Unidirectional Security Gateways: NOT your grandma’s data diodes

by Andrew Ginter, VP Industrial Security

Waterfall Security Solutions

WWW.WATERFALL-SECURITY.COM


Executive Summary

Waterfall’s Unidirectional Security Gateways, which protect the safe and reliable operation of industrial control systems, are sometimes referred to as "data diodes" by security practitioners. However, there are big differences between the two technologies. Data diodes (historically used in a military or defense context) and unidirectional gateways differ in terms of their hardware, the strength of the unidirectional protection offered, the breadth of their software, the wide array of functionality and supported use cases, as well as in the array of industrial systems supported.

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Purpose Built | Yes – motherboards, hardware modules, and software | Varies |
| Electrical vs Optical Hardware | Gold-Standard Optical | Varies |
| Data Integrity | High quality hardware and software supporting all integrity techniques | Varies widely |
| Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rarely |
| COTS Software | World’s largest library of COTS support for industrial, IT and other systems | Rarely |
| COTS vs Custom Engineering | 100% COTS, no custom development costs | Custom software + additional costs |

Table 1: Unidirectional Gateways vs. Data Diodes

Waterfall’s Unidirectional Gateways and related products lead the field of industrial unidirectional communications in every way. Unidirectional gateways are an evolution of data diode technology offering a combination of hardware and software – the hardware is physically able to transmit information in only one direction, and the software makes copies of servers and emulates devices in real-time. Unidirectional gateways have been deployed for a decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor industrial control system (ICS) networks without exposing those networks to cyber threats.

This eBook explores the difference between data diodes and unidirectional gateway technologies and illustrates how Waterfall Security Solutions’ family of Unidirectional Security Gateway products is advancing the state of the art for stronger-than-firewall protections for industrial networks.


Legal Notice & Disclaimer

Any and all third-party intangible and/or proprietary and/or intellectual property rights ("Third Parties’ Rights"), mentioned herein, whether registered or not, including, without limitation, patents, trademarks, service marks, trade names, copyrights and computer applications, belong to their respective owners. Waterfall Security Solutions Ltd. disclaims any and all interest in all such Third Parties’ Rights. It is forbidden to copy, modify, amend, delete, augment, publish, transmit, create derivative works of, create or sell products derived from, display or post, or in any other way exploit or use such Third Parties’ Rights without the express authorization of their respective owners.

Except as specified herein, Waterfall Security Solutions Ltd. does not guarantee nor make any representations with regard to any and all third party tangible and/or intangible and/or proprietary and/or intellectual property ("Third Party Property") mentioned herein. Waterfall Security Solutions Ltd. does not endorse nor make warranties as to the completeness, accuracy or reliability of such Third Party Property, and all such warranties are hereby expressly and strictly disclaimed.


Table of Contents

1. Background ..... 5
2. Data Diodes ..... 5
2.1 Inconsistent Hardware ..... 5
2.2 Limited to Local Vendors ..... 5
2.3 Limited or No Software ..... 6
3. Unidirectional Gateways – Hardware & Software ..... 6
3.1 Server Replication ..... 6
3.2 Device Emulation ..... 7
4. Waterfall Unidirectional Security Gateways ..... 8
4.1 Off-The-Shelf Replication and Emulation Connectors ..... 8
4.2 Data Integrity ..... 9
4.3 Robust Unidirectionality ..... 9
4.4 Layers of Unidirectionality ..... 10
4.5 Industrial Fit-For-Purpose ..... 11
5. Waterfall Leads Industrial Cybersecurity ..... 12
6. About Waterfall ..... 12


1. Background

Data diodes are hardware components that transmit information in only one direction. The diodes have been used in military applications for decades, sending information into classified networks with no risk of leaking information out of those networks.

Unidirectional gateways are an evolution of data diode technology. The gateways are a combination of hardware and software – the hardware is physically able to transmit information in only one direction, and the software makes copies of servers and emulates devices in real-time. Unidirectional gateways have been deployed for a decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor industrial control system (ICS) networks without exposing those networks to cyber threats.

2. Data Diodes

In principle, a data diode is any component that can transmit information in only one direction. In practice, data diodes have a poor reputation in the eyes of most security practitioners for three reasons: inconsistent implementations, limited choice of vendors and, most importantly, limited or no software support.

2.1 Inconsistent Hardware

In practice, there is a wide variety of technologies and products that are called data diodes, with varying levels of enforcement of unidirectionality:

• Serial connections and twisted-pair ethernet connections with only one pair of signalling wires are thought by many to be unidirectional, but such connections, even with a single pair of signalling wires, are easily compromised, bi-directional connections.

• Hardware solutions based on a variety of one-way electrical signalling mechanisms are often sold as data diodes, but all electric circuits are circular, and it is impossible to enforce a truly unidirectional connection with a circular flow of electricity.

• Optical isolation with both transmitting and receiving functions on the same circuit board is considered stronger than electrical data diodes, but again, it can be difficult for auditors and certification bodies to verify that there is no return path for information embedded in the board’s internal circuit routing.

Customers considering data diode equipment must study their vendors’ offerings very carefully to determine whether such “diode” offerings really are unidirectional.

Note: Practitioners new to the concept of unidirectional communications sometimes imagine that they can create a “unidirectional firewall.” All TCP and other connections through firewalls are intrinsically bidirectional. There is no such thing as a “unidirectional firewall”.

2.2 Limited to Local Vendors

Data diodes are used most commonly for high-security government and military networks. Government and military customers often have a requirement to purchase their diodes from local vendors with a local, militarily-certified supply chain. Such vendors generally sell lower volumes of their products than suppliers with a large, international market, and so are not able to benefit from economies of scale in design or manufacturing.

As a result, commercial off-the-shelf data diode offerings tend to be very basic, with an expectation that additional sophisticated features required by the customer are produced on a custom engineered basis.

2.3 Limited or No Software

Data diode software is universally primitive. Some diodes are sold with no software at all – just a pair of network appliances with twisted-pair ethernet interfaces on either side and a short fiber in the middle. In practice, such solutions are used nearly exclusively to transmit UDP/IP broadcast packets between two switched Ethernet networks. Since no normal communications protocols use such broadcasts, all useful data transfer across such diodes involves custom software.

Other diodes might be supported by software able to do primitive TCP proxying or simple file transfers. TCP proxying, though, is much less useful than it sounds. Even with such proxying, custom software is almost always required for data transfer more complex than a simple file transfer. With limited software support, data diode implementations are unable to participate effectively in a modern IT or ICS ecosystem of standard operating systems, applications and communications protocols.

3. Unidirectional Gateways – Hardware & Software

The National Institute of Standards and Technology (NIST) in their 2015 Special Publication 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security defines a unidirectional gateway as:

“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.”

That is – a unidirectional gateway uses strong data diode style hardware; hardware that is physically able to transmit information in only one direction, as well as specialized software. It is the software that is the most important part of this definition. It is the real-time server replication and device emulation software that makes a unidirectional gateway so compatible with modern IT and ICS servers, applications and query/response communications.

3.1 Server Replication

Server replication software replicates database and other servers from industrial networks to enterprise networks through unidirectional gateway hardware. Users and other applications interact naturally with the replica servers in normal enterprise IT environments.

For example, a unidirectional gateway transmitting information from an industrial network to an enterprise network is often used to replicate a historian database, relational database or other server. The gateway software on the industrial network is a normal database client which queries the server for data. The software transmits data through the unidirectional hardware to the gateway software on the enterprise network. There, the gateway software logs into an identical database server, inserts the data into the replica server and keeps the two synchronized. The replica database is a fully functional database and participates normally in the enterprise IT ecosystem.

3.2 Device Emulation

Device emulation polls industrial devices on industrial networks and then emulates those devices to enterprise networks through unidirectional gateway hardware. Users and applications interact naturally with the emulated devices in normal enterprise environments.

For example, a unidirectional gateway at the IT/OT interface might be configured to gather device information from one or more OPC-UA servers on the industrial network. The gateway software is a standard OPC-UA client issuing normal OPC-UA HTTPS/SOAP requests to the server. The gateway client typically queries the OPC-UA servers for all their data, once per second. The software then transmits the data through the gateway hardware to the enterprise network. The gateway software on the enterprise network implements one or more standard OPC-UA servers that serve responses to OPC-UA queries. The emulated devices are standard industrial protocol servers and participate normally and naturally in the enterprise IT ecosystem.
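The replication and emulation pattern described in sections 3.1 and 3.2 can be simulated end to end in a few dozen lines. The following is an added example, not Waterfall's code and not an OPC-UA implementation: the class names (OneWayChannel, SourcePoller, ReplicaServer), the frame format, the "historian" table and the sample rows are all constructed for the illustration. The point it makes is structural: the industrial-side software is an ordinary database client, the enterprise-side software is an ordinary server that answers queries from its own copy, and the channel between them exposes no method by which the receiving side can send anything back, so a query to the replica can never reach the industrial network.

```python
"""Simulated unidirectional gateway: server replication (3.1) and device
emulation (3.2). Added illustration, not Waterfall's code; OneWayChannel,
SourcePoller, ReplicaServer, the 'historian' table and the sample rows are
all constructed for this example."""
import json, sqlite3, zlib
from collections import deque

SCHEMA = "CREATE TABLE historian (id INTEGER PRIMARY KEY, tag TEXT, value REAL, ts INTEGER)"

class OneWayChannel:
    """Stands in for the one-way hardware: the TX end exposes only send(), the
    RX end only recv(), so nothing (acks, resend requests) can flow back."""
    class _Tx:
        def __init__(self, frames): self._frames = frames
        def send(self, frame): self._frames.append(frame)

    class _Rx:
        def __init__(self, frames): self._frames = frames
        def recv(self): return self._frames.popleft() if self._frames else None

    def __init__(self):
        self._frames = deque()
        self.tx, self.rx = self._Tx(self._frames), self._Rx(self._frames)

    def drop_frame(self, index):
        """Fault-injection hook for the demo only: lose one in-flight frame."""
        del self._frames[index]

def encode_frame(seq, record):
    """Frame = CRC32 (4 bytes, big-endian) + JSON body with a sequence number."""
    body = json.dumps({"seq": seq, "rec": record}, sort_keys=True).encode()
    return zlib.crc32(body).to_bytes(4, "big") + body

def decode_frame(frame):
    """Decoded message, or None when the CRC does not match (corrupted frame)."""
    crc, body = int.from_bytes(frame[:4], "big"), frame[4:]
    return json.loads(body) if zlib.crc32(body) == crc else None

class SourcePoller:
    """Industrial side: an ordinary DB client that reads rows newer than its
    cursor and pushes each one into the TX end."""
    def __init__(self, source_db, tx):
        self.db, self.tx, self.cursor, self.seq = source_db, tx, 0, 0

    def poll(self):
        rows = self.db.execute("SELECT id, tag, value, ts FROM historian "
                               "WHERE id > ? ORDER BY id", (self.cursor,)).fetchall()
        for rid, tag, value, ts in rows:
            self.seq += 1
            self.tx.send(encode_frame(self.seq, [rid, tag, value, ts]))
            self.cursor = rid
        return len(rows)

class ReplicaServer:
    """Enterprise side: drains the RX end into a replica table and answers
    queries from it. It plays both the replica database (3.1) and the emulated
    device (3.2): queries are served locally and never reach the industrial network."""
    def __init__(self, rx):
        self.rx, self.expected_seq, self.gaps = rx, 1, []
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def drain(self):
        applied = 0
        while (frame := self.rx.recv()) is not None:
            msg = decode_frame(frame)
            if msg is None:
                continue                           # corrupted; no resend is possible
            if msg["seq"] > self.expected_seq:     # sequence gap = lost frame(s)
                self.gaps.extend(range(self.expected_seq, msg["seq"]))
            self.expected_seq = msg["seq"] + 1
            # OR REPLACE keeps the replica idempotent if a frame is duplicated
            self.db.execute("INSERT OR REPLACE INTO historian VALUES (?,?,?,?)", msg["rec"])
            applied += 1
        return applied

    def latest(self, tag):
        """The 'emulated device' query: newest value for a tag, from the replica."""
        row = self.db.execute("SELECT value FROM historian WHERE tag = ? "
                              "ORDER BY ts DESC, id DESC LIMIT 1", (tag,)).fetchone()
        return row[0] if row else None

def run_demo(lose_frame=None):
    """Replicate three constructed rows, then a fourth; optionally drop one
    in-flight frame (by index) to show gap detection on the replica side."""
    src = sqlite3.connect(":memory:")
    src.execute(SCHEMA)
    src.executemany("INSERT INTO historian VALUES (?,?,?,?)", [
        (1, "pump1.flow", 12.5, 100), (2, "pump1.flow", 12.7, 101),
        (3, "tank2.level", 63.0, 101)])
    chan = OneWayChannel()
    poller, replica = SourcePoller(src, chan.tx), ReplicaServer(chan.rx)
    first_sent = poller.poll()
    if lose_frame is not None: chan.drop_frame(lose_frame)
    first_applied = replica.drain()
    src.execute("INSERT INTO historian VALUES (4, 'pump1.flow', 13.1, 102)")
    delta_sent = poller.poll()                     # only the new row crosses the link
    replica.drain()
    return {"first_sent": first_sent, "first_applied": first_applied,
            "delta_sent": delta_sent, "pump1_flow": replica.latest("pump1.flow"),
            "gaps": replica.gaps, "rx_can_send": hasattr(chan.rx, "send")}
```

Running run_demo() replicates the three rows, then only the fourth on the next poll, and the replica answers the pump1.flow query with 13.1. Running run_demo(lose_frame=1) drops the second frame in flight: the replica applies two rows, records sequence number 2 as a gap and carries on, which is the behaviour a one-way receiver is limited to, since it cannot ask the sender for a retransmission. That limitation is why section 4.2 treats forward error correction and backfill as essential rather than optional.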

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Unidirectionality | Gold-standard optical | Varies |
| Vendor | Global industry leader | Small, local |
| Industrial Server Replication Software | World’s largest library of industrial server replication software | No |
| Industrial Device Emulation Software | World’s largest library of industrial device emulation software | No |
| COTS Software | All hardware and software products are COTS | None or almost none |
| Custom Engineering Costs | No | Yes |

Table 2: Waterfall Unidirectional Gateways as SOTA


4. Waterfall Unidirectional Security Gateways

Waterfall Security Solutions is the industry leader for unidirectional gateway technology, serving an international market across all sectors. Waterfall provides a portfolio of high-quality, feature-rich products that are based on or complement our flagship Unidirectional Security Gateway product. Waterfall’s products and technologies represent the state-of-the-art in unidirectional hardware, software, features and use cases. In this section, we explore the needs of a wide variety of industrial control systems and how Waterfall technology and business practices address those needs.

4.1 Off-The-Shelf Replication and Emulation Connectors

Waterfall has the world’s largest set of unidirectional, industrial server replication and device emulation software connectors. All of these software products, as well as Waterfall’s hardware products, are commercial off-the-shelf (COTS) products. Waterfall has a host of enterprise-software connectors as well. While industrial connectors and replications may be the primary reason for purchasing and deploying Unidirectional Security Gateways, IT-style connectors, such as Syslog, electronic mail and others, are often needed to keep corporate infrastructure components working on industrial networks just as effectively as they do on enterprise networks.

When customers need additional connectors or connector features, Waterfall builds those capabilities into standard product offerings available to all customers. Unlike government and military customers who may tolerate costly, feature-poor, custom-built and maintained solutions, industrial customers demand off-the-shelf, commercially supported functionality.

HISTORIANS & INDUSTRIAL APPLICATIONS
• OSIsoft: PI System, PI Asset Framework, PI Backfill
• GE: iHistorian, iHistorian Backfill, OSM, Bently-Nevada System1, Proficy HMI
• Schneider-Electric: Instep eDNA, Wonderware Historian, Wonderware Historian Backfill, ClearSCADA
• Siemens: SIMATIC, WinCC, WinTS, SINAUT, Spectrum
• Emerson: Ovation, EDS, EMS
• Areva: PowerPlex, PowerTrax
• AspenTech IP.21, Rockwell FactoryTalk Historian, Honeywell Alarm Manager, Scientech R*Time

IT APPLICATIONS
• FireEye: TAP, Helix, NX and FaaS
• Log Files, SMTP, SNMP, Syslog
• HP Openview, IBM Tivoli, HP ArcSight, McAfee ESM, Splunk, Qradar, CA Unicenter, CA SIM
• MSMQ, IBM Websphere MQ, Active Message Queue, TIBCO

OTHER CONNECTORS
• UDP, TCP, NTP, Multicast Ethernet
• Video & audio streaming
• Anti-virus updater, WSUS updater, OPSWAT updater
• Remote printing

RELATIONAL DATABASES
• Microsoft SQL Server, Oracle
• MySQL, PostgreSQL

INDUSTRIAL PROTOCOLS
• OPC DA, A&E, HDA, HDA Backfill and UA
• Siemens S7
• Modbus, Modbus Plus, DNP3, ICCP, IEC 60870-5-104, IEC 61850, Omniflow

REMOTE ACCESS
• Remote Screen View
• Secure Bypass

FILE TRANSFER
• Folder mirroring, Rsync, Local Folders
• FTP, FTPS, SFTP, TFTP, RCP, SMB, HTTPFS
• NFS, CIFS


4.2 Data Integrity

In truly unidirectional systems, there is no way for receivers to signal that they successfully received a message or to request retransmission of messages back to the transmitter. It is therefore vital that a unidirectional solution provide data integrity mechanisms. Waterfall’s standard support for such protection includes:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Forward Error Correction | Always | Rarely |
| High Availability | Standard Option | Rarely |
| Backfill | Standard Option | Rarely |

Table 3: Data Integrity
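Forward error correction is the mechanism that compensates for the missing return path: the transmitter sends redundancy up front so the receiver can repair loss on its own. The following is an added example, not Waterfall's code and not a description of any product's actual coding scheme; the frame layout, the block size K and the sample payloads are constructed for the illustration. It uses the simplest erasure code there is, one XOR parity frame per block of K data frames, which lets the receiver rebuild any single frame that was lost or failed its CRC. The check at the end of decode_block is the important caveat: once more than one frame of a block is gone, the receiver cannot recover the block and, on a genuinely one-way link, cannot ask for it again, which is where the backfill row of Table 3 comes in.

```python
"""Forward error correction for a one-way link. Added example, not Waterfall's
code: the frame layout, the block size K and the sample payloads are all
constructed here. One XOR parity frame per block of K data frames lets the
receiver rebuild any single lost or corrupted frame without a return channel."""
import struct
import zlib

K = 4  # data frames per parity block (assumed block size)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _frame(block_no, idx, body):
    """Frame = header(block_no:uint32, idx:uint8) + body + CRC32 over both."""
    hdr = struct.pack(">IB", block_no, idx)
    return hdr + body + struct.pack(">I", zlib.crc32(hdr + body))

def encode_block(block_no, payloads):
    """Return K data frames followed by one parity frame (idx == K)."""
    assert len(payloads) == K
    # Each body starts with its own 2-byte length and is padded to a common
    # size, so XOR recovery also recovers the length of a lost payload.
    size = max(len(p) for p in payloads) + 2
    bodies = [(struct.pack(">H", len(p)) + p).ljust(size, b"\x00") for p in payloads]
    parity = b"\x00" * size
    for b in bodies:
        parity = _xor(parity, b)
    return [_frame(block_no, i, b) for i, b in enumerate(bodies)] + [_frame(block_no, K, parity)]

def parse_frame(frame):
    """(block_no, idx, body), or None when the CRC fails (treated as lost)."""
    if len(frame) < 9:
        return None
    hdr, body, crc = frame[:5], frame[5:-4], frame[-4:]
    if struct.unpack(">I", crc)[0] != zlib.crc32(hdr + body):
        return None
    block_no, idx = struct.unpack(">IB", hdr)
    return block_no, idx, body

def decode_block(frames):
    """Reassemble the K payloads from whatever frames of one block arrived, in
    any order. Returns None if more was lost than one parity frame can repair."""
    got = {}
    for f in frames:
        parsed = parse_frame(f)
        if parsed is not None:
            got[parsed[1]] = parsed[2]
    missing = [i for i in range(K) if i not in got]
    if len(missing) > 1 or (missing and K not in got):
        return None   # two data frames gone, or one data frame plus the parity
    if missing:
        body = got[K]
        for i in range(K):
            if i != missing[0]:
                body = _xor(body, got[i])
        got[missing[0]] = body          # parity XOR the other K-1 bodies
    out = []
    for i in range(K):
        (length,) = struct.unpack(">H", got[i][:2])
        out.append(got[i][2:2 + length])
    return out

# Constructed sample: four tag updates as they might cross the link
SAMPLE = [b"pump1.flow=12.5", b"pump1.flow=12.7", b"tank2.level=63.0", b"valve3.state=OPEN"]

def demo(drop=(), corrupt=()):
    """Encode SAMPLE as block 7, then lose frames by index (drop) or flip one
    body byte (corrupt) before decoding, as a lossy link would."""
    kept = []
    for i, f in enumerate(encode_block(7, SAMPLE)):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:9] + bytes([f[9] ^ 0xFF]) + f[10:]
        kept.append(f)
    return decode_block(kept)
```

demo() with no loss, demo(drop=(2,)), demo(drop=(4,)) (parity frame lost, data intact) and demo(corrupt=(1,)) all return SAMPLE; demo(drop=(0, 3)) returns None because two data frames of one block are beyond what a single parity frame can restore. Real deployments size the redundancy to the observed loss rate of the link, and the receiver's only remaining recourse for an unrecoverable block is to log it and rely on a later backfill.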

4.3 Robust Unidirectionality

Data diode manufacturers often take shortcuts and liberties with their unidirectional hardware. They may take standard network interface circuit boards or cards and disable functionality, cut wires on the boards, or otherwise modify bi-directional boards for one-way information flow. Vendors using this method of manufacturing are gambling with their customers’ security.

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Purpose-Built Boards | Always | Varies |
| Electrical vs Optical | Optical | Varies |

Table 4: Hardware-enforced Unidirectionality

Such diode manufacturers may also design “acknowledgement circuits” or other mechanisms to permit the receiving system to signal receipt of communications and/or request retransmission of failed messages. This of course is not a unidirectional system at all, but a bi-directional one. Even if the return channel is limited, attackers can use this channel as a covert means for bi-directional communications. Waterfall’s Unidirectional Gateways never provide such covert channels.


4.4 Layers of Unidirectionality

Diode manufacturers frequently include only a single layer of unidirectionality in their product designs to reduce their hardware costs. Waterfall’s product designs include multiple layers of unidirectionality, including all of the below:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Both Unidirectional Transmitter and Unidirectional Receiver | Always | Sometimes |
| Internal Electrical Isolation | Always | Rarely |
| Optical Isolation | Always | Sometimes |
| Software Doing Low-Level Unidirectional Control | Never – all Waterfall boards use gate array logic, not CPUs | Almost Always |
| Separate TX/RX Circuit Boards | Always | Sometimes |
| Separate Power Supplies | Always | Sometimes |
| Separate Appliances | Customer configurable | Sometimes |

Table 5: Layers of Unidirectionality

Multiple layers of unidirectionality increase confidence in Waterfall’s solutions, dramatically reduce audit and certification costs, and reflect robust defense-in-depth practices.


4.5 Industrial Fit-For-Purpose

The vast majority of data diode providers design their products for military and government markets, serving the needs of industrial sites only accidentally, if at all. Waterfall’s Unidirectional Security Gateways are designed intentionally for industrial sites. In addition to the distinguishing features discussed thus far, Waterfall’s Unidirectional Security Gateways support:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Software Hosting Support | Waterfall, customer & virtual hosts | Limited |
| OS Support | Windows, Linux, Solaris, AIX, VxWorks and others | Very limited |
| Modular Hardware Design | Always | No |
| DIN Rail Option | Yes | Rarely |
| Choice Of 1u, 2u, 4u And Other Hardware Configs | Yes | Rarely |
| Industrial Experience For Installation Engineers | Always | Rarely |
| Industrial Experience For Presales Architects | Always | Rarely |
| Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rare |
| Safe Remote Support | Yes – Remote Screen View and Secure Bypass | Rarely |
| Support For Scheduled Updates of ICS Networks | Yes – Waterfall FLIP | No |
| Support For Safe Internet & Cloud Connectivity | Yes – Waterfall Unidirectional CloudConnect | No |
| Support for Tamper-Proof Unidirectional Forensics | Yes – Waterfall BlackBox | No |
| Free Consultation with Solution Architects | Always | Rarely |

Table 6: Industrial Fit-For-Purpose


None of this should come as any surprise – Waterfall invented the unidirectional replication of industrial servers and emulation of industrial devices and has been the market and technology leader for industrial applications of Unidirectional Security Gateways ever since.

5. Waterfall Leads Industrial Cybersecurity

In addition to industry-leading products, technologies and business models, Waterfall Security Solutions is widely seen as a thought leader for industrial cybersecurity. Waterfall’s leadership activities include:

• Contributing widely to security regulations, standards and best-practice advice including NERC CIP, the Industrial Internet Consortium, ISA SP-99, Australian Rail Industry Safety and Standards Board, American Waterworks Association, Department of Homeland Security ICS Joint Working Group, commercial training providers, post-secondary curricula, National Institute of Standards and Technology, National Cybersecurity Center of Excellence and many more,

• Deployed on the US DHS National SCADA Security test bed, the Japanese national CSSC test bed and the Canadian nuclear generation test bed,

• Contributing to and distributing industrial cybersecurity textbooks and other advanced training materials,

• Contributing to peer-reviewed industrial cybersecurity research and research groups, and

• Testifying at government hearings regarding the state of industrial cybersecurity.

Waterfall not only contributes expertise, time, resources and equipment to these undertakings, but learns from these activities as well, as our experts interact with the world’s best and brightest IT, ICS and cybersecurity experts. Waterfall applies all of this knowledge, experience and expertise to the task of producing the world’s most advanced COTS unidirectional gateway products and technologies, designed to the stringent requirements of the most demanding industrial sites.

6. About Waterfall

Waterfall Security Solutions is the global leader in industrial cybersecurity technology. Waterfall products, based on its innovative unidirectional security gateway technology, represent an evolutionary alternative to firewalls. The company’s expanding array of customers includes national infrastructures, power plants, nuclear plants, offshore oil and gas facilities, railway networks, refineries, manufacturing plants, utility companies, and many more. Deployed throughout North America, Europe, the Middle East and Asia, Waterfall products support the widest range of leading industrial remote monitoring platforms, applications, databases and protocols in the market. For more information, visit www.waterfall-security.com