Securing Power Generation With Unidirectional Security Gateways

Transcription

Proprietary Information – Copyright 2015 by Waterfall Security Solutions Ltd.

Securing Power Generation with Unidirectional Security Gateways
A Unidirectional Reference Architecture
August 2015

Copyright 2015 by Waterfall Security Solutions Ltd. All Rights Reserved.

Legal Notice & Disclaimer

Any and all third party intangible and/or proprietary and/or intellectual property rights ("Third Parties’ Rights"), mentioned herein, whether registered or not, including, without limitation, patents, trademarks, service marks, trade names, copyrights and computer applications, belong to their respective owners. Waterfall Security Solutions Ltd. disclaims any and all interest in all such Third Parties’ Rights. It is forbidden to copy, modify, amend, delete, augment, publish, transmit, create derivative works of, create or sell products derived from, display or post, or in any other way exploit or use such Third Parties’ Rights without the express authorization of their respective owners.

Except as specified herein, Waterfall Security Solutions Ltd. does not guarantee nor make any representations with regard to any and all third party tangible and/or intangible and/or proprietary and/or intellectual property ("Third Party Property") mentioned herein. Waterfall Security Solutions Ltd. does not endorse nor makes warranties as to the completeness, accuracy or reliability of such Third Party Property, and all such warranties are hereby expressly and strictly disclaimed.

Waterfall Security Solutions Ltd.
21 Hamelacha St. Afek Industrial Park, Rosh Ha’ayin, 48091 Israel
Office: 972-3-9003700; Fax: 972-3-9003707

North America Offices, Waterfall Security Solutions USA.
1133 Broadway, Suite 708, New York, NY, 10010
Office: (212) 714-6058; Fax: (212) 465-3497
www.waterfall-security.com

Table of Contents

Executive Summary ... 4
Modern Threats ... 5
IT-Centric Security Not Enough for Power Plants ... 6
Modern Protections: Unidirectional Gateways ... 7
Use Case: Safe IT/OT Integration ... 8
  Historian and Database Replication ... 8
  Optional: Security Updates ... 8
  Optional: SIEM and Other IT Integrations ... 8
  Security Benefits ... 9
Use Case: Vendor Remote Monitoring ... 10
  Vendor Monitoring ... 10
  Optional: Remote Adjustment ... 10
  Security Benefits ... 10
Use Case: Control Center Communications ... 12
  Secure Control of Peaking Plants ... 12
  Security Benefits ... 12
Use Case: Protecting Relay and Safety Networks ... 13
  Secure Monitoring of Safety and Protection Systems ... 13
  Security Benefits ... 13
NERC CIP Compliance Benefits ... 14
  Exemptions from 30% of NERC CIP V5 Requirements ... 14
  NERC CIP V6 ... 15
Cost Savings ... 16
  IT/OT Cost Savings ... 16
  Other Cost Savings ... 16
  The Cost of Risk ... 17
Unidirectional Reference Architecture ... 18
Which of Our Control Systems Is Expendable? ... 20
About Waterfall Security Solutions ... 21

Executive Summary

Cyber threats become more sophisticated over time, and so our defenses must continue to evolve as well. Traditional IT-style defensive architectures depend unduly on firewalls and intrusion detection systems. Firewalls allow attacks to pass from untrusted to trusted networks. Intrusion detection systems detect some attacks, and miss others. In most cases detecting, investigating and remediating intrusions takes so long that intrusion detection systems are not effective at preventing attackers from achieving their cyber-espionage, cyber-sabotage or equipment-damaging goals. This is unacceptable.

This paper describes a modern reference architecture for defense-in-depth network protection of power plants, illustrated in Figure (1). The architecture recognizes that every computer, device or machine exchanging messages with the Internet is potentially compromised and therefore untrustworthy, and that every machine exchanging messages with an untrustworthy machine is similarly untrustworthy. In the Figure then, only the green and blue plant networks are trustworthy.

Figure (1): Modern Unidirectional Reference Architecture

These networks are protected by Unidirectional Gateway technologies, whose stronger-than-firewalls protections eliminate the threat of network attacks from untrusted networks, and eliminate external network connectivity cyber risks to protected, reliability-critical networks.

This architecture supports all business needs and modern communications requirements for electric generation sites including:

- Safe IT/OT integration
- ICS & turbine vendor remote monitoring
- Control center communications
- Protecting relay and safety networks
- Reduced NERC CIP V5 and V6 compliance costs

Given that unidirectional, stronger-than-firewall protections and architectures exist and are in widespread use, we all must begin asking: “which of our turbines, generators and indeed entire power plants are expendable enough to protect with firewalls and software alone?” The answer is self-evident. The time to act is now; the threat grows by the day.

Modern Threats

The electric grid has been identified as a strategic target for nation-state, terrorist, hacktivist and other attacks, and power plants are essential elements of the electric grid. Targeted “ransomware” attacks can encrypt control system components, triggering shutdowns long enough to tempt a utility to pay the attacker’s multi-million dollar demands. Hacktivists seeking to embarrass utilities or punish them for some imagined slight need only damage a handful of control system computers to trigger multi-day outages. More-sophisticated attacks on protective relays and safety instrumented systems risk consequences such as equipment damage, injuries and environmental damage.

Modern Attacks:
- Penetrate firewalls by spear-phishing,
- Evade anti-virus systems with custom malware deployed in volumes too low to trigger AV signature creation,
- Use professionals to operate sophisticated malware by interactive remote control,
- Gather passwords and password hashes,
- Create accounts on domain controllers and remote access systems, and then
- Log in to those accounts like any other user.

Textbook, modern, network attacks begin with a piece of malware gaining a foothold on corporate networks, established by deceiving a power utility’s employee into downloading and running an attachment. The attachment is generally custom-written, so that no anti-virus, intrusion prevention, or intrusion detection signatures identify the attachment as malware. The malware typically tunnels a remote control connection to a command and control server on the Internet, by hiding its communications within a web application protocol the corporate firewall thinks it understands, and therefore allows. The attacker uses the remote control connection to compromise select additional machines, on the same network or deeper in the network architecture through layers of firewalls. In this way, the attackers are able to reach and interact with even those machines and networks that are configured to be unable to interact with the Internet. Once deep enough into their target, these attackers ultimately launch their end-game attack: either stealing information, shutting down control systems and entire plants, or even damaging rotating equipment.

These modern attacks routinely defeat all software protections, including firewalls, encryption, intrusion detection systems, anti-virus systems, security update programs, and strong password management systems.

IT-Centric Security Not Enough for Power Plants

For years, IT-centric security has been held up as the “gold standard” for control system networks. This understanding is changing. Increasingly, experts recognize that IT-centric security fails to meet the needs of control system networks.

Traditional control-system defense-in-depth advice recommends firewalls, encryption, anti-virus systems, security updates and many other host and network hardening measures. A traditional, firewall-based network architecture is illustrated in Figure (2).

Figure (2): Traditional firewall-centric network architecture

Traditional IT-centric advice recognizes that firewalls are porous by design; they forward messages from untrusted to trusted networks. IT-centric advice further recognizes that all software-based security mechanisms have vulnerabilities. All of this is why the pinnacle of traditional defense-in-depth advice is always Intrusion Detection Systems (IDSs) staffed by security experts, in effect “pitting our experts against theirs.” IT-centric advice encourages a determination to actively seek out compromised machines, contain them, identify stolen data, and restore the affected machines from backups.

An expert consensus is emerging which regards this traditional IT-centric advice as insufficient to address the threat of modern, cyber-sabotage attacks on power plants. The essential difference between IT systems and control systems is, not surprisingly, control. Control systems operate large, complex, dangerous physical processes. Damaged turbines and transformers cannot be “restored from backup.” Worse, intrusion detection, response and remediation take time: months for the average compromise. For all of this time, a remote attacker has control of our critical control and protection systems.

Modern advice for control systems recognizes that, while intrusion detection has a place in a defensive architecture, the foundation of the architecture must be intrusion prevention. Any malicious operation of plant equipment, however briefly, poses an unacceptable risk.

Modern Protections: Unidirectional Gateways

Advice for the protection of control system networks is being updated to reflect the stronger-than-firewall protections afforded by a family of technologies based on and complementing Unidirectional Security Gateways.

Table (1): Unidirectional Security Gateway Technologies

Unidirectional Security Gateway: Unidirectional Security Gateways are used when data flows out of a critical network routinely, and when updates are required back into that network only rarely. Unidirectional Gateways permit data to flow out of critical networks into less-trusted networks, but physically prevent any attack, any message and any signal whatsoever from passing back into reliability-critical networks.

Waterfall FLIP: The Waterfall FLIP is used when data flows out of a critical network routinely, and when updates must flow back into that network frequently and periodically. The FLIP is a Unidirectional Security Gateway whose orientation can periodically reverse. The FLIP hardware makes remote-control persistent targeted attacks physically d

Inbound/Outbound Unidirectional Gateways: Unidirectional Gateways are used when continuous data flows are necessary both out of and into critical networks. Two completely independent Unidirectional Gateway systems are deployed to support the continuous data flows.

Application Data Control: Application Data Control is a software add-on to all of the above products providing policy-based controls over industrial data flows, even for encrypted, compressed, proprietary and undocumented industrial protocols. This represents an extra layer of fine-grained control, in addition to the hardware-based unidirectional protections.

Secure Bypass: Secure Bypass is an electromechanical switch, able to electrically connect and disconnect two copper network cables. The default mode for the switch is the disconnected state. In reliability emergencies, the switch can be manually activated to permit conventional interactive remote access for the duration of the declared emergency.

Waterfall Security Solutions’ family of Unidirectional Security Gateway products all provide stronger-than-firewall protections for control system networks, and are designed specifically to defeat modern, professional-grade, targeted attacks.

Use Case: Safe IT/OT Integration

The most common use of Unidirectional Security Gateways in power plants is to enable safe IT/OT integration. The gateways generally replace unacceptably-vulnerable[1] firewall-based integrations of networks and applications.

Historian and Database Replication

The most common unidirectional IT/OT integration architecture is a Unidirectional Security Gateway integrating plant IT and OT networks via a historian database, or relational database. When there is a historian or other database on the plant network, the gateway replicates the plant database to the corporate network, where corporate users and applications can query the replica without any threat to the control system network. When there is only an enterprise database, the gateways replicate Modbus, OPC and other servers and devices to the corporate network, so that the corporate historian or other database applications can acquire data from the control system data source replicas.

Figure (3): Safe IT/OT Integration

Optional: Security Updates

When regular anti-virus updates, WSUS or other security updates must be sent into the plant network, a Waterfall FLIP can be substituted for the Unidirectional Security Gateway. The FLIP provides for a disciplined flow of such updates into plant networks, without ever introducing the vulnerabilities that always accompany firewall deployments.

Optional: SIEM and Other IT Integrations

Waterfall’s Unidirectional Gateway-based products are often configured to replicate a variety of IT-centric data sources from plant networks to corporate networks as well. File servers can be replicated, to simplify reporting, debugging and other file transfers from plant networks to corporate and so minimize the use of removable media. Syslog servers and SNMP data sources can be replicated to Security Information and Event Management (SIEM) systems in corporate SOCs and NOCs. When branch SIEMs have been deployed on control system networks, Unidirectional Gateway products are able to replicate those branch SIEMs as well, aggregating plant information into an enterprise SIEM.

[1] See IT/OT Integration Done Right and Done Wrong, UTC Journal, 2nd Quarter 2014, at http://www.bluetoad.com/publication/?i 218589&p 19 for a detailed example.

When additional protections are required to prevent data exfiltration, or to prevent malware from moving from plant networks to the corporate network, the Application Data Control option can be applied to the Unidirectional Security Gateway or Waterfall FLIP deployment.

Waterfall Security Solutions provides a wide array of both industrial and IT-centric replications in order to make Unidirectional Gateway deployments a seamless replacement for IT/OT firewalls.

Security Benefits

In all these examples, a layer of physical security in the form of the Unidirectional Security Gateway hardware is introduced between the high-risk corporate network and reliability-critical control system networks, breaking the online path of attack for attacks originating on the Internet or on other external networks. No fuzzing attack, no targeted remote control attack, and no virus or botnet however sophisticated can penetrate the physical protection provided by Unidirectional Security Gateways.

A related security benefit of this architecture is that with Unidirectional Security Gateway technology in place, there is no possibility that reliability-critical systems can depend on potentially-compromised IT systems, such as corporate Active Directory servers, DNS servers, documentation web servers, file servers and many other single points of compromise on untrusted corporate networks. Safe IT/OT integration via Unidirectional Security Gateways renders such unsafe dependencies impossible.

Use Case: Vendor Remote Monitoring

At most power plants, there is a need to support control system vendor “monitoring and diagnostics” programs. This is especially true for turbine vendors, since such vendors generally honor hardware warranties and support agreements only when the vendors have continuous access to vibration, heat distribution and other detailed data about the performance of rotating equipment. Turbine and other ICS vendors generally also require occasional opportunities to adjust control-system components to address problems as they develop, and so prevent serious failures later on.

Vendor Monitoring

Generating sites address this need by deploying a Unidirectional Gateway to replicate control-system servers from a reliability-critical network to a vendor DMZ. The DMZ is connected by the vendor to the vendor’s central management system, most often via a VPN across the Internet. The replicas are faithful copies of plant systems and provide the vendor full visibility into the status and condition of generating plant systems.

Figure (4): ICS Vendor Monitoring and Diagnostics

Optional: Remote Adjustment

If the vendor needs to adjust control system or turbine parameters from time to time, the vendor schedules time with site personnel. At the appointed time, site personnel sit down in front of a workstation with Waterfall’s Remote Screen View client installed, enable screen mirroring through a Unidirectional Security Gateway, and call the vendor. The vendor is able to view the screen of the plant workstation via a video feed streamed through the Unidirectional Gateway, without any ability to send any command or query into the workstation. The vendor is able to verbally guide site personnel through a process of adjusting the control system and verify that corrections have been made to the vendor’s satisfaction.

A secondary benefit of this approach to remote adjustment is that plant personnel are able to supervise the adjustment process. Plant records of such adjustments can bring value to any disputes with vendors over the management of generating plant assets.

Security Benefits

Vendor monitoring was traditionally enabled with firewalls and VPN connections. The VPN connections deployed between central vendor monitoring sites and generating units are encrypted, but encryption provides no protection from compromised vendor networks. Even connections claiming to be “monitor only” almost always enable the vendor software to query control system equipment for data, and are always over a bi-directional communications channel. A compromised vendor monitoring system can be used to pivot an attack across bi-directional “monitor only” links with buffer overflows and other malicious messages sent instead of legitimate queries.

Attacks work the other way as well: the central vendor site is itself at risk of attack from all control system networks to which the vendor’s site is connected via VPNs. Vendors make such connections in both the friendliest and un-friendliest of geographies, and to both the best-secured and the worst-secured control systems in their geographies.

With Unidirectional Security Gateways in place, electric generators are protected absolutely from compromised vendor machines and networks. The vendors can monitor the turbines continuously, but no network attack can reach back from the vendor’s central site into the power plant’s control system.

Use Case: Control Center Communications

Base-load plants frequently need to communicate with regional authorities such as the power utility’s generation-dispatch control center. The protocol of choice is often ICCP, but may also be any of DNP3, IEC 60870-5-104, or 61850 MMS. For some base-load plants, this communication is purely a reporting function; change orders from the regional authority are infrequent and are accomplished through schedules agreed to long in advance. Base load plants can be secured by outbound-oriented Unidirectional Security Gateways, as described in the IT/OT use case above.

Secure Control of Peaking Plants

Peaking plants are more complex. Peaking plants require continuous reporting to a generation dispatch center, and require a continuous, second-by-second stream of new setpoints from the dispatch center.

Unidirectional Security Gateways replicating the power plant’s ICCP slave or other protocol slave devices to a generating dispatch center meet the needs of some base load plants, and inbound/outbound Unidirectional Gateways can be deployed to meet the needs of all remaining plants. The outbound Unidirectional Gateway replicates the plant’s ICCP server to the corporate network or to a dedicated DMZ, so that the dispatch center’s EMS/SCADA master can poll the plant replica. The inbound Unidirectional Gateway replicates the EMS ICCP server back into the plant where plant systems query the replica for new setpoints.

Figure (5): Control Center Communications

Security Benefits

All control centers and generating dispatch centers are attractive targets for cyber-sabotage attacks. A compromised control center is able to misoperate the grid, cause outages, and possibly cause cascading outages. A compromised control center can also be used as a platform to “pivot” attacks into partner utilities.

Unidirectional Security Gateways provide absolute protection from external attacks for plants that do not require continuous commands from a control center, and inbound/outbound gateway configurations are much stronger than firewalls[1] for all other plants. For inbound/outbound configurations, Waterfall’s Application Data Control option can be deployed for additional security, to permit only reasonable setpoint values to enter the plant control system from generation-dispatch control centers.

[1] Rashiduzzaman Bulbul, Pingal Sapkota, Chee-Wooi Ten, Lingfeng Wang, and Andrew Ginter, "Intrusion Evaluation of Communication Network Architectures for Power Substations," IEEE Transactions on Power Delivery, June 2015.
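As an added illustration (not Waterfall’s code, and not a description of how Application Data Control is implemented), the block below models the plant-side replica of the EMS setpoint server with a policy filter in front of it: only allow-listed points, values inside engineering limits, and bounded step changes are accepted, and every rejection is recorded for the plant SIEM. It also shows a property of any one-way replica, including the outbound historian replicas of the IT/OT use case: the receiver has no channel on which to request a retransmission, so lost frames can only be detected from sequence numbers, never recovered. Point names, limits and the JSON frame format are all constructed for the example.

```python
import json
# Constructed policy (not a real plant's): engineering limits and max step per point.
SETPOINT_POLICY = {
    "GEN1.MW_SETPOINT":   {"lo": 0.0,   "hi": 250.0, "max_step": 25.0},
    "GEN1.MVAR_SETPOINT": {"lo": -80.0, "hi": 80.0,  "max_step": 20.0},
}


def encode_frame(seq: int, point: str, value) -> bytes:
    """Sending side (dispatch-center DMZ; constructed JSON framing).  The
    sequence number lets the plant side detect lost frames, because it has
    no channel on which to ask for a retransmission."""
    return json.dumps({"seq": seq, "point": point, "value": value}).encode()


class InboundSetpointReplica:
    """Plant-side replica of the EMS setpoint server: reads frames, writes nothing back."""

    def __init__(self, policy=SETPOINT_POLICY):
        self.policy = policy
        self.setpoints = {}   # last accepted value per point
        self.next_seq = 0     # sequence number we expect next
        self.gaps = []        # (first_missing, last_missing) per lost run
        self.rejected = []    # (seq, point, reason), for the plant SIEM

    def check(self, point, value) -> str:
        """Policy decision for one setpoint: 'ok' or the reason to drop it."""
        rule = self.policy.get(point)
        if rule is None:
            return "point not in allow-list"
        # bool is an int subclass in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return "value is not numeric"
        if not rule["lo"] <= value <= rule["hi"]:
            return "value outside engineering limits"
        last = self.setpoints.get(point)
        if last is not None and abs(value - last) > rule["max_step"]:
            return "step exceeds max_step"
        return "ok"

    def receive(self, frame: bytes) -> bool:
        """Apply one frame; True only if it updated the replica."""
        try:
            msg = json.loads(frame)
            seq, point, value = msg["seq"], msg["point"], msg["value"]
            if isinstance(seq, bool) or not isinstance(seq, int):
                raise TypeError("seq must be an integer")
        except (ValueError, KeyError, TypeError):
            self.rejected.append((None, None, "malformed frame"))
            return False
        if seq < self.next_seq:        # duplicate or replayed frame
            self.rejected.append((seq, point, "stale sequence number"))
            return False
        if seq > self.next_seq:        # frames lost on the one-way link
            self.gaps.append((self.next_seq, seq - 1))
        self.next_seq = seq + 1
        verdict = self.check(point, value)
        if verdict != "ok":
            self.rejected.append((seq, point, verdict))
            return False
        self.setpoints[point] = float(value)
        return True


def run_demo() -> InboundSetpointReplica:
    # Constructed dispatch stream, including frames the policy must drop.
    replica = InboundSetpointReplica()
    stream = [
        encode_frame(0, "GEN1.MW_SETPOINT", 120.0),   # accepted
        encode_frame(1, "GEN1.MW_SETPOINT", 130.0),   # accepted, step 10
        encode_frame(3, "GEN1.MW_SETPOINT", 135.0),   # seq 2 lost: gap logged
        encode_frame(4, "GEN1.MW_SETPOINT", 400.0),   # above hi limit
        encode_frame(5, "GEN1.MW_SETPOINT", 100.0),   # step 35 > max_step
        encode_frame(6, "GEN1.BREAKER_CMD", 1),       # point not allow-listed
        encode_frame(6, "GEN1.MVAR_SETPOINT", 10.0),  # replayed seq number
        b"not a frame",                               # malformed
    ]
    for frame in stream:
        replica.receive(frame)
    return replica
```

Note that a rejected or malformed frame still advances the expected sequence number, so a burst of policy violations shows up in `rejected` rather than being mistaken for link loss in `gaps`.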

Use Case: Protecting Relay and Safety Networks

Safety equipment and protective relays are software components that are essential to modern reliability and safety programs. These components become ineffective when compromised, and so protecting these components is vital.

Secure Monitoring of Safety and Protection Systems

Unidirectional Security Gateways are routinely deployed to replicate devices from protection and safety networks to control networks for continuous monitoring. These replications use DNP3, IEC 60870, IEC 61850, Modbus and other protocol connectors. SNMP traps and syslog data sources may also be replicated to central Network and Security Operations Centers for additional reliability or security monitoring. Continuous monitoring is essential to all of security programs, process and employee safety programs, and electric system reliability programs.

Figure (6): Protecting Safety and Protection Networks

These Unidirectional Gateway deployments may be the only unidirectional protections for the safety systems, or the gateways may be deployed as a second layer of security. In the latter case, the gateways protect safety systems from attack by plant insiders, and from attack by malware that may have reached reliability-critical control system networks via USB Flash sticks and other removable media.

Security Benefits

Unidirectional Gateways prevent all remote adversaries, no matter how sophisticated, from reaching through intermediate networks into protection and safety networks. With a plant’s protection and safety equipment safe from such attacks, utilities can be confident th
