Contenu connexe Similaire à Waterfall Security Solutions Overview Q1 2012 (20) Waterfall Security Solutions Overview Q1 20121. ®
®
Utilizing Unidirectional Security Gateways
to Achieve Cyber Security
January 2012, Israel
Danny Berko
Waterfall Security Solutions
© Copyright 2012 by Waterfall Security Solutions 1
2. ®
Today’s Agenda
● Waterfall Security Solutions Ltd. Introduction
● The Need: Protecting Critical National Infrastructure
Facilities
● How threats impact us - threats scenarios
● Meeting threats - Cyber Security Best Practices
● Unidirectional Security Gateways ™
● Use Cases
● Summary
© Copyright 2012 by Waterfall Security Solutions 2
3. ®
Waterfall Allows Information Flow from Protected
Network to External Network with NO Return Path
● Industrial ● Business
● Protected Network ● External Network
© Copyright 2012 by Waterfall Security Solutions
4. ®
Waterfall Security Solutions Introduction
● Located in Israel, local office and subsidiary in NY, USA
● Product core developed at 2004 and is evolving since
● US Patent 7,649,452
● Hundreds of installations in North America (USA and Canada), Europe,
Israel and Asia
● Technology and Business Focus for SCADA Networks, Industrial Control
networks, Utilities and Critical Infrastructures
● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens,
Westinghouse, Nitro/McAfee and many more
● Tight and continuous relationships with relevant regulators and authorities
● First and Sole INL assessed solution
© Copyright 2012 by Waterfall Security Solutions 4
5. ®
Waterfall’s Unique Value Proposition
● What do we do:
• Pioneer and Market Leader for Unidirectional Security Gateway Solutions.
• We provide absolute security of any cyber attack from external networks into critical networks.
• We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and
connectivity to existing infrastructures, industrial applications and SCADA protocols.
● What makes Waterfall Security Solutions so unique:
• Pike Research named Waterfall as key player in the cyber security market.
• Robust, reliable, manageable, unidirectional security gateways.
• Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture
• Stronger than firewalls – no remote hacking to your industrial network
• Assist achieving compliance to NERC, NRC, CFATS and other relevant regulations
• Installed base includes any industrial, critical or operational environment types
• Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas,
water, transportation, governmental and more.
© Copyright 2012 by Waterfall Security Solutions 5
6. ®
®
The Need: Protecting Critical National
Infrastructure Facilities
© Copyright 2012 by Waterfall Security Solutions 6
7. ®
Protecting CNI from Threats
Waterfall assist in avoiding cyber threats to CNIs
● Trivial threats or not as trivial
● Human errors, viruses propagation
● “Boasting rights” hackers: targeted, amateur, resource-poor
● Anonymous attacks on HB Gary, MasterCard, PayPal, Sony
● Insiders: amateur, targeted, have credentials,
positioned well for social engineering
● Organized crime: professional, opportunistic
● Botnets, identity theft, money laundering
● Nationstate militaries/intelligence agencies, professional, targeted, resource-rich
● Shady RAT, Night Dragon, Remote Administration Tools = remote control
● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment
● Traversed firewalls on connections “essential” to operation of control system
© Copyright 2012 by Waterfall Security Solutions 7
8. ®
Standard Hacking Skills Suffice
● Persistent, targeted attacks
Internet
● Facebook, Linkedin homework
● Emailed PDF files Firewall
● High success rate Corporate
● Hacking skill sets Network
● Downloaded tools, recompiled to evade Anti-Virus Firewall
● Plant firewalls are no real barrier
Plant
● Remote control Network
Firewall
Control
Network
© Copyright 2012 by Waterfall Security Solutions 8
9. ®
The Threats are Real
© Copyright 2012 by Waterfall Security Solutions
10. ®
Stuxnet Worm
● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge
uranium enrichment site
● Almost no evidence, but widespread speculation: authors were Israeli or
US intelligence agencies, or militaries
● PLC code slows centrifuges down until they are ineffective, speeds them
up to damage them, and changes rotation speed fast enough to destroy
power supplies or centrifuges
● Estimates of between 200 and 5000 centrifuges
damaged, out of inventory of 5000 units
● Stuxnet proved the concept.
