Can SD-WANs meet standards requirements?

Any innovative technology faces a battle of doubt. When Amazon first rolled out AWS, few could imagine servers running in the cloud. Before Salesforce, many thought CRM to be too critical to run as SaaS. I find SD-WANs to be facing a similar battle. It’s inconceivable to many that an SD-WAN could replace MPLS. This is particularly true for security teams.

At one recent client, a chemical company, the team was looking to transition from MPLS to SD-WAN. The security group, though, could not accept the fact that SD-WANs met the requirements stipulated by CFATS (Chemical Facility Anti-Terrorism Standards) guiding the chemical industry.

It was a classic example of professionals getting hooked into the implementation and failing to consider alternative approaches to addressing the same need. CFATS professionals assume MPLS and firewalls to be mandated by the standard. MPLS being the de facto transport. As for firewalls, “Organizations understand and feel safe with firewalls,” says Nirvik Nandy, my partner and the president and CEO, of Red Lantern, a security and compliance consultancy.

But, in fact, neither are mandated by the specification. CFATS recommends Risk Based Performance Standards for protecting facilities with Chemicals of Interest (COI). The specification looks to deter theft, diversion or cyber sabotage, which includes preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems.

It talks about the need to protect “control systems,” and to achieve that, you must take a layered defense strategy that includes both technical controls like define boundaries for the control systems, limit and monitor external connections, segment from the business network and encrypt data, limit and monitor remote access, deploy “least privilege” to contain access, etc., as well as procedural controls, says Nirvik.

MPLS and firewalls are not explicitly mandated by CFATS. In fact, firewalls do not inspect packets for valid control systems protocol contents and hence are not the most effective solution to segment the business and control systems environments. Encrypted SD-WAN traffic overlays with next generation firewall (NGFW) capabilities can provide a much better protection of layer 4-7 network services.

But proving that SD-WANs can meet CFATS or any standard is particularly challenging. In part that’s because SD-WANs use of the Internet conjures up cyber threats and hacks—the very opposite of CFATS compliance. There’s also no consensus around what exactly is an SD-WAN. Every vendor implements their SD-WAN differently. Appliances, managed services, cloud services—these are all different things to security professionals. The technology needs to stabilize and education need to improve before security professionals will be comfortable with SD-WANs.

At the same time, security and networking are merging, blurring the definition of the classical firewalls. Already Cato Networks is offering an SD-WAN service in the cloud with built-in NGFW, SGW, and malware protection. Other vendors, such as Open Systems, are providing best-of-breed security service prepackaged into their appliances.

So, can SD-WANs be compliant with regulations? We think so, at least in the case of CFATS, if deployed correctly with the technical and administrative controls. “The only exception is if an organization has interpreted the guidance of “RBPS section 8 – Cyber” discussing segmentation of the SCADA, DCs, and other control systems to be completely air-gapped from the corporate network with the whole separate set of administrative controls including monitoring, incident response, etc.,” says Nirvik. “If that is the case then the solution is going to be very expensive indeed.”

(You can read more of the interview with Nirvik on our blog.)