cyber security summit –milano, it · 2017-01-23 · 9) errors and omissions–bad fw...
Proprietary Information -- Copyright © 2015 by Waterfall Security Solutions
UNIDIRECTIONAL SECURITY GATEWAYS™
Cyber Security Summit – Milano, IT
Michael A. Piccalo, CISSP
Director of Industrial Security
Waterfall Security Solutions
Advanced Threats Require Advanced Defenses
Unidirectional Security Gateways
Diagram: Industrial Network → Waterfall TX Server → Waterfall TX Module → Waterfall RX Module → Waterfall RX Server → Corporate Network
● Software and hardware-based security solution
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Laser in TX, photocell in RX, fiber optic cable – defined data goes out, but nothing can get back into the protected network
Industrial Network (OT) Corporate Network (IT)
Where Does This Fit?
● Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between IT and OT networks
● Firewalls are software-based solutions and thus are vulnerable to cyber attacks and to compromise
● Eliminates all inbound access from external networks, providing absolute protection against online attacks from external networks, where the vast majority of cyber attacks come from
Diagram: Industrial Network (OT) → Waterfall TX Server → Waterfall TX Module → Waterfall RX Module → Waterfall RX Server → Corporate Network (IT)
Why Are We Doing All This Security?
In a nutshell, our security technology and practices are no longer effective against the sophisticated threat landscape today
● Attacks against our critical control systems are becoming increasingly common and more targeted
Source: Cisco Systems
Changes are needed in order to keep up with the evolving threats
How Secure are Firewalls Really?
Photo: Red Tiger Security
Attack Success Rate: Impossible / Routine / Easy
Attack Type | UGW | FW
1) Phishing / drive-by-download – victim pulls your attack through firewall
2) Social engineering – steal a password / keystroke logger / shoulder surf
3) Compromise domain controller – create ICS host or firewall account
4) Attack exposed servers – SQL injection / DoS / buffer overflows
5) Attack exposed clients – compromised web svrs / file svrs / buffer overflows
6) Session hijacking – MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN – split tunneling / malware propagation
8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns
9) Errors and omissions – bad FW rules/configs / IT reaches through FWs
10) Forge an IP address – firewall rules are IP-based
Firewalls have been with us for almost 30 years now. Good guys and bad guys both know how to defeat them.
Common Attack Pattern – Persistent, Targeted Attacks
● Use “spear phishing” to punch through corporate firewalls
● Use custom malware to evade anti-virus
● Operate malware by interactive remote control
● Steal administrator passwords / password hashes
● Create new administrator accounts on domain controller
● Use new accounts to log in – no need to “break in” any more – defeats software update programs
Bypasses standard IT security controls to include firewalls, encryption, AV, and security updates
Unidirectional Historian Replication
Diagram: Industrial Network (OT): PLCs, RTUs, Historian Server, Waterfall TX agent → Waterfall TX Module → Waterfall RX Module → Corporate Network (IT): Waterfall RX agent, Replica Server, Workstations
Secure Integration of Historian Data
● Hardware-enforced unidirectional server replication
● Replica server contains all data and functionality of original
● Corporate workstations communicate only with replica server
● Industrial network and critical assets are physically inaccessible from corporate network and secure from external online attacks
Waterfall FLIP™
● Unidirectional Gateway whose direction can be reversed
  ○ File transfers, AV signatures, security updates, system updates, etc.
  ○ Useful in remote unstaffed sites like substations, pumping stations, etc.
● Triggered on-demand or on a pre-defined schedule
● Still unidirectional
  ○ Prevents interactive remote control – it cannot “flip” fast enough to permit Remote Desktop or interactive SSH sessions
FLIP: Stronger than firewalls; stronger than removable media
● No protocol-level attacks pass through
  ○ No fuzzing attacks or buffer overflows
  ○ All communication sessions terminate in agent hosts
Leading Industrial Applications/Historians
● Schneider ClearSCADA, Instep eDNA
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, GE OSM, Bently-Nevada
● Siemens: WinCC/SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQLServer, Oracle, MySQL, Postgres, SAP
● AspenTech IP21, Matrikon Alert Manager
Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
● HP ArcSight SIEM, McAfee ESM SIEM
File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● FTP/FTFP/SFTP/TFPS/RCP
Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus
● GENA, IEC 60870-5-104, IEC 61850
Remote Access
● Remote Screen View™
● Secure Bypass
Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer
● Mail server/mail box replication
● IBM MQ series, Microsoft MSMQ
● Antivirus / Patch (WSUS) updaters
● Remote print server
Waterfall Unidirectional Gateway Connectors
World’s largest collection of COTS industrial server replications
Best Practices Continue to Evolve
Unidirectional gateways defeat targeted attacks, insider attacks, and malware propagation
Flexible Solutions
● Secure Bypass
● Inbound / Outbound Gateways
● FLIP
● Unidirectional Security Gateways
● Application Data Control (ADC)
● Remote Screen View (RSV)
● Attacks only become more sophisticated over time
● Modern attacks routinely defeat firewalls and security software
● As malware evolves, best practices evolve – hardware-enforced Unidirectional Security Gateways are stronger than firewalls
● Absolute protection from external network attacks
Which Networks are Expendable?
So, which of your networks are expendable enough to protect with software alone?
● Headquarters in Israel with sales and operations office in the US
● Hundreds of global deployments in all critical infrastructure sectors
● Industry leaders with analyst recognition:
Waterfall Security Solutions
● Strategic partnership agreements and cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
2012, 2013, and 2014 Best Practice Awards for Industrial Network Security and Oil & Gas Security practices
“IT and OT security architects should consider Waterfall for their Operations networks.”
“Waterfall solutions deliver an innovative, well thought-out fast-track solution for quickly securing OT infrastructures against ever-changing cyber-threats.”
Contact Info…
Michael A. Piccalo, CISSP
Email: [email protected]
Phone: 1-832-707-4080
Web: www.waterfall-security.com
Data Integrity
● High quality optical hardware
● Forward error correcting codes
● Able to send every message multiple times – duplicates discarded
● Sequence numbers, heartbeats – prompt error detection
● Throughput tuning
● Buffers at every stage of transmission
● Backfill: manual retransmission
● High availability – no single point of failure impairs data movement
● Automatic, periodic backfill
In practice, less than 5% of users purchase high-availability
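
The Data Integrity bullets on repeated sends, sequence numbers, heartbeats and backfill, shown as receiver-side logic for a link with no return path, where the receiver cannot request a retransmission and can only detect loss and record it. This is an added example, not Waterfall's implementation; the frame layout, class and function names, and the timeout value are assumptions.

```python
# Added illustration: receiver-side bookkeeping on a one-way link.
# Frame layout, names and timeout are assumptions, not a vendor format.
from dataclasses import dataclass, field

@dataclass
class Frame:
    seq: int               # sender-assigned sequence number
    payload: bytes = b""   # an empty payload marks a heartbeat

@dataclass
class OneWayReceiver:
    heartbeat_timeout: float = 3.0
    next_seq: int = 0                           # lowest sequence number not yet seen
    delivered: list = field(default_factory=list)
    missing: set = field(default_factory=set)   # gaps awaiting backfill
    duplicates: int = 0
    last_heard: float = 0.0

    def receive(self, frame: Frame, now: float) -> None:
        self.last_heard = now
        if frame.seq < self.next_seq and frame.seq not in self.missing:
            self.duplicates += 1                # repeat copy of a handled frame
            return
        if frame.seq >= self.next_seq:
            # Anything skipped was lost in transit; no way to ask for it again.
            self.missing.update(range(self.next_seq, frame.seq))
            self.next_seq = frame.seq + 1
        else:
            self.missing.discard(frame.seq)     # backfilled frame closes a gap
        if frame.payload:
            self.delivered.append((frame.seq, frame.payload))

    def link_silent(self, now: float) -> bool:
        # No frame or heartbeat within the timeout: raise an alarm locally.
        return now - self.last_heard > self.heartbeat_timeout

def run_demo():
    rx = OneWayReceiver()
    # Constructed traffic: the sender transmits every frame twice; only the
    # copies listed here survive. Both copies of seq 2 are lost.
    arrivals = [(0, b"temp=71", 0.0), (0, b"temp=71", 0.1),
                (1, b"temp=72", 1.0),
                (3, b"", 3.0), (3, b"", 3.1),   # heartbeat
                (4, b"temp=75", 4.0)]
    for seq, payload, t in arrivals:
        rx.receive(Frame(seq, payload), now=t)
    gaps_before_backfill = sorted(rx.missing)
    rx.receive(Frame(2, b"temp=73"), now=9.0)   # sender-side backfill run
    return rx, gaps_before_backfill
```
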