NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes


NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2011, 2012 by Waterfall Security Solutions Ltd.

Unidirectional Security Gateways
- Laser in TX, photocell in RX, fibre-optic cable: you can send data out, but nothing can get back in to the protected network
- TX uses 2-way protocols to gather data from the protected network
- RX uses 2-way protocols to publish data to the external network
- Server replication, not protocol emulation

Firewalls Are Not Enough
- Only essential connections allowed
- You trust the users, but should you trust their workstations? Their cell phones?
- Firewalls are software: even firewalls have vulnerabilities and zero days
- Errors and omissions
- Insider attack from the business network with legitimate credentials
- Costly: procedures, training, management, log reviews, audits, assessments
- Vulnerable: just ask for the password...
(Photo: Red Tiger Security)

Historian Replication
- TX agent is a conventional historian client: it requests a copy of new data as it arrives in the historian
- RX agent is a conventional historian collector: it drops new data into the replica as it arrives from TX
- TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
- Complete replica: tracks all changes, new tags and alerts in the replica
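The replication pattern on this slide, as an added example that is not Waterfall's code: a TX agent polls a source historian like any client would, emits what it finds as frames over a link that only ever carries data TX to RX, and an RX agent writes the frames into a replica like any collector would. The slide does not describe the transfer format, so the frame layout (sequence number, length, body, CRC32, and deliberately no address fields), the JSON record shape and the tag names are all assumptions of this example; the sequence-number gap detection shows the one thing a receiver can still do about loss when it has no way to ask for a retransmit.

```python
"""Added example (not Waterfall's code): one-way historian replication over a
point-to-point link. Frame layout, record format and tag names are constructed."""
import json
import struct
import zlib


class Historian:
    """Stand-in for a process historian: tag name -> append-only list of (timestamp, value)."""

    def __init__(self):
        self.tags = {}

    def write(self, tag, ts, value):
        self.tags.setdefault(tag, []).append((ts, value))


def pack_frame(seq, body):
    """Assumed frame layout: seq(4) | length(4) | body | crc32(4).
    There is no source or destination field: on a point-to-point link the
    frame needs no address of any kind, so nothing in it is routable."""
    header = struct.pack("!II", seq, len(body))
    return header + body + struct.pack("!I", zlib.crc32(header + body))


def unpack_frame(frame):
    """Return (seq, body); raise ValueError if the frame is truncated or corrupt."""
    if len(frame) < 12:
        raise ValueError("truncated frame")
    seq, length = struct.unpack("!II", frame[:8])
    if len(frame) != 12 + length:
        raise ValueError("length mismatch")
    body = frame[8:8 + length]
    (crc,) = struct.unpack("!I", frame[8 + length:])
    if zlib.crc32(frame[:8 + length]) != crc:
        raise ValueError("CRC mismatch")
    return seq, body


class TxAgent:
    """Protected-network side: an ordinary historian client that polls the source
    for samples it has not yet sent and emits them as one-way frames."""

    def __init__(self, source):
        self.source = source
        self.seq = 0
        self.sent = {}  # tag -> number of samples already replicated

    def poll(self):
        frames = []
        for tag, samples in self.source.tags.items():
            if tag not in self.sent:
                # Tag the replica has never seen: send its metadata before any samples.
                frames.append(self._frame({"kind": "tag", "tag": tag}))
            for ts, value in samples[self.sent.get(tag, 0):]:
                frames.append(self._frame({"kind": "sample", "tag": tag, "ts": ts, "value": value}))
            self.sent[tag] = len(samples)
        return frames

    def _frame(self, record):
        self.seq += 1
        return pack_frame(self.seq, json.dumps(record).encode())


class RxAgent:
    """External-network side: an ordinary historian collector. It cannot ask TX
    to resend anything, so its only defence against loss is to notice the gap."""

    def __init__(self, replica):
        self.replica = replica
        self.expected_seq = 1
        self.gaps = []      # (first_missing_seq, last_missing_seq) ranges
        self.corrupt = 0

    def receive(self, frame):
        try:
            seq, body = unpack_frame(frame)
        except ValueError:
            self.corrupt += 1
            return
        if seq > self.expected_seq:
            self.gaps.append((self.expected_seq, seq - 1))
        self.expected_seq = seq + 1
        record = json.loads(body)
        if record["kind"] == "tag":
            self.replica.tags.setdefault(record["tag"], [])
        elif record["kind"] == "sample":
            self.replica.write(record["tag"], record["ts"], record["value"])


def demo(drop=frozenset()):
    """Replicate constructed data through two poll cycles; `drop` holds sequence
    numbers the link loses. Returns (replica tags, detected gaps, last TX seq)."""
    source, replica = Historian(), Historian()
    tx, rx = TxAgent(source), RxAgent(replica)

    def cycle():
        for frame in tx.poll():          # frames only ever travel TX -> RX
            seq, _ = unpack_frame(frame)
            if seq not in drop:
                rx.receive(frame)

    for i in range(3):                   # constructed sample data
        source.write("GEN1.MW", 1000 + i, 120.0 + i)
    source.write("GEN1.HZ", 1000, 60.0)
    cycle()
    source.write("GEN1.MW", 1003, 123.0)  # new sample and a new tag since the last poll
    source.write("GEN1.KV", 1003, 13.8)
    cycle()
    return replica.tags, rx.gaps, tx.seq


if __name__ == "__main__":
    print(demo(drop={3}))
```

The second poll cycle sends only the samples and tags that appeared since the first, which is the "tracks all changes, new tags" behaviour the slide describes. Calling `demo(drop={3})` shows the failure mode that matters for a one-way link: the replica is missing one sample and RX records the gap (3, 3) so that an operator or a periodic re-send can deal with it, because an acknowledgement is impossible by construction.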

Unidirectional Communications in the Smart Grid
- Conventional generators: business network interface
- Nuclear generators: safety, control and business network interfaces
- Transmission and distribution systems: business network interface
- Smart meters: back office data flow controls

CIP-002 R3: Critical Cyber Assets
- CIP-002 R3: "Critical Cyber Assets are further qualified to be those having at least one of the following characteristics: R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or, R3.2. The Cyber Asset uses a routable protocol within a control center; or, R3.3. The Cyber Asset is dial-up accessible."
- CIP R1-R4 apply only to the highest-risk Critical Cyber Assets
- Routable and dial-up communications are higher risk than non-routable communications
- CIP was written before unidirectional communications were in widespread use

CIP-002 R3: Control Centers
- Control Center: "A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations."
- Not all control systems, even those using routable protocols internally, are Bulk Electric System Control Centers

CIP-002 R3: Routable Protocols
- Routable Protocol: "Routable protocols use addresses and require those addresses to have at least two parts: a network address and a device address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks."
- Ethernet frames stay within the local network: hardware device (MAC) addresses are meaningless outside the local network
- Internet Protocol (IP) packets are contained inside Ethernet frames in local networks, and inside other kinds of encapsulation in wide area networks
- Internet addresses are recognized throughout the WAN
(Figure: Internet Protocol packet inside an Ethernet frame)

CAN-0024: Stand-Alone Devices
- Stand-alone data diode appliances (network in, network out) look from the outside like firewall appliances
- CAN-0024: "If the stand-alone data diode device has one or more IP addresses, it is using a routable protocol for communication. No IP addresses generally mean the equipment is not using routable protocols for communication."
- Conclusion: Routable Communications

Unidirectional Gateways: Pairs of Stand-Alone Devices
- Dual-ported agent hosts use IP within the protected and external networks
- But: gateway appliances have no IP addresses and no IP stack
- Copper connections use raw Ethernet frames with a custom protocol: no IP payload, no embedded network addresses
- The fiber connection through the ESP uses a proprietary point-to-point data transfer format
- Conclusion: Non-Routable Communications
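The distinction the last three slides turn on (MAC addresses that only mean something on the local segment versus IP addresses that let a packet be forwarded between networks, and CAN-0024's "does the device have IP addresses" test) can be checked mechanically on captured traffic. The following is an added example, not Waterfall's or NERC's code: it parses Ethernet II frames, reports network-layer addresses only when the payload is IPv4 or IPv6, and classifies a device as routable if any frame it emits carries such addresses. The sample frames are constructed, and the 0x88B5 EtherType (IEEE's local experimental value) stands in for a vendor's undisclosed raw-Ethernet transfer format; the IPv4 header checksum is left at zero and not validated.

```python
"""Added example (not Waterfall's or NERC's code): decide from captured Ethernet
frames whether a device is using a routable protocol. Sample frames are constructed."""
import struct
from ipaddress import IPv4Address, IPv6Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LOCAL_EXPERIMENTAL = 0x88B5  # IEEE local-experimental value; stands in for a raw-Ethernet diode format


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return link-layer addresses and, only if the payload is IP, network-layer addresses.
    MAC addresses identify a device on the local segment; a network address is what
    lets a packet be forwarded to another network, which is the CIP-002 R3 concern."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    net = None
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        net = (str(IPv4Address(payload[12:16])), str(IPv4Address(payload[16:20])))
    elif ethertype == ETHERTYPE_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        net = (str(IPv6Address(payload[8:24])), str(IPv6Address(payload[24:40])))
    return {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "ethertype": ethertype, "network_addresses": net}


def is_routable(frame):
    """A frame is routable in the CIP-002 sense when it carries network-layer addresses."""
    return parse_frame(frame)["network_addresses"] is not None


def classify_device(frames):
    """CAN-0024 style determination for one device: any frame carrying network
    addresses means the device is using a routable protocol."""
    return "routable" if any(is_routable(f) for f in frames) else "non-routable"


# Constructed frame builders and sample frames (not captured from real equipment).
TX_MAC = bytes.fromhex("020000000001")
RX_MAC = bytes.fromhex("020000000002")


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II + minimal IPv4 header (UDP, checksum left zero; not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def ipv6_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II + IPv6 header with Next Header 59 (no next header)."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                     IPv6Address(src_ip).packed, IPv6Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip + payload


def raw_frame(src_mac, dst_mac, payload):
    """Raw Ethernet frame with a non-IP EtherType: MAC addresses only, nothing to route on."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_LOCAL_EXPERIMENTAL) + payload


# Agent host talking IP inside its own network (routable by definition).
HISTORIAN_QUERY = ipv4_frame(TX_MAC, RX_MAC, "10.1.1.5", "10.1.1.20", b"query")
# Appliance-to-host copper link carrying a custom format with no IP payload.
DIODE_FRAME = raw_frame(TX_MAC, RX_MAC, b"\x00\x01chunk of replicated data")


if __name__ == "__main__":
    for name, frame in (("historian query", HISTORIAN_QUERY), ("diode frame", DIODE_FRAME)):
        print(name, parse_frame(frame), "routable" if is_routable(frame) else "non-routable")
```

Run against a capture from each interface of a gateway pair, the classifier gives the split the slide describes: the agent hosts' network-facing ports are routable, while the appliance links carry only MAC-addressed frames. Note that the check is per interface, not per device, which is why the embedded-NIC case on the next slide is harder to pin down.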

Embedded Network Interface Cards: Unclear
- CAN-0024: "Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement."
- Contradicts CIP-002 R3: embedded NICs are treated as not routable, even if they have IP addresses and use the routable IP protocol
- Expect some confusion regarding embedded NICs

NERC-CIP V5 Draft: Routable Communications
- Low / Medium / High Impact Cyber Assets are not determined by dial-up or routable communications
- Distribution Providers are now covered by the standard
- External Connectivity = routable or dial-up communications through an Electronic Security Perimeter
- CIP-005 V5 Draft requirements apply only to Electronic Access Points and remote access systems with routable or dial-up connectivity
- Some requirements for Medium Impact Cyber Assets apply only to assets associated with External Connectivity
- Fewer training, documentation and testing requirements if unidirectional, non-routable communications result in the elimination of Electronic Access Points

Reduced Security Costs
- Eligible sites: reduced CCA documentation and other costs
- Most sites: 12-24 months cost recovery
- Reduced firewall management costs
- Reduced DMZ equipment management costs
- Reduced audit and compliance documentation costs
- Reduced remote access training costs
- Reduced remote access management costs
- 20% of NERC-CIP V3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.

Strong Security
- Gateway hardware is gate-array programmed: no CPUs, no software, no way for a vulnerability to give an adversary control of the hardware
- Entire gateway solution assessed by Idaho National Labs: no back channels, no side channels, no way back into the protected network
- Protection from even advanced, targeted threats and their Remote Administration Tools
- More secure than firewalls and serial connections
- Two appliances (TX/RX) means no shared grounds, no shared power, and no other shared components which could mask back-channels

Waterfall Unidirectional Gateway Connectors
- Leading Industrial Applications/Historians: OSIsoft PI, Scientech R*Time, InStep eDNA; GE: iHistorian, iFIX, OSM; Siemens: WinCC, SINAUT/Spectrum; Emerson Ovation, Matrikon Alert Manager; Microsoft SQL Server, Wonderware Historian
- Leading IT Monitoring Applications: Log Transfer, SNMP, SYSLOG; CA Unicenter, CA SIM, HP OpenView; Nitro SIEM
- File/Folder Mirroring: folder and tree mirroring, remote folders (CIFS); FTP/TFTP/SFTP/FTPS/RCP
- Leading Industrial Protocols: Modbus, OPC (DA, HDA, A&E); DNP3, ICCP
- Remote Access: Remote Screen View; Secure Manual Uplink
- Other connectors: UDP, TCP/IP; NTP, Multicast Ethernet; video/audio stream transfer; mail server/mailbox replication; IBM WebSphere MQ Series; antivirus updater, patch (WSUS) updater; remote print server

Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors
- Focused exclusively on industrial markets and industrial server replication
- World's largest suite of industrial replication solutions, patent protected
- Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed already
- Pike Research: Waterfall is a key player in the cyber security market
- Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
- Market leader for server replication in industrial environments

Unidirectional Security Gateways
- CAN-0024 guidance identifies Unidirectional Gateways as non-routable
- Unidirectional Gateways reduce the cost of security programs: less complex configuration than firewalls; lower maintenance costs, less configuration, less to get wrong; lower audit costs: less documentation, no remote access, fewer logs
- Unidirectional Gateways are strong security: absolute protection from external network attacks; stronger than firewalls, stronger than serial connections; protects against errors and omissions; eliminates remote-control attacks
- CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies