NERC-CIP CAN-0024: Securing Critical Cyber Assets with Data Diodes
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Proprietary Information -- Copyright 2012 by Waterfall Security Solutions Ltd.
Unidirectional Security Gateways
- Laser in TX, photocell in RX, fibre-optic cable between them: data can be sent out, but nothing can get back in to the protected network
- TX uses two-way protocols to gather data from the protected network
- RX uses two-way protocols to publish data to the external network
- Server replication, not protocol emulation
Firewalls Are Not Enough
- Only essential connections are allowed, but: you trust the users; should you trust their workstations? Their cell phones?
- Firewalls are software: even firewalls have vulnerabilities and zero days
- Errors and omissions in rules and configuration
- Insider attack from the business network with legitimate credentials
- Costly: procedures, training, management, log reviews, audits, assessments
- Vulnerable: just ask for the password...
(Photo: Red Tiger Security)
Historian Replication
- TX agent is a conventional historian client: it requests a copy of new data as it arrives in the historian
- RX agent is a conventional historian collector: it drops new data into the replica as it arrives from TX
- TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
- Complete replica: tracks all changes, new tags and alerts in the replica
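As an added example (not Waterfall code, and not the gateway's actual transfer format), the replication flow on this slide and the TX/RX split on the "Unidirectional Security Gateways" slide can be modelled in Python: the TX agent polls a source historian with ordinary two-way access, pushes each new record into a channel that carries data one way only, and the RX agent writes what it receives into the replica. Because nothing can travel from RX back to TX, the RX side can neither acknowledge nor request a retransmit; the example therefore numbers records so the replica can at least detect a gap. The `Historian`, `OneWayLink`, `TxAgent` and `RxAgent` classes, the JSON record layout, the loss model and the sample tag names are all assumptions made for the illustration.

```python
"""Historian replication over a one-way link, with gap detection.

Added example, not Waterfall code: the record format, class names and the
loss model are assumptions made for the illustration.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Historian:
    """Minimal historian: an append-only list of tag updates."""
    rows: list = field(default_factory=list)

    def append(self, tag: str, ts: int, value: float) -> None:
        self.rows.append({"tag": tag, "ts": ts, "value": value})

    def since(self, index: int) -> list:
        """Two-way client access, used by the TX agent inside the protected network."""
        return self.rows[index:]


class OneWayLink:
    """Models the TX -> RX fibre: bytes go in one end, out the other, never back.

    `drop` lists the indices of frames lost in transit. TX never learns of the
    loss because there is no return path for an ACK or NAK.
    """

    def __init__(self, drop=()):
        self._frames = []
        self._drop = set(drop)
        self._sent = 0

    def send(self, frame: bytes) -> None:
        if self._sent not in self._drop:
            self._frames.append(frame)
        self._sent += 1

    def receive_all(self) -> list:
        out, self._frames = self._frames, []
        return out


class TxAgent:
    """Conventional historian client: polls the source, pushes new rows into the link."""

    def __init__(self, source: Historian, link: OneWayLink):
        self.source, self.link = source, link
        self.cursor = 0   # how many source rows have already been sent
        self.seq = 0      # sequence number stamped on each outgoing record

    def poll(self) -> None:
        for row in self.source.since(self.cursor):
            self.link.send(json.dumps({"seq": self.seq, **row}).encode())
            self.seq += 1
        self.cursor = len(self.source.rows)


class RxAgent:
    """Conventional historian collector: writes what arrives into the replica.

    It cannot ask for retransmission, so the best it can do is record gaps.
    """

    def __init__(self, replica: Historian, link: OneWayLink):
        self.replica, self.link = replica, link
        self.expected = 0
        self.gaps = []    # (first missing seq, last missing seq) pairs

    def drain(self) -> None:
        for frame in self.link.receive_all():
            msg = json.loads(frame)
            if msg["seq"] != self.expected:
                self.gaps.append((self.expected, msg["seq"] - 1))
            self.replica.append(msg["tag"], msg["ts"], msg["value"])
            self.expected = msg["seq"] + 1


def run_replication(drop=()):
    """Constructed scenario: three tag updates across two polling cycles."""
    source, replica = Historian(), Historian()
    link = OneWayLink(drop=drop)
    tx, rx = TxAgent(source, link), RxAgent(replica, link)
    source.append("T101.PV", 1, 71.5)      # constructed tag names and values
    source.append("P201.PV", 2, 3.2)
    tx.poll()
    rx.drain()
    source.append("T101.PV", 3, 72.0)
    tx.poll()
    rx.drain()
    return source.rows, replica.rows, rx.gaps


if __name__ == "__main__":
    src, rep, gaps = run_replication()
    print("lossless run: replica complete =", rep == src, "gaps =", gaps)
    src, rep, gaps = run_replication(drop=(1,))
    print("frame 1 lost:", len(rep), "of", len(src), "rows replicated; gaps =", gaps)
```

The gap list is the key design consequence of a one-way link: any reliability has to be engineered on the sending side (redundant transmission, periodic full resynchronisation of the replica) rather than through acknowledgements, because the receiver has no way to ask for anything.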
Unidirectional Communications in the Smart Grid
- Conventional generators: business network interface
- Nuclear generators: safety, control and business network interfaces
- Transmission and distribution systems: business network interface
- Smart meters: back-office data flow controls
CIP-002 R3: Critical Cyber Assets
CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
- CIP R1-R4 apply only to these highest-risk Critical Cyber Assets
- Routable and dial-up communications are treated as higher risk than non-routable communications
- CIP was written before unidirectional communications were in widespread use
CIP-002 R3: Control Centers
Control Center: A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations.
- Not all control systems, even those using routable protocols internally, are Bulk Electric System Control Centers
CIP-002 R3: Routable Protocols
Routable Protocol: Routable protocols use addresses and require those addresses to have at least two parts: a network address and a device address. Routable protocols allow devices to communicate between two different networks by forwarding packets between the two networks.
- Ethernet frames stay within the local network: hardware device (MAC) addresses are meaningless outside the local network
- Internet Protocol (IP) packets are carried inside Ethernet frames in local networks, and inside other kinds of encapsulation in wide area networks
- Internet addresses are recognized throughout the WAN
(Diagram: Internet Protocol packet inside an Ethernet frame)
CAN-0024: Stand-Alone Devices
- Stand-alone data diode appliances: network in, network out; from the outside they look like firewall appliances
- CAN-0024: If the stand-alone data diode device has one or more IP addresses, it is using a routable protocol for communication. No IP addresses generally mean the equipment is not using routable protocols for communication.
(Diagram: Routable Communications)
Unidirectional Gateways: Pairs of Stand-Alone Devices
- Dual-ported agent hosts use IP within the protected and external networks
- But: the gateway appliances themselves have no IP addresses and no IP stack
- Copper connections between agent hosts and appliances use raw Ethernet frames with a custom protocol: no IP payload, no embedded network addresses
- The fiber connection through the ESP uses a proprietary point-to-point data transfer format
(Diagram: Non-Routable Communications)
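The distinction drawn across the last three slides (MAC addresses mean nothing beyond the local segment; an IP address has a network part and a device part and is forwarded between networks; a device with IP addresses is, per CAN-0024, using a routable protocol) can be checked on the wire. The following added example is not Waterfall code and says nothing about the real appliance's frame format: it parses an Ethernet frame, marks it routable when it carries IPv4 or IPv6, splits a routable address into its network and device parts, and applies the CAN-0024 criterion to a set of frames observed from one device. The EtherType 0x88B5 used for the constructed non-IP frames is an IEEE local-experimental value chosen as an assumption, and the helper names, sample MACs and addresses are likewise constructed.

```python
"""Classify captured Ethernet frames as routable or non-routable.

Added example, not Waterfall code. "Routable" in the CIP-002 R3 sense means the
frame carries a network-layer address with a network part and a device part,
i.e. an IP packet; any other EtherType is confined to the local segment.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
# Assumption: a raw-Ethernet transfer protocol using an IEEE local-experimental
# EtherType. Such frames carry no network-layer addresses at all.
ETHERTYPE_CUSTOM = 0x88B5


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if an IP packet is inside, its addresses."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src),
            "ethertype": etype, "routable": False}
    if etype == ETHERTYPE_IPV4:
        if len(frame) < 34 or frame[14] >> 4 != 4:
            raise ValueError("truncated or malformed IPv4 header")
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
        info["routable"] = True
    elif etype == ETHERTYPE_IPV6:
        if len(frame) < 54 or frame[14] >> 4 != 6:
            raise ValueError("truncated or malformed IPv6 header")
        info["src_ip"] = str(ipaddress.IPv6Address(frame[22:38]))
        info["dst_ip"] = str(ipaddress.IPv6Address(frame[38:54]))
        info["routable"] = True
    # Anything else (ARP, the custom protocol, ...) only has MAC addresses,
    # which no router will forward beyond the local network.
    return info


def split_address(ip: str, prefix_len: int) -> tuple:
    """Return (network part, device part) of a routable address."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    device = int(ipaddress.ip_address(ip)) - int(net.network_address)
    return str(net), device


def device_uses_routable_protocol(frames) -> bool:
    """CAN-0024 criterion: a device speaks a routable protocol if any frame it sends carries IP."""
    return any(parse_frame(f)["routable"] for f in frames)


def build_ipv4_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                     payload: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (protocol 253 = experimental) in Ethernet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, 253, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def build_custom_frame(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Constructed sample: raw Ethernet frame carrying no network-layer addresses."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_CUSTOM) + payload


# Constructed, locally administered MACs for the illustration.
AGENT_MAC = bytes.fromhex("020000000001")
APPLIANCE_MAC = bytes.fromhex("020000000002")

if __name__ == "__main__":
    ip_frame = build_ipv4_frame(AGENT_MAC, APPLIANCE_MAC, "10.1.2.3", "10.1.2.4", b"data")
    raw_frame = build_custom_frame(AGENT_MAC, APPLIANCE_MAC, b"historian rows")
    for f in (ip_frame, raw_frame):
        print(parse_frame(f))
    print("10.1.2.3/24 splits into", split_address("10.1.2.3", 24))
    print("device routable?", device_uses_routable_protocol([raw_frame, raw_frame]))
```

Run against a capture taken on the copper segment between an agent host and an appliance, this is the check an auditor would want: if every frame the appliance emits comes back `routable: False`, the appliance has no network-plus-device address to forward and the slide's "no IP addresses, no IP stack" claim holds for that segment.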
Embedded Network Interface Cards: Unclear
CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement.
- This appears to contradict CIP-002 R3: the guidance treats embedded NICs as non-routable even when the host Cyber Asset has IP addresses and uses the routable IP protocol
- Expect some confusion regarding embedded NICs
NERC CIP Version 5 Draft: Routable Communications
- Low / Medium / High Impact Cyber Assets are no longer determined by dial-up or routable communications
- Distribution Providers are now covered by the standard
- External Connectivity = routable or dial-up communications through an Electronic Security Perimeter
- CIP-005 Version 5 draft requirements apply only to Electronic Access Points and remote access systems with routable or dial-up connectivity
- Some requirements for Medium Impact Cyber Assets apply only to assets associated with External Connectivity
- Fewer training, documentation and testing requirements if unidirectional, non-routable communications eliminate the Electronic Access Points
Reduced Security Costs
- Eligible sites: reduced CCA documentation and other costs
- Most sites: 12-24 months cost recovery
- Reduced firewall management costs
- Reduced DMZ equipment management costs
- Reduced audit and compliance documentation costs
- Reduced remote access training costs
- Reduced remote access management costs
- 20% of NERC CIP Version 3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.
Strong Security
- Gateway hardware is gate-array programmed: no CPUs, no software, no way for a software vulnerability to give an adversary control of the hardware
- Entire gateway solution assessed by Idaho National Laboratory: no back channels, no side channels, no way back into the protected network
- Protection from even advanced, targeted threats and their Remote Administration Tools
- More secure than firewalls and serial connections
- Two separate appliances (TX/RX) means no shared ground, no shared power supply, and no other shared components which could mask a back-channel
Waterfall Unidirectional Gateway Connectors
Leading Industrial Applications/Historians:
- OSIsoft PI, Scientech R*Time, InStep eDNA
- GE: iHistorian, iFIX, OSM
- Siemens: WinCC, SINAUT/Spectrum
- Emerson Ovation, Matrikon Alert Manager
- Microsoft SQL Server, Wonderware Historian
Leading IT Monitoring Applications:
- Log Transfer, SNMP, SYSLOG
- CA Unicenter, CA SIM, HP OpenView
- Nitro SIEM
File/Folder Mirroring:
- Folder, tree mirroring, remote folders (CIFS)
- FTP/TFTP/SFTP/FTPS/RCP
Leading Industrial Protocols:
- Modbus, OPC (DA, HDA, A&E)
- DNP3, ICCP
Remote Access:
- Remote Screen View
- Secure Manual Uplink
Other connectors:
- UDP, TCP/IP
- NTP, Multicast Ethernet
- Video/Audio stream transfer
- Mail server/mailbox replication
- IBM WebSphere MQ series
- Antivirus updater, patch (WSUS) updater
- Remote print server
Waterfall Security Solutions
- Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors
- Focused exclusively on industrial markets and industrial server replication
- World's largest suite of industrial replication solutions, patent protected
- Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed already
- Pike Research: Waterfall is a key player in the cyber security market
- Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
- Market leader for server replication in industrial environments
Unidirectional Security Gateways (summary)
- CAN-0024 guidance identifies Unidirectional Gateways as non-routable
- Unidirectional Gateways reduce the cost of security programs:
  - Less complex configuration than firewalls
  - Lower maintenance costs: less configuration, less to get wrong
  - Lower audit costs: less documentation, no remote access, fewer logs
- Unidirectional Gateways are strong security:
  - Absolute protection from external network attacks
  - Stronger than firewalls, stronger than serial connections
  - Protects against errors and omissions
  - Eliminates remote-control attacks
- CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies