
Page 1: Cyber Security Summit – Milano, IT · 2017-01-23

Proprietary Information -- Copyright © 2015 by Waterfall Security Solutions

UNIDIRECTIONAL SECURITY GATEWAYS™

Cyber Security Summit – Milano, IT

Michael A. Piccalo, CISSP

Director of Industrial Security

Waterfall Security Solutions

Advanced Threats Require Advanced Defenses

Page 2

Unidirectional Security Gateways

[Diagram: Industrial Network | Waterfall TX Server and Waterfall TX Module → Waterfall RX Module and Waterfall RX Server | Corporate Network]

● Software and hardware-based security solution

● TX uses 2-way protocols to gather data from protected network

● RX uses 2-way protocols to publish data to external network

● Laser in TX, photocell in RX, fiber optic cable – defined data goes out, but nothing can get back into the protected network

Page 3

Where Does This Fit?

[Diagram: Industrial Network (OT) | Corporate Network (IT)]

● Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between IT and OT networks

● Firewalls are software-based solutions and thus are vulnerable to cyber attacks and to compromise

Page 4

Where Does This Fit?

● Unidirectional Security Gateways generally replace ICS firewalls that provide the ingress/egress point between the IT and OT networks

● Eliminates all inbound access from external networks, providing absolute protection against online attacks from external networks, which is where the vast majority of cyber attacks come from

[Diagram: Industrial Network (OT) | Waterfall TX Server and Waterfall TX Module → Waterfall RX Module and Waterfall RX Server | Corporate Network (IT)]

Page 5

Why Are We Doing All This Security?

In a nutshell, our security technology and practices are no longer effective against the sophisticated threat landscape today

● Attacks against our critical control systems are becoming increasingly more common and more targeted

[Chart; source: Cisco Systems]

Changes are needed in order to keep up with the evolving threats

Page 6

How Secure are Firewalls Really?

[Photo: Red Tiger Security]

[Table: Attack Type | UGW (unidirectional gateway) | FW (firewall); attack success rate rated Impossible / Routine / Easy. The per-attack ratings were graphical and are not in the transcript; the attack types are:]

1) Phishing / drive-by-download – victim pulls your attack through firewall

2) Social engineering – steal a password / keystroke logger / shoulder surf

3) Compromise domain controller – create ICS host or firewall account

4) Attack exposed servers – SQL injection / DOS / buffer-overflows

5) Attack exposed clients – compromised web svrs/ file svrs / buffer overflows

6) Session hijacking – MIM / steal HTTP cookies / command injection

7) Piggy-back on VPN – split tunneling / malware propagation

8) Firewall vulnerabilities – bugs / zero-days / default passwd/ design vulns

9) Errors and omissions – bad FW rules/configs / IT reaches through FWs

10) Forge an IP address – firewall rules are IP-based

Firewalls have been with us for almost 30 years now. Good guys and bad guys both know how to defeat them.

Page 7

Common Attack Pattern – Persistent, Targeted Attacks

● Use “spear phishing” to punch through corporate firewalls

● Use custom malware to evade anti-virus

● Operate malware by interactive remote control

● Steal administrator passwords / password hashes

● Create new administrator accounts on domain controller

● Use new accounts to log in – no need to “break in” any more –defeats software update programs

Bypasses standard IT security controls, including firewalls, encryption, AV, and security updates

Page 8

Unidirectional Historian Replication

[Diagram: Industrial Network (OT): PLCs, RTUs, Historian Servers with Waterfall TX agents, Waterfall TX Module → Waterfall RX Module, Waterfall RX agents, Replica Servers, Workstations on the Corporate Network (IT)]

Secure Integration of Historian Data

● Hardware-enforced unidirectional server replication

● Replica server contains all data and functionality of original

● Corporate workstations communicate only with replica server

● Industrial network and critical assets are physically inaccessible from corporate network and secure from external online attacks

Page 9

Waterfall FLIP™

● Unidirectional Gateway whose direction can be reversed

○ File transfers, AV signatures, security updates, system updates, etc.

○ Useful in remote unstaffed sites like substations, pumping stations, etc.

● Triggered on-demand or on a pre-defined schedule

● Still unidirectional

○ Prevents interactive remote control – it cannot “flip” fast enough to permit Remote Desktop or interactive SSH sessions

FLIP: Stronger than firewalls; stronger than removable media

● No protocol-level attacks pass through

○ No fuzzing attacks or buffer overflows

○ All communication sessions terminate in agent hosts

Page 10

Waterfall Unidirectional Gateway Connectors

World’s largest collection of COTS industrial server replications

Leading Industrial Applications/Historians

● Schneider ClearSCADA, Instep eDNA

● OSIsoft PI, PI AF, GE iHistorian, GE iFIX

● Scientech R*Time, GE OSM, Bently-Nevada

● Siemens: WinCC/SINAUT/Spectrum

● Emerson Ovation, Wonderware Historian

● SQL Server, Oracle, MySQL, Postgres, SAP

● AspenTech IP21, Matrikon Alert Manager

Leading IT Monitoring Applications

● Log Transfer, SNMP, SYSLOG

● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli

● HP ArcSight SIEM, McAfee ESM SIEM

File/Folder Mirroring

● Folder, tree mirroring, remote folders (CIFS)

● FTP/TFTP/SFTP/FTPS/RCP

Leading Industrial Protocols

● OPC: DA, HDA, A&E, UA

● DNP3, ICCP, Modbus

● GENA, IEC 60870-5-104, IEC 61850

Remote Access

● Remote Screen View™

● Secure Bypass

Other connectors

● UDP, TCP/IP

● NTP, Multicast Ethernet

● Video/Audio stream transfer

● Mail server/mail box replication

● IBM MQ series, Microsoft MSMQ

● Antivirus / Patch (WSUS) updaters

● Remote print server

Page 11

Best Practices Continue to Evolve

Unidirectional gateways defeat targeted attacks, insider attacks, and malware propagation

Page 12

Flexible Solutions

● Secure Bypass

● Inbound / Outbound Gateways

● FLIP

● Unidirectional Security Gateways

● Application Data Control (ADC)

● Remote Screen View (RSV)

Page 13

Which Networks are Expendable?

● Attacks only become more sophisticated over time

● Modern attacks routinely defeat firewalls and security software

● As malware evolves, best practices evolve – hardware-enforced Unidirectional Security Gateways are stronger than firewalls

● Absolute protection from external network attacks

So, which of your networks are expendable enough to protect with software alone?

Page 14

Waterfall Security Solutions

● Headquarters in Israel with sales and operations office in the US

● Hundreds of global deployments in all critical infrastructure sectors

● Strategic partnership agreements and cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors

● Industry leaders with analyst recognition:

2012, 2013, and 2014 Best Practice Awards for Industrial Network Security and Oil & Gas Security practices

“IT and OT security architects should consider Waterfall for their Operations networks.”

“Waterfall solutions deliver an innovative, well thought-out fast-track solution for quickly securing OT infrastructures against ever-changing cyber-threats.”

Page 15

Contact Info…

Michael A. Piccalo, CISSP

Email: [email protected]

Phone: 1-832-707-4080

Web: www.waterfall-security.com

Page 16

Data Integrity

● High quality optical hardware

● Forward error correcting codes

● Able to send every message multiple times – duplicates discarded

● Sequence numbers, heartbeats – prompt error detection

● Throughput tuning

● Buffers at every stage of transmission

● Backfill: manual retransmission

● High availability – no single point of failure impairs data movement

● Automatic, periodic backfill

In practice, less than 5% of users purchase high-availability
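The data-integrity mechanisms listed on this slide only make sense together once you see what the receiving side has to do without a return channel. The following Python is an added illustration written for this page, not Waterfall's own code: it models a receiver on a one-way link that discards the redundant copies of each message, uses sequence numbers to detect gaps promptly, uses heartbeats to detect link loss, and shows a periodic backfill pass closing a gap. The `Frame`/`Receiver` types, the constructed loss pattern in `simulate`, and the timing values are all assumptions of the example.

```python
# Added illustration, not Waterfall code: receiver-side logic for a one-way link
# using the mechanisms listed above: redundant copies with duplicate discard,
# sequence numbers for gap detection, heartbeats, and periodic backfill.
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Frame:
    seq: int                  # per-stream sequence number (unused for heartbeats)
    payload: Optional[bytes]  # None marks a heartbeat frame
    sent_at: float            # TX-side timestamp in seconds

@dataclass
class Receiver:
    heartbeat_timeout: float = 3.0
    expected: int = 0                              # lowest seq not yet delivered
    delivered: dict = field(default_factory=dict)  # seq -> payload
    last_seen: float = 0.0                         # newest TX timestamp observed
    dups: int = 0                                  # redundant copies discarded
    def accept(self, f: Frame) -> bool:
        """Return True only when the frame carried new data."""
        self.last_seen = max(self.last_seen, f.sent_at)
        if f.payload is None:
            return False                           # heartbeat only refreshes liveness
        if f.seq in self.delivered:
            self.dups += 1                         # repeated copy: discard it
            return False
        self.delivered[f.seq] = f.payload
        while self.expected in self.delivered:     # advance the in-order cursor
            self.expected += 1
        return True
    def gaps(self) -> list:
        """Sequence numbers the receiver knows are missing (prompt error detection)."""
        top = max(self.delivered, default=-1)
        return [s for s in range(self.expected, top) if s not in self.delivered]
    def link_down(self, now: float) -> bool:
        """True when no frame (data or heartbeat) arrived within the timeout."""
        return now - self.last_seen > self.heartbeat_timeout

def simulate(drop: set, copies: int = 2, n: int = 10):
    """Constructed scenario: TX sends seq 0..n-1, each `copies` times, plus a heartbeat
    per batch; (seq, copy) pairs in `drop` are lost; then one backfill re-sends all."""
    rx = Receiver()
    for seq in range(n):
        for c in range(copies):
            if (seq, c) not in drop:
                rx.accept(Frame(seq, b"reading-%d" % seq, float(seq)))
        rx.accept(Frame(0, None, float(seq)))      # heartbeat after the batch
    gaps_before_backfill = rx.gaps()
    for seq in range(n):                           # backfill pass, TX clock = 2n
        rx.accept(Frame(seq, b"reading-%d" % seq, 2.0 * n))
    return rx, gaps_before_backfill
```

With both copies of message 3 dropped, `gaps()` reports `[3]` before the backfill pass and `[]` after it, while a single lost copy of message 5 is absorbed by the redundant send.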