Simple, Powerful, Unidirectional Protection At The IT/OT Interface


CYBERSECURITY FOR PI SERVERS
Simple, powerful, unidirectional protection at the IT/OT interface

TABLE OF CONTENTS
- CYBERSECURITY FOR PI SERVERS
- THE PROBLEM WITH DMZS
- THE UNIDIRECTIONAL ALTERNATIVE
- STRONG SECURITY FOR OSISOFT PI INSTALLATIONS
- WATERFALL UNIDIRECTIONAL SECURITY GATEWAYS

Waterfall’s products are covered by U.S. Patents 7,649,452, 8,223,205, and by other pending patent applications in the US and other countries. “Waterfall”, the Waterfall Logo, “Stronger than Firewalls”, “In Logs We Trust”, “Unidirectional CloudConnect”, “CloudConnect”, and “One Way to Connect” are trademarks of Waterfall Security Solutions Ltd. All other trademarks mentioned above are the property of their respective owners. Waterfall Security reserves the right to change the content at any time without notice. Waterfall Security makes no commitment to update content and assumes no responsibility for any mistakes in this document. Copyright 2021 Waterfall Security Solutions Ltd. All Rights Reserved. www.waterfall-security.com

CYBERSECURITY FOR PI SERVERS

OSIsoft PI servers are integral to IT/OT integration and to OT or industrial cybersecurity programs. PI servers enable countless efficiencies by providing data, insights and analytics to enterprise networks, cloud-based systems and OT / ICS networks. These efficiencies come with a cost though – increased cybersecurity risk. In this eBook we review cyber risks and examine a simple solution to the problem of IT/OT integration risk – unidirectional gateways. Unidirectional gateways provide important OT and industrial networks with hardware-enforced, unhackable protection from even the most sophisticated of online attacks, while continuing to enable the full functionality of PI servers and providing enterprises with efficiency-enabling industrial data.

THE PROBLEM WITH DMZS

Classic IT/OT integration connects networks with firewalls, often with two layers of firewalls and a demilitarized zone (DMZ) between the firewalls. When there is a PI server in the plant, it is generally located within the DMZ, reaching through a firewall to the industrial network, and accessible to the enterprise network through another firewall. Figure (1) illustrates this scenario. In the figure the PI server pulls OPC and other data from the control system network.

[Figure (1) PI Server in a DMZ: the Control System (OPC) on the Industrial Network, a firewall, the PI Server on the DMZ Network, a second firewall, and PI Clients on the Enterprise Network]

When there is no PI server in a plant, but the server is in the enterprise, there is generally an interface node in the DMZ, pulling data from the plant network and pushing the data to the enterprise or cloud-based PI server, as in Figure (2).

[Figure (2) Enterprise PI Server: the Control System (OPC) on the Industrial Network, a firewall, the PI Interface Node on the DMZ Network, a second firewall, and the Enterprise PI Server on the Enterprise Network]

While a single server is illustrated in the diagrams for simplicity, DMZ networks generally contain many servers, including Active Directory servers, WSUS servers, anti-virus servers, file servers, and/or automation web servers.

The problem with these DMZ designs is the firewalls. Many practitioners have the impression that firewalls protect networks while still providing access to vital industrial data. In fact, firewalls do not provide access to data – they provide access to systems. A stolen password or a compromised enterprise workstation provides threat actors with access to PI, OPC and other systems right through firewalls.

Why is this? At their core, all firewalls are routers – they forward network traffic from one network to another. Firewalls are not merely routers, of course. Firewalls have additional software that seeks to inspect and to some degree understand the network traffic. If that software determines that a particular network message is permitted, the firewall forwards the message to a system in the DMZ or in the industrial network. This means that when an attacker can persuade the firewall that an attack message is permitted, the firewall happily forwards that message right into the network that the firewall was meant to protect. This is fundamental – firewalls are and always will be routers. There is no escaping these kinds of attack paths through firewalls. Most modern cyber attacks on both enterprise and industrial / OT networks pass through firewalls.

A confusing fact about firewalls is that some practitioners describe them as unidirectional. They define a unidirectional firewall as one where connections through the firewall can be established only from inside the protected industrial or DMZ network. The problem is that once a TCP connection is established, that connection is always two-way. Consider a simple example – imagine a laptop in a DMZ protected by a “unidirectional firewall.” The laptop connects to an enterprise email server from the DMZ – this direction of connection is what “unidirectional” firewalls permit. Once established and encrypted, that connection lets the laptop pull email from the enterprise network. If a piece of mail includes a malicious attachment, the laptop pulls the malware right through the allegedly unidirectional firewall. In practice, all are vulnerable.

Another problem with firewalls is that firewalls are software, and all software has security vulnerabilities, both discovered and undiscovered. For evidence of these vulnerabilities, visit your favorite firewall vendor’s website and count how many security updates were issued recently. Now – to be fair, most industrial security programs involve more than just firewalls, but the other elements of those programs are generally also software. Again – all software has defects and security vulnerabilities. We may be aware of some of those vulnerabilities and have security updates for them. Other vulnerabilities our enemies may have discovered and may be actively exploiting without our knowledge.
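The laptop-and-email example above can be made concrete with a small model. The following Python is an added illustration for this page, not Waterfall's code and not any vendor's firewall logic: it places a connection-tracking firewall (NEW connections accepted only when initiated from the DMZ, ESTABLISHED flows forwarded in both directions) beside a hardware one-way link (DMZ-to-enterprise bytes only, no receive path), and runs the same mail fetch through each. The network names, addresses, ports and IMAP strings are constructed for the demonstration.

```python
"""Model of a "unidirectional" stateful firewall next to a hardware one-way link.

Added illustration, not Waterfall's code or any vendor's firewall logic.
Both devices sit between a DMZ and an enterprise network. The firewall
accepts NEW connections only when they are initiated from the DMZ, then
forwards every packet of an ESTABLISHED flow in both directions, which is
how connection tracking works. The one-way link forwards DMZ-to-enterprise
packets only and has no receive path at all. Addresses, ports and the
laptop/email exchange are constructed for the demonstration.
"""
from dataclasses import dataclass

DMZ = "dmz"
ENTERPRISE = "enterprise"


@dataclass(frozen=True)
class Packet:
    src_net: str            # network the packet comes from
    dst_net: str            # network it is addressed to
    flow: tuple             # (client_ip, client_port, server_ip, server_port): same tuple both ways
    syn: bool = False       # True only for the packet that opens a TCP connection
    payload: bytes = b""


class StatefulFirewall:
    """'Unidirectional' firewall: NEW only from `inside`, ESTABLISHED both ways."""

    def __init__(self, inside: str, outside: str):
        self.inside = inside
        self.outside = outside
        self.conntrack = set()      # flows that have been admitted as NEW

    def forward(self, pkt: Packet) -> bool:
        if pkt.syn:
            allowed = pkt.src_net == self.inside and pkt.dst_net == self.outside
            if allowed:
                self.conntrack.add(pkt.flow)
            return allowed
        # Reply packets match the same conntrack entry, so they are forwarded
        # inbound even though no inbound connection was ever "permitted".
        return pkt.flow in self.conntrack


class OneWayLink:
    """Hardware unidirectional gateway: only source-to-destination bytes exist."""

    def __init__(self, source: str, destination: str):
        self.source = source
        self.destination = destination

    def forward(self, pkt: Packet) -> bool:
        return pkt.src_net == self.source and pkt.dst_net == self.destination


def mail_scenario(device) -> dict:
    """The laptop-in-the-DMZ example: open IMAP to the enterprise mail server,
    request a message, and receive its body (which may carry an attachment)."""
    flow = ("10.1.1.50", 51000, "10.2.0.25", 993)              # constructed
    syn = Packet(DMZ, ENTERPRISE, flow, syn=True)
    syn_ack = Packet(ENTERPRISE, DMZ, flow)                     # server's half of the handshake
    fetch = Packet(DMZ, ENTERPRISE, flow, payload=b"a1 FETCH 1 BODY[]")
    reply = Packet(ENTERPRISE, DMZ, flow, payload=b"* 1 FETCH ... attachment bytes ...")

    # TCP exists only if the handshake completes in both directions.
    opened = device.forward(syn) and device.forward(syn_ack)
    return {
        "connection_opened": opened,
        "request_out": opened and device.forward(fetch),
        "reply_in": opened and device.forward(reply),   # the attachment's path inward
    }


if __name__ == "__main__":
    print("firewall:", mail_scenario(StatefulFirewall(DMZ, ENTERPRISE)))
    print("one-way: ", mail_scenario(OneWayLink(DMZ, ENTERPRISE)))
```

The firewall reports the connection open and the reply forwarded inward: the attachment travels the same conntrack entry the laptop created, so "connections only from inside" never restricted the bytes that come back. The one-way link cannot even complete the handshake, which is why a gateway of that kind has to replicate server data outward rather than carry connections, as the next section describes.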

THE UNIDIRECTIONAL ALTERNATIVE

Secure industrial sites use more than firewalls – such sites use at least one layer of unidirectional gateways in their defense-in-depth network security designs. The gateways are deployed either at the “top” of the DMZ – at the enterprise network interface – or at the “bottom” of the DMZ – at the ICS/OT network interface. A truly unidirectional gateway is physically able to send information in only one direction – generally from a protected industrial network out to an enterprise network, or straight out to the Internet. High quality gateways use optical isolation to guarantee unidirectionality at the hardware level.

Unidirectional gateway software makes copies of servers. For example, Waterfall’s Unidirectional Security Gateway products routinely make copies of OPC-DA, UA, A&E and HDA servers. Those servers are generally copied from industrial networks into a DMZ containing either a PI server as in Figure (3) or a PI Interface node as in Figure (4).

[Figure (3) OPC Replication to PI Server: the Control System (OPC) on the Industrial Network, a Unidirectional Gateway, the PI Server on the DMZ Network, a firewall, and PI Clients on the Enterprise Network]

[Figure (4) OPC Replication to PI Interface Node: the Control System (OPC) on the Industrial Network, a Unidirectional Gateway, the PI Interface Node on the DMZ Network, a firewall, and the Enterprise PI Server on the Enterprise Network]

In addition, if there is a PI server in both a plant and the enterprise, the plant server is generally located in an existing DMZ. A unidirectional gateway may be deployed at the interface between the DMZ network and the enterprise network as in Figure (5). In this case, the gateway replaces the PI-to-PI software that connects the enterprise PI Server to the plant PI Server through the firewall.

[Figure (5) Unidirectional PI-to-PI replication: the Control System (OPC) on the Industrial Network, a firewall, the PI Server on the DMZ Network, a Unidirectional Gateway, and the Enterprise Server and PI Clients on the Enterprise Network]

In all cases, the unidirectional gateway is deployed in the connectivity path between the enterprise network and the industrial / OT network. The gateway hardware prevents all attack packets from reaching industrial targets, no matter how sophisticated those attacks may be and no matter how cleverly the attacks have been disguised as normal, permitted traffic. All cyber attacks on industrial networks are information – when the gateway hardware blocks all packets, it blocks all attacks.
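Replicating a server across a link with no return path changes how the software has to work: the receiving side can never acknowledge, retry or request anything. The Python below is an added example for this page, not Waterfall's code or wire protocol, showing the two halves of such a replication (a sender on the industrial side and a receiver in the DMZ) and the backfill behaviour the page lists among the product features. Its assumptions are mine: frames are JSON lines carrying a sequence number and a CRC-32; the receiver detects lost and corrupted frames but cannot ask for retransmission; backfill is therefore a replay of a time window triggered on the sending side; and the replica is keyed on (tag, timestamp) so that replays are idempotent. Tag names, timestamps and values are constructed.

```python
"""One-way replication of historian samples across a unidirectional link.

Added example, not Waterfall's code or wire protocol. It models the two
halves of a gateway: a sender on the industrial side that turns samples into
self-describing frames, and a receiver in the DMZ that rebuilds a replica.
Assumptions: frames are JSON lines with a sequence number and a CRC-32;
nothing ever travels back, so the receiver can detect gaps but cannot ask
for retransmission; backfill is therefore a sender-side replay of a time
window, and the replica is keyed on (tag, timestamp) so replays are harmless.
Tag names, timestamps and values below are constructed.
"""
import json
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    tag: str
    ts: int          # seconds since the epoch
    value: float


class OneWaySender:
    """Industrial-side half: emits frames and keeps history for backfill."""

    def __init__(self):
        self.seq = 0
        self.history = []        # samples already sent, for later replay

    def _encode(self, sample: Sample) -> bytes:
        self.seq += 1
        body = json.dumps({"seq": self.seq, "tag": sample.tag,
                           "ts": sample.ts, "value": sample.value},
                          sort_keys=True).encode()
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return body + b"|" + f"{crc:08x}".encode() + b"\n"

    def frame(self, sample: Sample) -> bytes:
        self.history.append(sample)
        return self._encode(sample)

    def backfill(self, start_ts: int, end_ts: int) -> list:
        """Replay a window. Triggered on this side (schedule or operator), because
        the replica has no channel on which to request it."""
        return [self._encode(s) for s in self.history if start_ts <= s.ts <= end_ts]


class OneWayReceiver:
    """DMZ-side half: checks integrity, tracks sequence gaps, dedups on replay."""

    def __init__(self):
        self.replica = {}        # (tag, ts) -> value
        self.last_seq = 0
        self.gaps = []           # inclusive (first, last) sequence ranges never seen
        self.corrupt = 0

    def ingest(self, frame: bytes) -> bool:
        body, sep, crc_hex = frame.rstrip(b"\n").rpartition(b"|")
        try:
            if not sep or zlib.crc32(body) & 0xFFFFFFFF != int(crc_hex, 16):
                raise ValueError("bad checksum")
            rec = json.loads(body)
        except ValueError:
            self.corrupt += 1          # damaged frame: count it, never trust it
            return False
        if rec["seq"] > self.last_seq + 1:
            self.gaps.append((self.last_seq + 1, rec["seq"] - 1))
        self.last_seq = max(self.last_seq, rec["seq"])
        self.replica[(rec["tag"], rec["ts"])] = rec["value"]   # idempotent write
        return True


def demo() -> dict:
    """Constructed run: six samples, two frames lost while the receiver was down,
    one frame corrupted in transit, then a sender-side backfill of the window."""
    tx, rx = OneWaySender(), OneWayReceiver()
    samples = [Sample("FIC101.PV", 1_700_000_000 + 10 * i, 50.0 + i) for i in range(6)]
    frames = [tx.frame(s) for s in samples]
    delivered = [frames[0], frames[1], frames[4], frames[5]]        # seq 3 and 4 lost
    delivered[2] = delivered[2][:20] + b"X" + delivered[2][21:]    # one byte flipped in seq 5
    for f in delivered:
        rx.ingest(f)
    before = len(rx.replica)
    for f in tx.backfill(samples[0].ts, samples[-1].ts):
        rx.ingest(f)
    return {"gaps": rx.gaps, "corrupt": rx.corrupt,
            "replica_before": before, "replica_after": len(rx.replica)}


if __name__ == "__main__":
    print(demo())
```

The receiver's gap list and corrupt-frame counter are the monitoring signal a DMZ operator has: since no NAK can cross the link, a replica that is missing data must be noticed on the receiving side and repaired by a replay scheduled or triggered on the sending side, which is the shape of the backfill operations described later in this document.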

STRONG SECURITY FOR OSISOFT PI INSTALLATIONS

Waterfall Security Solutions has been a strong OSIsoft PI partner for longer than any other unidirectional vendor. We work shoulder-to-shoulder with OSIsoft sales, support and partner personnel to provide the strongest practical network security options for industrial networks and PI installations.

Firewalls are limited, but do not misunderstand – firewalls have their place. Unidirectional Gateways do not replace all firewalls in a network architecture, far from it. The gateways generally replace or augment exactly one layer of firewalls in a defense-in-depth industrial / OT network architecture, generally either at the top or bottom of the DMZ network.

With at least one layer of Waterfall’s Unidirectional Security Gateways in place, enterprises can be confident of taking advantage of the IT/OT integration efficiencies enabled by OSIsoft PI installations, without the risk that comes from firewall-only communications paths from the open Internet into the most sensitive of industrial networks.

To dig deeper, please feel free to contact Waterfall and request a free, no-obligation consultation with an OT security solutions architect to explore how your security program might benefit from Unidirectional Security Gateways.

WATERFALL UNIDIRECTIONAL SECURITY GATEWAYS

Waterfall is the world’s leading producer of Unidirectional Security Gateways. Waterfall’s product hardware is certified to be truly unidirectional, even in the face of the most sophisticated of adversaries. Waterfall’s software connectors of course replicate OSIsoft PI, Asset Framework and OPC servers. Our connectors replicate an enormous array of other kinds of protocols, systems, databases, servers and other components as well:

Historians and Databases
- OSIsoft: PI System, PI Asset Framework, PI Backfill
- GE: iHistorian, iHistorian Backfill, OSM, iFix, Bently-Nevada System1
- Schneider-Electric: Wonderware eDNA, Wonderware Historian, SCADA Expert, ClearSCADA
- AspenTech IP.21, Rockwell FactoryTalk Historian, Honeywell Alarm Manager, Scientech R*Time
- Microsoft SQL Server, Oracle, MySQL, PostgreSQL

Enterprise Monitoring
- FireEye: Helix & Managed Defense
- Email/SMTP, SNMP, Syslog
- HP ArcSight, Splunk, Splunk Universal Forwarder, IBM QRadar, McAfee ESM, CyberX, Radiflow iSID, ForeScout Silent Defence, Dragos, Indegy
- MSMQ, IBM MQ, AMQP, TIBCO
- SolarWinds Orion, Thales Aramis, IOSight, Panorama

Industrial Applications and Protocols
- Siemens S7, PCS7 Historian
- OPC DA, A&E, HDA, HDA Backfill and OPC UA
- Emerson: EDS
- Yokogawa OPC
- Modbus, DNP3, ICCP
- IEC 60870-5-104, OmniFlow

Other Connectors
- Remote Access
- File Transfer
- TimeSync, Netflow
- Video & audio streaming
- Kaspersky, Norton, FortiGate, Check Point, McAfee and OPSWAT Anti-virus updaters
- WSUS and Linux Repository updaters
- Tenable Nessus Network Monitor, Nessus Security Center Updates
- Remote printing
- Folder mirroring, Local Folders
- FTP/S, SFTP, TFTP, SMB, CIFS, NFS
- HTTP POST
- Log Mirroring
- Remote Screen View
- Secure Bypass

Table (1) Waterfall Connector Software

INDUSTRY-LEADING FEATURES OF WATERFALL PRODUCTS INCLUDE:
- Optional high availability, with no single point of failure, for all software connectors,
- Detailed diagnostics, reporting and remote management features to simplify deployment and troubleshooting,
- Integrated thin-client, web-based user interface for all configuration, monitoring and management tasks,
- Routine support for backfill operations – filling in missing data in replicas after scheduled and unscheduled downtime – for servers, protocols and systems that are able to backfill,
- The ability to run on Windows and Linux, and in some cases on Solaris, AIX and VxWorks as well,
- The ability to run on Waterfall hardware modules, customer-supplied computer hardware and virtual machines,
- No limits on the number of industrial databases, protocols and other servers that can be replicated through the Unidirectional Gateway hardware, other than bandwidth limitations,
- 1Gbps throughput standard on all Waterfall hardware products,
- The ability to deploy multiple 1Gbps connections in parallel to increase throughput.

These features and connectivity generally extend to Waterfall’s entire family of hardware products, including Waterfall’s DIN-rail units, FLIP, Secure Bypass, Unidirectional CloudConnect and BlackBox tamper-proof forensics device. And all this is to say nothing of Waterfall’s legendary support services, which are of course what you expect of the industry leader.

In short, Waterfall’s Unidirectional Security Gateways and related products are comprehensive – meeting secure communications and secure IT/OT integration needs in all industrial operations and plants in modern industrial enterprises.
