Utilizing Unidirectional Security Gateways to Achieve Cyber Security

January 2012, Israel

Danny Berko, Waterfall Security Solutions

© Copyright 2012 by Waterfall Security Solutions

Waterfall Security Solutions Overview Q1 2012


Today’s Agenda

● Waterfall Security Solutions Ltd. Introduction

● The Need: Protecting Critical National Infrastructure Facilities

● How threats impact us - threat scenarios

● Meeting threats - Cyber Security Best Practices

● Unidirectional Security Gateways ™

● Use Cases

● Summary


Waterfall Allows Information Flow from Protected Network to External Network with NO Return Path

[Diagram labels: Industrial, Business, Protected Network, External Network]


Waterfall Security Solutions Introduction

● Located in Israel, local office and subsidiary in NY, USA

● Product core developed in 2004 and evolving since

● US Patent 7,649,452

● Hundreds of installations in North America (USA and Canada), Europe, Israel and Asia

● Technology and Business Focus for SCADA Networks, Industrial Control networks, Utilities and Critical Infrastructures

● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens, Westinghouse, Nitro/McAfee and many more

● Tight and continuous relationships with relevant regulators and authorities

● First and Sole INL assessed solution


Waterfall’s Unique Value Proposition

● What do we do:

• Pioneer and Market Leader for Unidirectional Security Gateway Solutions.

• We provide absolute security against any cyber attack from external networks into critical networks.

• We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and connectivity to existing infrastructures, industrial applications and SCADA protocols.

● What makes Waterfall Security Solutions so unique:

• Pike Research named Waterfall as key player in the cyber security market.

• Robust, reliable, manageable, unidirectional security gateways.

• Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture

• Stronger than firewalls – no remote hacking to your industrial network

• Assists in achieving compliance with NERC, NRC, CFATS and other relevant regulations

• Installed base includes any industrial, critical or operational environment types

• Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas, water, transportation, governmental and more.


The Need: Protecting Critical National Infrastructure Facilities


Protecting CNI from Threats

Waterfall assists in avoiding cyber threats to CNIs

● Trivial threats or not as trivial

● Human errors, virus propagation

● “Boasting rights” hackers: targeted, amateur, resource-poor

● Anonymous attacks on HB Gary, MasterCard, PayPal, Sony

● Insiders: amateur, targeted, have credentials, positioned well for social engineering

● Organized crime: professional, opportunistic

● Botnets, identity theft, money laundering

● Nation-state militaries/intelligence agencies: professional, targeted, resource-rich

● Shady RAT, Night Dragon, Remote Administration Tools = remote control

● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment

● Traversed firewalls on connections “essential” to operation of control system


Standard Hacking Skills Suffice

● Persistent, targeted attacks

● Facebook, Linkedin homework

● Emailed PDF files

● High success rate

● Hacking skill sets

● Downloaded tools, recompiled to evade Anti-Virus

● Plant firewalls are no real barrier

● Remote control

[Diagram labels: Internet, Corporate Network, Plant Network, Control Network, and three firewalls]


The Threats are Real


Stuxnet Worm

● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge uranium enrichment site

● Almost no evidence, but widespread speculation: authors were Israeli or US intelligence agencies, or militaries

● PLC code slows centrifuges down until they are ineffective, speeds them up to damage them, and changes rotation speed fast enough to destroy power supplies or centrifuges

● Estimates of between 200 and 5000 centrifuges damaged, out of inventory of 5000 units

● Stuxnet proved the concept.


Threat scenarios that Waterfall addresses


Main Threat Scenarios:

● Let’s focus on two main threat scenarios:


Scenario I – Linking Critical and Business Networks

The critical (operational, industrial) network is required to send real-time information to business/administrative networks

Plant and production information

Operational monitoring and status information

Equipment usage, condition monitoring, service levels for important customers, spare parts inventories, raw materials and finished goods inventories, etc.

Alerts and events

The business network is commonly connected to other networks, including the Internet

Via these connections, attackers can gain access to the critical network and carry out remote, online attacks into it


Scenario II – Remote Monitoring of Critical Networks

A Control Center or Operations Center remotely monitors a critical network or equipment within it

This can be a 3rd party vendor or service provider monitoring equipment for maintenance and service level

The Control Center usually monitors many other networks, from other facilities and other countries

The critical network is now exposed to threats originating from every network monitored by this Control Center

[Diagram labels: Internet/Public network, Central Monitoring Site]


Meeting threats - Best Practices


IT security “Best Practices”

● Firewalls

● Patching

● Anti-virus

● Host hardening


“What you must learn is that these rules are no different than the rules of a computer system. Some of them can be bent. Others can be broken. Understand?”

(Morpheus; The Matrix, chapter 15)

IT/Software Based Security


The Problem with Firewalls

● Firewalls make use of Code, OS and Configuration – all have breaches (misconfiguration/human errors)

● Viruses propagate across many VPN connections. You trust the users, but should you trust their workstations? Their cell phones?

● Keeping complex firewalls / VPNs secure is hard – Errors and omissions – Open/Close ports for illustrations, pilots and repairs

● Only “essential” connections allowed

● Insider attack from business network – with legitimate credentials

● Costly: procedures, training, management, log reviews, audits, assessments

● Prohibited by Regulation for Air Gap connectivity


Waterfall One-Way™ Solution


The Challenge

[Diagram labels: Internet, Corporate Network, Plant Network, Firewall, Plant Data]

● Business Processes and plant data are too valuable not to use

● Critical decisions by key personnel while away…

● Vendor maintenance or critical intervention while not on premises…

● Process assets are too valuable to put at risk


Unidirectional Security Gateway, an Innovative Solution


Common (Insecure) Topology


● Critical assets are located in the industrial network

● The corporate network is considered insecure and is usually connected to the Internet

● Corporate User’s stations are located in the corporate network

● The user’s stations communicate directly with the Historian at the industrial network

! The Industrial Network and critical assets are accessible from the corporate network and thus at risk.

[Diagram: Corporate Network (User’s Stations) and Industrial Network (Historian, PLCs, RTUs etc.)]


Waterfall Based (Secure) Topology


● The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian

● The Replica Historian contains all data and functionalities of the Historian

● The user’s stations communicate ONLY with the Replica Historian

The Industrial Network and critical assets are physically inaccessible from the business network and thus 100% secure from any online attack

Compliance with NERC, NRC, NIST and CFATS regulations – easily met

The corporate users can continue to utilize the Historian data as they used to do before

[Diagram: Industrial Network (PLCs, RTUs etc., Historian) and Corporate Network (Replica Historian, User’s Stations), joined by the Waterfall Unidirectional Gateway: Waterfall TX agent, Waterfall TX appliance (Laser – Transmit Only), Waterfall RX appliance (Photocell – Receive Only), Waterfall RX agent. Caption: Hardware Based Unidirectional Security Gateway]
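The replication path on this slide has no return channel, so the receive side has to judge integrity and loss entirely on its own. The sketch below is an added example, not Waterfall's protocol or code: the frame layout, the `UNI1` tag, the duplicate-send policy and the sample tag values are all assumptions made for illustration.

```python
import struct
import zlib

MAGIC = b"UNI1"  # constructed frame tag for this sketch, not a vendor format
HDR = 10         # magic(4) + sequence(4) + payload length(2)
# Constructed historian samples (hypothetical tag names and values)
SAMPLES = [b"FT101=12.5", b"PT204=3.10", b"TT310=88.2", b"LT412=41.0", b"FT101=12.7"]

def encode_frame(seq, payload):
    """TX agent: header + payload + CRC32. Nothing is ever read back."""
    header = MAGIC + struct.pack(">IH", seq, len(payload))
    return header + payload + struct.pack(">I", zlib.crc32(header + payload))

def one_way_link(frames, drop=(), flip=()):
    """Models the transmit-only medium: frames may be lost or damaged in transit."""
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        if i in flip:  # flip one bit in the first payload byte
            frame = frame[:HDR] + bytes([frame[HDR] ^ 0x01]) + frame[HDR + 1:]
        yield frame

class RxAgent:
    """RX agent: has no send path, so loss is recorded locally, never reported to TX."""
    def __init__(self):
        self.replica, self.gaps = {}, []
        self.rejected, self.expected = 0, 0

    def feed(self, frame):
        if len(frame) < HDR + 4 or frame[:4] != MAGIC:
            self.rejected += 1
            return
        seq, length = struct.unpack(">IH", frame[4:HDR])
        (crc,) = struct.unpack(">I", frame[-4:])
        if len(frame) != HDR + length + 4 or zlib.crc32(frame[:-4]) != crc:
            self.rejected += 1
            return
        if seq in self.replica:  # redundant copy, already applied
            return
        self.gaps.extend(range(self.expected, seq))  # empty unless seq jumped ahead
        if seq in self.gaps:     # late arrival fills an earlier gap
            self.gaps.remove(seq)
        self.replica[seq] = frame[HDR:-4]
        self.expected = max(self.expected, seq + 1)

def replicate(records, copies=2, drop=(), flip=()):
    """Send each record `copies` times, since no ACK exists to trigger a resend."""
    frames = [encode_frame(s, r) for s, r in enumerate(records) for _ in range(copies)]
    rx = RxAgent()
    for frame in one_way_link(frames, drop, flip):
        rx.feed(frame)
    return rx
```

A record whose copies are all lost stays in `gaps` on the receive side, where it can be handled out of band without ever signalling the industrial network.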


Use Cases


Usage Scenarios – Supporting Any Need

● Replicating applications and historian systems

● Transferring SCADA protocols

● Integrated/Ref. Architecture

● Remote View and Remote Assistance


Real-time Replication of Historian systems


Real-time Transfer of SCADA protocols


Integrated Use Case

● Production information replicated to corporate network via plant historian

● Security information routed to corporate SOC via embedded SIEM

● Remote vendor and IT support enabled via Remote Screen View

● Conventional firewall protects data confidentiality on corporate network


Remote Monitoring and Remote Assistance

● Vendors can see control system screens in web browser

● Remote support is under control of on-site personnel

● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time

● Vendors feel they are supervising site personnel

● Site people feel they are supervising the vendors


Industrial Grade Solution

● Waterfall Gateway is a critical mission “ready” solution

● High availability implemented in the hardware (dual NICs)

● Cluster support by the software

● Inherent archiving and elastic buffering

● Dual power supply


Summary


Waterfall One-Way™ selected list of connectors

Leading Industrial Applications/Historians

● OSISoft PI, GE iHistorian, GE iFIX,

● Scientech R*Time, Instep eDNA, GE OSM,

● Siemens WinCC, SINAUT, Wonderware

● GE Bentley Nevada System One

Leading IT Monitoring Applications

● SNMP, SYSLOG, CA Unicenter/SIM

● HP OpenView, Matrikon Alert Manager

● Areva Powerplex/Powertrax

● Westinghouse Beacon/WCMS/Log Transfer

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/FTFP/SFTP/TFPS/RCP

Remote Screen View

Leading Industrial Protocols

● Modbus, OPC (DA, HDA, A&E)

● DNP3, ICCP

IT connectors

● Database (SQL) Replication

● NTP, Multicast Ethernet, Rsync

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM Websphere MQ, MSMQ, Tibco EMS

● Antivirus updater, patch (WSUS) updater

● Remote Print server

● UDP, TCP/IP


Cost Recovery

● Most sites report 12-24 months cost recovery:

● Reduced firewall management costs

● Reduced DMZ equipment management costs

● Reduced audit and compliance documentation costs

● Reduced remote access training costs

● Reduced remote access management costs


Regulation and Authorities Recognition

● Selected by US Department of Homeland Security, for its National Cyber Security Test-bed.

● Waterfall gateways first and sole to be assessed by Idaho National Labs

● No side channels, no back channels

● No “acknowledgement channel” which advanced adversaries can turn into a remote-control-command back-channel

Two appliances mean no shared grounds, no shared power, or other shared components which can make back-channels difficult to identify


Waterfall Security Solution Differentiators

Unidirectional Security Gateway™ - provides a full solution, out of the box

100% protection from remote hacking into your industrial network

US Patent covering SCADA/Control Networks security

Designed and built to meet Critical Infrastructure and Utilities needs

Off the shelf integral support for Historians, SCADA protocols, file transfers, streaming.

Strategic partnership and cooperation with leading industrial vendors

Enables compliance with NERC-CIP, NIST 800.53 and 800.82, RG 5.71

Pike Research named Waterfall as key player in the cyber security market

Worldwide installations for industrial, critical and operational environments

Host hardware invariance and compatibility

Unique High Availability, 1GB support and Many-to-One architecture support


Hundreds of Installations Worldwide


Questions? THANK YOU !
