Waterfall Security Solutions Overview Q1 2012
© Copyright 2012 by Waterfall Security Solutions
Utilizing Unidirectional Security Gateways to Achieve Cyber Security January 2012, Israel
Danny Berko Waterfall Security Solutions
Today’s Agenda
● Waterfall Security Solutions Ltd. Introduction
● The Need: Protecting Critical National Infrastructure Facilities
● How threats impact us - threat scenarios
● Meeting threats - Cyber Security Best Practices
● Unidirectional Security Gateways ™
● Use Cases
● Summary
Waterfall Allows Information Flow from Protected Network to External Network with NO Return Path
[Diagram: Industrial (Protected Network) → Business (External Network)]
Waterfall Security Solutions Introduction
● Located in Israel, local office and subsidiary in NY, USA
● Product core developed in 2004 and evolving since
● US Patent 7,649,452
● Hundreds of installations in North America (USA and Canada), Europe, Israel and Asia
● Technology and Business Focus for SCADA Networks, Industrial Control networks, Utilities and Critical Infrastructures
● Strategic cooperation with industry leaders such as OSIsoft, GE, Siemens, Westinghouse, Nitro/McAfee and many more
● Tight and continuous relationships with relevant regulators and authorities
● First and Sole INL assessed solution
Waterfall’s Unique Value Proposition
● What do we do:
• Pioneer and Market Leader for Unidirectional Security Gateway Solutions.
• We provide absolute security against any cyber attack from external networks into critical networks.
• We offer end-to-end solutions for seamless, industrial grade, out-of-the-box integration and connectivity to existing infrastructures, industrial applications and SCADA protocols.
● What makes Waterfall Security Solutions so unique:
• Pike Research named Waterfall as key player in the cyber security market.
• Robust, reliable, manageable, unidirectional security gateways.
• Only solution to support High-Availability, Gigabit connectivity and Many-to-One architecture
• Stronger than firewalls – no remote hacking to your industrial network
• Assists in achieving compliance with NERC, NRC, CFATS and other relevant regulations
• Installed base includes any industrial, critical or operational environment types
• Power generation (Nuclear, Fossil, etc.), pipelines, refineries, petro-chemical, oil & gas, water, transportation, governmental and more.
The Need: Protecting Critical National Infrastructure Facilities
Protecting CNI from Threats
Waterfall assists in avoiding cyber threats to CNIs
● Trivial threats or not as trivial
● Human errors, virus propagation
● “Boasting rights” hackers: targeted, amateur, resource-poor
● Anonymous attacks on HB Gary, MasterCard, PayPal, Sony
● Insiders: amateur, targeted, have credentials, positioned well for social engineering
● Organized crime: professional, opportunistic
● Botnets, identity theft, money laundering
● Nation-state militaries/intelligence agencies: professional, targeted, resource-rich
● Shady RAT, Night Dragon, Remote Administration Tools = remote control
● Stuxnet is in a league of its own – sabotage of Iranian uranium enrichment
● Traversed firewalls on connections “essential” to operation of control system
Standard Hacking Skills Suffice
● Persistent, targeted attacks
● Facebook, LinkedIn homework
● Emailed PDF files
● High success rate
● Hacking skill sets
● Downloaded tools, recompiled to evade Anti-Virus
● Plant firewalls are no real barrier
● Remote control
[Diagram: Internet, Corporate Network, Plant Network and Control Network, separated by firewalls]
The Threats are Real
Stuxnet Worm
● Strong circumstantial evidence: target was Natanz Iranian gas centrifuge uranium enrichment site
● Almost no evidence, but widespread speculation: authors were Israeli or US intelligence agencies, or militaries
● PLC code slows centrifuges down until they are ineffective, speeds them up to damage them, and changes rotation speed fast enough to destroy power supplies or centrifuges
● Estimates of between 200 and 5000 centrifuges damaged, out of inventory of 5000 units
● Stuxnet proved the concept.
Threat scenarios that Waterfall addresses
Main Threat Scenarios:
● Let’s focus on two main threat scenarios:
Scenario I – Linking Critical and Business Networks
● The critical (operational, industrial) network is required to send real-time information to business/administrative networks
• Plant and production information
• Operational monitoring and status information
• Equipment usage, conditional monitoring, service levels for important customers, spare parts inventories, raw materials and finished goods inventories, etc.
• Alerts and events
● The business network is commonly connected to other networks, including the Internet
● Via these connections, attackers can gain access to the critical network and carry out remote, online attacks into it
Scenario II – Remote Monitoring of Critical Networks
● A Control Center or Operations Center is remotely monitoring a critical network or equipment within it
● This can be a 3rd party vendor or service provider monitoring equipment for maintenance and service level
● The Control Center usually monitors many other networks, from other facilities and other countries
● The critical network is now exposed to threats originating from each and every network which is monitored by this Control Center
[Diagram: Central Monitoring Site connected via Internet/Public network]
Meeting threats - Best Practices
IT security “Best Practices”
● Firewalls
● Patching
● Anti-virus
● Host hardening
“What you must learn is that these rules are no
different than the rules of a computer system.
Some of them can be bent.
Others can be broken.
Understand?”
(Morpheus; The Matrix, chapter 15)
IT/Software Based Security
The Problem with Firewalls
● Firewalls make use of Code, OS and Configuration – all have breaches (misconfiguration/human errors)
● Viruses propagate across many VPN connections. You trust the users, but should you trust their workstations? Their cell phones?
● Keeping complex firewalls / VPNs secure is hard – Errors and omissions – Open/Close ports for illustrations, pilots and repairs
● Only “essential” connections allowed
● Insider attack from business network – with legitimate credentials
● Costly: procedures, training, management, log reviews, audits, assessments
● Prohibited by Regulation for Air Gap connectivity
Waterfall One-Way™ Solution
The Challenge
[Diagram: Internet, Corporate Network, Firewall, Plant Network, Plant Data]
● Business Processes and plant data are too valuable not to use
● Critical decisions by key personnel while away…
● Vendor maintenance or critical intervention while not on premises…
● Process assets are too valuable to put at risk
Unidirectional Security Gateway, an Innovative Solution
Common (Insecure) Topology
● Critical assets are located in the industrial network
● The corporate network is considered insecure and is usually connected to the Internet
● Corporate users' stations are located in the corporate network
● The users' stations communicate directly with the Historian in the industrial network
! The Industrial Network and critical assets are accessible from the corporate network and thus at risk.
[Diagram: User's Stations (Corporate Network) connected directly to the Historian, PLCs, RTUs etc. (Industrial Network)]
Waterfall Based (Secure) Topology
● The Waterfall Gateway enforces a unidirectional replication of the Historian to a Replica Historian
● The Replica Historian contains all data and functionalities of the Historian
● The users' stations communicate ONLY with the Replica Historian
● The Industrial Network and critical assets are physically inaccessible from the business network and thus 100% secure from any online attack
● Compliance with NERC, NRC, NIST and CFATS regulations – easily met
● The corporate users can continue to utilize the Historian data as they did before
[Diagram: Industrial Network (PLCs, RTUs etc., Historian, Waterfall TX agent, Waterfall TX appliance) → Corporate Network (Waterfall RX appliance, Waterfall RX agent, Replica Historian, User's Stations)]
Waterfall Unidirectional Gateway: Hardware Based Unidirectional Security Gateway
● Transmitter: Laser – Transmit Only
● Receiver: Photocell – Receive Only
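The topology above replicates the Historian over a link with no return path, and a later slide notes that there is no acknowledgement channel. The following Python example is added here for illustration and is not Waterfall's code or wire format; the frame layout (sequence number plus CRC32), the repeat count and all names are assumptions. It shows what the absence of an ACK implies for the two agents: the sender repeats frames blindly, and the receiver can detect loss but never request a resend.

```python
import json
import struct
import zlib

HEADER = struct.Struct("!QI")  # assumed frame header: sequence number, CRC32 of payload

def tx_frames(records, repeat=2):
    """TX side: send each frame `repeat` times; no retransmit request can ever arrive."""
    for seq, rec in enumerate(records, start=1):
        payload = json.dumps(rec, sort_keys=True).encode()
        frame = HEADER.pack(seq, zlib.crc32(payload)) + payload
        for _ in range(repeat):
            yield frame

def one_way_link(frames, drop=(), corrupt=()):
    """Constructed lossy link: drops or damages frames by index, forward direction only."""
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        yield (frame[:-1] + bytes([frame[-1] ^ 0xFF])) if i in corrupt else frame

class RxAgent:
    """RX side: rebuilds the replica from received frames only and sends nothing back."""
    def __init__(self):
        self.replica = {}   # tag -> (timestamp, value)
        self.last_seq = 0
        self.gaps = []      # lost sequence numbers, usable only for a local alarm
        self.rejected = 0   # truncated frames or frames failing the CRC

    def receive(self, frame):
        payload = frame[HEADER.size:]        # empty if the frame is truncated
        seq, crc = HEADER.unpack_from(frame) if payload else (0, None)
        if zlib.crc32(payload) != crc:
            self.rejected += 1
        elif seq > self.last_seq:            # older or equal: redundant copy, ignore
            self.gaps.extend(range(self.last_seq + 1, seq))
            self.last_seq = seq
            rec = json.loads(payload)
            self.replica[rec["tag"]] = (rec["ts"], rec["value"])

def demo():
    records = [  # constructed sample historian points
        {"tag": "PUMP1.FLOW", "ts": 1, "value": 10.5}, {"tag": "TANK2.LEVEL", "ts": 1, "value": 3.2},
        {"tag": "PUMP1.FLOW", "ts": 2, "value": 11.0}, {"tag": "TANK2.LEVEL", "ts": 2, "value": 3.1},
    ]
    rx = RxAgent()
    # Both copies of record 2 are lost; the first copy of record 3 is damaged.
    for frame in one_way_link(tx_frames(records), drop={2, 3}, corrupt={4}):
        rx.receive(frame)
    return rx
```

In `demo()`, record 3 survives through its redundant copy, while record 2 ends up in `gaps`: the replica side knows it is missing data but has no channel to say so to the industrial side.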
Use Cases
Usage Scenarios – Supporting Any Need
● Replicating applications and historian systems
● Transferring SCADA protocols
● Integrated/Ref. Architecture
● Remote View and Remote Assistance
Real-time Replication of Historian systems
Real-time Transfer of SCADA protocols
Integrated Use Case
● Production information replicated to corporate network via plant historian
● Security information routed to corporate SOC via embedded SIEM
● Remote vendor and IT support enabled via Remote Screen View
● Conventional firewall protects data confidentiality on corporate network
Remote Monitoring and Remote Assistance
● Vendors can see control system screens in web browser
● Remote support is under control of on-site personnel
● Any changes to software or devices are carried out by on-site personnel, supervised by vendor personnel who can see site screens in real-time
● Vendors feel they are supervising site personnel
● Site people feel they are supervising the vendors
Industrial Grade Solution
● Waterfall Gateway is a mission-critical “ready” solution
● High availability implemented in the hardware (dual NICs)
● Cluster support by the software
● Inherent archiving and elastic buffering
● Dual power supply
Summary
Waterfall One-Way™ selected list of connectors
Leading Industrial Applications/Historians
● OSIsoft PI, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens WinCC, SINAUT, Wonderware
● GE Bently Nevada System One
Leading IT Monitoring Applications
● SNMP, SYSLOG, CA Unicenter/SIM
● HP OpenView, Matrikon Alert Manager
● Areva Powerplex/Powertrax
● Westinghouse Beacon/WCMS/Log Transfer
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTFP/SFTP/TFPS/RCP
Remote Screen View
Leading Industrial Protocols
● Modbus, OPC (DA, HDA, A&E)
● DNP3, ICCP
IT connectors
● Database (SQL) Replication
● NTP, Multicast Ethernet, Rsync
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM Websphere MQ, MSMQ, Tibco EMS
● Antivirus updater, patch (WSUS) updater
● Remote Print server
● UDP, TCP/IP
Cost Recovery
● Most sites report 12-24 months cost recovery:
● Reduced firewall management costs
● Reduced DMZ equipment management costs
● Reduced audit and compliance documentation costs
● Reduced remote access training costs
● Reduced remote access management costs
Regulation and Authorities Recognition
● Selected by US Department of Homeland Security, for its National Cyber Security Test-bed.
● Waterfall gateways first and sole to be assessed by Idaho National Labs
● No side channels, no back channels
● No “acknowledgement channel” which advanced adversaries can turn into a remote-control-command back-channel
● Two appliances mean no shared grounds, no shared power, or other shared components which can make back-channels difficult to identify
Waterfall Security Solution Differentiators
● Unidirectional Security Gateway™ - provides a full solution, out of the box
● 100% protection from remote hacking into your industrial network
● US Patent covering SCADA/Control Networks security
● Designed and built to meet Critical Infrastructure and Utilities needs
● Off the shelf integral support for Historians, SCADA protocols, file transfers, streaming
● Strategic partnership and cooperation with leading industrial vendors
● Enables compliance with NERC-CIP, NIST 800-53 and 800-82, RG 5.71
● Pike Research named Waterfall as key player in the cyber security market
● Worldwide installations for industrial, critical and operational environments
● Host hardware invariance and compatibility
● Unique High Availability, 1GB support and Many-to-One architecture support
Hundreds of Installations Worldwide
Questions? THANK YOU !