© Copyright 2012 by Waterfall Security Solutions 10
11. ®
®
Threats scenarios that Waterfall addresses
© Copyright 2012 by Waterfall Security Solutions 11
12. ®
Main Threat Scenarios:
● Let’s focus on two main threat scenarios:
© Copyright 2012 by Waterfall Security Solutions 12
13. ®
Scenario I – Linking Critical and Business Networks
The critical (operational, industrial) network is required to send real-
time information to business/administrative networks
Plant and production information
Operational monitoring and status information
Equipment usage, conditional monitoring, service levels for important customers, spare
parts inventories, raw materials and finished goods inventories, etc.
Alerts and events
The business network is commonly connected to other networks,
including the Internet
Via these connections, attackers can
gain access to the critical network
and carry out remote, online attacks
into it
© Copyright 2012 by Waterfall Security Solutions 13
14. ®
Scenario II – Remote Monitoring of Critical Networks
A Control Center or Operations Center is remotely monitoring a critical
network or an equipment within it
This can be a 3rd party vendor or service provider monitoring equipment
for maintenance and service level
The Control Center usually monitors many other networks, from other
facilities and other countries
Critical network now exposed to threats
originating from each and every network
which is monitored by this Control Center
Internet/
Public network
Central Monitoring Site
© Copyright 2012 by Waterfall Security Solutions 14
15. ®
®
Meeting threats - Best Practices
© Copyright 2012 by Waterfall Security Solutions 15
16. ®
IT security “Best Practices”
● Firewalls
● Patching
● Anti-virus
● Host hardening
© Copyright 2012 by Waterfall Security Solutions 16
17. ®
IT/Software Based Security
“What you must learn is that these rules are no
different than the rules of a computer system.
Some of them can be bent.
Others can be broken.
Understand?”
(Morpheus; The Matrix, chapter 15)
© Copyright 2012 by Waterfall Security Solutions 17
18. ®
The Problem with Firewalls
● Firewalls make use of Code, OS and Configuration –
all have breaches (miss configuration/human errors)
● Viruses propagate across many VPN connections.
You trust the users, but should you trust their
workstations? Their cell phones?
● Keeping complex firewalls / VPNs secure is hard –
Errors and omissions – Open/Close ports for
illustrations, pilots and repairs
● Only “essential” connections allowed
● Insider attack from business network – with
legitimate credentials
● Costly: procedures, training, management, log
reviews, audits, assessments
● Prohibited by Regulation for Air Gap connectivity
© Copyright 2012 by Waterfall Security Solutions 18
19. ®
®
Waterfall One-Way™ Solution
© Copyright 2012 by Waterfall Security Solutions
2011 19
20. ®
The Challenge
● Business Processes and plant data
are too valuable not to use
Internet
● Critical decisions by key
personnel while away… Firewall
● Vendors maintenance or critical Corporate
Network
intervention while not on
premise…
● Process assets are too valuable to Plant Data
put at risk
Plant
Network
© Copyright 2012 by Waterfall Security Solutions 20
22. ®
Common (Insecure) Topology
Industrial Network Corporate Network User’s Stations
Historian
PLCs
RTUs etc
● Critical assets are located in the industrial network
● The corporate network is considered as an insecure and is usually connected to the Internet
● Corporate User’s stations are located in the corporate network
● The user’s stations communicate directly with the Historian at the industrial network
! The Industrial Network and critical assets are accessible from the corporate network and thus at
risk.
Side # 22
23. ®
Common (Insecure) Topology
Industrial Network Corporate Network User’s Stations
Historian
PLCs
RTUs etc
● Critical assets are located in the industrial network
● The corporate network is considered as an insecure and is usually connected to the Internet
● Corporate User’s stations are located in the corporate network
● The user’s stations communicate directly with the Historian at the industrial network
! The Industrial Network and critical assets are accessible from the corporate network and thus at
risk.
