Perimeter protection is part of every industrial cybersecurity strategy. Companies create demilitarized zones (DMZs) to isolate control and corporate systems and use sophisticated, next-generation firewalls (NGFW) to prevent malicious intrusions from external networks. Virtual private networks (VPNs) are commonly used to manage control system connections with remote engineering offices and service providers.
While powerful, none of these approaches is foolproof. DMZs can be compromised. Attackers bypass firewalls with camouflaged malware. VPN connections provide no protection against infections in remote endpoint devices. At a minimum, each of these approaches requires additional protection and ongoing maintenance.
Many organizations recognize that hardware-enforced, unidirectional communications can provide an effective way to address these issues. This was the focus of a recent briefing for ARC Advisory Group analysts by executives of Waterfall Security Solutions. The company's broad portfolio of unidirectional security gateway solutions are specifically designed to help industrial organizations overcome the weaknesses of conventional perimeter defense strategies. This report summarizes the key features of Waterfall's technology and discusses how these solutions might resolve end user concerns about one-way communications that have arisen in various ARC Advisory Group industrial cybersecurity research studies.
More than Just "One-Way" Technology
Waterfall offers a broad and comprehensive family of unidirectional security gateway solutions. The core of these products is a unique, non-routable hardware-enforced, unidirectional communication technology that provides high-speed, real-time one-way information transfer from a sending network to a receiving network. This technology is designed to physically block all attempts to send messages in the reverse direction and protect the confidentiality of the information in-transit. While there are many applications for this technology, the use-case discussed in this report is the connection of industrial control systems (sending network) to external systems like corporate IT networks and devices connected to public networks (receiving network).
Waterfall Unidirectional Security Gateway
Agents Supervise Information Transfers
Sending and receiving software agents pre-define and tightly control information transferred across the Waterfall link. These agents create real-time "mirror images" of the sending environment in the receiving environment. They also add three additional security benefits. First, they defend against exfiltration of any data that is not intended to be shared. Second, and more important for many industrial plants, they limit the ability of any malware already in the control system to communicate with external command and control servers. This extends security benefits by reducing the effectiveness of malware that may have entered the control system through infected USBs or other portable devices. Finally, with external threats under control, companies can take full advantage of technologies like intrusion detection and have more time and resources to address the equally important issue of internal threats.
Off-the-shelf Solutions for Common Industrial Needs
Waterfall provides a variety of off-the-shelf software agents for common industrial information transfer needs. This includes agents designed specifically for popular HMIs and historians (e.g., OSIsoft PI, GE Proficy, Siemens WinCC), database replication (e.g. Oracle, SQL), industrial protocols (e.g. OPC DA/UA, Modbus), and secure file transfers. The company's portfolio also includes products to help ensure secure transfer of security management files like anti-virus updates, and secure remote access (e.g. Remote Viewing, FLIP, and Secure Bypass).
End User Concerns
ARC conducted industrial cybersecurity research surveys in 2013 and 2014 that included questions about unidirectional communications. Companies that had already deployed this technology were quite pleased with their decision. Companies that evaluated the technology and decided not to apply it had two primary reasons for their decision: a belief that this level of security is only required for ultra-high security facilities, like nuclear plants; and, a belief that their organization could not tolerate the perceived limitations of one-way communications, despite the recognized security benefits.
We Don't Need High Security
Clearly nuclear plants need to be as secure as possible, but this does not mean that other plants can accept less security. It depends upon the potential impact of a cyber intrusion. If a compromised system might lead to a refinery explosion, a chemical plant disaster, or other life-threatening incident, the system needs the best possible cybersecurity. This also applies (to a somewhat lesser extent) to situations where a successful intrusion could significantly affect the company's supply chain, financial performance, or reputation.
Most people understand the potential impact of cyber incidents, but justify less security based on the perceived low likelihood of an intrusion. This reflects an "expected value" (Risk = Likelihood x Impact) view of risk management. This approach might be reasonable for an accountant evaluating the financial risks of a cyber intrusion, but not for someone responsible for personal and process safety. Even accountants recognize that outcomes with major negative impact deserve maximum avoidance efforts regardless of their likelihood (Black Swan events). Industrial companies need to take the same approach to cybersecurity defenses.
