Firewalls are often the first security mechanism that is installed on any network. For industrial control networks in municipal water systems, nuclear power plants and other critical infrastructure, firewalls simply aren’t good enough to keep attack payloads away. Industrial plants need unidirectional gateways to provide the ultimate security for critical control systems.
Every week it seems we hear about some advanced persistent threat (APT) that infiltrated a corporate network and slinked off with financial data or intellectual property. With so many similar stories in the news – and many more that we never hear about publicly – it makes you wonder about the ability of hackers to get into industrial control networks.
What would happen if an attacker could get to the point of being able to manipulate the industrial controls of a nuclear power plant, or a municipal water system, or a sprawling petrochemical plant? It was bad enough that Target and other merchants had tens of millions of cardholder records stolen, but at least nobody died from those incidents. But if an attacker could jack up the temperature gauges of a petrochemical hydrocracker unit, there could be massive casualties from the resulting explosions and fires.
In 2013 Trend Micro reported an experiment the company conducted where it deployed a dozen honey pots around the world that were designed to look like the ICS (industrial control system) networks of municipal water utilities. Between March and June, the honey pots attracted 74 intentional attacks, including at least 10 where the attackers were able to take over the control system.
This experiment proved that attackers have both the intention and the ability to penetrate critical infrastructure systems that, in theory, should be less vulnerable than Internet-facing corporate networks. We may be living with a false sense of security in thinking that ICS networks inherently possess security through obscurity.
In the industrial world, there were no connections between the control systems and the outside world until about two decades ago. That was when plant operators discovered there is a wealth of information in the control systems that could help them better manage their plants. For example, production units have to be taken offline every so often for maintenance. By collecting data from the control systems to understand how hard the equipment has been used, the managers might be able to optimize the schedules for maintenance. Running the equipment a few extra days between maintenance cycles could save millions of dollars a year.
When companies connected their control networks to their corporate networks for the purpose of gathering this data, they introduced the security problems that plague the corporate networks today. Everything from viruses to APTs can jump across networks and get into the control networks that used to be thought of as invulnerable.
Even firewalls are insufficient to keep the bad stuff out. As anyone who manages firewalls on a corporate network knows, malicious payloads sometimes slip through undetected, and this could be disastrous for an industrial control network. That’s why many ICS networks are protected with a different kind of security device called a unidirectional security gateway.
Andrew Ginter, vice president of Industrial Security with Waterfall Security Solutions, explained how his company’s unidirectional gateway technology works and where it fits in the scheme of protecting industrial control networks.
According to Ginter, industrial plants separate their control networks from their corporate networks with a DMZ. Instead of a traditional firewall, a unidirectional gateway sits at the DMZ to allow data to flow from the control network to the corporate network on the outside, but nothing can flow back the other way. In fact, it’s physically impossible for data to flow two ways, and here’s why.
A firewall is a box with a network connection in and a network connection out. If you take your screwdriver and open up the box to see what’s inside, you see a CPU and memory. A firewall is software. The heart of the unidirectional gateway is hardware. There are two boxes, not one. One box is copper in and fiber out, and the other one is fiber in and copper out. There is a very short fiber connecting the boxes. In the transmit box there is a fiber optic transmitter, and in the receive box there is a receiver.
Standard fiber optic chipsets have both in the same chip. If you open up a Waterfall box, it only has a transmitter in the transmit box and a receiver in the receive box. You can send from the transmit box to the receive box, but you can’t send anything back. There is physically no laser in the receiver to send any signal back to the transmitter. And even if you somehow managed to send a signal back, there is no receiver in the transmit box. It can’t even tell if the other end is powered on. It has no way to physically receive any signal.
This technology lets you move information out of your control system networks without any risk of an attack, a virus or remote control, because nothing can get back in. This works because 99% of the data transfer needs are out of control systems, which are designed to run safely indefinitely without outside input.
The data coming out of a control network comes from sensors, gauges, thermostats and the like on the industrial equipment. The data from these devices is consolidated into a historian server. It’s a database optimized for a single schema to keep track of hundreds of thousands of different timestamped data points, so that for any measurement point you can go back, for example, 10 seconds, 10 days, or even several years and see what the value was. This database tends to be the point of integration with SAP and other business systems.
Waterfall replicates the historian server on the outside of the control network. Software queries the original historian database, asks it for the data, and sends the data out over the one-way channel. On the other side it inserts the data into the replica database and keeps those two databases synchronized to within about a second of each other. Now anyone who wants access to the data no longer reaches into the control system to ask the real system for data. Instead they reach into the copy and ask the copy for data. The copy has all of the data back to the beginning of time, and it has the latest data that is less than a second old. This satisfies the need for corporate to gather and use control device data without having any ability to send data back into those devices, even inadvertently.
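As an added illustration (not Waterfall’s code; the class names, frame format and sample tags are assumptions), here is a minimal model of the replication just described: the sender can only push numbered frames down the link, the receiver can only consume them, and because no acknowledgement can ever travel back, a lost frame shows up as a sequence gap on the receiving side rather than as a retransmission request.

```python
import json
from collections import defaultdict

class OneWayLink:
    """Models the fiber with a transmitter on one end only: frames go in,
    frames come out, and there is no method for sending anything upstream."""
    def __init__(self):
        self.frames = []
    def transmit(self, frame: bytes) -> None:
        self.frames.append(frame)
    def drain(self) -> list:
        out, self.frames = self.frames, []
        return out

class Sender:
    """Control-network side: queries the real historian and ships only rows
    newer than the last timestamp already sent, each in a numbered frame."""
    def __init__(self, historian: dict, link: OneWayLink):
        self.historian, self.link, self.seq, self.last_ts = historian, link, 0, float("-inf")
    def replicate(self) -> int:
        rows = sorted((ts, tag, v) for tag, series in self.historian.items()
                      for ts, v in series if ts > self.last_ts)
        for ts, tag, v in rows:
            self.seq += 1
            self.link.transmit(json.dumps({"seq": self.seq, "tag": tag, "ts": ts, "v": v}).encode())
            self.last_ts = ts
        return len(rows)

class Receiver:
    """Corporate side: inserts into the replica and logs any sequence gap,
    because with no return path it cannot ask for a retransmission."""
    def __init__(self, link: OneWayLink):
        self.link, self.replica, self.expected, self.gaps = link, defaultdict(list), 1, []
    def ingest(self) -> int:
        frames = self.link.drain()
        for frame in frames:
            rec = json.loads(frame)
            if rec["seq"] != self.expected:
                self.gaps.append((self.expected, rec["seq"]))
            self.expected = rec["seq"] + 1
            self.replica[rec["tag"]].append((rec["ts"], rec["v"]))
        return len(frames)

def run_demo(drop_frame: int = -1):
    """Constructed sample: two tags, a later append, and optionally one lost frame."""
    link = OneWayLink()
    historian = {"reactor_temp": [(1.0, 351.2), (2.0, 352.0)], "feed_flow": [(1.5, 12.7)]}
    sender, receiver = Sender(historian, link), Receiver(link)
    sender.replicate(); receiver.ingest()          # initial full copy, seq 1..3
    historian["reactor_temp"].append((3.0, 353.1))
    historian["feed_flow"].append((3.5, 12.9))
    sender.replicate()                              # incremental update, seq 4..5
    if drop_frame >= 0:
        link.frames.pop(drop_frame)                 # constructed fault: the fiber loses a frame
    receiver.ingest()
    return dict(receiver.replica), receiver.gaps
```

Because the receiving side can never signal a gap back, a real deployment has to make the sender compensate on its own, for example by resending recent data or periodically pushing a full snapshot.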
Last October Waterfall Security Solutions introduced new technology called FLIP, and it has been well received by industrial customers. FLIP is a unidirectional gateway that allows you to send information into a control system in a very controlled manner. Normally FLIP allows information to flow out of the network, but when a plant needs to communicate inbound for a few seconds – say, to send control recipes into a batch processing system so a chemical plant knows how to treat materials for the day – FLIP can be temporarily reoriented inbound.
The FLIP technology doesn’t forward packets, which prevents attack communications from slipping through. Only legitimate communications in a payload can get sent into the control network. The plant can transmit the necessary instructions and then flip the gateway back to outbound transmission only.
Unidirectional gateway technology provides much stronger security than firewalls. The technology is already in use at every nuclear power plant in the United States, and there is a strong need for it in many other industrial situations.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. (http://www.essential-iws.com), which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.