Proprietary Information -- Copyright © 2012 by Waterfall Security Solutions Ltd.
NERC-CIP CAN-0024: Securing Critical Cyber Assets with “Data Diodes”
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Unidirectional Security Gateways
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back into the protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Server replication, not protocol emulation
Firewalls Are Not Enough
● Only “essential” connections allowed
● You trust the users, but should you trust their workstations? Their cell phones?
● Firewalls are software - even firewalls have vulnerabilities and “zero days”
● Errors and omissions
● Insider attack from business network – with legitimate credentials
● Costly: procedures, training, management, log reviews, audits, assessments
● Vulnerable: just ask for the password...
Photo: Red Tiger Security
Historian Replication
● TX agent is conventional historian client – request copy of new data as it arrives in historian
● RX agent is conventional historian collector – drops new data into replica as it arrives from TX
● TX agent sends historical data and metadata to RX using non-routable, point-to-point protocol
● Complete replica, tracks all changes, new tags, alerts in replica
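The replication flow above has one property that shapes the whole TX/RX protocol: the RX agent can never acknowledge or request a retransmission, because nothing crosses the fibre in that direction. The following Python is an added example, not part of the original deck and not Waterfall's proprietary point-to-point transfer format. It shows the minimum a TX/RX agent pair needs for that reason: every record carries a sequence number and a CRC, the TX repeats each frame a fixed number of times, and the RX rejects corrupt copies, de-duplicates, and can only detect gaps rather than ask for missing data. The frame layout, magic value, record fields, loss pattern and sample historian values are all assumptions constructed for this example.

```python
import json
import struct
import zlib

MAGIC = b"UDG1"                       # constructed frame marker, not a real wire format
HEADER = struct.Struct("!4sIH")       # magic, sequence number, payload length
REQUIRED = {"tag", "ts", "value"}     # assumed record fields for this example


def encode_frame(seq: int, record: dict) -> bytes:
    """TX side: serialise one historian record; the CRC is the only integrity check the RX will ever get."""
    payload = json.dumps(record, separators=(",", ":")).encode()
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes):
    """RX side: return (seq, record) or None. Never raises: a corrupt frame must not crash the collector."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None
    try:
        record = json.loads(body[HEADER.size:])
    except ValueError:
        return None
    if not isinstance(record, dict) or not REQUIRED <= set(record):
        return None
    return seq, record


class Transmitter:
    """TX agent: a normal historian client on the protected side. It sends each frame
    'redundancy' times because no NACK can ever come back over the one-way link."""
    def __init__(self, send, redundancy: int = 2):
        self.send, self.redundancy, self.seq = send, redundancy, 0

    def publish(self, records):
        for rec in records:
            frame = encode_frame(self.seq, rec)
            for _ in range(self.redundancy):
                self.send(frame)
            self.seq += 1


class Receiver:
    """RX agent: a normal historian collector on the external side. It rebuilds the replica
    and can only report loss, never recover it."""
    def __init__(self):
        self.replica = {}      # (tag, ts) -> value, i.e. the replica historian
        self.seen = set()      # sequence numbers applied so far
        self.rejected = 0      # frames that failed CRC/format checks

    def accept(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, rec = decoded
        if seq in self.seen:
            return             # redundant copy of a frame already applied
        self.seen.add(seq)
        self.replica[(rec["tag"], rec["ts"])] = rec["value"]

    def gaps(self):
        """Sequence numbers never received below the highest seen: raise an alarm, there is no way to ask for them."""
        return [s for s in range(max(self.seen, default=-1) + 1) if s not in self.seen]


def run_simulation(records, redundancy=2, drop_every=None, corrupt_every=None) -> Receiver:
    """Push records through a constructed lossy/corrupting one-way channel and return the RX state."""
    rx, sent = Receiver(), [0]

    def channel(frame: bytes) -> None:
        sent[0] += 1
        n = sent[0]
        if drop_every and n % drop_every == 0:
            return                                          # lost on the fibre; TX never learns
        if corrupt_every and n % corrupt_every == 0:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # flip one CRC byte
        rx.accept(frame)

    Transmitter(channel, redundancy).publish(records)
    return rx


# constructed historian samples, not real plant data
SAMPLE_RECORDS = [{"tag": "TURBINE1.RPM", "ts": 1349011200 + i, "value": 3600 + i} for i in range(6)]

if __name__ == "__main__":
    for redundancy in (1, 2):
        rx = run_simulation(SAMPLE_RECORDS, redundancy=redundancy, drop_every=3)
        print(f"redundancy={redundancy}: replica={len(rx.replica)} records, gaps={rx.gaps()}")
```

Two caveats follow directly from the design: a loss at the tail of a burst is invisible to the RX until a later sequence number arrives, so a real agent also needs a periodic heartbeat frame; and the redundancy factor is a trade between link bandwidth and tolerated loss, since repetition is the only "retransmission" the TX can ever perform.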
Unidirectional Communications in the Smart Grid
● Conventional generators – business network interface
● Nuclear generators – safety, control and business network interfaces
● Transmission and distribution systems – business network interface
● Smart meters – back office data flow controls
CIP-002 R3: Critical Cyber Assets
● CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
● CIP Versions 1-4 apply their requirements only to the highest-risk “Critical Cyber Assets”
● Routable and dial-up communications are higher risk than non-routable communications
● CIP was written before unidirectional communications were in widespread use
CIP-002 R3: Control Centers
● Control Center: A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations.
● Not all control systems, even those using routable protocols internally, are Bulk Electric System Control Centers
CIP-002 R3: Routable Protocols
● Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: A “network” address and a “device” address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks.
● Ethernet frames stay within the local network – hardware device (MAC) addresses are meaningless outside the local network
● Internet Protocol (IP) packets are contained inside Ethernet frames in local networks, other kinds of encapsulation in wide area networks
● Internet addresses are recognized throughout the WAN
Internet Protocol packet inside an Ethernet Frame
CAN-0024: Stand-Alone Devices
● Stand-alone “data diode” appliances: network in, network out – look from the outside like firewall appliances
● If the stand-alone data diode device has one or more IP addresses, it is “using” a routable protocol for communication.
● No IP addresses generally mean the equipment is not using routable protocols for communication.
Routable Communications
Unidirectional Gateways: Pairs of Stand-Alone Devices
● Dual-ported agent hosts use IP within protected and external networks
● But: Gateway appliances have no IP addresses, no IP stack
● Copper connections use raw Ethernet frames with custom protocol – no IP payload or embedded network addresses
● Fiber connection through ESP uses proprietary point-to-point data transfer format
Non-Routable Communications
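The routable-protocol definition (network address plus device address) and the claim that the gateway's copper legs carry raw Ethernet frames with no IP payload are both checkable from a packet capture. The Python below is an added example, not code from the deck or from Waterfall: it parses Ethernet II frames (with optional 802.1Q tags), applies the CIP-002 R3 test to each one, and answers the two questions an auditor would put to a link: does it carry a routable protocol, and does anything on it speak IP at all (ARP is not forwarded between networks, but it advertises IP addresses, so its presence means an IP stack is on the segment). The EtherType 0x88B5 used for the "custom protocol" frame is an IEEE local-experimental value chosen as an assumption, and every sample frame is constructed here, not captured from real equipment.

```python
"""Classify Ethernet frames as routable or non-routable in the CIP-002 R3 sense:
routable protocols carry a network address plus a device address (IP);
plain Ethernet frames carry only device (MAC) addresses."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
# 0x88B5 is reserved by IEEE for local experimental use; treating it as the
# gateway's raw-frame protocol is an assumption made for this example only.
ETHERTYPE_CUSTOM = 0x88B5


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame (optionally 802.1Q tagged) into header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "ethertype": ethertype, "vlan": vlan, "payload": frame[offset:]}


def classify(frame: bytes) -> dict:
    """Decide whether one frame is 'using a routable protocol' per CIP-002 R3."""
    eth = parse_ethernet(frame)
    et, p = eth["ethertype"], eth["payload"]
    r = {"ethertype": f"0x{et:04x}", "routable": False, "network_addresses": None}
    if et == ETHERTYPE_IPV4 and len(p) >= 20:
        r.update(routable=True, reason="IPv4: address has network + host parts",
                 network_addresses=(str(ipaddress.IPv4Address(p[12:16])),
                                    str(ipaddress.IPv4Address(p[16:20]))))
    elif et == ETHERTYPE_IPV6 and len(p) >= 40:
        r.update(routable=True, reason="IPv6: address has network + host parts",
                 network_addresses=(str(ipaddress.IPv6Address(p[8:24])),
                                    str(ipaddress.IPv6Address(p[24:40]))))
    elif et == ETHERTYPE_ARP and len(p) >= 28:
        # ARP is never forwarded between networks, but it carries IPv4
        # addresses (sender/target protocol address): an IP stack is present.
        r.update(reason="ARP: link-local, yet advertises IPv4 addresses",
                 network_addresses=(str(ipaddress.IPv4Address(p[14:18])),
                                    str(ipaddress.IPv4Address(p[24:28]))))
    else:
        r.update(reason="raw Ethernet: MAC (device) addresses only, no network address")
    return r


def link_uses_routable_protocol(frames) -> bool:
    """The CIP-002 R3 question: does any frame on this link carry a routable protocol?"""
    return any(classify(f)["routable"] for f in frames)


def ip_stack_present(frames) -> bool:
    """The stricter auditor question: does anything on this link speak IP at all (ARP included)?"""
    return any(classify(f)["network_addresses"] is not None for f in frames)


# --- constructed sample frames (not captured from any real gateway) ---
def _eth(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


MAC_A, MAC_B = "02000000000a", "02000000000b"   # locally administered, made up
IP_A, IP_B = ipaddress.IPv4Address("192.0.2.10"), ipaddress.IPv4Address("192.0.2.20")  # TEST-NET-1
# minimal IPv4/UDP packet; checksums left zero because nothing here validates them
IPV4_PKT = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, IP_A.packed, IP_B.packed)
            + struct.pack("!HHHH", 5020, 5020, 8, 0))
ARP_PKT = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      bytes.fromhex(MAC_A), IP_A.packed, bytes(6), IP_B.packed)
SAMPLE_FRAMES = {
    "ipv4": _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_PKT),
    "vlan_ipv4": _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, IPV4_PKT, vlan=100),
    "arp": _eth("ffffffffffff", MAC_A, ETHERTYPE_ARP, ARP_PKT),
    "raw": _eth(MAC_B, MAC_A, ETHERTYPE_CUSTOM, b"\x01\x00historian-record-bytes"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:10s} {classify(frame)}")
    print("copper leg routable?", link_uses_routable_protocol([SAMPLE_FRAMES["raw"]]))
```

The distinction between the two top-level checks matters for the stand-alone device argument above: a gateway leg whose capture contains only raw custom-EtherType frames passes both, while a "data diode" box that answers ARP has an IP stack and therefore one or more IP addresses, which CAN-0024 treats as using a routable protocol.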
Embedded Network Interface Cards: Unclear
● CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. … In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement.
● Contradicts the CIP-002 R3 wording: under CAN-0024 a Cyber Asset with an embedded data-diode NIC is treated as non-routable across the ESP even though the host has IP addresses and uses the routable IP protocol
● Expect some confusion regarding embedded NICs
NERC-CIP Version 5 Draft – Routable Communications
● Low / Medium / High Impact Cyber Assets – not determined by dial-up or routable communications
● Distribution Providers now covered by the standard
● External Connectivity = routable or dial-up communications through an Electronic Security Perimeter
● CIP-005 Version 5 draft – requirements apply only to Electronic Access Points and remote access systems with routable or dial-up connectivity
● Some requirements for Medium Impact Cyber Assets apply only to assets associated with External Connectivity
● Fewer training, documentation and testing requirements if unidirectional, non-routable communications result in the elimination of Electronic Access Points
Reduced Security Costs
● Eligible sites: reduced CCA documentation and other costs
● Most sites: 12-24 months cost recovery
● Reduced firewall management costs
● Reduced DMZ equipment management costs
● Reduced audit and compliance documentation costs
● Reduced remote access training costs
● Reduced remote access management costs
20% of NERC-CIP Version 3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.
Strong Security
● Gateway hardware is gate-array programmed - no CPUs, no software, no way for a vulnerability to give an adversary control of the hardware
● Entire gateway solution assessed by Idaho National Labs: no back channels, no side channels, no way back into protected network
● Protection from even advanced, targeted threats and their Remote Administration Tools
● More secure than firewalls and serial connections
Two appliances (TX/RX) means no shared grounds, no shared power, or other shared components which can mask back-channels
Waterfall Unidirectional Gateway Connectors
Leading Industrial Applications/Historians
● OSIsoft PI, Scientech R*Time, Instep eDNA
● GE: iHistorian, iFIX, OSM
● Siemens: WinCC, SINAUT/Spectrum
● Emerson Ovation, Matrikon Alert Manager
● Microsoft SQLServer, Wonderware Historian
Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView
● Nitro SIEM
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/TFTP/SFTP/FTPS/RCP
Leading Industrial Protocols
● Modbus, OPC (DA, HDA, A&E)
● DNP3, ICCP
Remote Access
● Remote Screen View™
● Secure Manual Uplink
Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM Websphere MQ series
● Antivirus updater, patch (WSUS) updater
● Remote print server
Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors
● Focused exclusively on industrial markets and industrial server replication
● World’s largest suite of industrial replication solutions, patent protected
● Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed already
● Pike Research: Waterfall is key player in the cyber security market
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
Market leader for server replication in industrial environments
● CAN-0024 guidance identifies Unidirectional Gateways as non-routable
● Unidirectional Gateways reduce the cost of security programs
● Less complex configuration than firewalls
● Lower maintenance costs, less configuration, less to get wrong
● Lower audit costs: less documentation, no remote access, fewer logs
● Unidirectional Gateways are strong security
● Absolute protection from external network attacks
● Stronger than firewalls, stronger than serial connections
● Protects against errors and omissions
● Eliminates remote-control attacks
CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies
Unidirectional Security Gateways