Some people will also use the existence of safety systems to help justify their decision to accept lesser levels of cybersecurity. Certainly safety systems can reduce the likelihood that a compromise will lead to significant damage to physical equipment. But, safety and security are not same thing and a cleverly-designed, cyber intrusion might exploit safety systems to cause spurious shutdowns of all operations. Furthermore, Stuxnet taught us that knowledgeable, cyberwarfare attackers can overcome every safety measure that a plant employs. These kinds of advanced persistent threats (APTs) are clearly growing and must be considered in cybersecurity strategies.
Also consider that that while nuclear plants have the most sophisticated safety systems possible, they still use unidirectional cybersecurity technology to avoid cyber intrusions. They recognize that safety systems and cybersecurity are complementary strategies for preventing catastrophes.
We Need Two-Way Communications
Many plants need to interface with external systems. They receive production orders electronically from corporate planning systems and provide detailed product and process data to corporate quality, compliance, and performance management programs. Many plants also rely upon remote groups for asset management, process optimization, and IT support and this will likely increase as companies adopt trends like Industrial IoT.
Clearly these cases require two-way communications. But this does not mean that these companies have to accept the significant risks of conventional, bi-directional security strategies. Instead, they can use unidirectional communications for all transfers out of the control system and tightly controlled bi-directional channels for incoming communications. This has the benefit of isolating "insecurity" to specific communications and specific periods of time. As the bulk of communications in most plants are outbound, the net effect is a much higher level of security than is possible using conventional, bi-directional methods for all communications.
We discussed the incoming communication needs of many of our industrial clients with Waterfall and learned that the company has solid solutions for the most common use cases. The solution they recommend depends upon the frequency of incoming messages. Four use cases follow.
Continuous Bi-directional Information Exchanges
Continuous, bi-directional information exchanges occur when a facility's operation is continuously managed remotely. For example, a peaking power plant depends upon frequent setpoint updates from a central dispatching system. In these cases, Waterfall recommends that a unidirectional link be used for each direction. This ensures that each link is individually protected against an external attack. It also prevents any attempts to use cross-link communications to create a bi-directional channel without the assistance of someone inside the facility (equivalent to an insider attack). Waterfall also recommends that care be taken when designing such implementations, as there are "right" and "wrong" ways to do it.
Periodic Information Downloads
Periodic information downloads are common in plants that receive production orders from corporate systems. Recognizing the prevalence of these situations, Waterfall developed FLIP, a reversible unidirectional solution. This product periodically reverses the orientation of unidirectional information flow with physical switches that simultaneously block any information flow in the opposite direction (see Digital Bond Labs Assessment Report). All information transfers are also disciplined under the supervision of unidirectional Gateway agents that block malicious messages.
Emergency Support and Scheduled Updates
Waterfall offers a Secure Bypass switch that can be used to enable bidirectional communications in emergency situations and allow supervised access by remote support personnel for troubleshooting and updates. This switch is locally activated by a technician with a physical key with a built-in timeout feature. This switch is normally configured in line with a conventional, VPN-capable firewall to provide security during use.
Ad-hoc Access by Corporate Engineering and IT Staff
Many large companies have centralized groups that provide specialized support to individual plants. These groups often require full bi-directional, ad-hoc access to control system resources. This situation represents many different topologies and use cases, so there is no single solution. However, a combination of Waterfall technologies, with other technologies and security processes (e.g., VPN-connected devices in "secure rooms") can offer a better alternative than simply resorting to traditional firewall-based solutions that typically leave plants open to intrusions. A properly-designed, combined approach will limit the opportunities and pathways for attacks during bi-directional communication to a significant degree and still provide all the benefits of unidirectional communications for normal information flows.
It appears that that Waterfall Security Solutions can provide a solid, straightforward solution to help block external cyberattacks on industrial facilities. ARC was impressed with the company's comprehensive portfolio of unidirectional networking products and recommends that industrial companies consider the risk-reduction benefits they can provide, particularly in facilities with critical, potentially life-threatening processes and/or with specific regulatory requirements for cybersecurity.
All signed-in ARC Advisory Group clients can view this report in pdf format at this Link
If you would like to buy this report or obtain information about how to become a client, please Request ARC Info
Keywords: Industrial Cyber Security, Risk Management, Unidirectional Security Gateways, ARC Advisory Group.