NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications

Transcription

1 NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications Andrew Ginter Director of Industrial Security Waterfall Security Solutions Mark Simon Senior Consultant Encari Joel Langill The SCADAhacker SCADAhacker Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 2012

2 Andrew Ginter, Waterfall Security Solutions Introduction to unidirectional communications and Unidirectional Security Gateways Mark Simon, Encari NERC-CIP compliance guidance in CAN-0024 CIP-002 R3 Routable Protocols and Data Diode Devices Joel Langill, The SCADAhacker Strong security with hardware-enforced unidirectional communications Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 2

3 Unidirectional Security Gateways Laser in TX, photocell in RX, fibre-optic cable you can send data out, but nothing can get back in to protected network TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Server replication, not protocol emulation Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 3

4 Historian Server Replication TX agent is historian client requests a copy of all new data as it arrives, using proprietary historian libraries and IP-based protocol RX agent is historian collector stores new data into replica historian, using proprietary historian libraries and IP-based protocol TX agent sends historical data and metadata to RX agent via unidirectional gateways, embedding OSI layer 7 data into layer 2 frame Neither TX/RX agent hosts nor gateway appliances have IP addresses or IP protocol stacks on network interfaces in unidirectional subsystem Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 4

5 OPC Server Replication OPC-DA protocol is complex: based on DCOM object model overlaid on IP intensely bi-directional TX agent is true OPC client: gathers device data from production OPC servers RX agent is true OPC server: serves device data to business OPC clients TX agent sends device data and metadata to RX agent via unidirectional gateways, embedding OSI layer 7 data into layer 2 frame OPC protocol is used only in production network, and business network, not across unidirectional link Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 5

6 Issue in CAN-0024 Issue: Can communication characteristics of data diode devices allow a Cyber Asset to be excluded from NERC Critical Infrastructure Protection (CIP) Standards? Compliance Enforcement Authorities (CEAs) are instructed to find that data diode devices that use routable protocols [to communicate outside the ESP] cannot be used as a rationale in the methodology of designating CCAs to exclude assets from compliance with CIP standards. Note that CAN-0024 only applies to Cyber Assets not located at control centers. 6

7 CIP-002 R3: Critical Cyber Assets CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics: R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or, R3.2. The Cyber Asset uses a routable protocol within a control center; or, R3.3. The Cyber Asset is dial-up accessible. Routable and dial-up communications are higher risk than non-routable communications CIP was written before unidirectional communications were in widespread use 7

8 CIP-002 R3: Routable Protocols Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: A network address and a device address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks. In general, if the communication uses IP ( Internet protocol ) or IPX/SPX ( Internetwork Packet Exchange/Sequenced Packet Exchange ), it is considered routable; if the communication does not use IP or IPX/SPX, it is not routable. How do data diodes move data from a control network to a corporate network? Are they using a routable protocol to do so? 8

9 What Should CEAs Look For? Presumed compliant a data diode device without an assigned IP address; there is no routable addressing scheme encapsulated when sending data from one network to another. Problematic a stand-alone data diode device with an IP address that receives and transmits data through a network connection that relies on or encapsulates the IP protocol. IP v4 (RFC 791) 9

10 Non-Routable Protocol Non-routable protocol means that the routing protocol used cannot be 'resolved' by other computers to determine a communication path. 10

11 CAN-0024: Stand-Alone Devices Routable Communications 11

12 Waterfall Unidirectional Gateways TX and RX appliances use proprietary non-routable communication; no layer 3 network path determination or logical IP addressing exists. Non- Routable Communications 12

13 Embedded NICs CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. CAN-0024 presumes the data does not use a routable connection to cross the ESP. 13

14 Firewalls are No Longer Enough Intended for only essential communications but what is essential? Users are authenticated but what about their devices? Firewalls are software - even firewalls have vulnerabilities and zero days Configuration errors are one of the leading sources of perimeter access violations Firewall management is often costly, and therefore centrally administered Firewalls are rarely tested to make sure they work as intended Think like a hacker 14 Proprietary property of SCADAhacker.com All rights reserved.

15 Today s ICS Cyber Threats Proactive security controls protect against both external and internal threats Most likely payload designed to establish remote command and control capabilities Firewalls only provide an obstacle that can be penetrated Payloads exist that exploit a firewall s ability to track state Protected Network Outbound Only Pivot Covert Public Network Infect Overt External Network Outbound Only C&C Think like a hacker 15 Proprietary property of SCADAhacker.com All rights reserved.

16 You can t attack if you can t communicate! Unidirectional Security Gateway creates an effective sandbox between an exploited host and additional vulnerable victims Stand-alone devices with IP addresses provide an opportunity for vulnerabilities to be exploited Local ICS exploits must be very targeted Protected Network TX Agent One-Way RX Agent External Network Overt Outbound Only Public Network Think like a hacker 16 Proprietary property of SCADAhacker.com All rights reserved.

17 Summary: CAN-0024 Recognizes growing use of unidirectional communications at NERC-CIP sites Some data diodes use routable communications, others do not: Key test: do they use IP? Or any other routable protocol? Waterfall Unidirectional Gateways do not use routable communications Hardware-enforced unidirectional communications are strong security Stronger than firewalls Stronger than serial connections Absolute protection from network attacks originating on external networks Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 17

18 For More Information Detailed whitepaper: waterfall-security.com/whitepapers/wf-can-24-wp.pdf Or contact any of: Andrew Ginter Waterfall Security Solutions waterfall-security.com Mark Simon Encari encari.com Joel Langill SCADAhacker joelj@ scadahacker.com Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd. 18