New Technologies for Substation Cyber Hardening

Oct 03, 2021

Page 1: New Technologies for Substation Cyber Hardening

Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions

UNIDIRECTIONAL SECURITY GATEWAYS™

New Technologies for Substation Cyber Hardening

2014

Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions Ltd.

Andrew Ginter
VP Industrial Security
Waterfall Security Solutions

Page 2: New Technologies for Substation Cyber Hardening

Waterfall's Mission: Replace ICS Firewalls

● Waterfall’s mission: revolutionize ICS perimeter security with technologies that are stronger than firewalls

● Enables safe IT/OT integration, remote services, industrial cloud

[Figure: perimeter technologies shown: Routers, Firewalls, Unidirectional Security Gateways, Waterfall FLIP™, Secure Inbound / Outbound, Secure Bypass. Application labels in the figure: Not For Security; IT Networks; Offshore Platforms; BES Control Centers; Substations, Generation, Batch Processing, Refining; Primary Production, Safety Systems.]

Page 3: New Technologies for Substation Cyber Hardening

Firewalls at Cyber Perimeters – Really?

Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat firewalls.

Photo: Red Tiger Security

Attack Success Rate: Impossible / Difficult / Straight-Forward

| Attack Type | UGW | Fwall |
| --- | --- | --- |
| 1) Phishing / drive-by-download – victim pulls your attack through firewall | 4 | 2 |
| 2) Social engineering – steal a password / keystroke logger / shoulder surf | 4 | 1 |
| 3) Compromise domain controller – create ICS host or firewall account | 4 | 2 |
| 4) Attack exposed servers – SQL injection / DOS / buffer-overflows | 4 | 2 |
| 5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows | 4 | 2 |
| 6) Session hijacking – MIM / steal HTTP cookies / command injection | 4 | 2 |
| 7) Piggy-back on VPN – split tunneling / malware propagation | 4 | 2 |
| 8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns | 4 | 2 |
| 9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls | 4 | 2 |
| 10) Forge an IP address – firewall rules are IP-based | 4 | 2 |
| Total Score | 40 | 19 |

Page 4: New Technologies for Substation Cyber Hardening

Emerging Threat: Targeted Attacks

● Use “spear phishing” to punch through corporate firewalls – or sometimes more conventional attacks on web & other servers

● Use custom malware to evade anti-virus

● Operate malware by interactive remote control

● Steal administrator passwords / password hashes

● Create new administrator accounts on domain controller

● Use new accounts to log in – no need to “break in” any more – defeats software update programs

Bypasses standard IT security controls: firewalls, encryption, AV, security updates

Page 6: New Technologies for Substation Cyber Hardening

Conventional Network Integration

● Corporate users reach into plant historian through firewall

● Corporate users send queries/requests, historian responds

[Diagram: PLCs, RTUs and Historian on the Industrial Network; Firewall; Workstations on the Corporate Network]

Page 7: New Technologies for Substation Cyber Hardening

Unidirectional Security Gateways

[Diagram: Unidirectional Historian replication. Industrial Network: PLCs, RTUs, Historian Server, Waterfall TX agent, Waterfall TX appliance. Corporate Network: Waterfall RX appliance, Waterfall RX agent, Replica Server, Workstations.]

● Hardware-enforced unidirectional server replication

● Replica server contains all data and functionality of original

● Corporate workstations communicate only with replica server

● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack

Page 8: New Technologies for Substation Cyber Hardening

DNP3 Replication

[Diagram: Industrial Network: RTUs, Substation Controller, Waterfall TX agent, Waterfall TX appliance. Corporate Network: Waterfall RX appliance, Waterfall RX agent, WAN, EMS. DNP3 is labelled on both sides of the gateway.]

● TX agent is DNP3 master – polls substation & accepts exception reports

● RX agent is DNP3 slave – responds to EMS polls and sends report-by-exception reports to EMS

● No DNP3 packets pass through gateway
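
An added example, not part of the original slides and not Waterfall's code: a simplified Python model of the DNP3 replication described above, in which only point values cross the link and every EMS session terminates at the RX agent. The point names, the JSON payload, the `NOT_SUPPORTED` status and the refusal of control requests are assumptions of this model.

```python
import json
from collections import deque

class OneWayLink:
    """Software stand-in for the TX/RX appliance pair (real enforcement is in hardware)."""
    def __init__(self):
        self._queue = deque()
    def send(self, payload: bytes) -> None:       # end handed to the TX agent only
        self._queue.append(payload)
    def drain(self) -> list:                      # end handed to the RX agent only
        items, self._queue = list(self._queue), deque()
        return items

class Substation:
    """Constructed sample device with two hypothetical points."""
    def __init__(self):
        self.points = {"breaker_52A": 1, "bus_kv": 138.2}
    def poll(self) -> dict:
        return dict(self.points)

class TxAgent:
    """DNP3 master on the industrial side: polls, then forwards values, never frames."""
    def __init__(self, substation, send):
        self.substation, self.send = substation, send
    def cycle(self) -> None:
        self.send(json.dumps(self.substation.poll()).encode())

class RxAgent:
    """DNP3 slave on the WAN side: answers the EMS from its own replica."""
    def __init__(self, drain):
        self.drain, self.replica, self.refused = drain, {}, []
    def sync(self) -> None:
        for payload in self.drain():
            self.replica.update(json.loads(payload))
    def handle(self, request: dict) -> dict:
        if request["function"] == "READ":
            return dict(self.replica)
        # Assumption: non-read requests end here; no reference to the substation exists.
        self.refused.append(request)
        return {"status": "NOT_SUPPORTED"}

def demo():
    link, substation = OneWayLink(), Substation()
    tx, rx = TxAgent(substation, link.send), RxAgent(link.drain)
    tx.cycle()
    rx.sync()
    read = rx.handle({"function": "READ"})
    control = rx.handle({"function": "DIRECT_OPERATE", "point": "breaker_52A", "value": 0})
    return read, control, substation.points["breaker_52A"], len(rx.refused)
```

The control request is answered by the RX agent alone, and the breaker value on the industrial side is unchanged afterwards.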

Page 9: New Technologies for Substation Cyber Hardening

Leading Industrial Applications/Historians

● OSIsoft PI, PI AF, GE iHistorian, GE iFIX

● Scientech R*Time, Instep eDNA, GE OSM

● Siemens: WinCC/SINAUT/Spectrum

● Emerson Ovation, Wonderware Historian

● SQLServer, Oracle, MySQL, Postgres, SAP

● AspenTech IP21, Matrikon Alert Manager

● Schneider ClearSCADA

Leading IT Monitoring Applications

● Log Transfer, SNMP, SYSLOG

● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli

● HP ArcSight SIEM, McAfee ESM SIEM

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/FTFP/SFTP/TFPS/RCP

Leading Industrial Protocols

● OPC: DA, HDA, A&E, UA

● DNP3, ICCP, Modbus

● GENA, IEC 60870-5-104, IEC 61850

Remote Access

● Remote Screen View™

● Secure Bypass

Other connectors

● UDP, TCP/IP

● NTP, Multicast Ethernet

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM MQ series, Microsoft MSMQ

● Antivirus updater, patch (WSUS) updater

● Remote print server

Waterfall Unidirectional Gateway Connectors

World’s largest collection of COTS industrial server replications

Page 11: New Technologies for Substation Cyber Hardening

Waterfall FLIP™

● Contains: TX module, RX Module, Trigger Controller (CPU)

● Trigger: button / key, schedule

FLIP is a Unidirectional Gateway which can “flip over”

Page 12: New Technologies for Substation Cyber Hardening

Waterfall Flip™ - Reversing Orientation

Page 13: New Technologies for Substation Cyber Hardening

Waterfall Flip™ - Replicate to WAN

Page 14: New Technologies for Substation Cyber Hardening

Waterfall Flip™ - Replicate to Substation

Page 15: New Technologies for Substation Cyber Hardening

Possible FLIP States

● Relays: one way, other way, or neither way

● Nine possible states

| RX State \ TX State | Inside | Outside | Disconnected |
| --- | --- | --- | --- |
| Inside | Internal network is connected to internal network. No connection to external network. No harm done | Outside network sends data unidirectionally to internal network. Normal operation | Networks are disconnected. No harm done |
| Outside | Internal network sends data unidirectionally to external network. Normal operation | External network is connected to external network. No connection to internal network. No harm done | Networks are disconnected. No harm done |
| Disconnected | Networks are disconnected | Networks are disconnected | Networks are disconnected |

Page 16: New Technologies for Substation Cyber Hardening

FLIP: Stronger than Firewalls

● Designed to prevent interactive remote control: cannot allow data to flow both ways at once

● Trigger mechanism cannot be subverted by data passing through

● Firewalls forward messages, FLIP & Gateways do not

● TX Agents are clients. They ask for data and forward the answers/data

● No protocol-level attacks pass through – no fuzzing/buffer overflows. All comms sessions terminate in agent hosts.

Page 17: New Technologies for Substation Cyber Hardening

Use Case: Protecting Protection Equipment

● Deployed between protective relays and rest of substation

● Continuous monitoring of relays

● FLIP every 2 months or so – send batch of new passwords and possibly new firmware into batch-mode update mechanism

● No interactive remote control for relays

[Diagram: Relays behind a FLIP inside the Substation Electronic Security Perimeter; RTUs; Firewall; WAN; EMS]

Page 18: New Technologies for Substation Cyber Hardening

Use Case: Protecting Entire Substation

● Continuous monitoring of substation via DNP3

● FLIP periodically – new passwords, firmware, configurations, setpoints

● No interactive remote control for entire substation

[Diagram: Relays and RTUs inside the Substation Electronic Security Perimeter; FLIP; WAN; EMS]

Page 19: New Technologies for Substation Cyber Hardening

Evolving Best Practices

New best practice: unidirectional gateways & FLIP defeat targeted attacks, insider attacks & malware propagation

Page 20: New Technologies for Substation Cyber Hardening

Waterfall Security Solutions

● Headquarters in Israel, sales and operations office in the USA

● Hundreds of sites deployed in all critical infrastructure sectors

● The only unidirectional technology on US Department of Homeland Security’s National SCADA Security Test Bed, and Japanese CSSC Test Bed

2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice

IT and OT security architects should consider Waterfall for their operations networks

Waterfall is key player in the cyber security market – 2010, 2011, & 2012

Page 21: New Technologies for Substation Cyber Hardening

Waterfall Product Accreditations

● Only unidirectional technology with a cyber security assessment by Idaho National Laboratories

● Certified Common Criteria EAL4+ (High Attack Potential)

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Schneider Electric, Westinghouse, and many other industrial vendors

● Hold US patents for SCADA/control networks security using Unidirectional Gateways

Market leader for unidirectional server replication in industrial environments

Page 22: New Technologies for Substation Cyber Hardening

Improving BES Reliability

● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks

● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security

● Costs: reduces security operating costs – improves security and saves money in the long run

“Waterfall’s unique solutions have the potential to be the industry’s next game changing standard”

BES will be measurably more reliable when Unidirectional Gateways are deployed more widely