
Can SD-WANs meet standards requirements?

Jul 26, 2017 | 3 mins
Internet of Things, SD-WAN, Security

When it comes to security standards, the newness of SD-WAN technologies might raise questions among security professionals when it comes to HIPAA, CFATS, PCI and other compliance regulations.


Any innovative technology faces a battle of doubt. When Amazon first rolled out AWS, few could imagine servers running in the cloud. Before Salesforce, many thought CRM to be too critical to run as SaaS. I find SD-WANs to be facing a similar battle. It’s inconceivable to many that an SD-WAN could replace MPLS. This is particularly true for security teams.

At one recent client, a chemical company, the team was looking to transition from MPLS to SD-WAN. The security group, though, could not accept the fact that SD-WANs met the requirements stipulated by CFATS (Chemical Facility Anti-Terrorism Standards) guiding the chemical industry.

It was a classic example of professionals getting hooked into the implementation and failing to consider alternative approaches to addressing the same need. CFATS professionals assume MPLS and firewalls to be mandated by the standard, with MPLS as the de facto transport. As for firewalls, “Organizations understand and feel safe with firewalls,” says Nirvik Nandy, my partner and the president and CEO of Red Lantern, a security and compliance consultancy.

But, in fact, neither is mandated by the specification. CFATS recommends Risk-Based Performance Standards for protecting facilities with Chemicals of Interest (COI). The specification looks to deter theft, diversion or cyber sabotage, which includes preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems.

It talks about the need to protect “control systems,” and to achieve that, you must take a layered defense strategy that includes both technical controls, such as defining boundaries for the control systems, limiting and monitoring external connections, segmenting from the business network and encrypting data, limiting and monitoring remote access, and deploying “least privilege” to contain access, as well as procedural controls, says Nirvik.

MPLS and firewalls are not explicitly mandated by CFATS. In fact, firewalls do not inspect packets for valid control-systems protocol contents and hence are not the most effective solution for segmenting the business and control-systems environments. Encrypted SD-WAN traffic overlays with next-generation firewall (NGFW) capabilities can provide much better protection of layer 4-7 network services.
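To make the segmentation point concrete, here is an added illustration that is not from the article or any vendor it names: a port-only rule beside a protocol-aware rule, both applied to constructed Modbus/TCP frames. Modbus is assumed here only as a representative control-system protocol (the article names none), and the zone names and frames are made up for the example.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Read-only Modbus function codes (coils, discrete inputs, holding/input registers).
# Write codes such as 5, 6, 15 and 16 are deliberately not in this allow-list.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}

@dataclass
class Packet:
    src_zone: str   # assumed zone labels: "business" or "control"
    dst_port: int
    payload: bytes  # TCP payload carrying a Modbus/TCP frame

def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) from an MBAP-framed PDU, or None if malformed."""
    if len(payload) < 8:
        return None
    _transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field counts unit id + PDU bytes.
    if protocol != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def l4_firewall(pkt: Packet) -> bool:
    """Port-based rule: anything to TCP/502 passes, regardless of what it asks the PLC to do."""
    return pkt.dst_port == MODBUS_PORT

def l7_inspection(pkt: Packet) -> bool:
    """Protocol-aware rule: the business zone may only issue read requests; malformed frames are dropped."""
    if pkt.dst_port != MODBUS_PORT:
        return False
    parsed = parse_modbus_tcp(pkt.payload)
    if parsed is None:
        return False
    _unit, function_code = parsed
    if pkt.src_zone == "business":
        return function_code in READ_ONLY_FUNCTIONS
    return True  # control-zone peers keep full protocol access

def build_frame(function_code: int, data: bytes, unit: int = 1, transaction: int = 1) -> bytes:
    """Assemble a Modbus/TCP frame: MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu

# Constructed sample frames for the comparison.
READ_HOLDING = build_frame(3, struct.pack(">HH", 0, 10))       # read 10 holding registers
WRITE_SINGLE = build_frame(6, struct.pack(">HH", 0, 0xFFFF))   # write one holding register
```

The port-only rule accepts both frames from the business zone, while the protocol-aware rule accepts the read and rejects the write, which is the difference the paragraph above is describing.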

But proving that SD-WANs can meet CFATS or any standard is particularly challenging. In part that’s because SD-WANs’ use of the Internet conjures up cyber threats and hacks—the very opposite of CFATS compliance. There’s also no consensus around what exactly an SD-WAN is. Every vendor implements its SD-WAN differently. Appliances, managed services, cloud services—these are all different things to security professionals. The technology needs to stabilize and education needs to improve before security professionals will be comfortable with SD-WANs.

At the same time, security and networking are merging, blurring the definition of the classical firewall. Already Cato Networks is offering an SD-WAN service in the cloud with built-in NGFW, SGW, and malware protection. Other vendors, such as Open Systems, are providing best-of-breed security services prepackaged into their appliances.

So, can SD-WANs be compliant with regulations? We think so, at least in the case of CFATS, if deployed correctly with the technical and administrative controls. “The only exception is if an organization has interpreted the guidance of ‘RBPS section 8 – Cyber’ discussing segmentation of the SCADA, DCs, and other control systems to be completely air-gapped from the corporate network with the whole separate set of administrative controls including monitoring, incident response, etc.,” says Nirvik. “If that is the case then the solution is going to be very expensive indeed.”

(You can read more of the interview with Nirvik on our blog.)


In 2007, Steve Garson started SD-WAN-Experts (at that point called MPLS-Experts) to help U.S. companies communicate with their Chinese and Indian manufacturing facilities. Two clients were rolling out their ERP systems in China and found that their new networks were impeding operations, an unexpected and undesirable problem. A quick examination identified their VPN over Internet as the root cause of the unacceptable performance they were experiencing.

SD-WAN-Experts helped them install a high-quality MPLS network to eliminate the packet loss and reduce the latency found on the Internet. This quickly led to the realization that many other U.S. companies were having the same problem, or were using less manageable frame relay or point-to-point circuits. Thus was born this specialized practice of consulting to companies on the procurement and roll-out of Wide Area Networks (WANs). SD-WAN-Experts now serves companies worldwide with global facilities, large retail chains, as well as small domestic companies, and has even designed government emergency communication networks for an entire state.

The opinions expressed in this blog are those of Steve Garson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.