NERC Issues CAN-0024: Guidance For Unidirectional, Routable Communications

Transcription

NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Mark Simon, Senior Consultant, Encari
Joel Langill, The SCADAhacker
Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd.

Agenda
- Andrew Ginter, Waterfall Security Solutions: Introduction to unidirectional communications and Unidirectional Security Gateways
- Mark Simon, Encari: NERC-CIP compliance guidance in CAN-0024 (CIP-002 R3, Routable Protocols and Data Diode Devices)
- Joel Langill, The SCADAhacker: Strong security with hardware-enforced unidirectional communications

Unidirectional Security Gateways
- Laser in TX, photocell in RX, fibre-optic cable: you can send data out, but nothing can get back in to the protected network
- TX uses 2-way protocols to gather data from the protected network
- RX uses 2-way protocols to publish data to the external network
- Server replication, not protocol emulation

Historian Server Replication
- TX agent is a historian client: requests a copy of all new data as it arrives, using proprietary historian libraries and an IP-based protocol
- RX agent is a historian collector: stores new data into the replica historian, using proprietary historian libraries and an IP-based protocol
- TX agent sends historical data and metadata to the RX agent via the unidirectional gateways, embedding OSI layer 7 data into a layer 2 frame
- Neither the TX/RX agent hosts nor the gateway appliances have IP addresses or IP protocol stacks on the network interfaces in the unidirectional subsystem

OPC Server Replication
- The OPC-DA protocol is complex: based on the DCOM object model overlaid on IP, and intensely bi-directional
- TX agent is a true OPC client: gathers device data from production OPC servers
- RX agent is a true OPC server: serves device data to business OPC clients
- TX agent sends device data and metadata to the RX agent via the unidirectional gateways, embedding OSI layer 7 data into a layer 2 frame
- The OPC protocol is used only in the production network and the business network, not across the unidirectional link

www.encari.com
Issue in CAN-0024
- Issue: Can communication characteristics of data diode devices allow a Cyber Asset to be excluded from NERC Critical Infrastructure Protection (CIP) Standards?
- Compliance Enforcement Authorities (CEAs) are instructed to find that data diode devices that use routable protocols [to communicate outside the ESP] cannot be used as a rationale in the methodology of designating CCAs to exclude assets from compliance with CIP standards.
- Note that CAN-0024 only applies to Cyber Assets not located at control centers.

CIP-002 R3: Critical Cyber Assets
- CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
  R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
  R3.2. The Cyber Asset uses a routable protocol within a control center; or,
  R3.3. The Cyber Asset is dial-up accessible.
- Routable and dial-up communications are higher risk than non-routable communications
- CIP was written before unidirectional communications were in widespread use

CIP-002 R3: Routable Protocols
- Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: a "network" address and a "device" address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks.
- In general, if the communication uses "IP" ("Internet protocol") or IPX/SPX ("Internetwork Packet Exchange/Sequenced Packet Exchange"), it is considered routable; if the communication does not use IP or IPX/SPX, it is not routable.
- How do data diodes move data from a control network to a corporate network? Are they using a routable protocol to do so?

What Should CEAs Look For?
- Presumed compliant: a data diode device without an assigned IP address; there is no routable addressing scheme encapsulated when sending data from one network to another.
- Problematic: a stand-alone data diode device with an IP address that receives and transmits data through a network connection that relies on or encapsulates the IP protocol.
(Figure: IP v4 header, RFC 791)
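The "embedding OSI layer 7 data into a layer 2 frame" idea from the historian replication slide and the CEA test on this slide ("does the device rely on or encapsulate IP?") can both be shown in code. The following is an added illustration, not code from the presenters or from Waterfall: it serialises constructed historian records directly into an Ethernet frame under an assumed local-experimental EtherType (0x88B5, a stand-in, not any vendor's real framing) and then applies the CAN-0024 test to captured frames by checking the EtherType for IP or IPX, including frames where an 802.1Q VLAN tag sits in front of the real EtherType.

```python
import struct

# EtherTypes (IEEE/IANA assigned) for the routable protocols CAN-0024 names: IP and IPX.
ROUTABLE_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX"}
VLAN_TAG = 0x8100          # 802.1Q: the real EtherType follows the 4-byte tag
DIODE_ETHERTYPE = 0x88B5   # IEEE local-experimental EtherType; a constructed stand-in,
                           # not the gateway vendor's actual link framing (assumption)

def build_diode_frame(records, dst_mac=b"\xff" * 6, src_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Embed layer-7 historian records straight into a layer-2 frame.
    Each record is (tag_name, unix_timestamp, value). There is no IP header at all:
    the frame carries only MAC addresses, an EtherType and the application payload."""
    payload = b""
    for tag, ts, value in records:
        tag_b = tag.encode()
        payload += struct.pack("!B", len(tag_b)) + tag_b + struct.pack("!Qd", ts, value)
    return dst_mac + src_mac + struct.pack("!H", DIODE_ETHERTYPE) + payload

def parse_diode_payload(payload):
    """RX-side decoder: recover the historian records from the frame payload."""
    records, i = [], 0
    while i < len(payload):
        n = payload[i]
        tag = payload[i + 1:i + 1 + n].decode()
        ts, value = struct.unpack("!Qd", payload[i + 1 + n:i + 17 + n])
        records.append((tag, ts, value))
        i += 17 + n
    return records

def classify_frame(frame):
    """CAN-0024 key test applied to one captured frame: does it carry IP or IPX?
    Returns ("routable", name) or ("non-routable", ethertype as hex)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == VLAN_TAG:          # do not let a VLAN tag hide an IP payload
        ethertype = struct.unpack("!H", frame[16:18])[0]
    if ethertype in ROUTABLE_ETHERTYPES:
        return ("routable", ROUTABLE_ETHERTYPES[ethertype])
    return ("non-routable", hex(ethertype))

def audit(frames):
    """Audit a capture taken on the diode link: presumed compliant only if no frame is routable."""
    findings = [classify_frame(f) for f in frames]
    return all(kind == "non-routable" for kind, _ in findings), findings

# Constructed sample frames: two historian records over the diode link, then an IPv4 frame
# (EtherType 0x0800, minimal 20-byte header) standing in for a stand-alone diode that uses IP.
SAMPLE_RECORDS = [("Unit1.Pressure", 1335000000, 101.3), ("Unit1.Temp", 1335000001, 45.0)]
DIODE_FRAME = build_diode_frame(SAMPLE_RECORDS)
IPV4_FRAME = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + b"\x45\x00\x00\x14" + b"\x00" * 16
VLAN_IPV4_FRAME = IPV4_FRAME[:12] + b"\x81\x00\x00\x64" + IPV4_FRAME[12:]
```

A real audit would read frames from a capture taken on the unidirectional link rather than from the constructed constants above.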

Non-Routable Protocol
- Non-routable protocol means that the routing protocol used cannot be 'resolved' by other computers to determine a communication path.

CAN-0024: Stand-Alone Devices
(Figure: routable communications)

Waterfall Unidirectional Gateways
- TX and RX appliances use proprietary non-routable communication; no layer 3 network path determination or logical IP addressing exists.
(Figure: non-routable communications)

Embedded NICs
- CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices.
- CAN-0024 presumes the data does not use a routable connection to cross the ESP.

Firewalls are No Longer Enough
- Intended for only "essential" communications, but what is "essential"?
- Users are authenticated, but what about their devices?
- Firewalls are software: even firewalls have vulnerabilities and "zero days"
- Configuration errors are one of the leading sources of perimeter access violations
- Firewall management is often costly, and therefore centrally administered
- Firewalls are rarely tested to make sure they work as intended
Think like a hacker. Proprietary property of SCADAhacker.com – All rights reserved.

Today's ICS Cyber Threats
- Proactive security controls protect against both "external" and "internal" threats
- Most likely payload is designed to establish remote command and control capabilities
- Firewalls only provide an obstacle that can be penetrated
- Payloads exist that exploit a firewall's ability to track y
(Figure labels: Covert, Infect, Overt, External Network, Outbound Only, C&C)

You can't "attack" if you can't "communicate"!
- A Unidirectional Security Gateway creates an effective "sandbox" between an "exploited host" and additional "vulnerable victims"
- "Stand-alone" devices with IP addresses provide an opportunity for vulnerabilities to be exploited
- Local ICS exploits must be very targeted
(Figure labels: Protected Network, TX Agent, One-Way, RX Agent, Public Network, External Network, Overt, Outbound Only)

Summary: CAN-0024
- Recognizes growing use of unidirectional communications at NERC-CIP sites
- Some data diodes use routable communications, others do not
  Key test: do they use IP? Or any other routable protocol?
- Waterfall Unidirectional Gateways do not use routable communications
- Hardware-enforced unidirectional communications are strong security
  Stronger than firewalls
  Stronger than serial connections
  Absolute protection from network attacks originating on external networks

For More Information
Detailed whitepaper, or contact any of:
- Andrew Ginter, Waterfall Security Solutions: andrew.ginter @ waterfall-security.com, 1 403 264 6002, www.waterfall-security.com
- Mark Simon, Encari: msimon @ encari.com, 1 312 985 7346, www.encari.com
- Joel Langill, SCADAhacker: joel @ scadahacker.com, 1 623 476 9667, www.scadahacker.com