Side # 23
24. ®
Waterfall Based (Secure) Topology
Industrial Network Corporate Network User’s Stations
Waterfall Waterfall Replica
Historian
TX agent RX agent Historian
Transmitter Receiver
PLCs
RTUs etc
Waterfall Waterfall
TX appliance RX appliance
Hardware Based Unidirectional
Waterfall Unidirectional Gateway
Security Gateway
● The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian
● Laser – Photocell–
The Replica Historian contains all data and functionalities of the Historian
●
Transmit Only
The user’s stations communicate ONLY with the Replica Historian
Receive Only
The Industrial Network and critical assets are physically inaccessible from the business network
and thus 100% secure from any online attack
Compliance with NERC, NRC, NIST and CFATS regulations – easily met
The corporate users can continue to utilize the Historian data as they used to do before
© Copyright 2012 by Waterfall Security Solutions Side # 24
25. ®
®
Use Cases
© Copyright 2012 by Waterfall Security Solutions 25
26. ®
Usage Scenarios – Supporting Any Need
● Replicating applications and
historian systems
● Transferring SCADA protocols
● Integrated/Ref. Architecture
● Remote View and Remote
Assistance
© Copyright 2012 by Waterfall Security Solutions 26
29. ®
Integrated Use Case
● Production information replicated to corporate network via plant historian
● Security information routed to corporate SOC via embedded SIEM
● Remote vendor and IT support enabled via Remote Screen View
● Conventional firewall protects data confidentiality on corporate network
© Copyright 2012 by Waterfall Security Solutions 29
30. ®
Remote Monitoring and Remote Assistance
● Vendors can see control system screens in web browser
● Remote support is under control of on-site personnel
● Any changes to software or devices are carried out by on-site personnel,
supervised by vendor personnel who can see site screens in real-time
● Vendors feel they are
supervising site personnel
● Site people feel they are
supervising the vendors
© Copyright 2012 by Waterfall Security Solutions 30
31. ®
Industrial Grade Solution
● Waterfall Gateway is a critical mission “ready” solution
● High availability implemented in the hardware (dual NICs)
● Cluster support by the software
● Inherent archiving and elastic buffering
● Dual power supply
© Copyright 2012 by Waterfall Security Solutions 31
32. ®
®
Summary
© Copyright 2012 by Waterfall Security Solutions 32
33. ®
Waterfall One-Way™ selected list of connectors
Leading Industrial Applications/Historians Remote Screen View
● OSISoft PI, GE iHistorian, GE iFIX, Leading Industrial Protocols
● Scientech R*Time, Instep eDNA, GE OSM, ● Modbus, OPC (DA, HDA, A&&E)
● Siemens WinCC, SINAUT, Wonderware ● DNP3, ICCP
● GE Bentley Nevada System One IT connectors
Leading IT Monitoring Applications ● Database (SQL) Replication
● SNMP, SYSLOG, CA Unicenter/SIM ● NTP, Multicast Ethernet, Rsync
● HP OpenView, Matrikon Alert Manager ● Video/Audio stream transfer
● Areva Powerplex/Powertrax ● Mail server/mail box replication
● Westinghouse Beacon/WCMS/Log Transfer ● IBM Websphere MQ, MSMQ, Tibco EMS
File/Folder Mirroring ● Antivirus updater, patch (WSUS) updater
● Folder, tree mirroring, remote folders (CIFS) ● Remote Print server
● FTP/FTFP/SFTP/TFPS/RCP ● UDP, TCP/IP
© Copyright 2012 by Waterfall Security Solutions 33
34. ®
Cost Recovery
● Most sites report 12-24 months cost recovery:
● Reduced firewall management costs
● Reduced DMZ equipment management costs
● Reduced audit and compliance documentation costs
● Reduced remote access training costs
● Reduced remote access management
costs
© Copyright 2012 by Waterfall Security Solutions
35. ®
Regulation and Authorities Recognition
● Selected by US Department of Homeland Security, for its National Cyber
Security Test-bed.
● Waterfall gateways first and sole to be assessed by Idaho National Labs
● No side channels, no back channels
● No “acknowledgement channel” which advanced adversaries can turn into a
remote-control-command back-channel
Two appliances mean no shared
grounds, no shared power, or other
shared components which can make
back-channels difficult to identify
© Copyright 2012 by Waterfall Security Solutions 35
36. ®
Waterfall Security Solution Differentiators
Unidirectional Security Gateway™ - provides a full solution, out of the box
100% protection from remote hacking into your industrial network
US Patent covering SCADA/Control Networks security
Designed and built to meet Critical Infrastructure and Utilities needs
Off the shelf integral support for Historians, SCADA protocols, file transfers,
streaming. Strategic partnership and cooperation leading industrial vendors
Enables compliance with NERC-CIP, NIST 800.53 and 800.82, RG 5.71
Pike Research named Waterfall as key player in the cyber security market
Worldwide installations for industrial, critical and operational environments
Host hardware invariance and compatibility
Unique High Availability, 1GB support and Many-to-One architecture support
© Copyright 2012 by Waterfall Security Solutions 36
38. ®
Questions?
THANK YOU !
© Copyright 2012 by Waterfall Security Solutions