Proprietary Information – Copyright © 2011 by Waterfall Security Solutions Ltd.
Waterfall Security Solutions Ltd.
Introduction to Waterfall
Unidirectional Security Gateways:
True Unidirectionality, True Security
Date: August, 2012
Proprietary Information – Copyright © 2012 by Waterfall Security Solutions Ltd.
Legal Notice & Disclaimer
This document contains text, images and other information and/or materials which are proprietary to Waterfall Security Solutions Ltd., and constitute valuable intellectual property of Waterfall Security Solutions Ltd., protected by applicable patent, copyright and trade secret laws and by international treaty provisions. This document shall not be used in any manner that violates or misappropriates or could result in a violation or misappropriation of intellectual property rights of Waterfall Security Solutions Ltd., including, without limitation, copyrights, trademarks, trade secrets and/or patent rights. Under no circumstances shall any ownership rights in the content of this document be asserted nor Waterfall Security Solutions Ltd.’s intellectual property rights be contested in any action or proceeding of whatever kind or nature, nor shall any action be taken that may prejudice, render generic, weaken or diminish the good will associated with Waterfall Security Solutions Ltd.’s intellectual property rights. Waterfall Security Solutions Ltd. reserves the right, without further notice, to pursue to the fullest extent permitted by law any and all criminal and civil remedies for the violations of its rights.
All information in this document is provided on an “AS IS” basis, and Waterfall Security Solutions Ltd. makes no warranties or representations and assumes no liability whatsoever as to the accuracy or completeness of the information presented in this document.
Any and all third party intangible and/or proprietary and/or intellectual property rights ("Third Parties’ Rights"), mentioned herein, whether registered or not, including, without limitation, patents, trademarks, service marks, trade names, copyrights and computer applications, belong to their respective owners.
Waterfall Security Solutions Ltd. disclaims any and all interest in all such Third Parties’ Rights. It is forbidden to copy, modify, amend, delete, augment, publish, transmit, create derivative works of, create or sell products derived from, display or post, or in any other way exploit or use such Third Parties’ Rights without the express authorization of their respective owners.
Except as specified herein, Waterfall Security Solutions Ltd. does not guarantee nor make any representations with regard to any and all third party tangible and/or intangible and/or proprietary and/or intellectual property ("Third Party Property") mentioned herein. Waterfall Security Solutions Ltd. does not endorse nor makes warranties as to the completeness, accuracy or reliability of such Third Party Property, and all such warranties are hereby expressly and strictly disclaimed.
Table of Contents
INTRODUCTION
STANDARDS AND REGULATORY COMPLIANCE
UNIDIRECTIONAL GATEWAY SOFTWARE
REPLICATING HISTORIAN SERVERS
REPLICATING OPC SOURCES
UNIDIRECTIONAL GATEWAY HARDWARE
BROAD APPLICATION SUPPORT
Introduction
Historically, industrial sites were secured by so-called “air gaps.” Most control system networks were not connected to any public network at all, and so the spread of malware over connections from public networks to control networks was impossible, as was the remote control of industrial control systems by adversaries using public networks. That changed in the mid-1990s: operators of these sites learned there were significant profits possible from the use of real-time inventory data, equipment usage data and other information drawn from control systems. Sites started connecting their control system networks to their corporate networks, exposing the formerly isolated control networks to attack. For the last decade, securing these connections between control networks and external networks has received steadily increasing attention.
In the last 24 months, high-profile "advanced persistent threat" attacks have successfully compromised an appalling number of seemingly well-secured critical infrastructures and utilities, as well as military, government and corporate networks. Imagine learning that parts of your safety-critical control system are under the thumb of adversaries on the other side of the planet.
In response to these trends, corporate security teams increasingly deploy Waterfall’s Unidirectional Security Gateways. A Unidirectional Gateway is simple in concept - a transmitting (TX) appliance in the control system network contains a laser, and a receiving (RX) appliance in the corporate network contains a photocell. The TX can send to the RX, but not vice-versa.
The gateways push real-time data to the corporate network where the business functions of the industrial site need it, but no attacks, no viruses, nothing at all in fact, can get back through the gateway hardware to influence or threaten the control system. Contrast this with firewalls, which are software systems. The software in a firewall looks at every message trying to pass through and decides whether to let it pass. All software has vulnerabilities, and advanced threats exploit those vulnerabilities. Unidirectional Gateways are not vulnerable to such attacks in the inbound direction, because the security is at the physical level: there are no return channels in the hardware.
Waterfall’s Unidirectional Gateways are deployed routinely in arenas where security is paramount – industrial and production networks of critical infrastructures. For example, the latest Nuclear Energy Institute guidelines for the cyber security of reactor control networks give two choices: either no connections at all across the perimeter of the most sensitive networks, or unidirectional connections only. Other industries are taking note. No one wants to put at risk a power grid, a water treatment plant, an oil pipeline, or a chemical plant.
Think about the consequences of two recent industrial disasters the nation and the world have seen: the Gulf oil spill and the tsunami at the Fukushima reactors. Now consider that advanced threats regularly compromise the best-protected corporate and control system networks. Put this together and utilities increasingly conclude the risk is unacceptable. Utilities and industrial sites are looking seriously at once more isolating their control networks. Unidirectional Gateways provide the same protections as complete network isolation, without cutting off access to the most valuable real-time data.
True Unidirectionality
The Waterfall Unidirectional Gateway is a true unidirectional system, composed of a TX hardware appliance and an RX hardware appliance connected solely by a single fiber-optic cable.
The TX appliance contains a laser, but no photocell, and so can transmit information over the fiber-optic cable, but is physically incapable of receiving any information from the cable. The RX appliance contains a photocell, but no laser. The RX appliance is therefore physically incapable of sending any information to the TX appliance over the fiber-optic cable. The system is referred to as a “unidirectional medium.” Information passes from the TX appliance to the RX appliance exclusively.
Unidirectional Gateways provide a way to send application data out of critical networks, while protecting the integrity of the critical network by segregating it from any external networks. This absolute level of unidirectional communication eliminates all online network attacks originated from an external network, since no communication, “good” or “bad”, including attack packets, viruses, or information of any sort can pass from the external network hosting the RX appliance back to the sending network hosting the TX appliance.
In 2009, Idaho National Labs (INL) assessed the Waterfall Unidirectional Gateway technology in depth and concluded:
The assessment verified that the Waterfall system provides one-way communications between two different security zones. The physics of the system prevent any data transmission from the low security enclave to the high security enclave. Waterfall’s methodology of protecting an industrial network from an external connection to a lower security zone was verified by the assessment.
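The physical design described above has a direct software consequence: the RX side can never acknowledge, retransmit, or even signal that a frame was damaged, so whatever crosses the fiber has to be self-describing and the sender has to add redundancy blindly. The Python sketch below is an added illustration of that consequence, not Waterfall's own code or wire format. The frame marker MAGIC, the functions tx_frame, tx_stream, lossy_link and rx_parse, the two-copy repetition scheme and the sample historian tag values are all assumptions made for the example.

```python
"""Framing for a one-way link: the receiver can never reply, so each frame
carries its own sequence number, length and checksum, the sender repeats
frames instead of waiting for ACKs, and the receiver detects loss and
corruption on its own. Illustrative only, not Waterfall's wire format."""
import struct
import zlib

MAGIC = b"UDG1"                       # hypothetical frame start marker
HDR = struct.Struct("!4sIHI")         # magic, seq, payload length, crc32


def tx_frame(seq, payload):
    """Build one frame; the CRC covers the header fields and the payload."""
    crc = zlib.crc32(struct.pack("!4sIH", MAGIC, seq, len(payload)) + payload)
    return HDR.pack(MAGIC, seq, len(payload), crc) + payload


def tx_stream(records, copies=2):
    """Emit every record `copies` times. With no return channel, repetition
    (or forward error correction) is the sender's only defence against loss."""
    return [(seq, c, tx_frame(seq, rec))
            for seq, rec in enumerate(records) for c in range(copies)]


def lossy_link(frames, drop=(), corrupt=()):
    """Constructed one-way link: (seq, copy) pairs in `drop` never arrive,
    pairs in `corrupt` arrive with their last payload byte flipped."""
    out = bytearray()
    for seq, c, frame in frames:
        if (seq, c) in drop:
            continue
        if (seq, c) in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        out += frame
    return bytes(out)


def rx_parse(data):
    """Scan the byte stream, verify each frame, drop redundant copies by
    sequence number and record gaps. Returns (records, missing_seqs, corrupt)."""
    records, missing, corrupt = [], [], 0
    next_seq, i = 0, 0
    while i + HDR.size <= len(data):
        magic, seq, length, crc = HDR.unpack_from(data, i)
        if magic != MAGIC:
            i += 1                     # not a frame start: resync byte by byte
            continue
        payload = data[i + HDR.size:i + HDR.size + length]
        if len(payload) < length:
            break                      # truncated tail; nothing can be requested
        if zlib.crc32(struct.pack("!4sIH", MAGIC, seq, length) + payload) != crc:
            corrupt += 1
            i += 1                     # damaged: skip it and rely on a later copy
            continue
        i += HDR.size + length
        if seq < next_seq:
            continue                   # redundant copy, already delivered
        if seq > next_seq:
            missing.extend(range(next_seq, seq))   # every copy of these was lost
        records.append(payload)
        next_seq = seq + 1
    return records, missing, corrupt


def demo():
    """Constructed sample: four historian values leave the protected network;
    one copy of frame 0 is corrupted, one copy of frame 1 and both copies of
    frame 2 are dropped. Frames 0, 1 and 3 survive; frame 2 is reported missing."""
    recs = [b"tag=PT101,val=12.3", b"tag=TT202,val=88.0",
            b"tag=FT303,val=0.55", b"tag=LT404,val=41.9"]
    stream = lossy_link(tx_stream(recs),
                        drop={(1, 0), (2, 0), (2, 1)},
                        corrupt={(0, 0)})
    return rx_parse(stream)


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is what the receiver cannot do: it has no way to ask for frame 2 again, so the gap is surfaced to the publishing application as an alarm rather than repaired, and the only knob the operator has is how much redundancy the TX side adds.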
True Security
The unique Waterfall architecture restores to industrial sites the benefits of time-tested, air-gapped network designs, without sacrificing modern business requirements for access to accurate and timely data from real-time systems. Specifically, a Waterfall solution configured as
Complete isolation from external threats – nothing - not data, commands, or even protocol signaling from the outside can enter a protected network over Unidirectional Security Gateways. The gateway is physically incapable of transferring anything “back” from the external network.
Complete protection against external cyber-attacks – when an attacker on an external network attempts access through a Waterfall security gateway to a protected network to take remote control of cyber assets, that attack fails.
Complete protection from external denial of service attacks against protected assets – when an attacker on an external network tries to transmit traffic through the Waterfall Unidirectional Gateway to impair the operation of control system assets, none of those packets arrive on the control system network. The gateway hardware is incapable of transmitting anything back to the control system.
Complete protection from sophisticated worms and other malware which propagate across networks. No set of un-patched, zero-day or other vulnerabilities can cause the receiving gateway hardware to transmit malware or other information into the protected network.
Protection from malware which takes instructions from command and control servers over public networks. Much modern malware is designed to be under the continuous control of central servers on the open internet. The one-way appliances make it impossible for malware inside the protected network to receive commands from command and control servers on untrusted networks through the gateway.
In addition, it should be noted that a preferred tactic of Advanced Persistent Threats and other sophisticated threats is remote-control attacks. While Unidirectional Gateways do not address all possible security threats at a site, they do eliminate entirely the risk of a remote control attack or other network-based attack on protected assets from external networks via the Unidirectional Gateways.
Standards and Regulatory Compliance
Waterfall Unidirectional Security Gateways have been assessed against many industrial cyber security regulations, including: NIST 800-53, NERC-CIP and NEI 08-09 standards. The gateway solutions directly address many requirements related to network segmentation, network access protections and remote access controls. Indirectly, the gateway solutions substantially simplify overall security programs, because they are simpler and more secure than conventional firewalls.
Pass-through user accounts, open ports, access logging, denied access attempt logging, and many other concepts either do not apply at all to Unidirectional Gateway solutions, or are substantially simplified when gateways are deployed. As a result:
Total security program documentation volumes tend to be reduced,
Internal audit costs are reduced: there is less documentation to check, the security configurations are simpler and so faster to audit, and there are fewer logs to examine. There are no remote access logs or attempted remote access logs to examine, because no remote control of protected assets through the gateway is possible, and neither are such access attempts,
Periodic vulnerability assessment costs are reduced, because there are no complex firewall configurations to examine for communications paths an attacker might use, and
External audit costs are reduced, because fewer logs, less documentation and simpler security configurations mean external auditors need to spend fewer escorted days on site.
Finally, training costs are reduced with Unidirectional Gateways as well. Conventional firewall training requires up to several weeks of full-time instruction. Conventional firewalls have many features and are difficult to keep configured correctly and safely. Unidirectional Gateway training is typically one to two days long, depending on the solutions deployed, and is carried out on site, during installation. Errors in the configuration and maintenance of Unidirectional Gateways do not open a path into the protected systems. If the gateway solution is moving data out of your protected network, then it is by definition configured so that no attack can reach your protected assets through it.
Detailed whitepapers, including detailed information regarding the assessment of the Waterfall Unidirectional Security Gateways for NIST 800-53, NERC-CIP and NEI 08-09 are available.
Unidirectional Gateway Software
Waterfall Security’s Unidirectional Gateways generally do not attempt to emulate bidirectional or routable protocols over unidirectional media. Instead, they extract data and pass it out to a destination application. The most common configuration of Unidirectional Gateways is as illustrated in Figure (1). The solution consists of a pair of software applications running on conventional computers, and two specialized unidirectional appliances. The “gather/TX” application gathers information from systems on a protected network and transmits this information over the unidirectional subsystem. The “publish/RX” application publishes the information to other systems on an external network.
Figure (1): Data Movement Application
The “gather/TX” application gathers data from a specific server or application on the protected network using conventional, bi-directional, routable protocols. Routable communications sessions on the source network terminate in the “gather” application. On the other side of the