Waterfall WECC DEWG-d13

Transcription

Securing ICCP Connections with Unidirectional Security Gateways
Andrew Ginter, VP Industrial Security
Copyright © 2016 Waterfall Security Solutions Ltd. All rights reserved.
Unidirectional Security Gateways – Eg: Database Replication
 Hardware-enforced unidirectional server replication
 Replica server contains all data and functionality of the original
 Corporate workstations communicate only with the replica server
 Industrial network and critical assets are physically inaccessible from the corporate
network, so no online attack from that side can reach them
Absolute protection from network attacks originating on external networks. The
protection is against attacks that arrive over the network; attacks that bypass the
perimeter (removable media, untrusted laptops, rogue cabling or wireless) are scored
separately in the perimeter attack tree later in this deck, where they remain
straightforward for both designs.
The Problem With Firewalls
Attack Type (difficulty rated for a Unidirectional Gateway (UGW) and for a firewall, on
a scale of Impossible / Routine / Easy):
1) Phishing / drive-by-download – victim pulls your attack through the firewall
2) Social engineering – steal a password / keystroke logger / shoulder surf
3) Compromise domain controller – create ICS host or firewall account
4) Attack exposed servers – SQL injection / DoS / buffer overflow
5) Attack exposed clients – compromised web servers / file servers / buffer overflows
6) Session hijacking – man-in-the-middle / steal HTTP cookies / command injection
7) Piggy-back on VPN – split tunneling / malware propagation
8) Firewall vulnerabilities – bugs / zero-days / default passwords / design vulnerabilities
9) Errors and omissions – bad firewall rules/configs / IT reaches through firewalls
10) Forge an IP address – firewall rules are IP-based
Photo: Red Tiger Security
Firewalls are routers – they forward messages into protected networks
Family of Unidirectional Security Technologies
 Unidirectional Security Gateway – absolute protection
 FLIP – Unidirectional Gateway reverses on a schedule
 Inbound / Outbound – two Unidirectional Gateways
replicating servers independently
 Application Data Control – software add-on for
fine-grained policy-based inspection and control of
application data flows
 Secure Bypass – for emergency access to
unidirectionally-protected networks
All stronger than firewalls
Inbound / Outbound ICCP Replication – Eg: Balancing Auth
 BA sends ICCP setpoints to partner utilities every 2 seconds + polls utilities for
ICCP data every 2 seconds
 Independent channels – not cmd/response
 Each channel replicates ICCP servers
 Unidirectional communications are not External Routable Connectivity (ERC), so the
ERC-conditional requirements, including network intrusion detection, do not apply
NERC CIP is the bare minimum protections
that both large and small utilities must deploy
The most important networks demand additional
protections
Two Independent ICCP Replications
 No ICCP packets are forwarded – protocol-level attacks terminate in the Agent Hosts
 Attacks on the outbound channel cannot affect the protected network
 Attacks on the inbound channel require three compromised machines and two pivots; the
last two compromises are “flying blind”, with no return channel to the attacker
 Firewalls in contrast – a single hop for attacks
Stronger than firewalls
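The hop-count and “flying blind” claims above, as a worked model. This is example code added to the transcription, not Waterfall software or anything from the deck; the host names (partner_iccp, in_tx, in_rx, out_tx, out_rx, iccp_server) and the link layout are constructed to stand for the roles the slide describes. A link tagged "tcp" is an ordinary bidirectional session over which attack traffic and responses can travel either way; a link tagged "oneway" is a hardware-enforced replication that carries data only from source to destination and never returns anything.

```python
"""Attack-path model for firewall vs. Inbound/Outbound Unidirectional Gateway perimeters.

Added example (not from the deck). Hosts and links are constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str, str]  # (initiator, responder, "tcp" | "oneway")

# Firewall design: the firewall is a router, so it forwards the partner's
# ICCP session straight to the protected ICCP server (one hop).
FIREWALL_LINKS: List[Link] = [
    ("partner_iccp", "iccp_server", "tcp"),
]

# Outbound-only design (pure monitoring): one unidirectional replication
# from the protected network to a replica the partner polls.
OUTBOUND_ONLY_LINKS: List[Link] = [
    ("out_tx", "iccp_server", "tcp"),   # TX agent polls the protected server
    ("out_tx", "out_rx", "oneway"),     # hardware one-way link
    ("partner_iccp", "out_rx", "tcp"),  # partner polls the outbound replica
]

# Inbound/Outbound design: the outbound pair plus an independent inbound
# pair that replicates the partner's ICCP server into the protected network.
INBOUND_OUTBOUND_LINKS: List[Link] = OUTBOUND_ONLY_LINKS + [
    ("in_tx", "partner_iccp", "tcp"),   # inbound TX agent polls the partner
    ("in_tx", "in_rx", "oneway"),       # hardware one-way link
    ("iccp_server", "in_rx", "tcp"),    # protected side reads the inbound replica
]


def attack_graph(links: List[Link]) -> Dict[str, Set[str]]:
    """Directed graph of where attack traffic can be delivered from each host."""
    adj: Dict[str, Set[str]] = {}
    for a, b, kind in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set())
        if kind == "tcp":            # a session carries exploit data both ways
            adj[b].add(a)
    return adj


def feedback_reach(links: List[Link], origin: str) -> Set[str]:
    """Hosts whose responses can get back to the attacker's origin.

    Only bidirectional sessions carry feedback; a one-way link carries the
    replicated application data and nothing else, so it is ignored here.
    """
    adj: Dict[str, Set[str]] = {}
    for a, b, kind in links:
        if kind == "tcp":
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, stack = {origin}, [origin]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def shortest_attack_path(links: List[Link], origin: str, target: str) -> Optional[List[str]]:
    """Breadth-first search over the attack graph; None if target is unreachable."""
    adj = attack_graph(links)
    prev: Dict[str, Optional[str]] = {origin: None}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def assess(links: List[Link], origin: str = "partner_iccp", target: str = "iccp_server") -> dict:
    """Machines to compromise, pivots needed, and which steps run without feedback."""
    path = shortest_attack_path(links, origin, target)
    if path is None:
        return {"reachable": False}
    compromised = path[1:]               # the origin is already the attacker's
    visible = feedback_reach(links, origin)
    return {
        "reachable": True,
        "path": path,
        "compromised": len(compromised),
        "pivots": len(compromised) - 1,
        "blind": [h for h in compromised if h not in visible],
    }


if __name__ == "__main__":
    for name, links in [("firewall", FIREWALL_LINKS),
                        ("outbound only", OUTBOUND_ONLY_LINKS),
                        ("inbound/outbound", INBOUND_OUTBOUND_LINKS)]:
        print(f"{name:17s} {assess(links)}")
```

Run as a script it prints one assessment per design: the firewall path is a single compromised machine with feedback; the outbound-only design leaves the protected ICCP server unreachable; the inbound/outbound design needs three compromised machines (in_tx, in_rx, iccp_server), two pivots, and the last two of those compromises get no feedback because the only route back to the attacker's side is the hardware one-way link. The model deliberately treats the outbound replication as carrying only ICCP data, which is the assumption behind the slide's “flying blind”.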
Inbound / Outbound Gateways at Balancing Authority
Perimeter Security Attack Tree
Each attack is scored for a Unidirectional Gateway (UGW) perimeter and for a firewall
perimeter: 4 = Impossible, 3 = Extremely Difficult, 2 = Difficult, 1 = Straightforward
(the slide labels the scale “Attack Success Rate”; a higher score means harder for the
attacker).

UGW  Firewall  Attack
 4      2      1) Phishing / drive-by-download – victim pulls your attack through firewall
 4      1      2) Social engineering – steal a password / keystroke logger / shoulder surf
 4      2      3) Compromise domain controller – create ICS host or firewall account
 3      2      4) Attack exposed servers – SQL injection / DoS / buffer overflow
 4      2      5) Attack exposed clients – compromised web servers / file servers / buffer overflows
 3      2      6) Session hijacking – man-in-the-middle / steal HTTP cookies / command injection
 4      2      7) Piggy-back on VPN – split tunneling / malware propagation
 3      2      8) Firewall vulnerabilities – bugs / zero-days / default passwords / design vulnerabilities
 3      2      9) Errors and omissions – bad firewall rules/configs / IT reaches through firewalls
 4      2     10) Forge an IP address – firewall rules are IP-based
 1      1     11) Bypass network perimeter – cabling / rogue wireless / dial-up
 3      2     12) Physical access to firewall – local admin / no password / modify hardware
 1      1     13) Sneakernet – removable media / untrusted laptops
41     23     Total Score
Remote Screen View – For High-Risk Vendor Connections
 Vendors can see control system screens in web browser
 Remote support is under control of on-site personnel
 Any changes to software or devices are carried out by on-site personnel,
supervised by vendor personnel who can see site screens in real-time
 Vendors supervise site personnel
 Site people supervise the vendors
Each perspective is
legitimate, both needs are met
NERC CIP V5 & V6 - Unidirectional Gateways “Designed In”
 CIP V5 encourages the use of Unidirectional Security Gateways
 External Routable Connectivity: The ability to access a BES Cyber System that is
accessible from a Cyber Asset that is outside of its associated Electronic Security Perimeter via
a bi-directional routable protocol connection.
 37 of 128 Medium-Impact requirements do not apply if the only communication
through the ESP is unidirectional (no ERC)
 These are legitimate exemptions, reflecting strong, physical protection
“When you are considering security for your
control networks, keep in mind innovative
technologies such as unidirectional gateways”
Tim Roxey, NERC CSSO
NERC CIP Auditors Agree
 Q: Is External Routable Connectivity possible through Unidirectional Gateways?
 “No”
 “[if an] entity claimed uni-directional communications (therefore out-of-scope for
ERC), … auditors would … seek evidence that supports … that claim”
 “A Unidirectional Gateway configured to allow outbound traffic from the ESP but not
allow inbound traffic to enter the ESP would effectively eliminate External Routable
Connectivity”
 Q: Is Remote Screen View Interactive Remote Access?
 “No”
 “[With RSV] … the user-initiated process to push screen snapshots through the ESP
is originating from within the ESP. By definition, that does not constitute IRA.”
NERC CIP High-Impact and Medium-Impact Exemptions

Standard  Title                                 Rules
CIP-002   BES Cyber System Categorization           7
CIP-003   Security Management Controls              4
CIP-004   Personnel & Training                     19
CIP-005   Electronic Security Perimeters            8
CIP-006   Physical Security                        14
CIP-007   Systems Security Management              20
CIP-008   Incident Reporting & Resp. Planning       9
CIP-009   Recovery Plans                           10
CIP-010   Change Mgmt & Vuln Assessments           10
CIP-011   Information Protection                    4
CIP-014   Substations                              23
Totals:                                           128

The per-standard exemption columns were flattened in transcription. The four
non-zero Medium-Impact exemption entries are 15, 6, 11 and 5 (total 37 of 128 rules);
the single non-zero High-Impact exemption entry is 5 (total 5).
Protecting Power Generation
 Continuous monitoring of critical systems
 Remote control from generating
dispatch centers
 Safe cloud/services supply chain
integration
Replacing at least one layer
of firewalls with unidirectional
protections breaks the chain
of infection / pivoting attacks
from the Internet
Segmenting Generating Units
 V5 transition guidance: segmentation makes Medium Impact plants Low Impact
 Strong security: breaks one large target
into many smaller ones
 Using firewalls for segmentation introduces
compliance risk: FERC is considering
a request for interpretation
 The smallest mistake in firewall
configuration can breach segmentation
Unidirectional gateways reduce
compliance costs and compliance risks
Enabling Turbine Monitoring and Diagnostics
 Replicate turbine monitoring data sources to the vendor’s central site
 No changes needed at the central vendor site
 When an adjustment is needed, the vendor schedules a Remote Screen View (RSV) appointment
 Remote Screen View: “can look, but can’t touch”
 CIP-certified site personnel make adjustments – vendor advises / supervises
Protecting Substations & Relays
 Unidirectional Gateways protect the protective relays
to prevent equipment damage
 FLIP option permits scheduled password changes
 Inbound / outbound protects entire substation – pure monitoring,
or monitor and control
 Protect SCADA system – from substations and WAN
Stronger than firewalls – raises bar to the
point where active assistance by insider is
needed for effective compromise
Standards - NIST 800-82 Rev 2
 Unidirectional Gateways are “… used in guaranteeing information security or
protection of critical digital systems, such as industrial control systems, from
inbound cyber attacks.”
 Security priorities: “ICS cybersecurity programs should always be part of broader
ICS safety and reliability programs at both industrial sites and enterprise
cybersecurity programs, because cybersecurity is essential to the safe and
reliable operation of modern industrial processes.”
Cyber threats to reliability include
equipment damage due to cyber-sabotage
Standards: ANSSI Cybersecurity for Control Systems
 Three classes of networks:
 Class 1 “expendable”: IT-style protection
 Class 2 “important”: recommends unidirectional
communications, strongly discourages remote access
 Class 3 “very important”: forbids firewalls, forbids remote
access, permits only unidirectional communications
Which of our ICS networks is
important?
 NERC CIP exempts unidirectionally-protected sites from 30% of requirements
 DHS recommends unidirectional gateways in three of seven steps to secure control
systems
 NIST – gateways are used in guaranteeing protection of critical systems
(NIST 800-82 Rev 2)
 ANSSI Cybersecurity for ICS – many requirements for hardware-enforced
unidirectionality
 ENISA – unidirectional gateways provide better protection than firewalls
 Unidirectional gateways limit the propagation of malicious code
(ISA SP-99-3-3 / IEC 62443-3-3)
Waterfall Security Solutions
 Headquarters in Israel, sales and operations office in the USA
 Deployed world-wide in all critical infrastructure sectors
Waterfall is a remote access thought leader for high-security applications
Waterfall delivers an innovative solution for securing OT infrastructures
against ever-increasing cyber-threats
IT and OT security architects should
consider Waterfall for OT networks
 Strategic partnerships with Schneider Electric, GE,
Westinghouse, Siemens, OSIsoft, and many others
Market leader for Unidirectional Gateways
Reduce Costs and Risks With Unidirectional Security Gateways
 Security risks: absolute protection of safety and reliability of control system
assets, from network attacks originating on external networks
 Operating costs: reduce firewall operating costs
 Compliance costs: relief from 37 Medium/ERC, 5 High/ERC rules
 Compliance costs: unidirectionally segmented plants are Low Impact
 Compliance risk: No fumble-fingered firewall
can impair protection – server replication is
intrinsic to Unidirectional Gateways
Which of our networks deserve stronger
protection than firewalls can provide?