Agents are clients. They ask for data and forward the answers/data
● No protocol-level attacks pass through – no fuzzing/buffer overflows. All comms sessions terminate in agent hosts.
FLIP: Stronger than firewalls
Page 17
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 17
Use Case: Protecting Protection Equipment
● Deployed between protective relays and rest of substation
● Continuous monitoring of relays
● FLIP every 2 months or so – send batch of new passwords and possibly new firmware into batch-mode update mechanism
● No interactive remote control for relays
Relays RTUs
FLIP
SubstationElectronic Security Perimeter
Firew
all
WAN
EMS
Page 18
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 18
Use Case: Protecting Entire Substation
● Continuous monitoring of substation via DNP3
● FLIP periodically – new passwords, firmware, configurations, setpoints
● No interactive remote control for entire substation
Relays RTUs
SubstationElectronic Security Perimeter
EMSFLIP
WAN
Page 19
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 19
Evolving Best Practices
New best practice: unidirectional gateways & FLIP defeattargeted attacks, insider attacks & malware propagation
Page 20
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 20
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
IT and OT security architects should consider Waterfall for their operations networks
Waterfall is key player in the cyber security market –2010, 2011, & 2012
● The only unidirectional technology onUS Department of Homeland Security’sNational SCADA Security Test Bed,and Japanese CSSC Test Bed
Waterfall Security Solutions
Page 21
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 21
● Only unidirectional technology with a cyber security assessment by Idaho National Laboratories
● Certified Common Criteria EAL4+ (High Attack Potential)
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors
● Hold US patents for SCADA/controlnetworks security using Unidirectional Gateways
Market leader for unidirectionalserver replication in industrial environments
Waterfall Product Accreditations
Page 22
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions 22
Improving BES Reliability
● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks
● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
● Costs: reduces security operating costs – improves security and saves money in the long run
“Waterfall’s unique solutions have thepotential to be the industry’s next game changing standard”
BES will be measurably morereliable when Unidirectional Gatewaysare deployed more widely