



             Utilizing Unidirectional Security Gateways
             to Achieve Cyber Security
             January 2012, Israel
              Danny Berko
              Waterfall Security Solutions


© Copyright 2012 by Waterfall Security Solutions       1




 Today’s Agenda

 ● Waterfall Security Solutions Ltd. Introduction

 ● The Need: Protecting Critical National Infrastructure
       Facilities

 ● How threats impact us - threat scenarios

 ● Meeting threats - Cyber Security Best Practices

 ● Unidirectional Security Gateways ™

 ● Use Cases

 ● Summary




 Waterfall Allows Information Flow from Protected
 Network to External Network with NO Return Path
 ● Industrial (Protected Network)
 ● Business (External Network)








 Waterfall Security Solutions Introduction
 ● Located in Israel, local office and subsidiary in NY, USA

 ● Product core developed in 2004 and evolving since

 ● US Patent 7,649,452

 ● Hundreds of installations in North America (USA and Canada), Europe,
       Israel and Asia

 ● Technology and Business Focus for SCADA Networks, Industrial Control
       networks, Utilities and Critical Infrastructures
         ● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens,
               Westinghouse, Nitro/McAfee and many more

 ● Tight and continuous relationships with relevant regulators and authorities

         ● First and Sole INL assessed solution





 Waterfall’s Unique Value Proposition
● What do we do:
      •    Pioneer and Market Leader for Unidirectional Security Gateway Solutions.

      •    We provide absolute security against any cyber attack from external networks into critical networks.

      •    We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and
           connectivity to existing infrastructures, industrial applications and SCADA protocols.

● What makes Waterfall Security Solutions so unique:
      •    Pike Research named Waterfall as a key player in the cyber security market.

      •    Robust, reliable, manageable, unidirectional security gateways.

              •    Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture

      •    Stronger than firewalls – no remote hacking to your industrial network
      •    Assists in achieving compliance with NERC, NRC, CFATS and other relevant regulations

      •    Installed base includes all industrial, critical or operational environment types
              •    Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas,
                   water, transportation, governmental and more.




             The Need: Protecting Critical National
             Infrastructure Facilities








 Protecting CNI from Threats
  Waterfall assists in avoiding cyber threats to CNIs
  ● Trivial threats or not as trivial
          ● Human errors, virus propagation
  ● “Boasting rights” hackers: targeted, amateur, resource-poor
          ●     Anonymous attacks on HB Gary, MasterCard, PayPal, Sony
  ● Insiders: amateur, targeted, have credentials,
    positioned well for social engineering
  ● Organized crime: professional, opportunistic
          ●     Botnets, identity theft, money laundering
  ● Nation-state militaries/intelligence agencies: professional, targeted, resource-rich
          ●     Shady RAT, Night Dragon, Remote Administration Tools = remote control
  ● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment
          ●     Traversed firewalls on connections “essential” to operation of control system




Standard Hacking Skills Suffice

 ● Persistent, targeted attacks
         ●     Facebook, LinkedIn homework
         ●     Emailed PDF files
 ● High success rate
         ●     Hacking skill sets
 ● Downloaded tools, recompiled to evade Anti-Virus
 ● Plant firewalls are no real barrier
 ● Remote control

 [Diagram, top to bottom: Internet, Firewall, Corporate Network, Firewall, Plant Network, Firewall, Control Network]







 The Threats are Real








Stuxnet Worm

 ● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge
   uranium enrichment site
 ● Almost no evidence, but widespread speculation: authors were Israeli or
   US intelligence agencies, or militaries
 ● PLC code slows centrifuges down until they are ineffective, speeds them
   up to damage them, and changes rotation speed fast enough to destroy
   power supplies or centrifuges
 ● Estimates of between 200 and 5000 centrifuges
       damaged, out of inventory of 5000 units
 ● Stuxnet proved the concept.








             Threat scenarios that Waterfall addresses








 Main Threat Scenarios:

 ● Let’s focus on two main threat scenarios:








 Scenario I – Linking Critical and Business Networks
 ● The critical (operational, industrial) network is required to send real-time
   information to business/administrative networks
         ● Plant and production information
         ● Operational monitoring and status information
                 ● Equipment usage, condition monitoring, service levels for important customers, spare
                   parts inventories, raw materials and finished goods inventories, etc.
         ● Alerts and events
 ● The business network is commonly connected to other networks,
   including the Internet
 ● Via these connections, attackers can gain access to the critical network
   and carry out remote, online attacks into it







Scenario II – Remote Monitoring of Critical Networks
 ● A Control Center or Operations Center is remotely monitoring a critical
   network or equipment within it
 ● This can be a 3rd party vendor or service provider monitoring equipment
   for maintenance and service level
 ● The Control Center usually monitors many other networks, from other
   facilities and other countries

 ● Critical network now exposed to threats
   originating from each and every network
   which is monitored by this Control Center

 [Diagram labels: Internet/Public network, Central Monitoring Site]




             Meeting threats - Best Practices








 IT security “Best Practices”

 ● Firewalls
 ● Patching
 ● Anti-virus
 ● Host hardening








IT/Software Based Security

“What you must learn is that these rules are no
different than the rules of a computer system.

Some of them can be bent.

Others can be broken.

Understand?”


                                                        (Morpheus; The Matrix, chapter 15)





The Problem with Firewalls
 ● Firewalls make use of Code, OS and Configuration –
   all have breaches (misconfiguration/human errors)
 ● Viruses propagate across many VPN connections.
   You trust the users, but should you trust their
   workstations? Their cell phones?
 ● Keeping complex firewalls / VPNs secure is hard –
   Errors and omissions – Open/Close ports for
   illustrations, pilots and repairs
 ● Only “essential” connections allowed
 ● Insider attack from business network – with
   legitimate credentials
 ● Costly: procedures, training, management, log
   reviews, audits, assessments
 ● Prohibited by Regulation for Air Gap connectivity





             Waterfall One-Way™ Solution








The Challenge
         ● Business Processes and plant data
           are too valuable not to use
                 ● Critical decisions by key
                   personnel while away…
                 ● Vendor maintenance or critical
                   intervention while not on
                   premise…
         ● Process assets are too valuable to
           put at risk

 [Diagram labels: Internet, Firewall, Corporate Network, Plant Data, Plant Network]






Unidirectional Security Gateway, an Innovative Solution








Common (Insecure) Topology
[Diagram: Industrial Network (Historian; PLCs, RTUs etc.), Corporate Network, User’s Stations]

●     Critical assets are located in the industrial network
●     The corporate network is considered insecure and is usually connected to the Internet
●     Corporate user’s stations are located in the corporate network
●     The user’s stations communicate directly with the Historian in the industrial network


!     The Industrial Network and critical assets are accessible from the corporate network and thus at
      risk.





Waterfall Based (Secure) Topology
[Diagram, left to right: Industrial Network (PLCs, RTUs etc.; Historian; Waterfall TX agent), Waterfall TX appliance (Transmitter; Laser – Transmit Only), Waterfall RX appliance (Receiver; Photocell – Receive Only), Corporate Network (Waterfall RX agent; Replica Historian), User’s Stations. Caption: Waterfall Unidirectional Gateway, Hardware Based Unidirectional Security Gateway]

  ●     The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian
  ●     The Replica Historian contains all data and functionalities of the Historian
  ●     The user’s stations communicate ONLY with the Replica Historian

  ●     The Industrial Network and critical assets are physically inaccessible from the business network
        and thus 100% secure from any online attack
  ●     Compliance with NERC, NRC, NIST and CFATS regulations – easily met
  ●     The corporate users can continue to utilize the Historian data as they used to do before
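
The replication on this slide has to work without acknowledgements, because the link has no return path. The sketch below is an added illustration, not Waterfall's implementation or code from the presentation: the frame layout, the repeat-transmission scheme, the class and function names and the sample data are all assumptions, chosen to show how a transmit-only sender and a receive-only replica can detect loss and damage without any back channel.

```python
import struct
import zlib

# Assumed frame layout (not a Waterfall format):
#   sequence number | timestamp | payload length | payload | CRC32
HEADER = struct.Struct("!IdH")

# Constructed historian samples: (timestamp, tag, value)
SAMPLES = [(1325376000.0 + i, "TURBINE1.RPM", 3000.0 + i) for i in range(10)]


def encode_frame(seq, timestamp, tag, value):
    """TX side: serialise one historian sample with a sequence number and CRC."""
    payload = f"{tag}={value}".encode()
    body = HEADER.pack(seq, timestamp, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def decode_frame(frame):
    """RX side: return (seq, timestamp, tag, value), or None if damaged."""
    if len(frame) < HEADER.size + 4:
        return None
    body = frame[:-4]
    (crc,) = struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, timestamp, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if len(payload) != length:
        return None
    tag, _, value = payload.decode().rpartition("=")
    return seq, timestamp, tag, float(value)


class RxAgent:
    """Receive-only side: builds the replica and notices gaps on its own."""

    def __init__(self):
        self.replica = {}   # seq -> (timestamp, tag, value)
        self.rejected = 0   # frames dropped because the CRC or length was wrong

    def on_frame(self, frame):
        record = decode_frame(frame)
        if record is None:
            self.rejected += 1
            return
        seq, timestamp, tag, value = record
        self.replica.setdefault(seq, (timestamp, tag, value))  # ignore repeats

    def missing(self):
        """Sequence numbers never seen, up to the highest one received.

        Loss at the tail of the stream is invisible here: with no return path
        the receiver cannot know a later frame was ever sent.
        """
        if not self.replica:
            return []
        return [s for s in range(max(self.replica) + 1) if s not in self.replica]


class OneWayLink:
    """Models the transmit-only/receive-only pair: there is no reverse method.

    drop_every=N deterministically loses every Nth transmitted frame.
    """

    def __init__(self, receiver, drop_every=0):
        self._receiver = receiver
        self._drop_every = drop_every
        self._sent = 0

    def transmit(self, frame):
        self._sent += 1
        if self._drop_every and self._sent % self._drop_every == 0:
            return None          # lost in transit; the sender is never told
        self._receiver.on_frame(frame)
        return None              # delivered; the sender is never told either


def replicate(samples, repeat=1, drop_every=0):
    """TX agent: push every sample `repeat` times, since no resend can be requested."""
    rx = RxAgent()
    link = OneWayLink(rx, drop_every)
    for seq, (timestamp, tag, value) in enumerate(samples):
        frame = encode_frame(seq, timestamp, tag, value)
        for _ in range(repeat):
            link.transmit(frame)
    return rx


if __name__ == "__main__":
    for repeat in (1, 2):
        rx = replicate(SAMPLES, repeat=repeat, drop_every=3)
        print(f"repeat={repeat}: {len(rx.replica)} records, missing {rx.missing()}")
```

Recovery of a detected gap has to come from the sending side's own redundancy or from an out-of-band process on the industrial network, since the replica cannot ask for anything.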




             Use Cases








 Usage Scenarios – Supporting Any Need

                                                        ● Replicating applications and
                                                          historian systems

                                                        ● Transferring SCADA protocols

                                                        ● Integrated/Ref. Architecture

                                                        ● Remote View and Remote
                                                          Assistance








 Real-time Replication of Historian systems








 Real-time Transfer of SCADA protocols








Integrated Use Case

 ● Production information replicated to corporate network via plant historian
 ● Security information routed to corporate SOC via embedded SIEM
 ● Remote vendor and IT support enabled via Remote Screen View
 ● Conventional firewall protects data confidentiality on corporate network








Remote Monitoring and Remote Assistance

 ● Vendors can see control system screens in web browser
 ● Remote support is under control of on-site personnel
 ● Any changes to software or devices are carried out by on-site personnel,
   supervised by vendor personnel who can see site screens in real-time
 ● Vendors feel they are
   supervising site personnel
 ● Site people feel they are
   supervising the vendors








 Industrial Grade Solution
    ● Waterfall Gateway is a critical mission “ready” solution
      ● High availability implemented in the hardware (dual NICs)
      ● Cluster support by the software
      ● Inherent archiving and elastic buffering
      ● Dual power supply








             Summary








 Waterfall One-Way™ selected list of connectors
Leading Industrial Applications/Historians
  ● OSISoft PI, GE iHistorian, GE iFIX,
  ● Scientech R*Time, Instep eDNA, GE OSM,
  ● Siemens WinCC, SINAUT, Wonderware
  ● GE Bentley Nevada System One

Leading IT Monitoring Applications
  ● SNMP, SYSLOG, CA Unicenter/SIM
  ● HP OpenView, Matrikon Alert Manager
  ● Areva Powerplex/Powertrax
  ● Westinghouse Beacon/WCMS/Log Transfer

File/Folder Mirroring
  ● Folder, tree mirroring, remote folders (CIFS)
  ● FTP/FTFP/SFTP/TFPS/RCP

Remote Screen View

Leading Industrial Protocols
  ● Modbus, OPC (DA, HDA, A&E)
  ● DNP3, ICCP

IT connectors
  ● Database (SQL) Replication
  ● NTP, Multicast Ethernet, Rsync
  ● Video/Audio stream transfer
  ● Mail server/mail box replication
  ● IBM Websphere MQ, MSMQ, Tibco EMS
  ● Antivirus updater, patch (WSUS) updater
  ● Remote Print server
  ● UDP, TCP/IP




Cost Recovery

 ● Most sites report 12-24 months cost recovery:
         ● Reduced firewall management costs
         ● Reduced DMZ equipment management costs
         ● Reduced audit and compliance documentation costs
         ● Reduced remote access training costs
         ● Reduced remote access management
           costs








Regulation and Authorities Recognition

 ● Selected by US Department of Homeland Security, for its National Cyber
   Security Test-bed.
 ● Waterfall gateways first and sole to be assessed by Idaho National Labs
         ●     No side channels, no back channels
 ● No “acknowledgement channel” which advanced adversaries can turn into a
   remote-control-command back-channel



 Two appliances mean no shared
 grounds, no shared power, or other
 shared components which can make
 back-channels difficult to identify







                  Waterfall Security Solution Differentiators
  ● Unidirectional Security Gateway™ - provides a full solution, out of the box
  ● 100% protection from remote hacking into your industrial network
  ● US Patent covering SCADA/Control Networks security
  ● Designed and built to meet Critical Infrastructure and Utilities needs
  ● Off the shelf integral support for Historians, SCADA protocols, file transfers,
       streaming. Strategic partnership and cooperation with leading industrial vendors
  ● Enables compliance with NERC-CIP, NIST 800.53 and 800.82, RG 5.71
  ● Pike Research named Waterfall as a key player in the cyber security market
  ● Worldwide installations for industrial, critical and operational environments
  ● Host hardware invariance and compatibility
  ● Unique High Availability, 1GB support and Many-to-One architecture support






Hundreds of Installations Worldwide








        Questions?
                                                       THANK YOU !

Waterfall Security Solutions Overview Q1 2012

  • 1. Utilizing Unidirectional Security Gateways to Achieve Cyber Security. January 2012, Israel. Danny Berko, Waterfall Security Solutions. © Copyright 2012 by Waterfall Security Solutions
  • 2. Today’s Agenda
      ● Waterfall Security Solutions Ltd. Introduction
      ● The Need: Protecting Critical National Infrastructure Facilities
      ● How threats impact us - threat scenarios
      ● Meeting threats - Cyber Security Best Practices
      ● Unidirectional Security Gateways™
      ● Use Cases
      ● Summary
  • 3. Waterfall Allows Information Flow from Protected Network to External Network with NO Return Path
      [Diagram: Industrial (Protected Network) → Business (External Network)]
  • 4. Waterfall Security Solutions Introduction
      ● Located in Israel, local office and subsidiary in NY, USA
      ● Product core developed in 2004 and evolving since
      ● US Patent 7,649,452
      ● Hundreds of installations in North America (USA and Canada), Europe, Israel and Asia
      ● Technology and Business Focus for SCADA Networks, Industrial Control networks, Utilities and Critical Infrastructures
      ● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens, Westinghouse, Nitro/McAfee and many more
      ● Tight and continuous relationships with relevant regulators and authorities
      ● First and Sole INL assessed solution
  • 5. Waterfall’s Unique Value Proposition
      ● What do we do:
          • Pioneer and Market Leader for Unidirectional Security Gateway Solutions.
          • We provide absolute security against any cyber attack from external networks into critical networks.
          • We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and connectivity to existing infrastructures, industrial applications and SCADA protocols.
      ● What makes Waterfall Security Solutions so unique:
          • Pike Research named Waterfall as key player in the cyber security market.
          • Robust, reliable, manageable, unidirectional security gateways.
          • Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture
          • Stronger than firewalls – no remote hacking to your industrial network
          • Assists in achieving compliance with NERC, NRC, CFATS and other relevant regulations
          • Installed base includes any industrial, critical or operational environment types
          • Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas, water, transportation, governmental and more.
  • 6. The Need: Protecting Critical National Infrastructure Facilities
  • 7. Protecting CNI from Threats. Waterfall assists in avoiding cyber threats to CNIs
      ● Trivial threats or not as trivial
      ● Human errors, virus propagation
      ● “Boasting rights” hackers: targeted, amateur, resource-poor
      ● Anonymous attacks on HB Gary, MasterCard, PayPal, Sony
      ● Insiders: amateur, targeted, have credentials, positioned well for social engineering
      ● Organized crime: professional, opportunistic
      ● Botnets, identity theft, money laundering
      ● Nation-state militaries/intelligence agencies: professional, targeted, resource-rich
      ● Shady RAT, Night Dragon, Remote Administration Tools = remote control
      ● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment
      ● Traversed firewalls on connections “essential” to operation of control system
  • 8. Standard Hacking Skills Suffice
      ● Persistent, targeted attacks
      ● Facebook, LinkedIn homework
      ● Emailed PDF files
      ● High success rate
      ● Hacking skill sets
      ● Downloaded tools, recompiled to evade Anti-Virus
      ● Plant firewalls are no real barrier
      ● Remote control
      [Diagram: Internet → Firewall → Corporate Network → Firewall → Plant Network → Firewall → Control Network]
  • 9. The Threats are Real
  • 10. Stuxnet Worm
      ● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge uranium enrichment site
      ● Almost no evidence, but widespread speculation: authors were Israeli or US intelligence agencies, or militaries
      ● PLC code slows centrifuges down until they are ineffective, speeds them up to damage them, and changes rotation speed fast enough to destroy power supplies or centrifuges
      ● Estimates of between 200 and 5000 centrifuges damaged, out of inventory of 5000 units
      ● Stuxnet proved the concept.
  • 11. Threat scenarios that Waterfall addresses
  • 12. Main Threat Scenarios:
      ● Let’s focus on two main threat scenarios:
  • 13. Scenario I – Linking Critical and Business Networks
      ● The critical (operational, industrial) network is required to send real-time information to business/administrative networks
      ● Plant and production information
      ● Operational monitoring and status information
      ● Equipment usage, conditional monitoring, service levels for important customers, spare parts inventories, raw materials and finished goods inventories, etc.
      ● Alerts and events
      ● The business network is commonly connected to other networks, including the Internet
      ● Via these connections, attackers can gain access to the critical network and carry out remote, online attacks into it
  • 14. Scenario II – Remote Monitoring of Critical Networks
      ● A Control Center or Operations Center is remotely monitoring a critical network or equipment within it
      ● This can be a 3rd party vendor or service provider monitoring equipment for maintenance and service level
      ● The Control Center usually monitors many other networks, from other facilities and other countries
      ● Critical network now exposed to threats originating from each and every network which is monitored by this Control Center
      [Diagram labels: Internet/Public network, Central Monitoring Site]
  • 15. Meeting threats - Best Practices
  • 16. IT security “Best Practices”
      ● Firewalls
      ● Patching
      ● Anti-virus
      ● Host hardening
  • 17. IT/Software Based Security
      “What you must learn is that these rules are no different than the rules of a computer system. Some of them can be bent. Others can be broken. Understand?” (Morpheus; The Matrix, chapter 15)
  • 18. The Problem with Firewalls
      ● Firewalls make use of Code, OS and Configuration – all have breaches (misconfiguration/human errors)
      ● Viruses propagate across many VPN connections. You trust the users, but should you trust their workstations? Their cell phones?
      ● Keeping complex firewalls / VPNs secure is hard
          – Errors and omissions
          – Open/Close ports for illustrations, pilots and repairs
      ● Only “essential” connections allowed
      ● Insider attack from business network – with legitimate credentials
      ● Costly: procedures, training, management, log reviews, audits, assessments
      ● Prohibited by Regulation for Air Gap connectivity
  • 19. Waterfall One-Way™ Solution
  • 20. The Challenge
      ● Business Processes and plant data are too valuable not to use
      ● Critical decisions by key personnel while away…
      ● Vendors maintenance or critical intervention while not on premise…
      ● Process assets are too valuable to put at risk
      [Diagram labels: Internet, Firewall, Corporate Network, Plant Data, Plant Network]
  • 21. Unidirectional Security Gateway, an Innovative Solution
  • 22. Common (Insecure) Topology
      [Diagram labels: Industrial Network (Historian, PLCs, RTUs etc.), Corporate Network (User’s Stations)]
      ● Critical assets are located in the industrial network
      ● The corporate network is considered insecure and is usually connected to the Internet
      ● Corporate User’s stations are located in the corporate network
      ● The user’s stations communicate directly with the Historian at the industrial network
      ! The Industrial Network and critical assets are accessible from the corporate network and thus at risk.
  • 23. Common (Insecure) Topology
      [Diagram labels: Industrial Network (Historian, PLCs, RTUs etc.), Corporate Network (User’s Stations)]
      ● Critical assets are located in the industrial network
      ● The corporate network is considered insecure and is usually connected to the Internet
      ● Corporate User’s stations are located in the corporate network
      ● The user’s stations communicate directly with the Historian at the industrial network
      ! The Industrial Network and critical assets are accessible from the corporate network and thus at risk.
  • 24. Waterfall Based (Secure) Topology
      [Diagram labels: Industrial Network (Historian, Waterfall TX agent, PLCs, RTUs etc.), Waterfall TX appliance (Transmitter, Laser, Transmit Only), Waterfall RX appliance (Receiver, Photocell, Receive Only), Corporate Network (Waterfall RX agent, Replica Historian, User’s Stations); Hardware Based Unidirectional Security Gateway, Waterfall Unidirectional Gateway]
      ● The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian
      ● The Replica Historian contains all data and functionalities of the Historian
      ● The user’s stations communicate ONLY with the Replica Historian
      ● The Industrial Network and critical assets are physically inaccessible from the business network and thus 100% secure from any online attack
      ● Compliance with NERC, NRC, NIST and CFATS regulations – easily met
      ● The corporate users can continue to utilize the Historian data as they used to do before
  • 25. Use Cases
  • 26. Usage Scenarios – Supporting Any Need
      ● Replicating applications and historian systems
      ● Transferring SCADA protocols
      ● Integrated/Ref. Architecture
      ● Remote View and Remote Assistance
  • 27. Real-time Replication of Historian systems
  • 28. Real-time Transfer of SCADA protocols
  • 29. Integrated Use Case
      ● Production information replicated to corporate network via plant historian
      ● Security information routed to corporate SOC via embedded SIEM
      ● Remote vendor and IT support enabled via Remote Screen View
      ● Conventional firewall protects data confidentiality on corporate network
  • 30. Remote Monitoring and Remote Assistance
      ● Vendors can see control system screens in web browser
      ● Remote support is under control of on-site personnel
      ● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time
      ● Vendors feel they are supervising site personnel
      ● Site people feel they are supervising the vendors
  • 31. Industrial Grade Solution
      ● Waterfall Gateway is a critical mission “ready” solution
      ● High availability implemented in the hardware (dual NICs)
      ● Cluster support by the software
      ● Inherent archiving and elastic buffering
      ● Dual power supply
  • 32. Summary
  • 33. Waterfall One-Way™ selected list of connectors
      Leading Industrial Applications/Historians
      ● OSISoft PI, GE iHistorian, GE iFIX,
      ● Scientech R*Time, Instep eDNA, GE OSM,
      ● Siemens WinCC, SINAUT, Wonderware
      ● GE Bentley Nevada System One
      Leading IT Monitoring Applications
      ● SNMP, SYSLOG, CA Unicenter/SIM
      ● HP OpenView, Matrikon Alert Manager
      ● Areva Powerplex/Powertrax
      ● Westinghouse Beacon/WCMS/Log Transfer
      File/Folder Mirroring
      ● Folder, tree mirroring, remote folders (CIFS)
      ● FTP/FTFP/SFTP/TFPS/RCP
      Remote Screen View
      Leading Industrial Protocols
      ● Modbus, OPC (DA, HDA, A&E)
      ● DNP3, ICCP
      IT connectors
      ● Database (SQL) Replication
      ● NTP, Multicast Ethernet, Rsync
      ● Video/Audio stream transfer
      ● Mail server/mail box replication
      ● IBM Websphere MQ, MSMQ, Tibco EMS
      ● Antivirus updater, patch (WSUS) updater
      ● Remote Print server
      ● UDP, TCP/IP
  • 34. Cost Recovery
      ● Most sites report 12-24 months cost recovery:
      ● Reduced firewall management costs
      ● Reduced DMZ equipment management costs
      ● Reduced audit and compliance documentation costs
      ● Reduced remote access training costs
      ● Reduced remote access management costs
  • 35. Regulation and Authorities Recognition
      ● Selected by US Department of Homeland Security, for its National Cyber Security Test-bed.
      ● Waterfall gateways first and sole to be assessed by Idaho National Labs
      ● No side channels, no back channels
      ● No “acknowledgement channel” which advanced adversaries can turn into a remote-control-command back-channel
      ● Two appliances mean no shared grounds, no shared power, or other shared components which can make back-channels difficult to identify
  • 36. Waterfall Security Solution Differentiators
      ● Unidirectional Security Gateway™ - provides a full solution, out of the box
      ● 100% protection from remote hacking into your industrial network
      ● US Patent covering SCADA/Control Networks security
      ● Designed and built to meet Critical Infrastructure and Utilities needs
      ● Off the shelf integral support for Historians, SCADA protocols, file transfers, streaming. Strategic partnership and cooperation with leading industrial vendors
      ● Enables compliance with NERC-CIP, NIST 800.53 and 800.82, RG 5.71
      ● Pike Research named Waterfall as key player in the cyber security market
      ● Worldwide installations for industrial, critical and operational environments
      ● Host hardware invariance and compatibility
      ● Unique High Availability, 1GB support and Many-to-One architecture support
  • 37. Hundreds of Installations Worldwide
  • 38. Questions? THANK YOU!