Waterfall for NRC Compliance with regard to NIST and


Using Waterfall's Unidirectional Security Solution to Achieve True Security & NRC Compliance

Ver. 1.4
Date: Sep

The material in this document is proprietary to Waterfall Security Solutions Ltd. No part of this document may be passed to any third party, copied, reproduced or stored on any type of media or otherwise used in any way without the express, prior, written consent of authorized officers and/or executives of Waterfall Security Solutions Ltd.

Abstract

Critical National Infrastructure is under a constant, yet invisible, threat from cyber hacking and cyber terror attempts that are being launched from external networks. These attacks (mainly from the Internet) are targeting industrial Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) Networks and lower level Distributed Control Systems (DCS) and Process Control Systems (PCS) networks. In the Nuclear Electricity Utilities domain, these critical networks control and operate the very machinery which powers modern day civilization.

Throughout North America, electricity utilities are challenged with the task of complying with the reliability standards mandated by NRC (Nuclear Regulatory Commission). The NRC standards, pertaining to the protection of digital computer and communication systems and networks, are defined within RG 5.71 which has yet to be finalized. This Regulatory Guide is derived from two documents that have been published by NIST known as , Security Controls for Federal Information Systems and Organizations. and , Guide to Industrial Control Systems (ICS) Security.

NIST , which provides federal information systems and organizations with a set of controls to be implemented to meet security compliance, follows on from FIPS 200 and FIPS 199, which mandated the security requirements as well as security categorizations for information systems in federal organizations. NIST provides guidance for establishing secure industrial control systems (ICS), and its recommendations are referenced in terms of the controls determined in as per the risks associated with ICS systems.

The following whitepaper introduces the reader to the Waterfall One-Way unidirectional cyber security solution, and explains its ideal fit for achieving both powerful cyber-security and NRC compliance. The whitepaper is built according to the template of controls found in NIST and the recommendations of NIST and relates specifically to those controls and recommendations which are relevant to the Waterfall One-Way unidirectional cyber security solution.

Table of Contents

Abstract
About Waterfall Security Solutions
Waterfall One-Way for NRC Compliance and NIST and NIST Adherence
Introducing Waterfall One-Way
Waterfall One-Way Customer Benefits
Annex Waterfall One-Way for NRC Compliance Network Architecture samples
  Waterfall One-Way Defining High Assurance with Adequate Protection
  Transporting Files using the Waterfall File Transfer Enabler (WF-FTE)
  Historian Replication using the Waterfall SCADA Monitoring Enabler (WF-SME)
  Industrial Protocol Gateway using the Waterfall WF-SME
Waterfall One-Way Response to relevant NRC and NIST Compliance Requirements
  Access Control (AC)
    NIST
    AC-3 ACCESS ENFORCEMENT (NIST )
    AC-4 INFORMATION FLOW ENFORCEMENT (NIST )
    AC-6 LEAST PRIVILEGE (NIST )
    AC-17 REMOTE ACCESS (NIST )
    NIST
    AC-20 USE OF EXTERNAL INFORMATION SYSTEMS (NIST )
  Audit and Accountability (AU)
    AU-9 PROTECTION OF AUDIT INFORMATION (NIST800.53)
  Security Assessment and Authorization (CA)
    CA-3 INFORMATION SYSTEM CONNECTIONS (NIST )
  Configuration Management (CM)
    CM-5 ACCESS RESTRICTIONS FOR CHANGE (NIST800.53)
    CM-7 LEAST FUNCTIONALITY (NIST )
  Contingency Planning (CP)
    NIST
    CP-9 INFORMATION SYSTEM BACKUP (NIST )
    NIST
    CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (NIST800.53)
  Media Protection (MP)
    MP-2 MEDIA ACCESS (NIST )
  Physical and Environmental Protection (PE)
    PE-19 INFORMATION LEAKAGE (NIST )
  System and Services Acquisition (SA)
    SA-13 TRUSTWORTHINESS (NIST )
  System and Communications Protection (SC)
    SC-2 APPLICATION PARTITIONING (NIST )
    NIST
    SC-3 SECURITY FUNCTION ISOLATION (NIST )
    SC-4 INFORMATION IN SHARED RESOURCES (NIST )
    SC-5 DENIAL OF SERVICE PROTECTION (NIST )
    SC-7 BOUNDARY PROTECTION (NIST )
    NIST
    SC-8 TRANSMISSION INTEGRITY (NIST )
    NIST
    SC-9 TRANSMISSION CONFIDENTIALITY (NIST )
    SC-11 TRUSTED PATH (NIST )
    SC-23 SESSION AUTHENTICITY (NIST )
    SC-25 THIN NODES (NIST )
    SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS (NIST )
    SC-28 PROTECTION OF INFORMATION AT REST (NIST )
    SC-30 VIRTUALIZATION TECHNIQUES (NIST )
    SC-32 INFORMATION SYSTEM PARTITIONING (NIST )
    SC-33 TRANSMISSION PREPARATION INTEGRITY (NIST )
    SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS (NIST )
  System and Information Integrity (SI)
    SI-3 MALICIOUS CODE PROTECTION (NIST )
    SI-9 INFORMATION INPUT RESTRICTIONS (NIST )
Controls: Supported but not implemented by Waterfall One-Way
  AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
  AC-8 SYSTEM USE NOTIFICATION
  AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
  AC-11 SESSION LOCK
  AC-16 SECURITY ATTRIBUTES
  AU-8 TIME STAMPS
  AU-10 NON-REPUDIATION
  AU-12 AUDIT GENERATION
  AU-14 SESSION AUDIT
  CM-3 CONFIGURATION CHANGE CONTROL
  CM-6 CONFIGURATION SETTINGS
  IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
  SI-4 INFORMATION SYSTEM MONITORING
  SI-8 SPAM PROTECTION
Table of compliance by Waterfall One Way

About Waterfall Security Solutions

Waterfall Security Solutions Ltd. is the leading provider of secure unidirectional connectivity for Process Control systems, Industrial Networks, SCADA systems, Remote Monitoring and Segregated Networks. Waterfall's products have been deployed in many critical national infrastructures, homeland security agencies and mission critical organizations in North America, Europe and Israel, and include security solutions for leading industrial applications such as Historian systems and Remote Monitoring platforms as well as leading industrial protocols such as OPC, Modbus, DNP3 and ICCP.

Waterfall One-Way for NRC Compliance and NIST and NIST Adherence

NRC RG 5.71, currently in its Draft Final Rule, spells out the requirements for a cyber security plan to be submitted by the licensees for the NRC's review and approval. The licensee is required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in Title 10 of the Code of Federal regulations (10CFR) Part73, Section The provisions in RG 5.71 require protection of all critical systems and networks and require the licensee to implement controls that will defend these systems against any cyber attack that would adversely affect the availability, integrity and confidentiality of the critical system's assets and data. The protection of critical assets and data is to be achieved through the implementation of state-of-the-art defense-in-depth protective strategies (RG 5.71 c (2)), whose aim is to ensure that the functions or tasks required to be performed by the critical assets are maintained and carried out (RG 5.71 c (4)) and to prevent adverse effects from cyber attacks (RG 5.71 c (3)).

The controls referred to in NIST and the recommendations relevant to those controls found in NIST , are defined in terms of three distinct classes: management, operational and technical. Each class is further divided into families of controls as per the table below.

IDENTIFIER  FAMILY                                  CLASS
AC          Access Control                          Technical
AT          Awareness and Training                  Operational
AU          Audit and Accountability                Technical
CA          Security Assessment and Authorization   Management
CM          Configuration Management                Operational
CP          Contingency Planning                    Operational
IA          Identification and Authentication       Technical
IR          Incident Response                       Operational
MA          Maintenance                             Operational
MP          Media Protection                        Operational
PE          Physical and Environmental Protection   Operational
PL          Planning                                Management
PS          Personnel Security                      Operational
RA          Risk Assessment                         Management
SA          System and Services Acquisition         Management
SC          System and Communications Protection    Technical
SI          System and Information Integrity        Operational
PM          Program Management                      Management

TABLE 1-1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS

The controls selected are a function of the mitigation they offer to the risk associated with the specific categorization of the information system and the level of impact in the event of its compromise. Of particular interest to the Waterfall One-Way unidirectional cyber security solution are the families of controls specifically related to Access, Protection and Integrity (AC, AU, CA, CM, CP, MP, PE, SA, SI and SC). Each of the specific controls within these families will be discussed further.

NIST Section 5 Network Architecture describes a number of possibilities for separating the ICS network from the corporate network. This section clearly demonstrates that the connection between the two networks is a significant security risk. Section 5 continues by stating, "If the networks must be connected, it is strongly recommended that only minimal (single if possible) connections be allowed and that the connection is through a firewall and a DMZ."

The network-segregated architectures, including the most sophisticated, which is termed "Firewall with DMZ between Corporate Network and Control Network", are inherently vulnerable, given that in this type of architecture, if a computer in the DMZ is compromised, then it can be used to launch an attack against the control network via application traffic permitted from the DMZ to the control network. This risk can be greatly reduced if a concerted effort is made to harden and actively patch the servers in the DMZ and if the firewall rule set permits only connections between the control network and DMZ that are initiated by control network devices. Other concerns with this architecture are the added complexity and the potential increased cost of firewalls with several ports. For more critical systems, however, the improved security should more than offset these disadvantages.

While traditional (i.e. software based) IT Security products or systems (firewalls, intrusion detection systems, anti-malware etc.) can be used, they are vulnerable to the same risks and dangers targeting the CCAs themselves: firewalls can be hacked, IPSs and IDSs must be patched and updated, zero-day exploits are a permanent risk, and configuration is tiresome and prone to mistakes.

When seeking an NRC solution, one that indeed achieves compliance while realizing the true spirit of high assurance and defense in depth, it is evident that traditional, software-based protection solutions are not enough. This is especially true when considering the immense implications of a successful cyber-attack on a major nuclear electricity utility.

Waterfall One-Way is a consolidated hardware and software security solution that provides the most powerful defense of the critical network. Affording an unparalleled level of protection to all Critical Digital Assets residing within critical infrastructure network perimeter(s), Waterfall One-Way provides a solid foundation for the NRC compliance framework. It addresses the NRC compliance framework requirements by supplying a true level of security at all layers of the network's communications protocols, enforcing the controls in accordance with NIST requirements and NIST recommendations and by providing robust and truly unidirectional communication to devices outside the critical network.

In addition, successful implementation of NERC-CIP-007, detailing the required Systems Security Management within the electronic security perimeter and at its access points, is much easier, more cost effective, and more immediate to achieve with Waterfall One-Way integrated into the critical infrastructure's cyber security framework. In fact, Waterfall One-Way potentially eliminates access points and supporting critical cyber assets.

The importance of the reliability of the bulk electric system to our modern way of life is central and undisputed. The imminent dangers of cyber terror and cyber hacking activities are clear and publicly known. Waterfall Security Solutions supplies a win-win solution which not only provides a unique and robust foundation for NRC compliance, but true and unparalleled security against all external cyber threats.

Introducing Waterfall One-Way

Waterfall's hardware based unidirectional core is shared by all of its products and solutions. The core is coupled with software agents that mediate its integration into the surrounding environments, while providing added functionalities and flexibility. The basic Waterfall architecture is as follows:

Figure 1 Basic Waterfall One-Way Architecture

The basic components are:

- A Waterfall Tx Software Agent, residing on a host which is part of the sending network. The agent interacts with applications (e.g. OSIsoft PI, GE Proficy) and protocols (e.g. OPC, Modbus, DNP3) on the network, receives the relevant information and mediates the connection of the Waterfall One-Way with the sending network. Designated data is passed, in real-time, from the Tx software agent to the Waterfall Tx appliance.
- An appliance pair comprised of:
  o A Waterfall Tx Appliance, transmitting information from the Tx software agent via a single fiber optic cable to the Waterfall Rx Appliance.
  o A Waterfall Rx Appliance, receiving information from the Waterfall Tx appliance and transmitting it to the Waterfall Rx software agent, residing on a host which is part of the receiving network.
- A Waterfall Rx Software Agent, residing on a host which is part of the receiving network. The agent receives data from the Waterfall Rx appliance, mediates the connection of the Waterfall One-Way with the receiving network and interacts as required with applications and nodes on the receiving network, passing the designated data into the receiving network.

Waterfall One-Way Customer Benefits

The unique Waterfall architecture and its attributes provide two basic benefits for all Waterfall One-Way installations and deployments:

- Complete protection against external cyber attacks: hacking sessions are an interactive process in which a hacker initiates a working session with his target node, elicits a response, and accordingly makes his next move. When trying to hack across a Waterfall One-Way, the hacker will be unable to initiate a successful session.
- No data backflow: the hardware based appliance core of the Waterfall One-Way enforces unidirectional data flow at the physical layer (Layer 1 of the OSI model), which in turn ensures unidirectional communication will be totally preserved at all higher layers of the protocol stack, regardless of the communication protocol chosen and the applications being used. Thus, regardless of networks and applications used, there will be no data backflow across a Waterfall One-Way.

Waterfall One-Way provides customers with the most powerful electronic security perimeter available, enforced by hardware, software and the very basic laws of physics. This unique technology and architecture helps ensure that compliance with NRC, NIST requirements is fully reached, while providing true cyber-security to all critical assets and cyber assets residing within the Waterfall defined electronic security perimeter.

As an added benefit, Waterfall installations provide a hassle-free and zero-maintenance implementation of an electronic security perimeter, requiring a one-time configuration with no need for follow-up configurations, patches or updates. Thus overhead and related investments are minimized.

Only Waterfall can provide full visibility into the critical infrastructure networks running the bulk electric system, while still fully segregating them from any externally generated activities, in essence effectively air-gapping them to achieve unprecedented protection and security.
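
A link with no data backflow also means the receiving side can never acknowledge a frame or ask for it again, so the software on each side has to compensate. The following is an added illustration of that consequence, not Waterfall's code or wire format: the frame layout, the function names and the repeat-every-frame strategy are assumptions made for this example, and the fiber is simulated in memory.

```python
import hashlib
import struct

# Hypothetical frame layout (an assumption for this example, not Waterfall's format):
#   sequence number | total frames | payload length | payload | SHA-256 of all preceding bytes
HEADER = struct.Struct("!IIH")
DIGEST_LEN = hashlib.sha256().digest_size


def tx_frames(data, chunk_size=16, repeat=2):
    """Tx side: frame the data and send every frame `repeat` times.

    With no return path the sender never learns what arrived, so redundancy
    has to be decided up front instead of retransmitting on request.
    """
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    for seq, chunk in enumerate(chunks):
        body = HEADER.pack(seq, len(chunks), len(chunk)) + chunk
        frame = body + hashlib.sha256(body).digest()
        for _ in range(repeat):
            yield frame


def one_way_link(frames, drop=(), corrupt=()):
    """Simulated fiber: frames travel Tx -> Rx only; some are lost or damaged."""
    for index, frame in enumerate(frames):
        if index in drop:
            continue
        if index in corrupt:
            # Flip one byte just after the header to model line corruption.
            frame = frame[:HEADER.size] + bytes([frame[HEADER.size] ^ 0xFF]) + frame[HEADER.size + 1:]
        yield frame


class RxAgent:
    """Rx side: validate, de-duplicate and reassemble; gaps can only be reported locally."""

    def __init__(self):
        self.chunks = {}
        self.total = None
        self.rejected = 0

    def receive(self, frame):
        if not self._accept(frame):
            self.rejected += 1

    def _accept(self, frame):
        if len(frame) < HEADER.size + DIGEST_LEN:
            return False
        body, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        # Unkeyed hash: detects line corruption, not deliberate tampering.
        if hashlib.sha256(body).digest() != digest:
            return False
        seq, total, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if length != len(payload) or total == 0 or seq >= total:
            return False
        if self.total is None:
            self.total = total
        elif total != self.total:
            return False
        self.chunks.setdefault(seq, payload)  # repeated copies are ignored
        return True

    def missing(self):
        """Sequence numbers not yet received, or None if nothing valid arrived."""
        if self.total is None:
            return None
        return [seq for seq in range(self.total) if seq not in self.chunks]

    def result(self):
        """Return the reassembled data, or None while any frame is missing."""
        if self.missing() != []:
            return None
        return b"".join(self.chunks[seq] for seq in range(self.total))


def replicate(data, drop=(), corrupt=(), repeat=2):
    """Push `data` across the simulated link; return (result, missing, rejected)."""
    rx = RxAgent()
    for frame in one_way_link(tx_frames(data, repeat=repeat), drop, corrupt):
        rx.receive(frame)
    return rx.result(), rx.missing(), rx.rejected


# Constructed sample record, not real plant data.
SAMPLE = b"TAG=FT101;VALUE=42.7;TS=constructed-sample"

if __name__ == "__main__":
    print(replicate(SAMPLE, drop={0}, corrupt={3}))  # every frame still has one good copy
    print(replicate(SAMPLE, drop={2, 3}))            # both copies of frame 1 lost
```

When both copies of a frame are lost, the receiver can only record the gap on its own side; recovery has to come from the sender's next scheduled transmission.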

Annex Waterfall One-Way for NRC Compliance Network Architecture samples

Below are several examples of network architectures implementing Waterfall One-Way to define Critical Digital Asset Protection compliance within NRC and NIST. All are meant to provide a more in-depth technical view into the logic and structure of Waterfall One-Way deployment in critical industrial environments. The basic layout of an NRC, NIST compliant Waterfall deployment is presented, followed by several examples of how this basic architecture is leveraged to provide different solutions and flexible applications & protocols support.

Waterfall One-Way Defining High Assurance with Adequate Protection

The most common NRC, NIST compliant basic architecture is as follows:

Figure 2 Basic Waterfall One-Way NRC, NIST Compliant Architecture

This architecture allows data and information to be exported and transmitted from the security enclave within the Critical network towards all external data consumers, without exposing critical assets and cyber assets to any external dangers. Full visibility to the critical information is afforded to all external users. This basic architecture can be leveraged in several different possible sub-architectures, employing different Waterfall-based solutions which transport different types of data across the Waterfall link, from the industrial control network towards the external networks.

Transporting Files using the Waterfall File Transfer Enabler (WF-FTE)

This is a common Waterfall security solution for transferring files from a security enclave, across the critical network perimeter to external networks. The following diagram shows the general layout involving dedicated file servers (which are not a part of the Waterfall One-Way):

Figure 3 Waterfall File Transfer Enabler (WF-FTE)

In this configuration, files are simply being transported from the origin server to the destination server. The Tx file server is completely secured from external attacks, while the files themselves can be further protected by encryption (for example Waterfall's FTE supports FTP as well as SFTP and TFTP).

Historian Replication using the Waterfall SCADA Monitoring Enabler (WF-SME)

In this scenario, an operational Historian is replicated from the secured critical network to a replica Historian residing on the corporate or external network. Waterfall performs this replication by leveraging the Historian's low level API in order to achieve maximum performance and real-time high throughput. Supported Historians today include the OSIsoft PI Historian, GE's Proficy Historian and others. The basic architecture for a Historian replication would look as follows:

Figure 4 Basic Historian replication via Waterfall One-Way

Although all Historian data would be readily available to corporate users, external hackers cannot reach the operational Historian residing within the secure industrial network. Hackers may be able to impact the replica Historian, but the operational processes related to the critical operational Historian will continue unharmed.

Industrial Protocol Gateway using the Waterfall WF-SME

In this architecture, a Waterfall One-Way is used as a unidirectional gateway which enables extraction and export of messages, data and information from within industrial networks, carried upon industrial protocols, to external networks. This allows reuse of HMI displays and reporting services, within external or public networks, without the risk of command and control. The following diagram shows a DNP3 unidirectional gateway utilizing the WF-SME for DNP3:

Figure 5 Waterfall WF-SME as a DNP3 unidirectional protocol Gateway

Waterfall supports additional industrial protocols, such as Modbus, OPC, ICCP and others, and performs custom development of protocol support according to specific customer requirements and requests.

Waterfall One-Way Response to relevant NRC and NIST Compliance Requirements

As mentioned earlier in this paper, the Waterfall One-Way unidirectional cyber security solution provides specific responses to the control families mentioned in the following sections: Access Control, Audit and Accountability, Configuration Management, Media Protection, System and Information Integrity, System and Services Acquisition, Security Assessment and Authorization, Contingency Planning, Physical and Environmental Protection, System and Communications Protection (AC, AU, CA, CM, CP, MP, PE, SA, SI and SC). Each of the relevant specific controls within these families as well as relevant recommendations made in NIST will be discussed herein together with its corollary Waterfall One-Way response.

Please note that the controls can be either directly relevant to Waterfall One Way technology, or supported by the technology but not directly linked to it, or totally irrelevant and related to other aspects of security. The following will discuss only the directly relevant controls, those to which Waterfall One Way technology directly provides an answer.

Access Control (AC)

NIST Recommendation: Role based access control can be used to provide a uniform means to manage access to ICS devices while reducing the cost of maintaining individual device access levels and minimizing errors. RBAC should be used to restrict ICS user privileges to only those that are required to perform each person's job (i.e., configuring each role based on the principle of least privilege).

SCADA and historian software vendors typically provide Web servers as a product option so that users outside the control room can access ICS information. In many cases, software components such as ActiveX controls or Java applets must be installed or downloaded onto each client machine accessing the Web server. Some products, such as PLCs and other control devices, are available with embedded Web, FTP, and servers to make them easier to configure remotely and allow them to generate notifications and reports when certain conditions occur. When feasible, use HTTPS rather than HTTP, use SFTP or SCP rather than FTP, block inbound FTP and traffic, etc.

VLANs have been effectively deployed in ICS networks, with each automation cell assigned to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches [34].

AC-3 ACCESS ENFORCEMENT (NIST )

Control: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

Waterfall technology enforces physical separation between networks; therefore approved authorization for logical access is implemented on the physical layer and unauthorized personnel are unable to access the logical units whatsoever.

AC-4 INFORMATION FLOW ENFORCEMENT (NIST )

Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Waterfall SME products provide physical segregation between the control network and the corporate network and therefore access to the SCADA and historian servers is not possible from the corporate network in any way. Waterfall simply eliminates this risk elegantly and efficiently.

AC-6 LEAST PRIVILEGE (NIST )

Control: The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

As mentioned in AC-3, the outcome of the physical network separation between the control network and the corporate network limits access to sensitive control systems to authorized users only, from the control location. Waterfall in this case enforces access control to authorized people only on the highest security level possible: the physical layer.

AC-17 REMOTE ACCESS (NIST )

Control: The organization:
- Documents allowed methods of remote access to the information system;
- Establishes usage restrictions and implementation guidance for each allowed remote access method;
- Monitors for unauthorized remote access to the information system;
- Authorizes remote access to the information system prior to connection; and
- Enforces requirements for remote connections to the information system.

NIST Recommendation: Another issue for ICS firewall design is user and/or vendor remote access into the control network. Any users accessing the control network from remote networks should be required to authenticate using an appropriately strong mechanism such as token-based authentication. While it is possible for the controls group to set up their own remote access system with multi-factor authentication on the DMZ, in most organizations it is typically more efficient to use existing systems set up by the IT department. In this case a connection through the firewall from the IT remote access server is needed.

Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol, such as running a corporate VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme, in order to connect to the general corporate network. Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token based multi-factor authentication scheme, to gain access to the control network. For organizations that do not allow any control traffic to traverse the corporate network in the clear, this could require a cascading, or secondary tunneling solution, to gain access to the control network, such as a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) VPN inside an IPsec VPN.

In most cases, remote support is provided by sending monitoring information to the vendor or the external entity and receiving orders and guidance by phone. Waterfall (please refer to the SMU application and Waterfall Remote Screen viewing) enables such unidirectional information flow without compromising the control or the corporate network. In addition, if bidirectional communication is unavoidable, Waterfall offers the WF-SMU (Manual Uplink) which allows for controlled bi-directionality and is used in parallel with existing authentication and encryption methods. The WF-SMU prevents any human errors and assists in enforcing organizational security policy.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS (NIST )

Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
- Access the information system from the external information systems; and
- Process, store, and/or transmit organization-controlled information using the external information systems.

In most cases, remote support or the use of external services is provided by sending monitoring information to the vendor/external entity and receiving orders and guidance by phone. Waterfall (please refer to the SMU application and Waterfall Remote Screen viewing) enables such unidirectional information flow without compromising the control or the corporate network. In addition, if bidirectional communication is unavoidable, on top of all the authentication and encryption methods it would be wise to use the WF-SMU, to prevent any human errors and enforce organization policy.

In the event that the information feed is from an external source outside of the organization, such as weather forecasts, pollution level data, consumption levels etc., Waterfall One-Way may be installed to enable a unidirectional flow of information that will ensure that no online cyber attack is possible and no threat of data leakage from the organization to the outside world is possible.

Audit and Accountability (AU)

AU-9 PROTECTION OF AUDIT INFORMATION (NIST800.53)

Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Related controls: AC-3, AC-6.

Protecting confidential and critical information for audit purposes (which may disclose vulnerabilities) requires state of the art data protection. By storing this information behind Waterfall, using the DRE (Date Retention Enabler) topology, the confidential information is kept behind a physical barrier and access to the storage media is physically restricted to authorized personnel. Writing to the storage depository is possible by logical access, as with any other logical authentication and access control procedure, but reading, deleting or modifying is possible only by having physical access to the storage media.

Security Assessment and Authorization (CA)

CA-3 INFORMATION SYSTEM CONNECTIONS (NIST )

Control: The organization:
- Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements;
- Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
- Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

All this risk, hassle and paperwork become redundant when utilizing Waterfall, as external connections to the control network are impossible!

Configuration Management (CM)

CM-5 ACCESS RESTRICTIONS FOR CHANGE (NIST800.53)

Control: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

After defining and documenting the approvals, the ultimate enforcement of this policy is obtained by Waterfall as physical separation between the networks is achieved. After installing the Waterfall between the higher level security network and the lower level security network (with regard to level 4 and level 3) it is clear that no access from level 3 users will be possible to any equipment residing on level 4 whatsoever.

CM-7 LEAST FUNCTIONALITY (NIST )

Control: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

Waterfall One-Way technology typically replicates online historian and SCADA information from the control network to lower security level networks. As a result, all ports and functions that were open to users to receive this information are now blocked by a physical, unbreakable hurdle, and restricted functions, open ports and protocols are no longer relevant as all these vulnerabilities and weak points are eliminated through the use of Waterfall.

Contingency Planning (CP)

NIST Recommendation: Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all nonessential interferences and connections that could permit cyber security intrusions, and alternatives to achieve necessary interfaces and coordination. Employees should be trained and familiar with the contents of the contingency plans. Contingency plans should be periodically reviewed with employees responsible for restoration of the ICS, and tested to ensure that they continue to meet their objectives. Organizations also have business continuity plans and disaster recovery plans that are closely related to contingency plans.
Because business continuity and disaster recovery plans are particularly important for ICS, they are described in more detail in the sections to follow. UCP-9 U SYSTEM BACKUP (NIST ) Control: The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Page 21 of 40

22 Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and Protects the confidentiality and integrity of backup information at the storage location. NIST Recommendation: Redundancy and Fault Tolerance - ICS components or networks that are classified as critical to the organization have high availability requirements. One method of achieving high availability is through the use of redundancy. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or does not cause another problem elsewhere, such as a cascading event. The control system should have the ability to execute an appropriate fail-safe process upon the loss of communications with the ICS or the loss of the ICS itself. The organization should define what "loss of communications" means (e.g., 5 seconds, 5 minutes, etc. without communications). The organization should then, based on potential consequences, define the appropriate fail-safe process for their industry. Backups should be performed using the backup-in-depth approach, with layers of backups (e.g., local, facility, disaster) that are time-sequenced such that rapid recent local backups are available for immediate use and secure backups are available to recover from a massive security incident. A mixture of backup/restore approaches and storage methods should be used to ensure that backups are rigorously produced, securely stored, and appropriately accessible for restoration. 
Waterfall One Way technology, besides the capability to perform in a redundant topology in its own right, provides the organization with important tools to a safe redundancy by buffering SCADA and historian data in case of a fail over. Waterfall provides additional answers to the redundancy and high availability issue as in most cases, when using a Waterfall, the topology structure behooves an additional historian server or HMI so the system availability is doubled. This means, when using a Waterfall system, you inherently increase the control system availability. Furthermore, in some cases, availability means keeping a safe copy of the data. Waterfall can provide, with our DRE topology a safe write-only memory deposit that can be accessed only locally and ensures that the records are untouchable, genuine and available. Page 22 of 40

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (NIST800.53)

Control: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

One of the most common uses of Waterfall technology is to replicate historian servers and deliver SCADA information in a unidirectional fashion. Keeping replica servers enables the organization to effectively prevent any disruption and, if one occurs, to recover quickly using the replica configuration and data. In addition, keeping configuration templates of all systems, handled as confidential data, behind a Waterfall in DRE (Data Retention Enabler) ensures effective recovery and reconstitution.

Media Protection (MP)

MP-2 MEDIA ACCESS (NIST )

Control: The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

Waterfall technology enforces physical separation between networks. Consequently, the organization obtains restricted access to the digital/cyber and control equipment, both logically and physically.

Physical and Environmental Protection (PE)

PE-19 INFORMATION LEAKAGE (NIST )

Control: The organization protects the information system from information leakage due to electromagnetic signals emanations.

Waterfall One Way technology is implemented with two separate boxes (TX and RX) with a single fiber optic cord between them. As a consequence, no electromagnetic emanation is possible between the protected network and the other network.

System and Services Acquisition (SA)

SA-13 TRUSTWORTHINESS (NIST )

Control: The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].

Waterfall One Way technology, especially with the predominant application of control network segregation by physical means, significantly enhances the information system's trustworthiness level by dramatically increasing the security level. In addition, the Waterfall One Way topology creates redundant databases, which are also of great importance to the information system's trustworthiness.

System and Communications Protection (SC)

SC-2 APPLICATION PARTITIONING (NIST )

Control: The information system separates user functionality (including user interface services) from information system management functionality.

NIST Recommendations:

Domain Name System (DNS): Domain Name System (DNS) is primarily used to translate between domain names and IP addresses. For example, a DNS could map a domain name such as control.com to an IP address such as Most Internet services rely heavily on DNS, but its use on the control network is relatively rare at this time. In most cases there is little reason to allow DNS requests out of the control network to the corporate network and no reason to allow DNS requests into the control network. DNS requests from the control network to DMZ should be addressed on a case-by-case basis. Local DNS or the use of host files is recommended.

Hypertext Transfer Protocol (HTTP): HTTP is the protocol underlying Web browsing services on the Internet. Like DNS, it is critical to most Internet services. It is seeing increasing use on the plant floor as well as an all-purpose query tool. Unfortunately, it has little inherent security, and many HTTP applications have vulnerabilities that can be exploited. HTTP can be a transport mechanism for many manually performed attacks and automated worms. In general, HTTP should not be allowed to cross from the corporate to the control network. If it is, then HTTP proxies should be configured on the firewall to block all inbound scripts and Java applications. Incoming HTTP connections should not be allowed into the control network, as they pose significant security risks. If HTTP services into the control network are absolutely required, it is recommended that the more secure HTTPS be used instead and only to specific devices.

FTP and Trivial File Transfer Protocol (TFTP): FTP and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. They are implemented on almost every platform including many SCADA systems, DCS, PLCs, and RTUs, because they are very well known and use minimum processing power. Unfortunately, neither protocol was created with security in mind; for FTP, the login password is not encrypted, and for TFTP, no login is required at all. Furthermore, some FTP implementations have a history of buffer overflow vulnerabilities. As a result, all TFTP communications should be blocked, while FTP communications should be allowed for outbound sessions only or if secured with additional token-based multi-factor authentication and an encrypted tunnel. More secure protocols, such as Secure FTP (SFTP) or Secure Copy (SCP), should be employed whenever possible.

Telnet: The telnet protocol defines an interactive, text-based communications session between a client and a host. It is mainly used for remote login and simple control services to systems with limited resources or to systems with limited needs for security. It is a severe security risk because all telnet traffic, including passwords, is unencrypted, and it can allow a remote individual considerable control over a device. Inbound telnet sessions from the corporate to the control network should be prohibited unless secured with token-based multi-factor authentication and an encrypted tunnel. Outbound telnet sessions should be allowed only over encrypted tunnels (e.g., VPN) to specific devices.

Simple Mail Transfer Protocol (SMTP): SMTP is the primary e-mail transfer protocol on the Internet. E-mail messages often contain malware, so inbound e-mail should not be allowed to any control network device. Outbound SMTP mail messages from the control network to the corporate network are acceptable to send alert messages.

Waterfall One Way technology eliminates this risk completely, as there is no physical connection between the control network and the corporate network. In addition, protocols like FTPS, HTTPS, SFTP and SMTP are supported by the Waterfall and can be delivered in a one-way connection fashion.

SC-3 SECURITY FUNCTION ISOLATION (NIST )

Control: The information system isolates security functions from non-security functions.

Waterfall answers this requirement explicitly. Because the critical cyber assets are isolated from all other non-critical assets when using the Waterfall system, all data processing, monitoring and viewing becomes available to the corporate users; however, security-related functions can only be performed on the control network, and there is no physical possibility of mixing them.

SC-4 INFORMATION IN SHARED RESOURCES (NIST )

Control: The information system prevents unauthorized and unintended information transfer via shared system resources.

This risk is completely eliminated when using Waterfall. While the information becomes available to the authorized people in the corporate network, the shared resource is in no way a gateway to the control network. Since Waterfall streams the information in a unidirectional manner only, no unintended information can be transferred and consequently tamper with the smooth operation of the control network.

SC-5 DENIAL OF SERVICE PROTECTION (NIST )

Control: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

By utilizing Waterfall this risk is completely eliminated, as the physical segregation the Waterfall provides will prevent any DOS or DDOS from reaching the control network. The worst scenario that can result from DOS or DDOS is that the flow of information from the control network to the corporate network will cease. However, the control network will not be compromised in any way whatsoever.

SC-7 BOUNDARY PROTECTION (NIST )

Control: The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

NIST Recommendation: Data Historians - The existence of shared control network/corporate network servers such as data historians and asset management servers can have a significant impact on firewall design and configuration. In three-zone systems the placement of these servers in a DMZ is relatively straightforward, but in two-zone designs the issues become complex. Placing the historian on the corporate side of the firewall means that a number of insecure protocols, such as MODBUS/TCP or DCOM, must be allowed through the firewall and that every control device reporting to the historian is exposed to the corporate side of the network. On the other hand, putting the historian on the control network side means other equally questionable protocols, such as HTTP or SQL, must be allowed through the firewall, and there is now a server accessible to nearly everyone in the organization sitting on the control network.

In general, the best solution is to avoid two-zone systems (no DMZ) and use a three-zone design, placing the data collector in the control network and the historian component in the DMZ; however, even this can prove problematic in some situations. Heavy access from the large numbers of users on the corporate network to a historian in the DMZ may tax the firewall's throughput capabilities. One potential solution is to install two servers: one on the control network to collect data from the control devices, and a second on the corporate network mirroring the first server and supporting client queries. The issue of how to time synchronize both historians will have to be addressed. This also requires a special hole to be put through the firewall to allow direct server-to-server communications, but if done correctly, this poses only minor risk.

Waterfall One Way technology was designed to answer this specific requirement. By locating a Waterfall system between the control network and the corporate network, all cumbersome topologies of firewalls, DMZs, relays, configurations and paperwork become simply unneeded. All monitoring and control information can flow, on an online basis, from the control network to the corporate network while leaving the control network physically disconnected and isolated from the outside world. The Waterfall provides 100% security, completely eliminates the risks and keeps the entire topology simple and efficient. Waterfall supports a variety of Historian servers that can be replicated online across the fiber optic link, as well as several SCADA protocols like Modbus, OPC, ICCP and more.

SC-8 TRANSMISSION INTEGRITY (NIST )

Control: The information system protects the integrity of transmitted information.

NIST Recommendation:

Simple Network Management Protocol (SNMP): SNMP is used to provide network management services between a central management console and network devices such as routers, printers, and PLCs. Although SNMP is an extremely useful service for maintaining a network, it is very weak in security. Versions 1 and 2 of SNMP use unencrypted passwords to both read and configure devices (including devices such as PLCs), and in many cases the passwords are well known and cannot be changed. Version 3 is considerably more secure but is still limited in use. SNMP V1 & V2 commands both to and from the control network should be prohibited unless it is over a separate, secured management network whereas SNMP V3 commands may be able to be sent to the ICS using the security features inherent to V3.

Distributed Component Object Model (DCOM): DCOM is the underlying protocol for both OLE for Process Control (OPC) and ProfiNet. It utilizes Microsoft's Remote Procedure Call (RPC) service which, when not patched, has many vulnerabilities. These vulnerabilities were the basis for the Blaster worm exploits. In addition, OPC, which utilizes DCOM, dynamically opens a wide range of ports (1024 to 65535) that can be extremely difficult to filter at the firewall. This protocol should only be allowed between control network and DMZ networks and explicitly blocked between the DMZ and corporate network. Also, users are advised to restrict the port ranges used by making registry modifications on devices using DCOM.

SCADA and Industrial Protocols: SCADA and industrial protocols, such as MODBUS/TCP, EtherNet/IP, and DNP3, are critical for communications to most control devices. Unfortunately, these protocols were designed without security built in and do not typically require any authentication to remotely execute commands on a control device. These protocols should only be allowed within the control network and not allowed to cross into the corporate network.

Network Address Translation (NAT): Network address translation (NAT) is a service where IP addresses used on one side of a network device can be mapped to a different set on the other side on an as-needed basis. It was originally designed for IP address reduction purposes so that an organization with a large number of devices that occasionally needed Internet access could get by with a smaller set of assigned Internet addresses. To do this, most NAT implementations rely on the premise that not every internal device is actively communicating with external hosts at a given moment. The firewall is configured to have a limited number of outwardly visible IP addresses. When an internal host seeks to communicate to an external host, the firewall remaps the internal IP address and port to one of the currently unused, more limited, public IP
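The protocol recommendations quoted under SC-2 and SC-8 above can be expressed as checks on firewall ALLOW rules that cross between the control network, the DMZ and the corporate network. The following Python code is an added example, not part of the Waterfall whitepaper or of any NIST publication; the zone names, the Rule fields, the protocol labels and the sample rule set are assumptions constructed for illustration.

```python
"""Audit ALLOW rules between control, DMZ and corporate zones against the
protocol recommendations quoted in this whitepaper (constructed example)."""
from dataclasses import dataclass

CONTROL, DMZ, CORP = "control", "dmz", "corporate"   # assumed zone labels
SCADA = {"modbus-tcp", "ethernet-ip", "dnp3"}


@dataclass(frozen=True)
class Rule:
    src: str                    # source zone
    dst: str                    # destination zone
    proto: str                  # protocol label, e.g. "http", "snmpv2"
    tunnel: bool = False        # carried in an encrypted tunnel (e.g. VPN)
    mfa: bool = False           # token-based multi-factor authentication
    specific_dst: bool = False  # destination is named devices, not "any"
    mgmt_net: bool = False      # separate, secured management network


def check(rule):
    """Return (verdict, reason); verdict is 'ok', 'review' or 'violation'."""
    p, src, dst = rule.proto, rule.src, rule.dst
    if src == dst:
        return "ok", "traffic stays inside one zone"
    inbound = dst == CONTROL    # crosses into the control network
    outbound = src == CONTROL   # leaves the control network
    if p == "tftp":
        return "violation", "all TFTP communications should be blocked"
    if p in SCADA:
        return "violation", "industrial protocols stay within the control network"
    if p == "dcom":
        if {src, dst} == {CONTROL, DMZ}:
            return "ok", "DCOM is allowed between control network and DMZ"
        return "violation", "DCOM is only allowed between control network and DMZ"
    if not (inbound or outbound):
        return "review", "DMZ/corporate traffic is not covered by the quoted text"
    if p in ("snmpv1", "snmpv2"):
        if rule.mgmt_net:
            return "ok", "SNMP v1/v2 over a separate, secured management network"
        return "violation", "SNMP v1/v2 to or from the control network is prohibited"
    if p == "snmpv3":
        return "ok", "SNMP v3 can use its inherent security features"
    if p == "dns":
        if inbound:
            return "violation", "no reason to allow DNS into the control network"
        return "review", "DNS out of the control network is case by case"
    if p == "http" and inbound:
        return "violation", "incoming HTTP into the control network is not allowed"
    if p == "https" and inbound:
        if rule.specific_dst:
            return "review", "HTTPS inbound only if absolutely required"
        return "violation", "inbound HTTPS must be limited to specific devices"
    if p == "ftp":
        if outbound or (rule.mfa and rule.tunnel):
            return "ok", "FTP is outbound, or has MFA and an encrypted tunnel"
        return "violation", "inbound FTP needs MFA and an encrypted tunnel"
    if p == "telnet":
        if inbound and rule.mfa and rule.tunnel:
            return "ok", "inbound telnet with MFA and an encrypted tunnel"
        if outbound and rule.tunnel and rule.specific_dst:
            return "ok", "outbound telnet over a tunnel to specific devices"
        return "violation", "telnet lacks the required tunnel, MFA or device scope"
    if p == "smtp":
        if inbound:
            return "violation", "inbound e-mail to control devices is not allowed"
        if dst == CORP:
            return "ok", "outbound alert mail to the corporate network"
    return "review", "not covered by the quoted recommendations"


def audit(rules):
    """Return [(index, verdict, reason)] for every rule that is not 'ok'."""
    findings = []
    for i, rule in enumerate(rules):
        verdict, reason = check(rule)
        if verdict != "ok":
            findings.append((i, verdict, reason))
    return findings


# Constructed rule set, not taken from any real firewall.
SAMPLE_RULES = [
    Rule(CORP, CONTROL, "http"),                           # 0
    Rule(CONTROL, DMZ, "dcom"),                            # 1
    Rule(DMZ, CORP, "dcom"),                               # 2
    Rule(CONTROL, CORP, "smtp"),                           # 3
    Rule(CORP, CONTROL, "telnet", tunnel=True, mfa=True),  # 4
    Rule(CONTROL, DMZ, "dns"),                             # 5
    Rule(CONTROL, CORP, "modbus-tcp"),                     # 6
    Rule(CORP, CONTROL, "snmpv2"),                         # 7
    Rule(CONTROL, CORP, "telnet", tunnel=True),            # 8
    Rule(CORP, CONTROL, "https", specific_dst=True),       # 9
]

if __name__ == "__main__":
    for idx, verdict, reason in audit(SAMPLE_RULES):
        print(f"rule {idx}: {verdict.upper()} - {reason}")
```

Rules marked "review" are the ones the quoted text leaves to a case-by-case decision or does not address at all.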


Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Google Cloud Platform: Customer Responsibility Matrix. April 2017 Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder

More information

Ransomware. How to protect yourself?

Ransomware. How to protect yourself? Ransomware How to protect yourself? ED DUGUID, CISSP, VCP CONSULTANT, WEST CHESTER CONSULTANTS Ransomware Ransomware is a type of malware that restricts access to the infected computer system in some way,

More information

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen - Protecting productivity Industrial Security in Pharmaanlagen siemens.com/industrialsecurity Security Trends Globally we are seeing more network connections than ever before Trends Impacting Security

More information

NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes

NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright 2012 2011 by Waterfall

More information

NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications

NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications Andrew Ginter Director of Industrial Security Waterfall Security Solutions Mark Simon Senior Consultant Encari Joel Langill The

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

ICALEPCS 2013 San Francisco

ICALEPCS 2013 San Francisco UNIDIRECTIONAL SECURITY GATEWAYS Unidirectional Security Gateways Stronger Than Firewalls ICALEPCS 2013 San Francisco Andrew Ginter VP Industrial Security Waterfall Security Solutions Proprietary Information

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

NIST Compliance Controls

NIST Compliance Controls NIST 800-53 Compliance s The following control families represent a portion of special publication NIST 800-53 revision 4. This guide is intended to aid McAfee, its partners, and its customers, in aligning

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509) Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group (CSSWG) Submitted on behalf of the DOE National SCADA Test

More information

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203

More information

IPM Secure Hardening Guidelines

IPM Secure Hardening Guidelines IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for

More information

CyberP3i Course Module Series

CyberP3i Course Module Series CyberP3i Course Module Series Spring 2017 Designer: Dr. Lixin Wang, Associate Professor Firewall Configuration Firewall Configuration Learning Objectives 1. Be familiar with firewalls and types of firewalls

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES 002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-2 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Watson Developer Cloud Security Overview

Watson Developer Cloud Security Overview Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for

More information

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development

More information

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access 3 Using CyberArk s Privileged

More information

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3 ABSTRACT This white paper is Part 2 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring

More information

Securing Industrial Control Systems

Securing Industrial Control Systems L OCKHEED MARTIN Whitepaper Securing Industrial Control Systems The Basics Abstract Critical infrastructure industries such as electrical power, oil and gas, chemical, and transportation face a daunting

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

CloudCheckr NIST Audit and Accountability

CloudCheckr NIST Audit and Accountability CloudCheckr NIST 800-53 Audit and Accountability FISMA NIST 800-53 (Rev 4) Audit and Accountability: Shared Public Cloud Infrastructure Standards Standard Requirement per NIST 800-53 (Rev. 4) CloudCheckr

More information

Digital Wind Cyber Security from GE Renewable Energy

Digital Wind Cyber Security from GE Renewable Energy Digital Wind Cyber Security from GE Renewable Energy BUSINESS CHALLENGES The impact of a cyber attack to power generation operations has the potential to be catastrophic to the renewables industry as well

More information

NIST Special Publication

NIST Special Publication DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology

More information

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich RIPE RIPE-17 Table of Contents The Langner Group Washington Hamburg Munich RIPE Operations Technology Management Plan (MP-17) 0.1 Purpose... 4 0.2 Process Overview... 4 0.3 Implementation Scope... 5 0.4

More information

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

Because Security Gives Us Freedom

Because Security Gives Us Freedom Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access.......................................

More information

CIP Cyber Security Configuration Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Securing Access to Network Devices

Securing Access to Network Devices Securing Access to Network s Data Track Technology October, 2003 A corporate information security strategy will not be effective unless IT administrative services are protected through processes that safeguard

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information

Verizon Software Defined Perimeter (SDP).

Verizon Software Defined Perimeter (SDP). Verizon Software Defined Perimeter (). 1 Introduction. For the past decade, perimeter security was built on a foundation of Firewall, network access control (NAC) and virtual private network (VPN) appliances.

More information

Firewalls (IDS and IPS) MIS 5214 Week 6

Firewalls (IDS and IPS) MIS 5214 Week 6 Firewalls (IDS and IPS) MIS 5214 Week 6 Agenda Defense in Depth Evolution of IT risk in automated control systems Security Domains Where to put firewalls in an N-Tier Architecture? In-class exercise Part

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

FISMA Compliance. with O365 Manager Plus.

FISMA Compliance. with O365 Manager Plus. FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement

More information

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP FISMA-NIST SP 800-53 Rev.4 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

Security Fundamentals for your Privileged Account Security Deployment

Security Fundamentals for your Privileged Account Security Deployment Security Fundamentals for your Privileged Account Security Deployment February 2016 Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216 Compromising privileged accounts is

More information

7.16 INFORMATION TECHNOLOGY SECURITY

7.16 INFORMATION TECHNOLOGY SECURITY 7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for

More information