
- Proprietary Information -

Waterfall for NRC Compliance with regard to NIST 800.53 and 800.82

Using Waterfall’s Unidirectional Security Solution to Achieve True Security & NRC Compliance

Ver. 1.4 Date: Sep. 2009

The material in this document is proprietary to Waterfall Security Solutions Ltd. No part of this document may be passed to any third party, copied, reproduced or stored on any type of media or otherwise used in any way without the express, prior, written consent of authorized officers and/or executives of Waterfall Security Solutions Ltd.


Page 2 of 40

Abstract

Critical National Infrastructure is under a constant, yet invisible, threat from cyber hacking and cyber terror attempts that are being launched from external networks. These attacks (mainly from the Internet) are targeting industrial Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) networks and lower level Distributed Control Systems (DCS) and Process Control Systems (PCS) networks. In the Nuclear Electricity Utilities’ domain, these critical networks control and operate the very machinery which powers modern day civilization.

Throughout North America, electricity utilities are challenged with the task of complying with the reliability standards mandated by the NRC (Nuclear Regulatory Commission). The NRC standards pertaining to the “protection of digital computer and communication systems and networks” are defined within RG 5.71, which has yet to be finalized. This Regulatory Guide is derived from two documents that have been published by NIST, known as 800.53, “Security Controls for Federal Information Systems and Organizations”, and 800.82, “Guide to Industrial Control Systems (ICS) Security”. NIST 800.53, which provides federal information systems and organizations with a set of controls to be implemented to meet security compliance, follows on from FIPS 200 and FIPS 199, which mandated the security requirements as well as the security categorizations for information systems in federal organizations. NIST 800.82 provides guidance for establishing secure industrial control systems (ICS), and its recommendations are referenced in terms of the controls determined in 800.53 as per the risks associated with ICS systems.

The following whitepaper introduces the reader to the Waterfall One-Way™ unidirectional cyber security solution, and explains its ideal fit for achieving both powerful cyber-security as well as NRC compliance. The whitepaper is built according to the template of controls found in NIST 800.53 and the recommendations of NIST 800.82 and relates specifically to those controls and recommendations which are relevant to the Waterfall One-Way™ unidirectional cyber security solution.


Table of Contents

Abstract .............................................................................................................................. 2

About Waterfall Security Solutions ..................................................................................... 6

(www.waterfall-security.com): ........................................................................................... 6

Waterfall One-Way™ for NRC Compliance and NIST 800.53 and NIST 800.82 Adherence 7

Introducing Waterfall One-Way™ ..................................................................................... 10

Waterfall One-Way™ Customer Benefits ......................................................................................... 11

Annex ................................................................................................................................ 12

Waterfall One-Way™ for NRC Compliance – Network Architecture samples ....................................... 12

Waterfall One-Way™ Defining High Assurance with Adequate Protection .......................................... 12

Transporting Files using the Waterfall File Transfer Enabler (WF-FTE) ................................................ 13

Historian Replication using the Waterfall SCADA Monitoring Enabler (WF-SME) ................................. 14

Industrial Protocol Gateway using the Waterfall WF-SME ................................................................. 14

Waterfall One-Way™ Response to relevant NRC and NIST Compliance Requirements ......................... 16

Access Control (AC) ........................................................................................................................ 16

NIST 800.82.............................................................................................................. 16

AC-3 ACCESS ENFORCEMENT (NIST 800.53) ................................................ 17

AC-4 INFORMATION FLOW ENFORCEMENT (NIST 800.53) ........................... 17

AC-6 LEAST PRIVILEGE (NIST 800.53) ............................................................... 17

AC-17 REMOTE ACCESS (NIST 800.53) ............................................................ 18

NIST 800.82.............................................................................................................. 18

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS (NIST 800.53) ................ 19

Audit and Accountability (AU) ........................................................................................................ 19

AU-9 PROTECTION OF AUDIT INFORMATION (NIST 800.53) ............................ 19

Security Assessment and Authorization (CA) .................................................................................... 20

CA-3 INFORMATION SYSTEM CONNECTIONS (NIST 800.53) ........................ 20

Configuration Management (CM) ................................................................................................... 20

CM-5 ACCESS RESTRICTIONS FOR CHANGE (NIST 800.53) .............................. 20

CM-7 LEAST FUNCTIONALITY (NIST 800.53) ....................................................... 21


Contingency Planning (CP) ............................................................................................................. 21

NIST 800.82 .............................................................................................................. 21

CP-9 INFORMATION SYSTEM BACKUP (NIST 800.53) ................................... 21

NIST 800.82.............................................................................................................. 22

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (NIST 800.53) .......................................................................... 23

Media Protection (MP)................................................................................................................... 23

MP-2 MEDIA ACCESS (NIST 800.53) .................................................................... 23

Physical and Environmental Protection (PE) ..................................................................................... 23

PE-19 INFORMATION LEAKAGE (NIST 800.53) ...................................................... 23

System and Services Acquisition (SA) ............................................................................................... 24

SA-13 TRUSTWORTHINESS (NIST 800.53) ........................................................... 24

System and Communications Protection (SC) ................................................................................... 24

SC-2 APPLICATION PARTITIONING (NIST 800.53) .............................................. 24

NIST 800.82.............................................................................................................. 24

SC-3 SECURITY FUNCTION ISOLATION (NIST 800.53) .................................. 25

SC-4 INFORMATION IN SHARED RESOURCES (NIST 800.53) ......................... 26

SC-5 DENIAL OF SERVICE PROTECTION (NIST 800.53) ................................ 26

SC-7 BOUNDARY PROTECTION (NIST 800.53) .................................................... 26

NIST 800.82.............................................................................................................. 27

SC-8 TRANSMISSION INTEGRITY (NIST 800.53) ............................................ 28

NIST 800.82.............................................................................................................. 28

SC-9 TRANSMISSION CONFIDENTIALITY (NIST 800.53) ............................... 29

SC-11 TRUSTED PATH (NIST 800.53) .................................................................... 30

SC-23 SESSION AUTHENTICITY (NIST 800.53) ................................................. 30

SC-25 THIN NODES (NIST 800.53) ......................................................................... 30

SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS (NIST 800.53) ..... 31

SC-28 PROTECTION OF INFORMATION AT REST (NIST 800.53) .................... 31

SC-30 VIRTUALIZATION TECHNIQUES (NIST 800.53) ........................................... 31

SC-32 INFORMATION SYSTEM PARTITIONING (NIST 800.53) ........................ 32

SC-33 TRANSMISSION PREPARATION INTEGRITY (NIST 800.53) .................... 32

SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS (NIST 800.53) .................. 32


System and Information Integrity (SI) .............................................................................................. 33

SI-3 MALICIOUS CODE PROTECTION (NIST 800.53)........................................... 33

SI-9 INFORMATION INPUT RESTRICTIONS (NIST 800.53) .................................. 34

Controls: Supported but not implemented by Waterfall One-Way™ ................................................... 35

AC-7 UNSUCCESSFUL LOGIN ATTEMPTS .......................................................... 35

AC-8 SYSTEM USE NOTIFICATION ...................................................................... 35

AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION ........................................... 36

AC-11 SESSION LOCK ........................................................................................... 36

AC-16 SECURITY ATTRIBUTES............................................................................. 36

AU-8 TIME STAMPS ............................................................................................... 36

AU-10 NON-REPUDIATION .................................................................................... 36

AU-12 AUDIT GENERATION .................................................................................. 36

AU-14 SESSION AUDIT .......................................................................................... 37

CM-3 CONFIGURATION CHANGE CONTROL ...................................................... 37

CM-6 CONFIGURATION SETTINGS ...................................................................... 37

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION ...................................... 37

SI-4 INFORMATION SYSTEM MONITORING ........................................................ 38

SI-8 SPAM PROTECTION ...................................................................................... 38

Table of compliance by Waterfall One Way™ ................................................................................... 39


About Waterfall Security Solutions (www.waterfall-security.com)

Waterfall Security Solutions Ltd. is the leading provider of secure unidirectional connectivity for Process Control systems, Industrial Networks, SCADA systems, Remote Monitoring and Segregated Networks. Waterfall’s products have been deployed in many critical national infrastructures, homeland security agencies and mission critical organizations in North America, Europe and Israel, and include security solutions for leading industrial applications such as Historian systems and Remote Monitoring platforms as well as leading industrial protocols such as OPC, Modbus, DNP3 and ICCP.


Waterfall One-Way™ for NRC Compliance and NIST 800.53 and NIST 800.82 Adherence

NRC RG 5.71, currently in its Draft Final Rule, spells out the requirements for a cyber security plan to be submitted by the licensees for the NRC’s review and approval. The licensee is required to “provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in Title 10 of the Code of Federal regulations (10CFR) Part73, Section 73.1.”

The provisions in RG 5.71 require protection of all critical systems and networks and require the licensee to implement controls that will defend these systems against any cyber attack that would adversely affect the availability, integrity and confidentiality of the critical system’s assets and data. The protection of critical assets and data is to be achieved through the “implementation of state-of-the-art defense-in-depth protective strategies” (RG 5.71 c (2)), whose aim is “to ensure that the functions or tasks required to be performed by the critical assets … are maintained and carried out” (RG 5.71 c (4)) and “to prevent adverse effects from cyber attacks” (RG 5.71 c (3)). The controls referred to in NIST 800.53, and the recommendations relevant to those controls found in NIST 800.82, are defined in terms of three distinct classes: management, operational and technical. Each class is further divided into families of controls as per the table below.

TABLE 1-1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS

IDENTIFIER   FAMILY                                   CLASS
AC           Access Control                           Technical
AT           Awareness and Training                   Operational
AU           Audit and Accountability                 Technical
CA           Security Assessment and Authorization    Management
CM           Configuration Management                 Operational
CP           Contingency Planning                     Operational
IA           Identification and Authentication        Technical
IR           Incident Response                        Operational
MA           Maintenance                              Operational
MP           Media Protection                         Operational
PE           Physical and Environmental Protection    Operational
PL           Planning                                 Management
PS           Personnel Security                       Operational
RA           Risk Assessment                          Management
SA           System and Services Acquisition          Management
SC           System and Communications Protection     Technical
SI           System and Information Integrity         Operational
PM           Program Management                       Management


The controls selected are a function of the mitigation they offer to the risk associated with the specific categorization of the information system and the level of impact in the event of its compromise. Of particular interest to the Waterfall One-Way™ unidirectional cyber security solution are the families of controls specifically related to Access, Protection and Integrity (AC, AU, CA, CM, CP, MP, PE, SA, SI and SC). Each of the specific controls within these families will be discussed further.

NIST 800.82 Section 5, “Network Architecture”, describes a number of possibilities for separating the ICS network from the corporate network. This section clearly demonstrates that the connection between the two networks is a “significant security risk”. Section 5 continues by stating, “If the networks must be connected, it is strongly recommended that only minimal (single if possible) connections be allowed and that the connection is through a firewall and a DMZ.” The network-segregated architectures, including the most sophisticated, which is termed “Firewall with DMZ between Corporate Network and Control Network”, are inherently vulnerable given that “in this type of architecture … if a computer in the DMZ is compromised, then it can be used to launch an attack against the control network via application traffic permitted from the DMZ to the control network. This risk can be greatly reduced if a concerted effort is made to harden and actively patch the servers in the DMZ and if the firewall rules set permits only connections between the control network and DMZ that are initiated by control network devices. Other concerns with this architecture are the added complexity and the potential increased cost of firewalls with several ports. For more critical systems, however, the improved security should more than offset these disadvantages.”

While traditional (i.e. software-based) IT security products or systems (firewalls, intrusion detection systems, anti-malware etc.) can be used, they are vulnerable to the same risks and dangers targeting the CCAs themselves: firewalls can be hacked, IPSs and IDSs must be patched and updated, zero-day exploits are a permanent risk, and configuration is tiresome and prone to mistakes. When seeking an NRC solution, one that indeed achieves compliance while realizing the true spirit of high assurance and defense in depth, it is evident that traditional, software-based protection solutions are not enough. This is especially true when considering the immense implications of a successful cyber-attack on a major nuclear electricity utility.

Waterfall One-Way™ is a consolidated hardware and software security solution that provides the most powerful defense of the critical network. Affording an unparalleled level of protection to all Critical Digital Assets residing within critical infrastructure network perimeter(s), Waterfall One-Way™ provides a solid foundation for the NRC compliance framework. It addresses the NRC compliance framework requirements by supplying a true level of security at all layers of the networks’ communications protocols, enforcing the controls in accordance with NIST 800.53 requirements and NIST 800.82 recommendations, and by providing robust and truly unidirectional communication to devices outside the critical network. In addition, successful implementation of NERC CIP-007, detailing the required Systems Security Management within the electronic security perimeter and at its access points, is much easier, more cost effective and immediate to achieve with Waterfall One-Way™ integrated into the critical infrastructure’s cyber security framework. In fact, Waterfall One-Way™ potentially eliminates access points and supporting critical cyber assets.

The importance of the reliability of the bulk electric system to our modern way of life is central and undisputed. The imminent dangers of cyber terror and cyber hacking activities are clear and publicly known. Waterfall Security Solutions supplies a win-win solution which not only provides a unique and robust foundation for NRC compliance, but true and unparalleled security against all external cyber threats.
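The firewall-rule point in the NIST 800.82 passage quoted above (only sessions initiated from the control network may cross the DMZ boundary) is concrete enough to model. The following Python is an added example, not code from the whitepaper or from Waterfall: a small connection-tracking filter replays the same constructed traffic through a rule set that lets either side open a session and through one that lets only control-network hosts open a session. All addresses, ports and packets are constructed for illustration.

```python
"""Stateful filter model for the NIST SP 800-82 'firewall with DMZ' advice.

Added example (not from the whitepaper or Waterfall): the two rule sets differ
only in who may *open* a session between the DMZ and the control network.
Addresses, ports and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONTROL_NET = ip_network("10.10.0.0/24")    # constructed control-network range
DMZ_NET = ip_network("192.168.50.0/24")     # constructed DMZ range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for the segment that opens a connection


class StatefulFilter:
    """Connection-tracking filter between the DMZ and the control network.

    initiator_net=None  -> either side may open a session (weak rule set)
    initiator_net=<net> -> only hosts in <net> may open a session; packets
                           belonging to a tracked session pass in both directions
    """

    def __init__(self, initiator_net=None):
        self.initiator_net = initiator_net
        self.flows = set()   # 4-tuples of sessions that were allowed to open

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"                  # established session, either direction
        if not pkt.syn:
            return "DROP"                    # untracked and not a session opening
        if self.initiator_net is not None and ip_address(pkt.src) not in self.initiator_net:
            return "DROP"                    # opening attempt from the wrong side
        self.flows.add(fwd)
        return "ACCEPT"


def run_scenario():
    """Replays the same constructed traffic through both rule sets."""
    rule_sets = {
        "weak": StatefulFilter(initiator_net=None),
        "hardened": StatefulFilter(initiator_net=CONTROL_NET),
    }
    # constructed traffic: DMZ host 192.168.50.10, control-network host 10.10.0.5
    dmz_opens = Packet("192.168.50.10", "10.10.0.5", 40000, 443, syn=True)
    dmz_stray = Packet("192.168.50.10", "10.10.0.5", 40001, 443)           # no SYN, no state
    control_opens = Packet("10.10.0.5", "192.168.50.10", 50000, 443, syn=True)
    dmz_reply = Packet("192.168.50.10", "10.10.0.5", 443, 50000)          # reply in that session
    results = {}
    for name, fw in rule_sets.items():
        results[name] = {
            "dmz_opens": fw.filter(dmz_opens),
            "dmz_stray": fw.filter(dmz_stray),
            "control_opens": fw.filter(control_opens),
            "dmz_reply": fw.filter(dmz_reply),
        }
    return results


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

Note what the hardened rule set still permits: once a control-network host has opened a session to the DMZ, reply traffic from the DMZ flows back through that established session. That is the “application traffic permitted from the DMZ” the NIST text warns about, and the filter itself remains software that has to be correct and patched; this residual path is what the paper's argument for a hardware-enforced unidirectional link rests on.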


Introducing Waterfall One-Way™

Waterfall’s hardware based unidirectional core is shared by all of its products and solutions. The core is coupled with software agents that mediate its integration into the surrounding environments, while providing added functionalities and flexibility. The basic Waterfall architecture is as follows:

Figure 1 – Basic Waterfall One-Way™ Architecture

The basic components are:

• A Waterfall Tx Software Agent, residing on a host which is part of the sending network. The agent interacts with applications (e.g. OSIsoft PI™, GE Proficy™) and protocols (e.g. OPC, Modbus, DNP3) on the network, receives the relevant information and mediates the connection of the Waterfall One-Way™ with the sending network. Designated data is passed, in real-time, from the Tx software agent to the Waterfall Tx appliance.

• An appliance pair comprised of:

  o A Waterfall Tx Appliance, transmitting information from the Tx software agent via a single fiber optic cable to the Waterfall Rx Appliance.

  o A Waterfall Rx Appliance, receiving information from the Waterfall Tx appliance and transmitting it to the Waterfall Rx software agent, residing on a host which is part of the receiving network.

• A Waterfall Rx Software Agent, residing on a host which is part of the receiving network. The agent receives data from the Waterfall Rx appliance, mediates the connection of the Waterfall One-Way™ with the receiving network and interacts as required with applications and nodes on the receiving network, passing the designated data into the receiving network.

Waterfall One-Way™ Customer Benefits

The unique Waterfall architecture and its attributes provide two basic benefits for all Waterfall One-Way™ installations and deployments:

• Complete protection against external cyber attacks – hacking sessions are an interactive process in which a hacker initiates a working session with his target node, elicits a response, and accordingly makes his next move. When trying to hack across a Waterfall One-Way™, the hacker will be unable to initiate a successful session.

• No data backflow – The hardware based appliance core of the Waterfall One-Way™ enforces unidirectional data flow at the physical layer (Layer 1 of the OSI model), which in turn ensures unidirectional communication will be totally preserved at all higher layers of the protocol stack, regardless of the communication protocol chosen and the applications being used. Thus, regardless of networks and applications used, there will be no data backflow across a Waterfall One-Way™.

Waterfall One-Way™ provides customers with the most powerful electronic security perimeter available, enforced by hardware, software and the very basic laws of physics. This unique technology and architecture helps ensure that compliance with NRC and NIST requirements is fully reached, while providing true cyber-security to all critical assets and cyber assets residing within the Waterfall defined electronic security perimeter.

As an added benefit, Waterfall installations provide a hassle-free and zero-maintenance implementation of an electronic security perimeter, requiring a one-time configuration with no need for follow-up configurations, patches or updates. Thus overhead and related investments are minimized.

Only Waterfall can provide full visibility into the critical infrastructure networks running the bulk electric system, while still fully segregating them from any externally generated activities, in essence effectively air-gapping them to achieve unprecedented protection and security.


Annex

Waterfall One-Way™ for NRC Compliance – Network Architecture samples

Below are several examples of network architectures implementing Waterfall One-Way™ to define Critical Digital Asset Protection compliance within NRC and NIST. All are meant to provide a more in-depth technical view into the logic and structure of Waterfall One-Way™ deployment in critical industrial environments.

The basic layout of an NRC, NIST compliant Waterfall deployment is presented, followed by several examples of how this basic architecture is leveraged to provide different solutions and flexible support for applications and protocols.

Waterfall One-Way™ Defining High Assurance with Adequate Protection

The most common NRC, NIST compliant basic architecture is as follows:

Figure 2 – Basic Waterfall One-Way™ NRC, NIST Compliant Architecture

This architecture allows data and information to be exported and transmitted from the security enclave within the Critical network towards all external data consumers, without exposing critical assets and cyber assets to any external dangers. Full visibility to the critical information is afforded to all external users. This basic architecture can be leveraged in several different possible sub-architectures, employing different Waterfall-based solutions which transport different types of data across the Waterfall link, from the industrial control network towards the external networks.

Transporting Files using the Waterfall File Transfer Enabler (WF-FTE)

This is a common Waterfall security solution for transferring files from a security enclave, across the critical network perimeter to external networks. The following diagram shows the general layout involving dedicated file servers (which are not a part of the Waterfall One-Way™):

Figure 3 – Waterfall File Transfer Enabler (WF-FTE)

In this configuration, files are simply being transported from the origin server to the destination server. The Tx file server is completely secured from external attacks, while the files themselves can be further protected by encryption (for example Waterfall’s FTE supports FTP as well as SFTP and TFTP).
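Because the Waterfall link has no return path (the “No data backflow” point above), the receiving side of a file transfer such as the WF-FTE scenario can verify what arrived but can never ask the sender to resend anything. The Python below is an added example, not Waterfall's code and not a description of the WF-FTE internals; it models that constraint with a generic design: each frame carries a sequence number and a hash, a manifest with the frame count and whole-file digest is sent more than once, and the receiver rebuilds the file and reports gaps or corruption to its own side only. The sample file, the frame format and the loss and bit-flip cases are all constructed.

```python
"""Simulated one-way file transfer with sequence numbers and integrity checks.

Added example, not Waterfall's code and not a description of how WF-FTE works
internally. It models the consequence of a link with no return path: the
receiver can verify and report, but never request a retransmission, so the
sender must make every frame self-describing and repeat anything that is
indispensable. The sample file and frame layout are constructed.
"""
import hashlib
import json

CHUNK = 8   # bytes per frame; tiny so the sample file yields several frames


def tx_frames(name, data, manifest_copies=2):
    """Tx side: split `data` into numbered, hashed frames.

    The manifest (frame count + whole-file SHA-256) is sent `manifest_copies`
    times because on a one-way link a lost manifest cannot be asked for again.
    Returns the list of frames (bytes) in transmission order.
    """
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    frames = []
    for seq, chunk in enumerate(chunks):
        frames.append(json.dumps({
            "file": name, "seq": seq,
            "sha256": hashlib.sha256(chunk).hexdigest(),
            "data": chunk.hex(),
        }).encode())
    manifest = json.dumps({
        "file": name, "manifest": True,
        "count": len(chunks), "sha256": hashlib.sha256(data).hexdigest(),
    }).encode()
    return frames + [manifest] * manifest_copies


def rx_reassemble(frames):
    """Rx side: rebuild the file from whatever frames actually arrived.

    Returns (data or None, report). The report names missing and corrupt
    sequence numbers; on a one-way link that report can only go to an
    operator or a log on the receiving side, never back to the sender.
    """
    chunks, corrupt, manifest = {}, [], None
    for raw in frames:
        frame = json.loads(raw)
        if frame.get("manifest"):
            manifest = frame            # duplicate copies are harmless
            continue
        chunk = bytes.fromhex(frame["data"])
        if hashlib.sha256(chunk).hexdigest() != frame["sha256"]:
            corrupt.append(frame["seq"])
            continue
        chunks[frame["seq"]] = chunk
    if manifest is None:
        return None, {"status": "no manifest", "missing": None, "corrupt": corrupt}
    missing = [s for s in range(manifest["count"]) if s not in chunks]
    if missing or corrupt:
        return None, {"status": "incomplete", "missing": missing, "corrupt": corrupt}
    data = b"".join(chunks[s] for s in range(manifest["count"]))
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return None, {"status": "digest mismatch", "missing": [], "corrupt": corrupt}
    return data, {"status": "ok", "missing": [], "corrupt": []}


def corrupt_frame(raw):
    """Simulates a bit error on the fiber: flips the first payload byte of a frame."""
    frame = json.loads(raw)
    payload = bytearray(bytes.fromhex(frame["data"]))
    payload[0] ^= 0xFF
    frame["data"] = payload.hex()
    return json.dumps(frame).encode()


def demo():
    """Runs a clean transfer, one with a lost frame, one with a corrupt frame,
    and one where a manifest copy was lost."""
    data = b"historian export 2009-09 row1;row2"   # constructed sample file
    frames = tx_frames("export.csv", data)
    clean, _ = rx_reassemble(frames)
    _, lost = rx_reassemble(frames[:1] + frames[2:])         # frame seq 1 dropped
    _, bad = rx_reassemble([corrupt_frame(frames[0])] + frames[1:])
    one_manifest, _ = rx_reassemble(frames[:-1])             # one manifest copy lost
    return {"clean": clean == data, "lost": lost, "corrupt": bad,
            "one_manifest": one_manifest == data}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The design choice to notice is the repeated manifest: on a bidirectional link a lost control message is simply re-requested, whereas here anything the receiver cannot do without has to be sent redundantly up front, and a gap report has to be acted on by people on the receiving network (a re-export from the source side) rather than by the protocol itself.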


Historian Replication using the Waterfall SCADA Monitoring Enabler (WF-SME)

In this scenario, an operational Historian is replicated from the secured critical network to a replica Historian residing on the corporate or external network. Waterfall performs this replication by leveraging the Historian’s low level API in order to achieve maximum performance and real-time high throughput. Supported Historians today include the OSIsoft PI™ Historian, GE’s Proficy Historian and others. The basic architecture for a Historian replication would look as follows:

Figure 4 – Basic Historian replication via Waterfall One-Way™

Although all Historian data would be readily available to corporate users, external hackers cannot reach the operational Historian residing within the secure industrial network. Hackers may be able to impact the replica Historian, but the operational processes related to the critical operational Historian will continue unharmed.

Industrial Protocol Gateway using the Waterfall WF-SME

In this architecture, a Waterfall One-Way™ is used as a unidirectional gateway which enables extraction and export of messages, data and information from within industrial networks, carried upon industrial protocols, to external networks. This allows reuse of HMI displays and reporting services, within external or public networks, without the risk of command and control. The following diagram shows a DNP3 unidirectional gateway utilizing the WF-SME for DNP3:


Figure 5 – Waterfall WF-SME as a DNP3 unidirectional protocol Gateway

Waterfall supports additional industrial protocols, such as Modbus, OPC, ICCP and others, and performs custom development of protocol support according to specific customer requirements and requests.


Waterfall One-Way™ Response to relevant NRC and NIST Compliance Requirements

As mentioned earlier in this paper, the Waterfall One-Way™ unidirectional cyber security solution provides specific responses to the control families mentioned in the following sections: Access Control, Audit and Accountability, Configuration Management, Media Protection, System and Information Integrity, System and Services Acquisition, Security Assessment and Authorization, Contingency Planning, Physical and Environmental Protection, System and Communications Protection. (AC, AU, CA, CM, CP, MP, PE, SA, SI and SC). Each of the relevant specific controls within these families as well as relevant recommendations made in NIST 800.82 will be discussed herein together with its corollary Waterfall One-Way™ response.

Please note that the controls can be either directly relevant to Waterfall One-Way™ technology, supported by the technology but not directly linked to it, or totally irrelevant and related to other aspects of security. The following discusses only the directly relevant controls, to which Waterfall One-Way™ technology directly provides an answer.

Access Control (AC)

NIST 800.82 Recommendation: Role based access control can be used to provide a uniform means to manage access to ICS devices while reducing the cost of maintaining individual device access levels and minimizing errors. RBAC should be used to restrict ICS user privileges to only those that are required to perform each person’s job (i.e., configuring each role based on the principle of least privilege).

SCADA and historian software vendors typically provide Web servers as a product option so that users outside the control room can access ICS information. In many cases, software components such as ActiveX controls or Java applets must be installed or downloaded onto each client machine accessing the Web server. Some products, such as PLCs and other control devices, are available with embedded Web, FTP, and e-mail servers to make them easier to configure remotely and allow them to generate e-mail notifications and reports when certain conditions occur. When feasible, use HTTPS rather than HTTP, use SFTP or SCP rather than FTP, block inbound FTP and e-mail traffic, etc.


VLANs have been effectively deployed in ICS networks, with each automation cell assigned to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches [34].

AC-3 ACCESS ENFORCEMENT (NIST 800.53)

Control: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

Waterfall One-Way™ response:

Waterfall technology enforces physical separation between networks; approved authorization for logical access is therefore implemented at the physical layer, and unauthorized personnel are unable to access the logical units at all.

AC-4 INFORMATION FLOW ENFORCEMENT (NIST 800.53)

Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Waterfall One-Way™ response:

Waterfall SME products provide physical segregation between the control network and the corporate network and therefore access to the SCADA and historian servers is not possible from the corporate network in any way. Waterfall simply eliminates this risk elegantly and efficiently.

AC-6 LEAST PRIVILEGE (NIST 800.53)

Control: The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Waterfall One-Way™ response:

As noted under AC-3, the physical network separation between the control network and the corporate network limits access to sensitive control systems to authorized users at the control location only. Waterfall thus enforces access control for authorized people at the highest security level possible: the physical layer.


AC-17 REMOTE ACCESS (NIST 800.53)

Control: The organization: Documents allowed methods of remote access to the information system; Establishes usage restrictions and implementation guidance for each allowed remote access method; Monitors for unauthorized remote access to the information system; Authorizes remote access to the information system prior to connection; and Enforces requirements for remote connections to the information system.

NIST 800.82 Recommendation: Another issue for ICS firewall design is user and/or vendor remote access into the control network. Any users accessing the control network from remote networks should be required to authenticate using an appropriately strong mechanism such as token-based authentication. While it is possible for the controls group to set up their own remote access system with multi-factor authentication on the DMZ, in most organizations it is typically more efficient to use existing systems set up by the IT department. In this case a connection through the firewall from the IT remote access server is needed. Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol, such as running a corporate VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token based multi-factor authentication scheme, in order to connect to the general corporate network. Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token based multi-factor authentication scheme, to gain access to the control network. For organizations that do not allow any control traffic to traverse the corporate network in the clear, this could require a cascading or secondary tunneling solution to gain access to the control network, such as a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) VPN inside an IPsec VPN.

Waterfall One-Way™ response:

In most cases, remote support is provided by sending monitoring information to the vendor or the external entity and receiving orders and guidance by phone. Waterfall (please refer to the SMU application and Waterfall Remote Screen viewing) enables such unidirectional information flow without compromising the control or the corporate network. In addition, if bidirectional communication is unavoidable, Waterfall offers the WF-SMU (Manual Uplink), which allows for controlled bi-directionality and is used in parallel with existing authentication and encryption methods. The WF-SMU prevents human errors and assists in enforcing organizational security policy.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS (NIST 800.53)

Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from the external information systems; and Process, store, and/or transmit organization-controlled information using the external information systems.

Waterfall One-Way™ response:

In most cases, remote support or the use of external services is provided by sending monitoring information to the vendor or external entity and receiving orders and guidance by phone. Waterfall (please refer to the SMU application and Waterfall Remote Screen viewing) enables such unidirectional information flow without compromising the control or the corporate network. In addition, if bidirectional communication is unavoidable, it would be wise to use the WF-SMU on top of all the authentication and encryption methods, to prevent human errors and enforce organizational policy.

In the event that the information feed comes from an external source outside the organization, such as weather forecasts, pollution level data, consumption levels, etc., Waterfall One-Way™ may be installed to enable a unidirectional flow of information inward, ensuring that no online cyber attack is possible and that no data can leak from the organization to the outside world.

Audit and Accountability (AU)

AU-9 PROTECTION OF AUDIT INFORMATION (NIST 800.53)

Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.


Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Related controls: AC-3, AC-6.

Waterfall One-Way™ response:

Protecting confidential and critical information kept for audit purposes (which may disclose vulnerabilities) requires state-of-the-art data protection. By storing this information behind Waterfall, using the DRE (Data Retention Enabler) topology, the confidential information is kept behind a physical barrier and access to the storage media is physically restricted to authorized personnel. Writing to the storage repository is possible through logical access, as with any other logical authentication and access control procedure, but reading, deleting or modifying it is possible only with physical access to the storage media.

Security Assessment and Authorization (CA)

CA-3 INFORMATION SYSTEM CONNECTIONS (NIST 800.53)

Control: The organization: Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

Waterfall One-Way™ response:

All this risk, hassle and paperwork become redundant when utilizing Waterfall, as external connections to the control network are impossible!

Configuration Management (CM)

CM-5 ACCESS RESTRICTIONS FOR CHANGE (NIST 800.53)

Control: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Waterfall One-Way™ response:

After defining and documenting the approvals, the ultimate enforcement of this policy is obtained by Waterfall, as physical separation between the networks is achieved. After installing the Waterfall between the higher-security network and the lower-security network (with regard to level 4 and level 3), it is clear that no access from level 3 users to any equipment residing on level 4 will be possible whatsoever.

CM-7 LEAST FUNCTIONALITY (NIST 800.53)

Control: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

Waterfall One-Way™ response:

Waterfall One-Way™ technology typically replicates online historian and SCADA information from the control network to lower-security-level networks. As a result, all ports and functions that were open to users to receive this information are now blocked by a physical, unbreakable barrier; prohibited or restricted functions, open ports and protocols are no longer a concern, as all these vulnerabilities and weak points are eliminated through the use of Waterfall.

Contingency Planning (CP)

NIST 800.82 Recommendation: Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents. Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cyber security intrusions, and alternatives to achieve necessary interfaces and coordination. Employees should be trained and familiar with the contents of the contingency plans. Contingency plans should be periodically reviewed with employees responsible for restoration of the ICS, and tested to ensure that they continue to meet their objectives. Organizations also have business continuity plans and disaster recovery plans that are closely related to contingency plans. Because business continuity and disaster recovery plans are particularly important for ICS, they are described in more detail in the sections to follow.

CP-9 INFORMATION SYSTEM BACKUP (NIST 800.53)

Control: The organization: Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and Protects the confidentiality and integrity of backup information at the storage location.

NIST 800.82 Recommendation: Redundancy and Fault Tolerance - ICS components or networks that are classified as critical to the organization have high availability requirements. One method of achieving high availability is through the use of redundancy. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or does not cause another problem elsewhere, such as a cascading event. The control system should have the ability to execute an appropriate fail-safe process upon the loss of communications with the ICS or the loss of the ICS itself. The organization should define what "loss of communications" means (e.g., 5 seconds, 5 minutes, etc. without communications). The organization should then, based on potential consequences, define the appropriate fail-safe process for their industry. Backups should be performed using the “backup-in-depth” approach, with layers of backups (e.g., local, facility, disaster) that are time-sequenced such that rapid recent local backups are available for immediate use and secure backups are available to recover from a massive security incident. A mixture of backup/restore approaches and storage methods should be used to ensure that backups are rigorously produced, securely stored, and appropriately accessible for restoration.

Waterfall One-Way™ response:

Waterfall One-Way™ technology, besides its capability to operate in a redundant topology in its own right, gives the organization important tools for safe redundancy by buffering SCADA and historian data in case of a failover. Waterfall provides additional answers to the redundancy and high availability issue because, in most cases, a Waterfall topology calls for an additional historian server or HMI, so system availability is doubled. This means that using a Waterfall system inherently increases control system availability. Furthermore, in some cases availability means keeping a safe copy of the data. With the DRE topology, Waterfall can provide a safe write-only data repository that can be accessed only locally and ensures that the records are untouchable, genuine and available.
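The NIST 800.82 text above leaves two things to the organization: what "loss of communications" means in seconds or minutes, and which fail-safe process follows. The script below is an added illustration of the receiver-side watchdog those decisions imply; it is not Waterfall code. It scans the receive timestamps of a replicated feed (the one-way data flow that, as the SC-5 response later notes, is the only thing a denial of service can interrupt), applies organization-defined escalation tiers, and reports every silence that crossed one, including a silence that is still ongoing. The tier values (5 s alert, 300 s fail-safe) and the timestamps are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Outage:
    last_seen: float              # receive time of the last message before the silence
    gap_s: float                  # length of the silence (so far, if still ongoing)
    tier: str                     # highest escalation tier the silence reached
    restored_at: Optional[float]  # first message after the silence; None if still silent


def escalation(gap_s: float, tiers: dict[str, float]) -> Optional[str]:
    """Name of the highest tier whose threshold gap_s exceeds, or None if within limits."""
    reached = [(limit, name) for name, limit in tiers.items() if gap_s > limit]
    return max(reached)[1] if reached else None


def find_outages(received: Sequence[float], tiers: dict[str, float], now: float) -> list[Outage]:
    """Scan ascending receive timestamps and report every silence that crossed a tier.

    The final check against `now` catches a feed that has gone quiet and not come
    back, which is the case a receiver-side watchdog actually has to act on.
    """
    outages: list[Outage] = []
    if not received:
        return outages               # no reference point: nothing to measure against
    prev = received[0]
    for t in received[1:]:
        if t < prev:
            raise ValueError("timestamps must be ascending")
        tier = escalation(t - prev, tiers)
        if tier is not None:
            outages.append(Outage(prev, t - prev, tier, t))
        prev = t
    tier = escalation(now - prev, tiers)
    if tier is not None:
        outages.append(Outage(prev, now - prev, tier, None))
    return outages


# Organization-defined meaning of "loss of communications" (constructed values):
# a short silence raises an alarm, a long one triggers the fail-safe process.
TIERS = {"alert": 5.0, "failsafe": 300.0}

# Constructed receive times (seconds) of a replicated feed on the corporate side.
SAMPLE_RECEIVED = (
    [float(t) for t in range(0, 11)]       # healthy: one message per second, t = 0..10
    + [float(t) for t in range(400, 411)]  # feed resumes at t = 400 after 390 s of silence
    + [430.0]                              # one message after a 20 s gap, then nothing
)


def demo(now: float = 1000.0) -> list[Outage]:
    """Evaluate the constructed feed as seen at time `now`."""
    return find_outages(SAMPLE_RECEIVED, TIERS, now)


if __name__ == "__main__":
    for o in demo():
        state = "ongoing" if o.restored_at is None else f"restored at t={o.restored_at:g}"
        print(f"silent after t={o.last_seen:g} for {o.gap_s:g}s -> {o.tier} ({state})")
```

Run against the constructed feed, the scan reports the 390 s silence as a fail-safe event, the 20 s gap as an alert only, and the silence since t=430 as an ongoing fail-safe condition; what the fail-safe process does (holding last good values, switching to the replica, alarming operators) remains the organization's decision.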


CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (NIST 800.53)

Control: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Waterfall One-Way™ response:

One of the most common uses of Waterfall technology is to replicate historian servers and deliver SCADA information in a unidirectional fashion. Keeping replica servers enables the organization to effectively prevent disruption and, should one occur, to recover quickly using the replica configuration and data. In addition, keeping configuration templates of all systems, treated as confidential data, behind a Waterfall in the DRE (Data Retention Enabler) topology ensures effective recovery and reconstitution.

Media Protection (MP)

MP-2 MEDIA ACCESS (NIST 800.53)

Control: The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

Waterfall One-Way™ response:

Waterfall technology enforces physical separation between networks. Consequently, the organization restricts access to its digital and control equipment both logically and physically.

Physical and Environmental Protection (PE)

PE-19 INFORMATION LEAKAGE (NIST 800.53)

Control: The organization protects the information system from information leakage due to electromagnetic signal emanations.

Waterfall One-Way™ response:

Waterfall One-Way™ technology is implemented as two separate units (TX and RX) with a single fiber optic cord between them. As a consequence, no electromagnetic emanation is possible between the protected network and the other network.


System and Services Acquisition (SA)

SA-13 TRUSTWORTHINESS (NIST 800.53)

Control: The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].

Waterfall One-Way™ response:

Waterfall One-Way™ technology, especially in its predominant application of segregating the control network by physical means, significantly enhances the trustworthiness level of the information system by dramatically increasing its security level. In addition, a Waterfall One-Way™ topology creates redundant databases, which also contribute significantly to the trustworthiness of the information system.

System and Communications Protection (SC)

SC-2 APPLICATION PARTITIONING (NIST 800.53)

Control: The information system separates user functionality (including user interface services) from information system management functionality.

NIST 800.82 Recommendations:

Domain Name System (DNS): Domain Name System (DNS) is primarily used to translate between domain names and IP addresses. For example, a DNS could map a domain name such as control.com to an IP address such as 192.168.1.1. Most Internet services rely heavily on DNS, but its use on the control network is relatively rare at this time. In most cases there is little reason to allow DNS requests out of the control network to the corporate network and no reason to allow DNS requests into the control network. DNS requests from the control network to DMZ should be addressed on a case-by-case basis. Local DNS or the use of host files is recommended.

Hypertext Transfer Protocol (HTTP): HTTP is the protocol underlying Web browsing services on the Internet. Like DNS, it is critical to most Internet services. It is seeing increasing use on the plant floor as well as an all-purpose query tool. Unfortunately, it has little inherent security, and many HTTP applications have vulnerabilities that can be exploited. HTTP can be a transport mechanism for many manually performed attacks and automated worms. In general, HTTP should not be allowed to cross from the corporate to the control network. If it is, then HTTP proxies should be configured on the firewall to block all inbound scripts and Java applications. Incoming HTTP connections should not be allowed into the control network, as they pose significant security risks. If HTTP services into the control network are absolutely required, it is recommended that the more secure HTTPS be used instead and only to specific devices.

FTP and Trivial File Transfer Protocol (TFTP): FTP and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. They are implemented on almost every platform including many SCADA systems, DCS, PLCs, and RTUs, because they are very well known and use minimum processing power. Unfortunately, neither protocol was created with security in mind; for FTP, the login password is not encrypted, and for TFTP, no login is required at all. Furthermore, some FTP implementations have a history of buffer overflow vulnerabilities. As a result, all TFTP communications should be blocked, while FTP communications should be allowed for outbound sessions only or if secured with additional token-based multi-factor authentication and an encrypted tunnel. More secure protocols, such as Secure FTP (SFTP) or Secure Copy (SCP), should be employed whenever possible.

Telnet: The telnet protocol defines an interactive, text-based communications session between a client and a host. It is mainly used for remote login and simple control services to systems with limited resources or to systems with limited needs for security. It is a severe security risk because all telnet traffic, including passwords, is unencrypted, and it can allow a remote individual considerable control over a device. Inbound telnet sessions from the corporate to the control network should be prohibited unless secured with token-based multi-factor authentication and an encrypted tunnel. Outbound telnet sessions should be allowed only over encrypted tunnels (e.g., VPN) to specific devices.

Simple Mail Transfer Protocol (SMTP): SMTP is the primary e-mail transfer protocol on the Internet. E-mail messages often contain malware, so inbound e-mail should not be allowed to any control network device. Outbound SMTP mail messages from the control network to the corporate network are acceptable to send alert messages.

Waterfall One-Way™ response:

Waterfall One-Way™ technology eliminates this risk completely, as there is no physical connection between the control network and the corporate network. In addition, protocols such as FTPS, HTTPS, SFTP and SMTP are supported by the Waterfall and can be delivered over a one-way connection.
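The NIST 800.82 protocol recommendations quoted under SC-2 are a decision table: for each protocol they say whether a session may cross into or out of the control network, and under which conditions (token-based MFA, an encrypted tunnel, a specific approved device). The script below is an added example, not Waterfall or NIST code, that encodes that table so a proposed set of boundary flows can be checked against it before firewall rules are written. The zone names, the `Flow` fields and every sample flow are constructed for the example; flows that do not cross the control boundary fall through to "review" because the quoted text does not address them, and anything else not explicitly permitted is denied in the spirit of CM-7 (least functionality).

```python
from __future__ import annotations
from dataclasses import dataclass

# Zones of the three-zone design discussed in the text.
CORPORATE, DMZ, CONTROL = "corporate", "dmz", "control"
ALLOW, DENY, REVIEW = "allow", "deny", "review"


@dataclass(frozen=True)
class Flow:
    """One candidate boundary flow (all sample flows below are constructed)."""
    proto: str                     # dns, http, https, ftp, tftp, sftp, scp, telnet, smtp, ...
    src: str                       # zone the session originates from
    dst: str                       # zone it terminates in
    mfa: bool = False              # token-based multi-factor authentication in use
    tunnel: bool = False           # carried inside an encrypted tunnel (e.g. VPN)
    specific_device: bool = False  # destination is an explicitly approved device


def evaluate(f: Flow) -> tuple[str, str]:
    """Map a flow to (verdict, rule) following the NIST 800.82 text quoted above."""
    p = f.proto.lower()
    inbound = f.dst == CONTROL and f.src != CONTROL   # entering the control network
    outbound = f.src == CONTROL and f.dst != CONTROL  # leaving the control network

    if p == "tftp":
        return DENY, "all TFTP communications should be blocked"
    if p == "dns":
        if inbound:
            return DENY, "no reason to allow DNS requests into the control network"
        if outbound and f.dst == DMZ:
            return REVIEW, "DNS from the control network to the DMZ is decided case by case"
        if outbound:
            return DENY, "little reason for DNS out of the control network; use local DNS or hosts files"
    if p == "http" and inbound:
        return DENY, "incoming HTTP into the control network poses significant security risk"
    if p == "https" and inbound:
        if f.specific_device:
            return ALLOW, "HTTPS into the control network only to specific devices"
        return DENY, "HTTPS into the control network must be limited to specific devices"
    if p in ("ftp", "sftp", "scp"):
        if outbound:
            return ALLOW, "file transfer allowed for outbound sessions (prefer SFTP/SCP over FTP)"
        if inbound and f.mfa and f.tunnel:
            return ALLOW, "inbound file transfer only with token-based MFA and an encrypted tunnel"
        if inbound:
            return DENY, "inbound file transfer without MFA and an encrypted tunnel"
    if p == "telnet":
        if inbound:
            if f.mfa and f.tunnel:
                return ALLOW, "inbound telnet only with token-based MFA and an encrypted tunnel"
            return DENY, "inbound telnet is prohibited without MFA and an encrypted tunnel"
        if outbound:
            if f.tunnel and f.specific_device:
                return ALLOW, "outbound telnet only over an encrypted tunnel to specific devices"
            return DENY, "outbound telnet must use an encrypted tunnel to a specific device"
    if p == "smtp":
        if inbound:
            return DENY, "inbound e-mail often carries malware; none to control network devices"
        if f.src == CONTROL and f.dst == CORPORATE:
            return ALLOW, "outbound SMTP from control to corporate is acceptable for alerts"

    if not (inbound or outbound):
        return REVIEW, "does not cross the control-network boundary; outside these rules"
    return DENY, "default deny: not an essential capability across the control boundary (CM-7)"


def audit(flows: list[Flow]) -> dict[str, int]:
    """Count verdicts over a set of flows, e.g. a proposed firewall rule base."""
    counts = {ALLOW: 0, DENY: 0, REVIEW: 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts


# Constructed sample rule base to evaluate.
SAMPLE_FLOWS = [
    Flow("http", CORPORATE, CONTROL),
    Flow("https", DMZ, CONTROL, specific_device=True),
    Flow("tftp", CONTROL, DMZ),
    Flow("ftp", CONTROL, CORPORATE),
    Flow("telnet", CORPORATE, CONTROL, mfa=True, tunnel=True),
    Flow("telnet", CONTROL, DMZ, tunnel=True),
    Flow("smtp", CONTROL, CORPORATE),
    Flow("smtp", CORPORATE, CONTROL),
    Flow("dns", CONTROL, DMZ),
    Flow("modbus", CORPORATE, DMZ),
]

if __name__ == "__main__":
    for fl in SAMPLE_FLOWS:
        verdict, rule = evaluate(fl)
        print(f"{fl.proto:>6} {fl.src:>9} -> {fl.dst:<9} {verdict:<6} {rule}")
    print(audit(SAMPLE_FLOWS))
```

The point of the table is that most conditional permissions (inbound FTP or telnet with MFA and a tunnel, HTTPS to specific devices) are still sessions initiated from a lower-security zone into the control network; a unidirectional link removes that class of flow entirely, which is why the Waterfall response above can answer with "no physical connection" rather than with a rule base.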

SC-3 SECURITY FUNCTION ISOLATION (NIST 800.53)

Control: The information system isolates security functions from non-security functions.


Waterfall One-Way™ response:

Waterfall answers this requirement explicitly. Because the critical cyber assets are isolated from all other, non-critical assets when using the Waterfall system, all data processing, monitoring and viewing become available to corporate users, while security-related functions can be performed only on the control network; there is no physical possibility of mixing the two.

SC-4 INFORMATION IN SHARED RESOURCES (NIST 800.53)

Control: The information system prevents unauthorized and unintended information transfer via shared system resources.

Waterfall One-Way™ response:

This risk is completely eliminated when using Waterfall. While the information becomes available to authorized people in the corporate network, the shared resource is in no way a gateway to the control network. Since Waterfall streams the information in a unidirectional manner only, no unintended information can be transferred back to interfere with the smooth operation of the control network.

SC-5 DENIAL OF SERVICE PROTECTION (NIST 800.53)

Control: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Waterfall One-Way™ response:

By utilizing Waterfall this risk is completely eliminated, as the physical segregation the Waterfall provides will prevent any DoS or DDoS attack from reaching the control network. The worst scenario that can result from a DoS or DDoS attack is that the flow of information from the control network to the corporate network will cease. However, the control network will not be compromised in any way whatsoever.

SC-7 BOUNDARY PROTECTION (NIST 800.53)

Control: The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.


NIST 800.82 Recommendation: Data Historians - The existence of shared control network/corporate network servers such as data historians and asset management servers can have a significant impact on firewall design and configuration. In three-zone systems the placement of these servers in a DMZ is relatively straightforward, but in two-zone designs the issues become complex. Placing the historian on the corporate side of the firewall means that a number of insecure protocols, such as MODBUS/TCP or DCOM, must be allowed through the firewall and that every control device reporting to the historian is exposed to the corporate side of the network. On the other hand, putting the historian on the control network side means other equally questionable protocols, such as HTTP or SQL, must be allowed through the firewall, and there is now a server accessible to nearly everyone in the organization sitting on the control network.

In general, the best solution is to avoid two-zone systems (no DMZ) and use a three-zone design, placing the data collector in the control network and the historian component in the DMZ; however, even this can prove problematic in some situations. Heavy access from the large numbers of users on the corporate network to a historian in the DMZ may tax the firewall’s throughput capabilities. One potential solution is to install two servers: one on the control network to collect data from the control devices, and a second on the corporate network mirroring the first server and supporting client queries. The issue of how to time synchronize both historians will have to be addressed. This also requires a special hole to be put through the firewall to allow direct server-to-server communications, but if done correctly, this poses only minor risk.

Waterfall One-Way™ response:

Waterfall One-Way™ technology was designed to answer this specific requirement. By locating a Waterfall system between the control network and the corporate network, all cumbersome topologies of firewalls, DMZs, relays, configurations and paperwork simply become unnecessary. All monitoring and control information can flow, online, from the control network to the corporate network while leaving the control network physically disconnected and isolated from the outside world. The Waterfall provides 100% security, eliminates the risks completely and keeps the entire topology simple and efficient. Waterfall supports a variety of historian servers that can be replicated online across the fiber optic link, as well as several SCADA protocols such as Modbus, OPC, ICCP and more.


SC-8 TRANSMISSION INTEGRITY (NIST 800.53)

Control: The information system protects the integrity of transmitted information.

NIST 800.82 Recommendation:

Simple Network Management Protocol (SNMP): SNMP is used to provide network management services between a central management console and network devices such as routers, printers, and PLCs. Although SNMP is an extremely useful service for maintaining a network, it is very weak in security. Versions 1 and 2 of SNMP use unencrypted passwords to both read and configure devices (including devices such as PLCs), and in many cases the passwords are well known and cannot be changed. Version 3 is considerably more secure but is still limited in use. SNMP V1 & V2 commands both to and from the control network should be prohibited unless it is over a separate, secured management network whereas SNMP V3 commands may be able to be sent to the ICS using the security features inherent to V3.

Distributed Component Object Model (DCOM): DCOM is the underlying protocol for both OLE for Process Control (OPC) and ProfiNet. It utilizes Microsoft’s Remote Procedure Call (RPC) service which, when not patched, has many vulnerabilities. These vulnerabilities were the basis for the Blaster worm exploits. In addition, OPC, which utilizes DCOM, dynamically opens a wide range of ports (1024 to 65535) that can be extremely difficult to filter at the firewall. This protocol should only be allowed between control network and DMZ networks and explicitly blocked between the DMZ and corporate network. Also, users are advised to restrict the port ranges used by making registry modifications on devices using DCOM.

SCADA and Industrial Protocols: SCADA and industrial protocols, such as MODBUS/TCP, EtherNet/IP, and DNP3, are critical for communications to most control devices. Unfortunately, these protocols were designed without security built in and do not typically require any authentication to remotely execute commands on a control device. These protocols should only be allowed within the control network and not allowed to cross into the corporate network.

Network Address Translation (NAT): Network address translation (NAT) is a service where IP addresses used on one side of a network device can be mapped to a different set on the other side on an as-needed basis. It was originally designed for IP address reduction purposes so that an organization with a large number of devices that occasionally needed Internet access could get by with a smaller set of assigned Internet addresses. To do this, most NAT implementations rely on the premise that not every internal device is actively communicating with external hosts at a given moment. The firewall is configured to have a limited number of outwardly visible IP addresses. When an internal host seeks to communicate to an external host, the firewall remaps the internal IP address and port to one of the currently unused, more limited, public IP addresses, effectively concentrating outgoing traffic into fewer IP addresses. The firewall must track the state of each connection and how each private internal IP address and source port was remapped onto an outwardly visible IP address/port pair. When returning traffic reaches the firewall, the mapping is reversed and the packets forwarded to the proper internal host. For example, a control network device may need to establish a connection with an external, non-control network host (for instance, to send a critical alert e-mail). NAT allows the internal IP address of the initiating control network host to be replaced by the firewall; subsequent return traffic packets are remapped back to the internal IP address and sent to the appropriate control network device. More specifically, if the control network is assigned the private subnet 192.168.1.xxx and the Internet network expects the device to use the corporate assigned addresses in the range 192.6.yyy.zzz, then a NAT firewall will substitute (and track) a 192.6.yyy.zzz source address into every outbound IP packet generated by a control network device. Producer-consumer protocols, such as EtherNet/IP and Foundation Fieldbus, are particularly troublesome because NAT does not support the multicast-based traffic that these protocols need to offer their full services. In general, while NAT offers some distinct advantages, its impact on the actual industrial protocols and configuration should be assessed carefully before it is deployed. Furthermore, certain protocols are specifically broken by NAT because of the lack of direct addressing. For example, OPC requires special third-party tunneling software to work with NAT.

Waterfall One-Way™ response:

Insecure use of SNMP and SCADA protocols, and inefficient use of NAT, are risks and problems that Waterfall eliminates. By separating the controlled elements from the monitoring station with a Waterfall, SNMP traffic becomes very secure because there is no access path to the monitored components. Furthermore, SCADA protocols, including OPC, are supported by Waterfall and can be delivered from the control network to the corporate network in a one-way manner, so abusing the protocol-inherent vulnerabilities becomes impossible and NAT becomes irrelevant.

SC-9 TRANSMISSION CONFIDENTIALITY (NIST 800.53)

Control: The information system protects the confidentiality of transmitted information.

Waterfall One-Way™ response:

Waterfall supports encrypted protocols such as HTTPS, FTPS and SFTP, as well as secure authentication methods, so the unidirectional Waterfall link preserves point-to-point encryption and the confidentiality of the information.


SC-11 TRUSTED PATH (NIST 800.53)

Control: The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication].

Waterfall One-Way™ response:

A trusted communication path is established between the higher-security network and the lower-security network by placing the Waterfall system between them. The trusted path results from the physical separation and the one-way flow of information: users interact with the replica of the source and not with the sensitive resources in the control network.

SC-23 SESSION AUTHENTICITY (NIST 800.53)

Control: The information system provides mechanisms to protect the authenticity of communications sessions.

Waterfall One-Way™ response:

Where Waterfall resides, as in most cases, between the control network and the corporate network, tampering with the data inside the control network from the outside becomes impossible, so the authenticity of the information source, and consequently of its data, is preserved. In addition, digital signatures and their verification are supported when streaming information through the Waterfall.

SC-25 THIN NODES (NIST 800.53)

Control: The information system employs processing components that have minimal functionality and information storage.

Waterfall One-Way™ response:

The thin-node methodology is applied wherever the processing units need to be protected from the users and where information is presented to the user in a way that allows only minimal access to the data storage and the processing unit. Waterfall One Way technology applies this principle by replicating data from the processing units and the original databases, so no real access to them is ever obtained while the information is always available to the user in real time. When the Waterfall system is implemented, the idea, purpose and objectives of thin nodes are obtained in full.

SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS (NIST 800.53)

Control: The information system includes: [Assignment: organization-defined operating system-independent applications].

Waterfall One-Way™ response:

Waterfall One Way can run on Windows- or Linux-based machines (in some applications) and interfaces with any operating system or application on an IP-traffic basis.

SC-28 PROTECTION OF INFORMATION AT REST (NIST 800.53)

Control: The information system protects the confidentiality and integrity of information at rest.

Waterfall One-Way™ response:

Waterfall One Way™ technology provides ways to keep data integrity and confidentiality once a Waterfall system has been implemented. The DRE (Data Retention Enabler) topology is an extremely cost-effective way to keep information safe from any external entity by placing the storage unit behind a Waterfall. Information can be added and streamed to the unit, but nothing can be removed or accessed unless a person physically connects to the unit locally.

SC-30 VIRTUALIZATION TECHNIQUES (NIST 800.53)

Control: The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.

Waterfall One-Way™ response:

When using Waterfall, all transferred information becomes available on the less secure network. In most cases, such as when replicating a historian server, users have the "feel" that they are connected to the real historian server while in fact they are connected to the replica historian server. This common Waterfall topology creates a virtualization of the control equipment and data.


SC-32 INFORMATION SYSTEM PARTITIONING (NIST 800.53)

Control: The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.

Waterfall One-Way™ response:

There is no better way to separate physical domains than Waterfall One Way™ technology! It is extremely important to protect, in the best way possible, the critical cyber assets that reside in the control network. The best way to do this is to physically disconnect the control world from all other networks. Since that alone would impair business operations, the only way to combine physical separation with smooth business operation is to install a Waterfall. Placing a Waterfall system between those networks enables smooth, online data transfer from the control network to the corporate network while the control network remains physically separated, disconnected and unreachable.

SC-33 TRANSMISSION PREPARATION INTEGRITY (NIST 800.53)

Control: The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.

Waterfall One-Way™ response:

Waterfall devices are often connected directly to PLCs, RTUs or HMIs. Gathering the data, transforming the protocols into the unidirectional proprietary protocol and transmitting the information out to the corporate networks therefore requires not only reliable processing but also special measures to ensure the integrity of the information. All of these functions are provided by Waterfall and enhance data integrity in the organization.
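The session-authenticity response (SC-23) and the transmission-preparation response (SC-33) both depend on the receiving side being able to tell authentic, complete data from tampered or missing data, and on a one-way link it must do so without a return channel for acknowledgements or retransmission requests. The following is an added, constructed example of such framing; it is not Waterfall's own protocol. The shared key, the JSON frame layout, the HMAC tag and the hash chain are assumptions of the example, and the key is assumed to be provisioned out of band.

```python
"""One-way record framing with authenticity and loss detection.

Added, constructed example (not Waterfall's protocol). Each frame carries a
sequence number, the SHA-256 of the previous frame (a hash chain) and an
HMAC-SHA256 tag. The receiver cannot ask for resends, so it records
tampering, replay and gaps as events for the SOC instead of negotiating.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

KEY = b"constructed-demo-key-do-not-reuse"   # assumption: shared out of band
GENESIS = "0" * 64                            # chain value before frame 0


class Sender:
    """Control-network side: frames records for the one-way link."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.seq = 0
        self.prev_digest = GENESIS

    def frame(self, record: Dict) -> bytes:
        body = json.dumps({"seq": self.seq, "prev": self.prev_digest,
                           "record": record}, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        wire = body + b"|" + tag.encode()
        self.prev_digest = hashlib.sha256(wire).hexdigest()  # link next frame
        self.seq += 1
        return wire


class Receiver:
    """Corporate-network side: verifies every frame, never talks back."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.expected_seq = 0
        self.prev_digest = GENESIS
        self.accepted: List[Dict] = []
        self.events: List[str] = []

    def accept(self, wire: bytes) -> Optional[Dict]:
        body, _, tag = wire.rpartition(b"|")
        expected_tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag.encode(), tag):
            self.events.append("bad tag: frame rejected")
            return None
        msg = json.loads(body)
        if msg["seq"] < self.expected_seq:
            self.events.append(f"replay or late frame: seq {msg['seq']} rejected")
            return None
        if msg["seq"] > self.expected_seq:
            # Loss is visible but not recoverable over a one-way link.
            self.events.append(f"gap: frames {self.expected_seq}..{msg['seq'] - 1} missing")
        elif msg["prev"] != self.prev_digest:
            self.events.append(f"chain break at seq {msg['seq']}: frame rejected")
            return None
        self.prev_digest = hashlib.sha256(wire).hexdigest()
        self.expected_seq = msg["seq"] + 1
        self.accepted.append(msg["record"])
        return msg["record"]


def simulate() -> List[str]:
    """Replay a constructed stream: one frame tampered in transit, one lost."""
    s, r = Sender(), Receiver()
    frames = [s.frame({"tag": "FT-101", "value": float(v)}) for v in range(1, 5)]
    r.accept(frames[0])
    r.accept(frames[1].replace(b"2.0", b"9.0"))   # tampered copy is refused
    r.accept(frames[1])                            # genuine frame still accepted
    r.accept(frames[3])                            # frames[2] never arrived
    return r.events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

The design choice worth noting is that the receiver accepts a frame after a gap and resynchronizes the chain from it, because refusing everything after a single lost frame would turn packet loss into a denial of service; the gap is reported rather than hidden.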

SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS (NIST 800.53)

Control: The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.


Waterfall One-Way™ response:

Waterfall One Way technology allows the executables of the operating environment to be kept completely isolated behind the Waterfall system and on hardware-enforced read-only media. This practice is possible in some applications, where the executable or the database can be reinstalled at a preconfigured interval to avoid undesired changes.

System and Information Integrity (SI)

SI-3 MALICIOUS CODE PROTECTION (NIST 800.53)

Control: The organization:

a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities;

b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;

c. Configures malicious code protection mechanisms to: perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Waterfall One-Way™ response:

The Waterfall system separates the secured networks and prevents any entry point that could contaminate the network with malicious code. In addition, Waterfall systems can contribute to the effort of keeping the network elements up to date with anti-virus signatures and other security patches without exposing the secure network to the outside world or to any risk of online attack or data leakage. Please refer to the WF-updater sheet.
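Delivering signature updates into the protected network over a one-way path removes the online attack surface, but the receiving side still needs to confirm that what arrived is exactly the package that was released and nothing more. The check below is an added, constructed example and is not the WF-updater product referenced above; the manifest format (a path-to-SHA-256 map), the staging-directory rule and the sample file contents are assumptions of the example.

```python
"""Receiver-side verification of an update package (e.g. anti-virus
signatures) that arrived over a one-way link.

Added, constructed example; not the WF-updater product. The package is a
mapping of relative path -> bytes, and the manifest maps the same paths to
SHA-256 digests. Only files listed in the manifest, with matching digests
and with paths that stay inside the staging directory, are accepted.
"""
import hashlib
import posixpath
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def safe_relative_path(path: str) -> bool:
    """Reject absolute paths and any '..' escape from the staging directory.

    normpath collapses 'a/../b' to 'b'; anything still beginning with '..'
    after that would land outside the staging tree (this also rejects names
    that merely start with '..', which is an acceptable conservatism).
    """
    norm = posixpath.normpath(path)
    return not path.startswith("/") and not norm.startswith("..") and norm != "."


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Publisher side: list every file with its digest."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_package(manifest: Dict[str, str],
                   files: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when problems is empty."""
    problems: List[str] = []
    for path in files:
        if path not in manifest:
            # Unlisted content never reaches the secure network.
            problems.append(f"unexpected file not in manifest: {path}")
    for path, digest in manifest.items():
        if not safe_relative_path(path):
            problems.append(f"unsafe path in manifest: {path}")
            continue
        if path not in files:
            problems.append(f"listed file missing from package: {path}")
            continue
        if sha256_hex(files[path]) != digest:
            problems.append(f"hash mismatch: {path}")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample package.
    released = {"daily.cvd": b"sig-data-v1", "main.cvd": b"sig-data-main"}
    manifest = build_manifest(released)
    print(verify_package(manifest, released))
    corrupted = dict(released, **{"daily.cvd": b"sig-data-v2"})
    print(verify_package(manifest, corrupted))
```

In practice the manifest itself would be signed by the publisher and that signature checked first; the example stops at the content check so that it runs with the standard library alone.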

SI-9 INFORMATION INPUT RESTRICTIONS (NIST 800.53)

Control: The organization restricts the capability to input information to the information system to authorized personnel.

Waterfall One-Way™ response:

When the Waterfall system is implemented, the immediate result is that the secured network(s) are completely isolated, so absolute restriction of information input is achieved. Data can only be streamed out of the secured network; information input is impossible unless qualified personnel of the secured network, with physical access to it, perform that action.


Controls: Supported but not implemented by Waterfall One-Way™

The following controls are supported by the Waterfall One Way technology and enjoy full compatibility. Notwithstanding, it is important to understand that the Waterfall system, or its installation, does not generate or initiate these functionalities; they must be obtained through other systems or procedures.

AC-7 UNSUCCESSFUL LOGIN ATTEMPTS

Control: The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period]; and Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
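AC-7 is one of the controls the text says must be supplied by other systems. As an added, constructed example of what that looks like in code, the class below enforces a limit of consecutive failures within a time window and locks the account for a fixed period; the limit, window and lock duration are the [Assignment] values an organization chooses, and the sample values used here are assumptions, not figures from the page.

```python
"""Consecutive-failure lockout for AC-7 (added, constructed example).

Failures are counted in a sliding window; when the limit is reached the
account is locked for a fixed period, and a successful login resets the
consecutive count. Timestamps are passed in explicitly so the behaviour is
deterministic and testable; a real deployment would use time.monotonic().
"""
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginThrottle:
    def __init__(self, max_attempts: int = 5, window_s: float = 900.0,
                 lock_s: float = 1800.0) -> None:
        # Assumed organization-defined values: 5 failures in 15 minutes
        # lock the account for 30 minutes.
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lock_s = lock_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Count one failed attempt; return True if it tripped the lock."""
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[account] = now + self.lock_s
            q.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)          # consecutive count resets

    def attempt(self, account: str, credentials_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'granted', 'denied' or 'locked'.

        The lock check comes first, so correct credentials presented during
        the lock period are still refused, as the control requires.
        """
        if self.is_locked(account, now):
            return "locked"
        if credentials_ok:
            self.record_success(account)
            return "granted"
        return "locked" if self.record_failure(account, now) else "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_attempts=3, window_s=60.0, lock_s=300.0)
    for i, now in enumerate((0.0, 10.0, 20.0, 30.0, 321.0)):
        print(now, t.attempt("operator", credentials_ok=(i >= 3), now=now))
```

The control applies to both local and network logins, so the same throttle should sit behind every authentication path rather than only the remote one.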

AC-8 SYSTEM USE NOTIFICATION

Control: The information system: Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.


AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION

Control: The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

AC-11 SESSION LOCK

Control: The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-16 SECURITY ATTRIBUTES

Control: The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.

AU-8 TIME STAMPS

Control: The information system uses internal system clocks to generate time stamps for audit records.

AU-10 NON-REPUDIATION

Control: The information system protects against an individual falsely denying having performed a particular action.

AU-12 AUDIT GENERATION

Control: The information system: Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.


AU-14 SESSION AUDIT

Control: The information system provides the capability to: Capture/record and log all content related to a user session; and Remotely view/hear all content related to an established user session in real time.

CM-3 CONFIGURATION CHANGE CONTROL

Control: The organization: Determines the types of changes to the information system that are configuration controlled; Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; Documents approved configuration-controlled changes to the system; Retains and reviews records of configuration-controlled changes to the system; Audits activities associated with configuration-controlled changes to the system; and Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

CM-6 CONFIGURATION SETTINGS

Control: The organization: Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; Implements the configuration settings; Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

Control: The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.


SI-4 INFORMATION SYSTEM MONITORING

Control: The organization: Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; Identifies unauthorized use of the information system; Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

SI-8 SPAM PROTECTION

Control: The organization: Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.


Table of compliance by Waterfall One Way™

The following controls were found relevant to Waterfall One Way technology, while the remaining controls are simply not relevant in the aforementioned regard. Controls listed in the preceding "Supported but not implemented" section are marked in the second column.

| NIST 800.53 Control Family | Control | Full Compliance achieved with Waterfall solution | Supported with additional 3rd party security measures |
|---|---|---|---|
| Access Control | AC-3 ACCESS ENFORCEMENT | YES | |
| | AC-4 INFORMATION FLOW ENFORCEMENT | YES | |
| | AC-6 LEAST PRIVILEGE | YES | |
| | AC-7 UNSUCCESSFUL LOGIN ATTEMPTS | | YES |
| | AC-8 SYSTEM USE NOTIFICATION | | YES |
| | AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION | | YES |
| | AC-11 SESSION LOCK | | |
| | AC-16 SECURITY ATTRIBUTES | | |
| | AC-17 REMOTE ACCESS | YES | |
| | AC-20 USE OF EXTERNAL INFORMATION SYSTEMS | YES | |
| Audit and Accountability | AU-9 PROTECTION OF AUDIT INFORMATION | YES | |
| | AU-8 TIME STAMPS | | YES |
| | AU-10 NON-REPUDIATION | | YES |
| | AU-12 AUDIT GENERATION | | YES |
| | AU-14 SESSION AUDIT | | YES |
| Security Assessment and Authorization | CA-3 INFORMATION SYSTEM CONNECTIONS | YES | |
| Configuration Management | CM-5 ACCESS RESTRICTIONS FOR CHANGE | YES | |
| | CM-7 LEAST FUNCTIONALITY | YES | |
| | CM-3 CONFIGURATION CHANGE CONTROL | | YES |
| | CM-6 CONFIGURATION SETTINGS | | YES |
| Contingency Planning | CP-9 INFORMATION SYSTEM BACKUP | YES | |
| | CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | YES | |
| Identification and Authentication | IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION | | YES |
| Media Protection | MP-2 MEDIA ACCESS | YES | |
| Physical and Environmental Protection | PE-19 INFORMATION LEAKAGE | YES | |
| System and Services Acquisition | SA-13 TRUSTWORTHINESS | YES | |
| System and Communications Protection | SC-2 APPLICATION PARTITIONING | YES | |
| | SC-3 SECURITY FUNCTION ISOLATION | YES | |
| | SC-4 INFORMATION IN SHARED RESOURCES | YES | |
| | SC-5 DENIAL OF SERVICE PROTECTION | YES | |
| | SC-7 BOUNDARY PROTECTION | YES | |
| | SC-8 TRANSMISSION INTEGRITY | YES | |
| | SC-9 TRANSMISSION CONFIDENTIALITY | YES | |
| | SC-11 TRUSTED PATH | YES | |
| | SC-23 SESSION AUTHENTICITY | YES | |
| | SC-25 THIN NODES | YES | |
| | SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS | YES | |
| | SC-28 PROTECTION OF INFORMATION AT REST | YES | |
| | SC-30 VIRTUALIZATION TECHNIQUES | YES | |
| | SC-32 INFORMATION SYSTEM PARTITIONING | YES | |
| | SC-33 TRANSMISSION PREPARATION INTEGRITY | YES | |
| | SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS | YES | |
| System and Information Integrity | SI-3 MALICIOUS CODE PROTECTION | YES | |
| | SI-4 INFORMATION SYSTEM MONITORING | | YES |
| | SI-8 SPAM PROTECTION | | YES |
| | SI-9 INFORMATION INPUT RESTRICTIONS | YES | |