
Page 1: Securing Critical Cyber Assets with ... - Waterfall Security

Proprietary Information -- Copyright © 2012 by Waterfall Security Solutions Ltd. 2012

NERC-CIP CAN-0024: Securing Critical Cyber Assets with “Data Diodes”

Andrew Ginter Director of Industrial Security Waterfall Security Solutions

Proprietary Information -- Copyright © 2011 by Waterfall Security Solutions Ltd.

Page 2

Unidirectional Security Gateways

● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network

● TX uses 2-way protocols to gather data from protected network

● RX uses 2-way protocols to publish data to external network

● Server replication, not protocol emulation

Page 3

Firewalls Are Not Enough

● Only “essential” connections allowed

● You trust the users, but should you trust their workstations? Their cell phones?

● Firewalls are software - even firewalls have vulnerabilities and “zero days”

● Errors and omissions

● Insider attack from business network – with legitimate credentials

● Costly: procedures, training, management, log reviews, audits, assessments

● Vulnerable: just ask for the password...

Photo: Red Tiger Security

Page 4

Historian Replication

● TX agent is conventional historian client – request copy of new data as it arrives in historian

● RX agent is conventional historian collector – drops new data into replica as it arrives from TX

● TX agent sends historical data and metadata to RX using non-routable, point-to-point protocol

● Complete replica, tracks all changes, new tags, alerts in replica
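The TX/RX agent split on slides 2 and 4 has one consequence worth seeing in code: the RX side can never acknowledge or request a resend, so reliability has to be built into what TX sends. The Python below is an added illustration, not Waterfall's software or protocol; it assumes a simple JSON framing, a constructed historian tag name, and a simulated lossy link. TX numbers every frame and carries each batch of records in two consecutive frames, so a single lost frame costs no data; RX writes whatever arrives into the replica, deduplicating by (tag, timestamp), and reports sequence gaps long enough that every copy of a batch was lost.

```python
"""One-way historian replication over a link with no return path.

Added example (not Waterfall's code): it models the TX/RX agent split from the
slides. Because the RX side can never ACK or NAK, the TX agent numbers every
frame and carries each batch of records in `repeat` consecutive frames, so one
lost frame loses no data, and the RX agent detects sequence gaps it cannot
recover. Historian, link and loss pattern are all simulated and constructed.
"""
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    tag: str      # historian tag, e.g. "TURBINE1.RPM" (constructed name)
    ts: int       # sample time, seconds
    value: float


class TxAgent:
    """Historian client on the protected side: polls new data, emits numbered frames."""

    def __init__(self, repeat: int = 2):
        self.seq = 0
        self.repeat = repeat                  # frames that carry each batch
        self.window: List[List[Record]] = []  # the last `repeat` batches

    def poll(self, batch: List[Record]) -> bytes:
        """Build one frame with this batch plus the previous repeat-1 batches."""
        self.window = (self.window + [batch])[-self.repeat:]
        self.seq += 1
        frame = {"seq": self.seq,
                 "records": [asdict(r) for b in self.window for r in b]}
        return json.dumps(frame).encode()


class RxAgent:
    """Historian collector on the external side: writes whatever arrives into the replica."""

    def __init__(self, repeat: int = 2):
        self.repeat = repeat                    # agreed with TX out of band
        self.replica: Dict[str, Dict[int, float]] = {}   # tag -> ts -> value
        self.last_seq = 0
        self.gaps: List[Tuple[int, int]] = []   # (first, last) missing seq numbers

    def receive(self, frame: Optional[bytes]) -> None:
        if frame is None:       # lost on the wire; there is no way to ask for a resend
            return
        msg = json.loads(frame)
        seq = msg["seq"]
        if seq != self.last_seq + 1:
            self.gaps.append((self.last_seq + 1, seq - 1))
        self.last_seq = seq
        for r in msg["records"]:   # duplicates from the repeat window overwrite harmlessly
            self.replica.setdefault(r["tag"], {})[r["ts"]] = r["value"]

    def unrecoverable(self) -> List[Tuple[int, int]]:
        """Gaps at least `repeat` frames long: every copy of some batch was lost."""
        return [(a, b) for a, b in self.gaps if b - a + 1 >= self.repeat]


def simulate(lost_frames: Set[int], repeat: int = 2):
    """Replicate six one-record batches; frames whose seq is in lost_frames are dropped.

    Returns (timestamps missing from the replica, all gaps seen, unrecoverable gaps).
    """
    source = [[Record("TURBINE1.RPM", t, 3000.0 + t)] for t in range(1, 7)]
    tx, rx = TxAgent(repeat), RxAgent(repeat)
    for batch in source:
        frame = tx.poll(batch)
        rx.receive(None if tx.seq in lost_frames else frame)
    expected = {r.ts for b in source for r in b}
    got = set(rx.replica.get("TURBINE1.RPM", {}))
    return sorted(expected - got), rx.gaps, rx.unrecoverable()


if __name__ == "__main__":
    for loss in (set(), {3}, {3, 4}, {6}):
        missing, gaps, bad = simulate(loss)
        print(f"lost frames {sorted(loss)}: missing samples {missing}, gaps {gaps}, unrecoverable {bad}")
```

Losing frame 3 alone costs nothing, because batch 3 is repeated in frame 4; losing frames 3 and 4 together loses batch 3 for good, and RX can only flag it. The last case is the subtle one: if the final frame is lost and nothing follows it, RX sees no gap at all, which is why a real one-way link needs a periodic heartbeat frame so silence itself becomes detectable.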

Page 5

Unidirectional Communications in the Smart Grid

● Conventional generators – business network interface

● Nuclear generators – safety, control and business network interfaces

● Transmission and distribution systems – business network interface

● Smart meters – back office data flow controls

Page 6

CIP-002 R3: Critical Cyber Assets

● CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,

R3.2. The Cyber Asset uses a routable protocol within a control center; or,

R3.3. The Cyber Asset is dial-up accessible.

● CIP R1-R4 apply only to highest-risk “Critical Cyber Assets”

● Routable and dial-up communications are higher risk than non-routable communications

● CIP was written before unidirectional communications were in widespread use

Page 7

CIP-002 R3: Control Centers

● Control Center: A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations.

● Not all control systems, even those using routable protocols internally, are Bulk Electric System Control Centers

Page 8

CIP-002 R3: Routable Protocols

● Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: A “network” address and a “device” address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks.

● Ethernet frames stay within local network – hardware device (MAC) addresses are meaningless outside the local network

● Internet Protocol (IP) packets are contained inside Ethernet frames in local networks, other kinds of encapsulation in wide area networks

● Internet addresses are recognized throughout the WAN

Internet Protocol packet inside an Ethernet Frame

Page 9

CAN-0024: Stand-Alone Devices

● Stand-alone “data diode” appliances: network in, network out – look from the outside like firewall appliances

● If the stand-alone data diode device has one or more IP addresses, it is “using” a routable protocol for communication.

● No IP addresses generally mean the equipment is not using routable protocols for communication.

Routable Communications

Page 10

Unidirectional Gateways: Pairs of Stand-Alone Devices

● Dual-ported agent hosts use IP within protected and external networks

● But: Gateway appliances have no IP addresses, no IP stack

● Copper connections use raw Ethernet frames with custom protocol – no IP payload or embedded network addresses

● Fiber connection through ESP uses proprietary point-to-point data transfer format

Non-Routable Communications
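Slides 8 to 10 turn on one distinction: a MAC address has no network part, so a raw Ethernet frame cannot be forwarded beyond its segment, while an IP address inside the frame splits into a network address and a device address and can cross networks. The Python below is an added example, not code from the slides or from Waterfall, that applies that reading to bytes an auditor might capture on the copper side of a gateway. It assumes a /24 subnet for the network/device split (the mask is not in the packet) and uses the IEEE local-experimental EtherType 0x88B5 to stand in for an unspecified custom link protocol; both sample frames are constructed.

```python
"""Classify link-layer frames as routable or non-routable.

Added example, not from the slides or from Waterfall: it applies the CIP-002 R3
definition of "routable" to raw bytes. A MAC address has no network part, so an
Ethernet frame on its own cannot be forwarded to another network. When the
EtherType announces an IPv4 or IPv6 payload, the frame carries a routable
protocol whose addresses split into a network part and a device part. A frame
with a private EtherType and no IP payload, like the gateway copper-side
protocol on the slides, stays non-routable. All frames here are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LOCAL_EXPERIMENTAL = 0x88B5  # IEEE local-experimental EtherType; stands in for a custom protocol (assumption)


@dataclass
class Verdict:
    ethertype: int
    routable: bool
    src_ip: Optional[str] = None   # device address as seen in the IP header
    network: Optional[str] = None  # the "network address" part of src_ip
    reason: str = ""


def classify_frame(frame: bytes, ipv4_prefix: int = 24) -> Verdict:
    """Parse the 14-byte Ethernet header and decide whether the frame is routable.

    The subnet prefix is not carried in the packet; ipv4_prefix is the mask an
    auditor would take from the interface configuration (assumed /24 here).
    """
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            raise ValueError("truncated IPv4 header")
        src = ipaddress.IPv4Address(payload[12:16])          # source address field
        net = ipaddress.ip_network(f"{src}/{ipv4_prefix}", strict=False)
        return Verdict(ethertype, True, str(src), str(net.network_address),
                       "IPv4 payload: address has network and device parts, forwardable between networks")
    if ethertype == ETHERTYPE_IPV6:
        if len(payload) < 40:
            raise ValueError("truncated IPv6 header")
        src = ipaddress.IPv6Address(payload[8:24])           # source address field
        net = ipaddress.ip_network(f"{src}/64", strict=False)
        return Verdict(ethertype, True, str(src), str(net.network_address),
                       "IPv6 payload: address has network prefix and interface parts, forwardable between networks")
    return Verdict(ethertype, False, None, None,
                   f"EtherType 0x{ethertype:04x}: MAC addresses only, frame cannot leave the local segment")


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (UDP, checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


# Constructed sample traffic: locally administered MAC addresses, private IPs.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
# 1. An agent host talking IP on the network: routable.
IP_FRAME = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, ipv4_header("10.1.2.30", "10.1.2.40"))
# 2. Agent host to gateway appliance: raw Ethernet, private EtherType, no IP payload.
RAW_FRAME = build_frame(MAC_B, MAC_A, ETHERTYPE_LOCAL_EXPERIMENTAL, b"\x01\x00" + b"TURBINE1.RPM,3001.0")


if __name__ == "__main__":
    for f in (IP_FRAME, RAW_FRAME):
        v = classify_frame(f)
        print(f"routable={v.routable} src_ip={v.src_ip} network={v.network}: {v.reason}")
```

Run against a capture, the first frame is the agent host doing what slide 10 says it does (using IP inside the protected network); the second is the agent-host-to-appliance hop, where the only addresses are MACs and there is no network part to forward on. That is the observable property behind the CAN-0024 reading of the gateway hardware as non-routable.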

Page 11

Embedded Network Interface Cards: Unclear

● CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. … In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement.

● Contradicts CIP-002 R3: embedded NICs are not routable, even if they have IP addresses and use the routable IP protocol

● Expect some confusion regarding embedded NICs

Page 12

NERC-CIP R5 Draft – Routable Communications

● Low / Medium / High Impact Cyber Assets – not determined by dial-up or routable communications

● Distribution Providers now covered by the standard

● External Connectivity = routable or dial-up communications through an Electronic Security Perimeter

● CIP-005 R5 Draft – requirements apply only to Electronic Access Points and remote access systems with routable or dial-up connectivity

● Some requirements for Medium Impact Cyber Assets apply only to assets associated with External Connectivity

● Fewer training, documentation and testing requirements if unidirectional, non-routable communications eliminate the Electronic Access Points.

Page 13

Reduced Security Costs

● Eligible sites: reduced CCA documentation and other costs

● Most sites: 12-24 months cost recovery

● Reduced firewall management costs

● Reduced DMZ equipment management costs

● Reduced audit and compliance documentation costs

● Reduced remote access training costs

● Reduced remote access management costs

20% of NERC-CIP R3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.

Page 14

Strong Security

● Gateway hardware is gate-array programmed - no CPUs, no software, no way for a vulnerability to give an adversary control of the hardware

● Entire gateway solution assessed by Idaho National Labs: no back channels, no side channels, no way back into protected network

● Protection from even advanced, targeted threats and their Remote Administration Tools

● More secure than firewalls and serial connections

Two separate appliances (TX/RX) mean no shared grounds, no shared power and no other shared components which could mask back-channels

Page 15

Waterfall Unidirectional Gateway Connectors

Leading Industrial Applications/Historians

● OSIsoft PI, Scientech R*Time, Instep eDNA

● GE: iHistorian, iFIX, OSM

● Siemens: WinCC, SINAUT/Spectrum

● Emerson Ovation, Matrikon Alert Manager

● Microsoft SQLServer, Wonderware Historian

Leading IT Monitoring Applications

● Log Transfer, SNMP, SYSLOG

● CA Unicenter, CA SIM, HP OpenView

● Nitro SIEM

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/FTPS/SFTP/TFTP/RCP

Leading Industrial Protocols

● Modbus, OPC (DA, HDA, A&E)

● DNP3, ICCP

Remote Access

● Remote Screen View™

● Secure Manual Uplink

Other connectors

● UDP, TCP/IP

● NTP, Multicast Ethernet

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM Websphere MQ series

● Antivirus updater, patch (WSUS) updater

● Remote print server

Page 16

Waterfall Security Solutions

● Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors

● Focused exclusively on industrial markets and industrial server replication

● World’s largest suite of industrial replication solutions, patent protected

● Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed already

● Pike Research: Waterfall is key player in the cyber security market

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors

Market leader for server replication in industrial environments

Page 17

● CAN-0024 guidance identifies Unidirectional Gateways as non-routable

● Unidirectional Gateways reduce the cost of security programs

● Less complex configuration than firewalls

● Lower maintenance costs, less configuration, less to get wrong

● Lower audit costs: less documentation, no remote access, fewer logs

● Unidirectional Gateways are strong security

● Absolute protection from external network attacks

● Stronger than firewalls, stronger than serial connections

● Protects against errors and omissions

● Eliminates remote-control attacks

CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies

Unidirectional Security Gateways