NERC-CIP CAN-0024: Securing Critical Cyber Assets With


NERC-CIP CAN-0024: Securing Critical Cyber Assets with “Data Diodes”
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2011-2012 by Waterfall Security Solutions Ltd.
2012

Unidirectional Security Gateways
- Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to the protected network
- TX uses 2-way protocols to gather data from the protected network
- RX uses 2-way protocols to publish data to the external network
- Server replication, not protocol emulation

Firewalls Are Not Enough
- Only “essential” connections allowed
- You trust the users, but should you trust their workstations? Their cell phones?
- Firewalls are software – even firewalls have vulnerabilities and “zero days”
- Errors and omissions
- Insider attack from business network – with legitimate credentials
- Costly: procedures, training, management, log reviews, audits, assessments
- Vulnerable: just ask for the password.
Photo: Red Tiger Security

Historian Replication
- TX agent is a conventional historian client – requests a copy of new data as it arrives in the historian
- RX agent is a conventional historian collector – drops new data into the replica as it arrives from TX
- TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
- Complete replica, tracks all changes, new tags, alerts in replica
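The TX/RX agent pattern on this slide, as an added Python sketch that is not Waterfall's code: an in-memory one-way channel, a TX agent that polls a constructed historian for new tags and samples, and an RX agent that fills a replica. Because nothing can flow back, the RX side can only notice a lost message, never request a resend; the sequence numbers used for that are this example's own device, not something the deck describes.

```python
from collections import deque

# Constructed sample historian, tag -> [(timestamp, value)]; not data from any real historian.
SOURCE = {"FLOW_01": [(1, 10.0), (2, 10.5), (3, 11.0)],
          "PRESS_02": [(1, 101.3), (3, 101.1)]}

class OneWayChannel:  # stands in for the fibre hop: TX can only append, RX can only take
    def __init__(self): self.queue = deque()
    def send(self, msg): self.queue.append(msg)
    def receive(self): return self.queue.popleft() if self.queue else None

class TxAgent:  # historian client on the protected side, polls for data newer than its watermark
    def __init__(self, historian, channel):
        self.historian, self.channel, self.watermark, self.seq = historian, channel, {}, 0
    def poll(self):
        for tag, samples in self.historian.items():
            if tag not in self.watermark:          # new tag: send its metadata first
                self.watermark[tag] = 0
                self.emit({"type": "tag", "tag": tag})
            for ts, value in samples:
                if ts > self.watermark[tag]:
                    self.watermark[tag] = ts
                    self.emit({"type": "sample", "tag": tag, "ts": ts, "value": value})
    def emit(self, msg):
        self.seq += 1                              # sequence number lets RX notice loss
        self.channel.send(dict(msg, seq=self.seq))

class RxAgent:  # historian collector on the external side, writes into the replica, records gaps
    def __init__(self, channel):
        self.channel, self.replica, self.expected, self.gaps = channel, {}, 1, []
    def drain(self):
        while (msg := self.channel.receive()) is not None:
            if msg["seq"] != self.expected:        # no way to ask for a resend: record the gap
                self.gaps.append((self.expected, msg["seq"]))
            self.expected = msg["seq"] + 1
            if msg["type"] == "tag":
                self.replica.setdefault(msg["tag"], [])
            else:
                self.replica[msg["tag"]].append((msg["ts"], msg["value"]))

def replicate(source, drop_seq=None):
    # one poll/drain cycle; drop_seq simulates a single message lost on the one-way link
    channel = OneWayChannel()
    tx, rx = TxAgent(source, channel), RxAgent(channel)
    tx.poll()
    if drop_seq is not None:
        channel.queue = deque(m for m in channel.queue if m["seq"] != drop_seq)
    rx.drain()
    return rx.replica, rx.gaps
```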

Unidirectional Communications in the Smart Grid
- Conventional generators – business network interface
- Nuclear generators – safety, control and business network interfaces
- Transmission and distribution systems – business network interface
- Smart meters – back office data flow controls

CIP-002 R3: Critical Cyber Assets
CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
  R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
  R3.2. The Cyber Asset uses a routable protocol within a control center; or,
  R3.3. The Cyber Asset is dial-up accessible.
- CIP R1-R4 apply only to highest-risk “Critical Cyber Assets”
- Routable and dial-up communications are higher risk than non-routable communications
- CIP was written before unidirectional communications were in widespread use

CIP-002 R3: Control Centers
Control Center: A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations.
- Not all control systems, even those using routable protocols internally, are Bulk Electric System Control Centers

CIP-002 R3: Routable Protocols
Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: A “network” address and a “device” address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks.
- Ethernet frames stay within the local network – hardware device (MAC) addresses are meaningless outside the local network
- Internet Protocol (IP) packets are contained inside Ethernet frames in local networks, with other kinds of encapsulation in wide area networks
- Internet addresses are recognized throughout the WAN
Figure: Internet Protocol packet inside an Ethernet frame

CAN-0024: Stand-Alone Devices
- Stand-alone “data diode” appliances: network in, network out – look from the outside like firewall appliances
- If the stand-alone data diode device has one or more IP addresses, it is “using” a routable protocol for communication.
- No IP addresses generally means the equipment is not using routable protocols for communication.
Figure: Routable Communications

Unidirectional Gateways: Pairs of Stand-Alone Devices
- Dual-ported agent hosts use IP within the protected and external networks
- But: gateway appliances have no IP addresses, no IP stack
- Copper connections use raw Ethernet frames with a custom protocol – no IP payload or embedded network addresses
- Fiber connection through the ESP uses a proprietary point-to-point data transfer format
Figure: Non-Routable Communications
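The routable-protocol test from the CIP-002 R3 slide, applied to the raw-Ethernet copper link described here, as an added Python example that is not Waterfall's code: it parses a frame, reads the EtherType (also behind an 802.1Q tag), and reports routable only when the payload is IP, whose addresses have a network part a router can forward on. The frames and MACs are constructed, and EtherType 0x88B5 (the IEEE local-experimental value) is assumed as a stand-in for a vendor's custom protocol, since the deck names none.

```python
import ipaddress
import struct

# Routable EtherTypes: IPv4/IPv6 addresses have a network part and a host part, so routers can
# forward them between networks (the CIP-002 R3 definition). 0x88B5 is the IEEE local-experimental
# EtherType, used here as a stand-in for a raw-Ethernet custom protocol (assumption: the deck
# names no EtherType for the gateway's copper link).
ROUTABLE = {0x0800: "IPv4", 0x86DD: "IPv6"}
VLAN_TAG, CUSTOM = 0x8100, 0x88B5

def classify_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame and report whether its payload carries routable addresses."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == VLAN_TAG:                    # 802.1Q tag: the real EtherType follows it
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "protocol": ROUTABLE.get(ethertype, "local-only"), "routable": ethertype in ROUTABLE}
    if ethertype == 0x0800:                      # IPv4: src/dst addresses at header bytes 12..19
        s, d = frame[offset + 12:offset + 16], frame[offset + 16:offset + 20]
        info["src_ip"], info["dst_ip"] = str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d))
    elif ethertype == 0x86DD:                    # IPv6: src/dst addresses at header bytes 8..39
        s, d = frame[offset + 8:offset + 24], frame[offset + 24:offset + 40]
        info["src_ip"], info["dst_ip"] = str(ipaddress.IPv6Address(s)), str(ipaddress.IPv6Address(d))
    return info

def network_part(ip: str, prefix_len: int) -> str:
    """The 'network' half of a routable address, the part a router forwards on (MACs have none)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False).network_address)

def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; checksum left zero, protocol 17 = UDP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

# Constructed sample frames with locally administered (02:...) MACs; not captured traffic.
MAC_TX, MAC_RX = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_FRAME = MAC_RX + MAC_TX + struct.pack("!H", 0x0800) + ipv4_header("10.1.2.3", "192.168.50.7")
VLAN_IP_FRAME = (MAC_RX + MAC_TX + struct.pack("!HHH", VLAN_TAG, 100, 0x0800)
                 + ipv4_header("10.1.2.3", "192.168.50.7"))
CUSTOM_FRAME = MAC_RX + MAC_TX + struct.pack("!H", CUSTOM) + b"\x01tag=FLOW_01;ts=3;v=11.0"

if __name__ == "__main__":
    for name, frame in [("ip", IP_FRAME), ("vlan+ip", VLAN_IP_FRAME), ("custom", CUSTOM_FRAME)]:
        print(name, classify_frame(frame))
```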

Embedded Network Interface Cards: Unclear
CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement.
- Contradicts CIP-002 R3: the guidance treats embedded NICs as non-routable, even if they have IP addresses and use the routable IP protocol
- Expect some confusion regarding embedded NICs

NERC-CIP R5 Draft – Routable Communications
- Low / Medium / High Impact Cyber Assets – not determined by dial-up or routable communications
- Distribution Providers now covered by the standard
- External Connectivity: routable or dial-up communications through an Electronic Security Perimeter
- CIP-005 R5 Draft – requirements apply only to Electronic Access Points and remote access systems with routable or dial-up connectivity
- Some requirements for Medium Impact Cyber Assets apply only to assets associated with External Connectivity
- Fewer training, documentation and testing requirements if unidirectional, non-routable communications result in the elimination of Electronic Access Points.

Reduced Security Costs
- Eligible sites: reduced CCA documentation and other costs
- Most sites: 12-24 months cost recovery
- Reduced firewall management costs
- Reduced DMZ equipment management costs
- Reduced audit and compliance documentation costs
- Reduced remote access training costs
- Reduced remote access management costs
20% of NERC-CIP R3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.

Strong Security
- Gateway hardware is gate-array programmed – no CPUs, no software, no way for a vulnerability to give an adversary control of the hardware
- Entire gateway solution assessed by Idaho National Labs: no back channels, no side channels, no way back into the protected network
- Protection from even advanced, targeted threats and their Remote Administration Tools
- More secure than firewalls and serial connections
Two appliances (TX/RX) means no shared grounds, no shared power, or other shared components which can mask back-channels

Waterfall Unidirectional Gateway Connectors

Leading Industrial Applications/Historians
- OSIsoft PI, Scientech R*Time, Instep eDNA
- GE: iHistorian, iFIX, OSM
- Siemens: WinCC, SINAUT/Spectrum
- Emerson Ovation, Matrikon Alert Manager
- Microsoft SQL Server, Wonderware Historian

Leading Industrial Protocols
- Modbus, OPC (DA, HDA, A&E)
- DNP3, ICCP

Remote Access
- Remote Screen View
- Secure Manual Uplink

Leading IT Monitoring Applications
- Log Transfer, SNMP, SYSLOG
- CA Unicenter, CA SIM, HP OpenView
- Nitro SIEM

File/Folder Mirroring
- Folder, tree mirroring, remote folders (CIFS)
- FTP/FTFP/SFTP/TFPS/RCP

Other connectors
- UDP, TCP/IP
- NTP, Multicast Ethernet
- Video/Audio stream transfer
- Mail server/mail box replication
- IBM Websphere MQ series
- Antivirus updater, patch (WSUS) updater
- Remote print server

Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors
- Focused exclusively on industrial markets and industrial server replication
- World’s largest suite of industrial replication solutions, patent protected
- Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed already
- Pike Research: Waterfall is a key player in the cyber security market
- Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
Market leader for server replication in industrial environments

Unidirectional Security Gateways
- CAN-0024 guidance identifies Unidirectional Gateways as non-routable
- Unidirectional Gateways reduce the cost of security programs
  - Less complex configuration than firewalls
  - Lower maintenance costs, less configuration, less to get wrong
  - Lower audit costs: less documentation, no remote access, fewer logs
- Unidirectional Gateways are strong security
  - Absolute protection from external network attacks
  - Stronger than firewalls, stronger than serial connections
  - Protects against errors and omissions
  - Eliminates remote-control attacks
CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies
