WWW.WATERFALL-SECURITY.COM
Unidirectional Security Gateways: NOT your grandma’s data diodes
by Andrew Ginter, VP Industrial Security
Waterfall Security Solutions
Executive Summary
Waterfall’s Unidirectional Security Gateways, which protect the safe and reliable operation of industrial control
systems, are sometimes referred to as "data diodes" by security practitioners. However, there are big
differences between the two technologies. Data diodes (historically used in a military or defense context) and
unidirectional gateways differ in terms of their hardware, the strength of the unidirectional protection offered,
the breadth of their software, the wide array of functionality and supported use cases, as well as in the array of
industrial systems supported.
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Purpose Built | Yes – motherboards, hardware modules, and software | Varies
Electrical vs Optical Hardware | Gold-Standard Optical | Varies
Data Integrity | High quality hardware and software supporting all integrity techniques | Varies widely
Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rarely
COTS Software | World’s largest library of COTS support for industrial, IT and other systems | Rarely
COTS vs Custom Engineering | 100% COTS, no custom development costs | Custom software + additional costs
Table 1: Unidirectional Gateways vs. Data Diodes
Waterfall’s Unidirectional Gateways and related products lead the field of industrial unidirectional
communications in every way. Unidirectional gateways are an evolution of data diode technology offering a
combination of hardware and software – the hardware is physically able to transmit information in only one
direction, and the software makes copies of servers and emulates devices in real-time. Unidirectional gateways
have been deployed for a decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor
industrial control system (ICS) networks without exposing those networks to cyber threats.
This eBook explores the difference between data diodes and unidirectional gateway technologies and illustrates
how Waterfall Security Solutions’ family of Unidirectional Security Gateway products is advancing the state of
the art for stronger-than-firewall protections for industrial networks.
Legal Notice & Disclaimer
Any and all third-party intangible and/or proprietary and/or intellectual property rights ("Third Parties’ Rights"),
mentioned herein, whether registered or not, including, without limitation, patents, trademarks, service marks,
trade names, copyrights and computer applications, belong to their respective owners. Waterfall Security
Solutions Ltd. disclaims any and all interest in all such Third Parties’ Rights. It is forbidden to copy, modify,
amend, delete, augment, publish, transmit, create derivative works of, create or sell products derived from,
display or post, or in any other way exploit or use such Third Parties’ Rights without the express authorization of
their respective owners.
Except as specified herein, Waterfall Security Solutions Ltd. does not guarantee nor make any representations
with regard to any and all third party tangible and/or intangible and/or proprietary and/or intellectual property
("Third Party Property") mentioned herein. Waterfall Security Solutions Ltd. does not endorse nor makes
warranties as to the completeness, accuracy or reliability of such Third Party Property, and all such warranties
are hereby expressly and strictly disclaimed.
Table of Contents
1. Background (p. 5)
2. Data Diodes (p. 5)
2.1 Inconsistent Hardware (p. 5)
2.2 Limited to Local Vendors (p. 5)
2.3 Limited or No Software (p. 6)
3. Unidirectional Gateways – Hardware & Software (p. 6)
3.1 Server Replication (p. 6)
3.2 Device Emulation (p. 7)
4. Waterfall Unidirectional Security Gateways (p. 8)
4.1 Off-The-Shelf Replication and Emulation Connectors (p. 8)
4.2 Data Integrity (p. 9)
4.3 Robust Unidirectionality (p. 9)
5. Waterfall Leads Industrial Cybersecurity (p. 12)
6. About Waterfall (p. 12)
1. Background
Data diodes are hardware components that transmit information in only one direction. The diodes have been used
in military applications for decades, sending information into classified networks with no risk of leaking
information out of those networks.
Unidirectional gateways are an evolution of data diode technology. The gateways are a combination of hardware
and software – the hardware is physically able to transmit information in only one direction, and the software
makes copies of servers and emulates devices in real-time. Unidirectional gateways have been deployed for a
decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor industrial control system (ICS)
networks without exposing those networks to cyber threats.
2. Data Diodes
In principle, a data diode is any component that can transmit information in only one direction. In practice, data
diodes have a poor reputation in the eyes of most security practitioners for three reasons: inconsistent
implementations, limited choice of vendors and most importantly, limited or no software support.
2.1 Inconsistent Hardware
In practice, there is a wide variety of technologies and products that are called data diodes, with varying levels of
enforcement of unidirectionality:
• Serial connections and twisted-pair ethernet connections with only one pair of signalling wires are
thought by many to be unidirectional, but such connections, even with a single pair of signalling wires,
are easily compromised and are in fact bi-directional connections.
• Hardware solutions based on a variety of one-way electrical signalling mechanisms are often sold as
data diodes, but all electric circuits are circular, and it is impossible to enforce a truly unidirectional
connection with a circular flow of electricity.
• Optical isolation with both transmitting and receiving functions on the same circuit board is
considered stronger than electrical data diodes, but again, it can be difficult for auditors and
certification bodies to verify that there is no return path for information embedded in the board’s
internal circuit routing.
Customers considering data diode equipment must study their vendors’ offerings very carefully to determine
whether such “diode” offerings really are unidirectional.
Note: Practitioners new to the concept of unidirectional communications sometimes imagine that they can create
a “unidirectional firewall.” All TCP and other connections through firewalls are intrinsically bidirectional. There is
no such thing as a “unidirectional firewall”.
2.2 Limited to Local Vendors
Data diodes are used most commonly for high-security government and military networks. Government and
military customers often have a requirement to purchase their diodes from local vendors with a local,
militarily-certified supply chain. Such vendors generally sell lower volumes of their products than suppliers with a large,
international market, and so are not able to benefit from economies of scale in design or manufacturing.
As a result, commercial off-the-shelf data diode offerings tend to be very basic, with an expectation that additional
sophisticated features required by the customer are produced on a custom engineered basis.
2.3 Limited or No Software
Data diode software is universally primitive. Some diodes are sold with no software at all – just a pair of network
appliances with twisted-pair ethernet interfaces on either side and a short fiber in the middle. In practice, such
solutions are used nearly-exclusively to transmit UDP/IP broadcast packets between two switched Ethernet
networks. Since no normal communications protocols use such broadcasts, all useful data transfer across such
diodes involves custom software.
Other diodes might be supported by software able to do primitive TCP proxying or simple file transfers. TCP
proxying, though, is much less useful than it sounds. Even with such proxying, custom software is almost always
required for data transfer more complex than a simple file transfer. With limited software support, data diode
implementations are unable to participate effectively in a modern, IT or ICS ecosystem of standard operating
systems, applications and communications protocols.
3. Unidirectional Gateways – Hardware & Software
The National Institute of Standards and Technology (NIST) in their 2015 Special Publication 800-82 Revision 2
Guide to Industrial Control Systems (ICS) Security defines a unidirectional gateway as:
Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from
one network to another, but is physically unable to send any information at all back into the source network. The
software replicates databases and emulates protocol servers and devices.
That is, a unidirectional gateway uses strong data-diode-style hardware, hardware that is physically able to
transmit information in only one direction, together with specialized software. It is the software that is the most
important part of this definition. It is the real-time server replication and device emulation software that makes a
unidirectional gateway so compatible with modern IT and ICS servers, applications and query/response
communications.
3.1 Server Replication
Server replication software replicates database and other servers from industrial networks to enterprise networks
through unidirectional gateway hardware. Users and other applications interact naturally with the replica servers
in normal enterprise IT environments.
For example, a unidirectional gateway transmitting information from an industrial network to an enterprise
network is often used to replicate a historian database, relational database or other server. The gateway software
on the industrial network is a normal database client which queries the server for data. The software transmits
data through the unidirectional hardware to the gateway software on the enterprise network. There, the gateway
software logs into an identical database server, inserts the data into the replica server and keeps the two
synchronized. The replica database is a fully functional database and participates normally in the enterprise IT
ecosystem.
3.2 Device Emulation
Device emulation polls industrial devices on industrial networks and then emulates those devices to enterprise
networks through unidirectional gateway hardware. Users and applications interact naturally with the emulated
devices in normal enterprise environments.
For example, a unidirectional gateway at the IT/OT interface might be configured to gather device information
from one or more OPC-UA servers on the industrial network. The gateway software is a standard OPC-UA client
issuing normal OPC-UA HTTPS/SOAP requests to the server. The gateway client typically queries the OPC-UA servers for all
their data, once per second. The software then transmits the data through the gateway hardware to the enterprise
network. The gateway software on the enterprise network implements one or more standard OPC-UA servers
that serve responses to OPC-UA queries. The emulated devices are standard industrial protocol servers and
participate normally and naturally in the enterprise IT ecosystem.
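The poll-transmit-serve pattern that sections 3.1 and 3.2 describe, modelled as an added Python example (not Waterfall’s code): the industrial-side agent is an ordinary database client polling a constructed SQLite "historian", each record is framed with a sequence number and a CRC, the channel is a generator that only ever yields forward, and the enterprise-side agent inserts good records into a replica and records sequence gaps because it has no way to ask for a resend. The frame layout and sample rows are constructed for the illustration.

```python
import json
import sqlite3
import zlib

SCHEMA = "CREATE TABLE samples (id INTEGER PRIMARY KEY, tag TEXT, ts INTEGER, value REAL)"

def make_source_historian():
    # Constructed sample: a tiny historian table on the industrial network.
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO samples (tag, ts, value) VALUES (?, ?, ?)",
                   [("PUMP1.FLOW", 1000, 12.5), ("PUMP1.FLOW", 1001, 12.7),
                    ("TANK3.LEVEL", 1001, 71.0)])
    db.commit()
    return db

class TxAgent:
    """Industrial-side software: a normal DB client that polls rows newer than its
    watermark and emits one framed record per row. It never reads from the channel."""
    def __init__(self, source):
        self.source, self.last_id, self.seq = source, 0, 0

    def poll(self):
        rows = self.source.execute(
            "SELECT id, tag, ts, value FROM samples WHERE id > ? ORDER BY id",
            (self.last_id,)).fetchall()
        frames = []
        for rid, tag, ts, value in rows:
            payload = json.dumps({"id": rid, "tag": tag, "ts": ts, "value": value}).encode()
            # Frame = 4-byte sequence number + 4-byte CRC32 + JSON payload (constructed format).
            frames.append(self.seq.to_bytes(4, "big")
                          + zlib.crc32(payload).to_bytes(4, "big") + payload)
            self.seq, self.last_id = self.seq + 1, rid
        return frames

class RxAgent:
    """Enterprise-side software: checks the CRC, records sequence gaps (it cannot ask
    for a resend), and writes good records into the replica database."""
    def __init__(self, replica):
        self.replica, self.expected_seq, self.gaps = replica, 0, []

    def receive(self, frame):
        seq = int.from_bytes(frame[:4], "big")
        payload = frame[8:]
        if zlib.crc32(payload) != int.from_bytes(frame[4:8], "big"):
            return False  # corrupted in transit: drop it; a later backfill pass must recover it
        if seq != self.expected_seq:
            self.gaps.append((self.expected_seq, seq))  # lost frames: recorded for backfill
        self.expected_seq = seq + 1
        rec = json.loads(payload)
        self.replica.execute("INSERT OR REPLACE INTO samples VALUES (?, ?, ?, ?)",
                             (rec["id"], rec["tag"], rec["ts"], rec["value"]))
        self.replica.commit()
        return True

def one_way_channel(frames, drop=()):
    # Models the hardware: frames flow TX -> RX only, some may be lost, nothing flows back.
    for i, frame in enumerate(frames):
        if i not in drop:
            yield frame

def replicate(drop=()):
    """Run one replication cycle; returns (rows in replica, sequence gaps seen)."""
    replica = sqlite3.connect(":memory:")
    replica.execute(SCHEMA)
    tx, rx = TxAgent(make_source_historian()), RxAgent(replica)
    for frame in one_way_channel(tx.poll(), drop):
        rx.receive(frame)
    return replica.execute("SELECT COUNT(*) FROM samples").fetchone()[0], rx.gaps

if __name__ == "__main__":
    print(replicate())          # (3, [])
    print(replicate(drop={1}))  # (2, [(1, 2)])
```

The gap list is what a backfill connector (Table 3) would consume: with no return path, the receiver can only record what it missed and rely on the transmitter re-sending history on its own schedule.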
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Unidirectionality | Gold-standard optical | Varies
Vendor | Global industry leader | Small, local
Industrial Server Replication Software | World’s largest library of industrial server replication software | No
Industrial Device Emulation Software | World’s largest library of industrial device emulation software | No
COTS Software | All hardware and software products are COTS | None or almost none
Custom Engineering Costs | No | Yes
Table 2: Waterfall Unidirectional Gateways as SOTA
4. Waterfall Unidirectional Security Gateways
Waterfall Security Solutions is the industry leader for unidirectional gateway technology, serving an international
market across all sectors. Waterfall provides a portfolio of high-quality, feature-rich products that are based on
or complement our flagship Unidirectional Security Gateway product. Waterfall’s products and technologies
represent the state-of-the-art in unidirectional hardware, software, features and use cases. In this section, we
explore the needs of a wide variety of industrial control systems and how Waterfall technology and business
practices address those needs.
4.1 Off-The-Shelf Replication and Emulation Connectors
Waterfall has the world’s largest set of unidirectional, industrial server replication and device emulation software
connectors. All of these software products, as well as Waterfall’s hardware products are commercial off-the-shelf
(COTS) products. Waterfall has a host of enterprise-software connectors as well. While industrial connectors and
replications may be the primary reason for purchasing and deploying Unidirectional Security Gateways, IT-style
connectors, such as Syslog, electronic mail and others are often needed to keep corporate infrastructure
components working on industrial networks just as effectively as they do on enterprise networks.
When customers need additional connectors or connector features, Waterfall builds those capabilities into
standard product offerings available to all customers. Unlike government and military customers who may
tolerate costly, feature-poor, custom-built and maintained solutions, industrial customers demand off-the-shelf,
commercially supported functionality.
HISTORIANS & INDUSTRIAL APPLICATIONS
• OSIsoft: PI System, PI Asset Framework, PI Backfill
• GE: iHistorian, iHistorian Backfill, OSM, Bently-Nevada System1, Proficy HMI
• Schneider-Electric: Instep eDNA, Wonderware Historian, Wonderware Historian Backfill, ClearSCADA
• Siemens: SIMATIC, WinCC, WinTS, SINAUT, Spectrum
• Emerson: Ovation, EDS, EMS
• Areva: PowerPlex, PowerTrax
• AspenTech IP.21, Rockwell FactoryTalk Historian, Honeywell Alarm Manager, Scientech R*Time
IT APPLICATIONS
• FireEye: TAP, Helix, NX and FaaS
• Log Files, SMTP, SNMP, Syslog
• HP Openview, IBM Tivoli, HP ArcSight, McAfee ESM, Splunk, Qradar, CA Unicenter, CA SIM
• MSMQ, IBM Websphere MQ, Active Message Queue, TIBCO
OTHER CONNECTORS
• UDP, TCP, NTP, Multicast Ethernet
• Video & audio streaming
• Anti-virus updater, WSUS updater, OPSWAT updater
• Remote printing
RELATIONAL DATABASES
• Microsoft SQL Server, Oracle
• MySQL, PostgreSQL
INDUSTRIAL PROTOCOLS
• OPC DA, A&E, HDA, HDA Backfill and UA
• Siemens S7
• Modbus, Modbus Plus, DNP3, ICCP, IEC 60870-5-104, IEC 61850, Omniflow
REMOTE ACCESS
• Remote Screen View
• Secure Bypass
FILE TRANSFER
• Folder mirroring, Rsync, Local Folders
• FTP, FTPS, SFTP, TFTP, RCP, SMB, HTTPFS
• NFS, CIFS
4.2 Data Integrity
In truly unidirectional systems, there is no way for receivers to signal that they successfully received a message, or
to request retransmission of a lost message from the transmitter. It is therefore vital that a unidirectional solution
provide data integrity mechanisms. Waterfall’s standard support for such protection includes:
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Forward Error Correction | Always | Rarely
High Availability | Standard Option | Rarely
Backfill | Standard Option | Rarely
Table 3: Data Integrity
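To make the "no acknowledgement, no retransmission" constraint concrete, an added example (not Waterfall’s code) of the simplest forward error correction scheme: each group of K data frames is sent with one XOR parity frame, and the receiver rebuilds any single lost frame in the group from the others without ever talking back. The frame size, header layout and K are constructed for the illustration; real products use stronger codes.

```python
import struct
from functools import reduce

FRAME_LEN = 16  # constructed: fixed payload size per frame, zero-padded
K = 4           # data frames per parity group; one lost frame per group is recoverable

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_group(group_id, payloads):
    """Return K data frames plus one parity frame.
    Header (constructed): group id, frame index (index K marks parity), payload length."""
    assert len(payloads) == K and all(len(p) <= FRAME_LEN for p in payloads)
    frames, padded = [], []
    for idx, p in enumerate(payloads):
        body = p.ljust(FRAME_LEN, b"\0")
        padded.append(body)
        frames.append(struct.pack(">HBB", group_id, idx, len(p)) + body)
    # Parity body is the XOR of all data bodies; its length field is the XOR of all
    # data lengths, so a lost frame's true length can be recovered as well.
    parity = reduce(_xor, padded)
    length_xor = reduce(lambda a, b: a ^ b, (len(p) for p in payloads))
    frames.append(struct.pack(">HBB", group_id, K, length_xor) + parity)
    return frames

def decode_group(frames):
    """Return the K payloads in order, repairing one missing frame from parity.
    Returns None when two or more frames of the group were lost."""
    have = {}
    for f in frames:
        _, idx, length = struct.unpack(">HBB", f[:4])
        have[idx] = (length, f[4:])
    missing = [i for i in range(K + 1) if i not in have]
    if len(missing) > 1:
        return None  # beyond what a single parity frame can repair; needs backfill
    if missing and missing[0] != K:
        m = missing[0]
        others = [i for i in range(K + 1) if i != m]
        body = reduce(_xor, (have[i][1] for i in others))
        length = reduce(lambda a, b: a ^ b, (have[i][0] for i in others))
        have[m] = (length, body)
    return [have[i][1][:have[i][0]] for i in range(K)]

def demo():
    # Constructed sample readings, sent with one frame of the group lost in transit.
    payloads = [b"PUMP1.FLOW=12.5", b"TANK3=71", b"VALVE2=OPEN", b"ALARM=0"]
    frames = encode_group(7, payloads)
    lost_one = frames[:2] + frames[3:]
    return decode_group(lost_one) == payloads

if __name__ == "__main__":
    print(demo())  # True
```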
4.3 Robust Unidirectionality
Data diode manufacturers often take shortcuts and liberties with their unidirectional hardware. They may take
standard network interface circuit boards or cards and disable functionality, cut wires on the boards, or otherwise
modify bi-directional boards for one-way information flow. Vendors using this method of manufacturing are
gambling with their customers’ security.
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Purpose-Built Boards | Always | Varies
Electrical vs Optical | Optical | Varies
Table 4: Hardware-enforced Unidirectionality
Such diode manufacturers may also design “acknowledgement circuits” or other mechanisms to permit the
receiving system to signal receipt of communications and/or request retransmission of failed messages. This of
course is not a unidirectional system at all, but a bi-directional one. Even if the return channel is limited, attackers
can use this channel as a covert means for bi-directional communications. Waterfall’s Unidirectional Gateways
never provide such covert channels.
4.4 Layers of Unidirectionality
Diode manufacturers frequently include only a single layer of unidirectionality in their product designs to reduce
their hardware costs. Waterfall’s product designs include multiple layers of unidirectionality, including all of the
below:
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Both Unidirectional Transmitter and Unidirectional Receiver | Always | Sometimes
Internal Electrical Isolation | Always | Rarely
Optical Isolation | Always | Sometimes
Software Doing Low-Level Unidirectional Control | Never – all Waterfall boards use gate array logic, not CPUs | Almost Always
Separate TX/RX Circuit Boards | Always | Sometimes
Separate Power Supplies | Always | Sometimes
Separate Appliances | Customer configurable | Sometimes
Table 5: Layers of Unidirectionality
Multiple layers of unidirectionality increase confidence in Waterfall’s solutions, dramatically reduce audit and
certification costs, and reflect robust defense-in-depth practices.
4.5 Industrial Fit-For-Purpose
The vast majority of data diode providers design their products for military and government markets, serving the
needs of industrial sites only accidentally, if at all. Waterfall’s Unidirectional Security Gateways are designed
intentionally for industrial sites. In addition to the distinguishing features discussed thus far, Waterfall’s
Unidirectional Security Gateways support:
Feature | Waterfall Unidirectional Security Gateways | Data Diodes
Software Hosting Support | Waterfall, customer & virtual hosts | Limited
OS Support | Windows, Linux, Solaris, AIX, VxWorks and others | Very limited
Modular Hardware Design | Always | No
DIN Rail Option | Yes | Rarely
Choice Of 1u, 2u, 4u And Other Hardware Configs | Yes | Rarely
Industrial Experience For Installation Engineers | Always | Rarely
Industrial Experience For Presales Architects | Always | Rarely
Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rare
Safe Remote Support | Yes – Remote Screen View and Secure Bypass | Rarely
Support For Scheduled Updates of ICS Networks | Yes – Waterfall FLIP | No
Support For Safe Internet & Cloud Connectivity | Yes – Waterfall Unidirectional CloudConnect | No
Support for Tamper-Proof Unidirectional Forensics | Yes – Waterfall BlackBox | No
Free Consultation with Solution Architects | Always | Rarely
Table 6: Industrial Fit-For-Purpose
None of this should come as any surprise – Waterfall invented the unidirectional replication of industrial servers
and emulation of industrial devices and has been the market and technology leader for industrial applications of
Unidirectional Security Gateways ever since.
5. Waterfall Leads Industrial Cybersecurity
In addition to industry-leading products, technologies and business models, Waterfall Security Solutions is widely
seen as a thought leader for industrial cybersecurity. Waterfall’s leadership activities include:
• Contributing widely to security regulations, standards and best-practice advice including NERC CIP,
the Industrial Internet Consortium, ISA SP-99, Australian Rail Industry Safety and Standards Board,
American Waterworks Association, Department of Homeland Security ICS Joint Working Group,
commercial training providers, post-secondary curricula, National Institute of Standards and
Technology, National Cybersecurity Center of Excellence and many more,
• Deployed on the US DHS National SCADA Security test bed, the Japanese national CSSC test bed and
the Canadian nuclear generation test bed,
• Contributing to and distributing industrial cybersecurity textbooks and other advanced training
materials,
• Contributing to peer-reviewed industrial cybersecurity research and research groups, and
• Testifying at government hearings regarding the state of industrial cybersecurity.
Waterfall not only contributes expertise, time, resources and equipment to these undertakings, but learns from
these activities as well, as our experts interact with the world’s best and brightest IT, ICS and cybersecurity experts.
Waterfall applies all of this knowledge, experience and expertise to the task of producing the world’s most
advanced COTS unidirectional gateway products and technologies, designed to the stringent requirements of the
most demanding industrial sites.
6. About Waterfall
Waterfall Security Solutions is the global leader in industrial cybersecurity technology. Waterfall products, based
on its innovative unidirectional security gateway technology, represent an evolutionary alternative to firewalls.
The company’s expanding array of customers includes national infrastructures, power plants, nuclear plants,
offshore oil and gas facilities, railway networks, refineries, manufacturing plants, utility companies, and many
more. Deployed throughout North America, Europe, the Middle East and Asia, Waterfall products support the
widest range of leading industrial remote monitoring platforms, applications, databases and protocols in the
market. For more information, visit www.waterfall-security.com