SECURING POWER GENERATION: A UNIDIRECTIONAL REFERENCE ARCHITECTURE

Executive Summary

Cyber threats become more sophisticated over time, and so our defenses must
continue to evolve as well. Traditional IT-style defensive architectures depend unduly
on firewalls and intrusion detection systems (IDS). Firewalls forward messages, and so
can pass attacks, from untrusted to trusted networks. Intrusion detection systems
detect some attacks and miss others, and in most cases remediating intrusions takes
so long that IDS are not effective at preventing attackers from achieving their
cyber-espionage, cyber-sabotage or equipment-damaging goals. This is unacceptable.

This paper describes a modern reference architecture for defense-in-depth network
protection of power plants. The architecture recognizes that every system
exchanging messages with the Internet can be potentially compromised.

We will explore how stronger-than-firewalls protections eliminate the threat of
network attacks from untrusted networks, and eliminate external remote cyber risks
to protected, reliability-critical networks.

Figure (Modern Attacks): Phishing: send persuasive emails to reveal passwords or
download malware. Social engineering: get passwords via shoulder surfing, sticky
notes or keystrokes. Attack exposed clients. Compromise a domain controller.
Compromise trusted external assets: domain controller, DNS & ERP servers.
Compromise IT software, the industrial client or the business network.

Modern Threats

The electric grid has been identified as a strategic target for nation-state, terrorist,
hacktivist and other types of attack, and power plants remain essential elements of
the electric grid. Sophisticated attacks on ICS risk equipment damage, injuries to
personnel and environmental damage.

Modern network attacks begin with an attacker deceiving an employee into opening
an attachment, so that a piece of malware gains a foothold on the corporate network.
The malware typically tunnels a remote connection out to a command and control
server, and the attacker uses this remote connection to compromise select
additional machines through layers of firewalls. Once deep enough into their
targeted network, these attackers ultimately launch their end-game attack: either
stealing information, shutting down entire plants, or even damaging equipment.

Modern sophisticated attacks routinely defeat all software protections, including
firewalls, encryption, intrusion detection systems, anti-virus systems, security update
programs, and strong password management systems.
Firewall-only Security Insufficient for Power Plants
For years IT-centric, software-based security has been held up as the “gold standard”
for industrial control system networks. This understanding has changed. Security
research organizations, regulators and other experts world-wide are recognizing that
IT-centric security fails to meet the needs of control system networks - see Waterfall’s
Emerging Consensus Whitepaper for details.

Traditional IT-centric advice recognizes that firewalls are porous by design and
further recognizes that all software-based security mechanisms have vulnerabilities.
This advice encourages detection systems which actively seek out compromised
machines, contain them, identify stolen data, and restore the affected machines
from backups.

Expert consensus has emerged that regards traditional IT-centric advice as
insufficient to address the threat of modern, cyber-sabotage attacks on power
plants. The essential difference between IT systems and control systems is, not
surprisingly, control. Control systems operate large, complex, dangerous physical
processes. Damaged turbines and transformers cannot be “restored from backup”.
Worse, intrusion detection, response and remediation take time, even months,
before the average compromise is resolved.

Modern ICS-focused advice for control systems recognizes that while intrusion
detection plays an important role in a defensive architecture, the foundation of the
architecture must be intrusion prevention. Any malicious remote operation of
plant equipment, however brief, poses an unacceptable risk.

Modern Protections for Modern Threats
The most important element in attack prevention in a reference architecture for
power plants, is protecting the industrial network perimeter from less trusted,
less critical external networks. Waterfall Unidirectional Security Gateways enable
safe IT/OT integration as well as continuous real-time monitoring of industrial
operations by enterprise applications and central security operations centers (SOCs),
without introducing vulnerabilities to attacks that always accompany firewalled
connections.

Replacing at least one layer of firewalls with unidirectional technology in industrial
network environments results in absolute protection of control systems and
operations networks from attacks originating on external networks. Note the scope
of that claim: the gateway removes the network path from the external network into
the protected one. Attacks that arrive on removable media or through insiders take
other paths and need other controls; Use Case 3 below addresses that case.
Unidirectional Security Gateways enable vendor monitoring, industrial cloud
services and visibility into operations for modern enterprises and their customers.

Unidirectional Gateways replicate industrial servers, emulate devices and translate
industrial data to cloud formats for external enterprise networks. As a result,
Unidirectional Gateway technology is a plug-and-play replacement for firewalls,
without the vulnerabilities and maintenance issues that always accompany firewall
deployments. Because the gateway replicates at the application layer rather than
forwarding packets, each data source needs a matching protocol connector (the use
cases below list the protocols in question) rather than a firewall rule.
Unidirectional Gateways are combinations of hardware and software.
The gateway hardware physically transmits information in only one direction,
most commonly from the industrial network to an external IT network or the
Internet. External users and applications interact with the replica servers in real-time
as if those servers were the original, industrial systems, making the gateways
seamless replacements for firewalls.
Your Needs / Our Solution

Safe, Secure & Reliable IT/OT Integration
Waterfall’s Unidirectional Security Gateways provide hardware-enforced,
stronger-than-firewalls protection for critical industrial networks. The gateways
enable safe IT/OT integration, secure vendor monitoring and full visibility into
operations, at the same time providing absolute protection from attacks originating
on external networks. Unidirectional Gateways replace at least one layer of firewalls
in industrial network environments, sending real-time data to business networks
while enabling operational processes to continue reliably.

Disciplined Remote Access
The Waterfall FLIP is used when data flows out of a critical network routinely, and
when updates must flow back into that network frequently and periodically. The
FLIP physically reverses a built-in Unidirectional Security Gateway, allowing for safe
and disciplined scheduled updates. Because the two directions never exist at the
same time, there is never a simultaneous path in and out, which is what interactive
remote control needs; the FLIP hardware therefore makes remote-control persistent
targeted attacks physically impossible.

Control Over Remote Access
The Waterfall Secure Bypass Module enables on-site, physical control over remote
access connections. The hardware includes an electromechanical switch that can be
manually activated in emergencies to permit conventional interactive remote access
for the duration of the declared emergency.

Secure Connection to the Industrial Cloud
The Unidirectional CloudConnect enables industrial sites to benefit from the
Industrial Internet of Things (IIoT) while eliminating the risk of remote attacks.
CloudConnect provides hardware-enforced network protection and real-time
unidirectional translation of industrial data sources into Internet-friendly protocols
and cloud-friendly formats, while preventing remote attacks from penetrating
protected industrial networks.

Unidirectional Reference Architecture

Unidirectional Security Gateway products are the foundation for Secure Industrial
Networking (SIN). The Gateways in all their forms never forward messages, and
provide hardware-based protections for generation networks. In a unidirectional
reference architecture for power generation, secure IT/OT integration is only
conducted unidirectionally through the gateways, not through firewalls, and
dangerous remote access paths are completely eliminated.

Note that generation utilities may still carry out segmentation of their OT networks
using firewalls, provided these firewalls are used between sub-networks at the same
level of trust and criticality. As long as interconnections between Internet-exposed
and industrial control networks are protected with Unidirectional Gateways in a
defense-in-depth, layered network architecture, the path of infection from Internet-
exposed networks is broken.
Use Case 1: Safe IT/OT Integration

Security Benefits: breaks the online attack channel. Prevents all fuzzing attacks,
targeted remote control attacks, and virus attacks. Secures real-time monitoring of
operational industrial plant data. Plug-n-play replacement for firewalls.

The most common use of Unidirectional Security Gateways in power plants is
to enable safe IT/OT network integration. The gateways generally replace
unacceptably vulnerable firewall integrations of networks and applications.

Historian and Database Replication
The most common unidirectional IT/OT network integration architecture is a
Unidirectional Security Gateway integrating plant IT and OT networks via a historian
database. When there is a historian on the plant network, the gateway replicates the
plant database to the corporate network, where corporate users and applications can
query the replica database without any threat to the control system network.

Optional Feature: Network Security Updates with Unidirectional Gateways
When regular anti-virus updates, WSUS or other security updates must be sent into
the plant industrial network, a Waterfall FLIP can augment the Unidirectional Security
Gateway deployment. The FLIP is a Unidirectional Gateway whose orientation
periodically physically reverses, providing a disciplined inflow of updates into plant
networks, without ever introducing the unacceptable vulnerabilities that always
accompany bidirectional firewall deployments. While the FLIP is reversed, the
staging server on the IT side is the only source that can reach the plant, so that
server and the update content it holds are what the plant must trust during the
window.

Optional Feature: SIEM and Other IT Integrations
Waterfall’s unidirectional products are often configured to replicate a variety of IT-
centric data sources from plant networks to corporate networks. File servers can be
replicated to simplify reporting, debugging and other file transfers from plant
networks to corporate networks, thus minimizing the use of removable media. Syslog
servers and SNMP data sources can be replicated to Security Information and Event
Management (SIEM) systems in corporate SOCs and NOCs. When branch SIEMs have
been deployed on control system networks, Unidirectional Gateway products are able
to replicate those branch SIEMs as well, aggregating plant information into an
enterprise SIEM.

Theory of Operation

Figure: plant OT network, Unidirectional Security Gateway + FLIP, plant IT network,
corporate firewall, Internet (left to right).

A Waterfall Unidirectional Security Gateway implements safe IT/OT
integration by creating a fully functional system replica on the IT network,
while a Waterfall FLIP enables disciplined, scheduled updates of production
orders and anti-virus signatures in production systems.
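The historian replication described in this use case, as an added example that is not Waterfall's code: a small Python model of a one-way link, a plant-side transmit agent that reads new rows from a historian table and pushes them through the link, and an IT-side receive agent that rebuilds the replica. The link, the frame format (sequence number plus CRC), the agent classes and the sample tag data are all assumptions made for illustration. The point it shows that the prose does not: the receive side has no way to acknowledge or ask for a resend, so loss on the link can only be detected from sequence numbers on the receive side, and the TX/RX pair needs its own resynchronization plan (periodic full snapshots or redundant transmission are the usual options) rather than TCP-style retransmission.

```python
# Added example (not Waterfall's code): one-way historian replication modelled
# in Python. The link, frame format, agents and sample data are all assumptions.
import json
import sqlite3
import zlib
from collections import deque


class OneWayLink:
    """Stand-in for the gateway hardware. tx_end() hands out a send function and
    rx_end() a poll function; the RX side never receives anything it could send with."""

    def __init__(self):
        self._frames = deque()

    def tx_end(self):
        return self._frames.append

    def rx_end(self):
        return lambda: self._frames.popleft() if self._frames else None

    def simulate_loss(self, keep):
        """Test hook only: drop frames in flight, as a lossy wire would."""
        kept = [f for f in self._frames if keep(f)]
        self._frames.clear()
        self._frames.extend(kept)


def encode_frame(seq, rec):
    # No ACK or NACK can ever come back, so each frame carries a sequence number
    # (so RX can detect gaps) and a CRC (so RX can detect corruption).
    payload = json.dumps({"seq": seq, "rec": rec}, separators=(",", ":")).encode()
    return payload + b"|" + format(zlib.crc32(payload), "08x").encode()


def decode_frame(data):
    payload, _, crc = data.rpartition(b"|")
    if format(zlib.crc32(payload), "08x").encode() != crc:
        return None  # corrupted in transit; RX cannot ask for a resend
    return json.loads(payload)


def make_historian(rows):
    """Constructed plant-side historian table: (tag, timestamp, value)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE samples (id INTEGER PRIMARY KEY, tag TEXT, ts INTEGER, value REAL)")
    db.executemany("INSERT INTO samples (tag, ts, value) VALUES (?, ?, ?)", rows)
    return db


class TxAgent:
    """Plant-side agent: reads rows newer than the last one sent and pushes them."""

    def __init__(self, plant_db, send):
        self.db, self.send, self.last_id, self.seq = plant_db, send, 0, 0

    def cycle(self):
        q = "SELECT id, tag, ts, value FROM samples WHERE id > ? ORDER BY id"
        for rid, tag, ts, value in self.db.execute(q, (self.last_id,)):
            self.seq += 1
            self.send(encode_frame(self.seq, {"tag": tag, "ts": ts, "value": value}))
            self.last_id = rid


class RxAgent:
    """IT-side agent: rebuilds the replica and records sequence gaps for operators."""

    def __init__(self, poll):
        self.poll, self.expected, self.gaps = poll, 1, []
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE samples (tag TEXT, ts INTEGER, value REAL)")

    def cycle(self):
        while (raw := self.poll()) is not None:
            msg = decode_frame(raw)
            if msg is None:
                continue
            if msg["seq"] != self.expected:  # frames were lost; record the hole
                self.gaps.append((self.expected, msg["seq"] - 1))
            self.expected = msg["seq"] + 1
            r = msg["rec"]
            self.db.execute("INSERT INTO samples VALUES (?, ?, ?)", (r["tag"], r["ts"], r["value"]))


def replicate(rows, drop_seqs=frozenset()):
    """One replication pass; drop_seqs simulates frames lost on the link.
    Returns (rows now in the replica, gaps the RX side detected)."""
    link = OneWayLink()
    tx_agent, rx_agent = TxAgent(make_historian(rows), link.tx_end()), RxAgent(link.rx_end())
    tx_agent.cycle()
    link.simulate_loss(lambda f: decode_frame(f)["seq"] not in drop_seqs)
    rx_agent.cycle()
    replica = rx_agent.db.execute("SELECT tag, ts, value FROM samples ORDER BY rowid").fetchall()
    return replica, rx_agent.gaps


SAMPLE_ROWS = [  # constructed plant data, not real telemetry
    ("GT1_SPEED_RPM", 1000, 3600.0),
    ("GT1_SPEED_RPM", 1001, 3601.5),
    ("GT1_EXH_TEMP_C", 1001, 548.2),
    ("GT1_MW", 1002, 112.4),
]

if __name__ == "__main__":
    print(replicate(SAMPLE_ROWS, drop_seqs={3}))  # replica lacks row 3; gaps == [(3, 3)]
```

Running it with frame 3 dropped leaves the replica one row short and the RX agent holding the gap (3, 3); nothing in the RX side can turn that gap into a retransmit request, which is exactly the property the hardware enforces and the reason the replica is a copy to be queried rather than a channel back into the plant.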
Use Case 2: Turbine Vendor Monitoring

Security Benefits: electric generators are protected absolutely from compromised
vendor machines and networks. Vendors can monitor turbines continuously, but no
network attack can reach back from the vendor’s central site into the power plant’s
control system.

At most power plants, there is a need to support control system vendor
monitoring and diagnostics programs. Turbine and other ICS vendors
generally also require occasional opportunities to adjust control system
components to address problems as they arise, and prevent serious failures
later on.

Vendor Monitoring
Generating sites address this need by deploying a Unidirectional Gateway to
replicate control-system servers from a reliability-critical network to a vendor DMZ.
The DMZ is connected to the vendor’s central management system, most often via
VPN. The control system server replicas are faithful copies of plant systems and
provide the vendor full visibility into the status and condition of generating plant
systems. The VPN protects the monitoring traffic in transit; it is the gateway that
keeps a compromised vendor site from reaching the control network, and the DMZ
itself should be treated as vendor-exposed.

Optional Feature: Remote Adjustment with Remote Screen View
If a vendor needs to adjust control system or turbine parameters, the vendor
schedules time with site personnel to view plant workstations through
Waterfall’s Remote Screen View (RSV). With the RSV client installed, screen
mirroring is enabled through a Unidirectional Security Gateway. The vendor is able
to view the plant workstation via a video feed streamed through the Gateway, without
exposing the plant workstation to attack. The vendor is thus able to guide site
personnel through the adjustment and verify that corrections have been made.

Theory of Operation

Figure: plant OT network, Unidirectional Security Gateway, vendor DMZ, corporate
firewall, vendor (left to right).

A Waterfall Unidirectional Security Gateway enables safe vendor monitoring
and real-time visibility into operations while at the same time providing
absolute protection to control systems and operations networks from
attacks originating on external, less secure networks.
Use Case 3: Protecting Relay and Safety Networks

Security Benefits: prevents all remote adversaries, no matter how sophisticated,
from reaching through intermediate networks into protection and safety networks.
Correctly-functioning protection and safety networks ensure that no lasting damage
can be inflicted on plant equipment or personnel.

Safety equipment and protective relays are software-based components that are
essential to modern reliability and safety programs. These components
become ineffective when compromised, and so protecting these
components is vital.

Secure Monitoring of Safety and Protection Systems
Unidirectional Security Gateways are routinely deployed to replicate devices from
protection and safety networks to control networks for continuous monitoring.
These replications use DNP3, IEC 60870, IEC 61850, Modbus and other protocol
connectors. SNMP traps and syslog data sources may also be replicated to central
Network and Security Operations Centers for additional reliability or security
monitoring. Continuous monitoring is essential to all security programs, process and
employee safety programs, and electric system reliability programs.

These Unidirectional Gateway deployments may be the only unidirectional
protections for the safety systems, or the gateways may be deployed as a second
layer of security. In the latter case, the gateways protect safety systems from attack
by plant insiders, and from attack by malware that may have reached reliability-
critical control system networks via USB flash sticks and other removable media.

Theory of Operation

Figure: protective relays and safety systems, Unidirectional Security Gateway,
generating unit control network (left to right).

A Waterfall Unidirectional Security Gateway secures the relay and safety
networks behind an impassable physical protection layer, allowing the
transmission of information from these networks to the generating unit
control network, and preventing any transmission from getting inside.
Use Case 4: Control Center Communications

Security Benefits: absolute protection against external attacks for plants that do
not require continuous commands from a control center. An inbound/outbound
gateway configuration much stronger than firewalls for all other plants. Permits only
reasonable setpoint values to enter the plant control system from generation-
dispatch control centers with Waterfall’s Application Control option.

Base-load plants frequently need to communicate with regional authorities
such as the power utility’s generation-dispatch control center. The protocol
of choice is often ICCP, but may also be any of DNP3, IEC 60870-5-104, or
IEC 61850 MMS. For some base-load plants, this communication is purely a
reporting function; change orders from the regional authority are infrequent
and are accomplished through schedules agreed long in advance. Base-load
plants can be secured by outbound-oriented Unidirectional Security
Gateways, as described in the IT/OT use case above.

Secure Control of Peaking Plants
Peaking plants are more complex: they require continuous reporting to a generation
dispatch center, and require a continuous, second-by-second stream of new setpoints
from the dispatch center.

Unidirectional Security Gateways replicating the power plant’s ICCP slave or other
protocol slave devices to a generation dispatch center meet the needs of some base
load plants, and inbound/outbound Unidirectional Gateways can be deployed to
meet the needs of all remaining plants. The outbound Unidirectional Gateway
replicates the plant’s ICCP server to the corporate network or to a dedicated DMZ, so
that the dispatch center’s EMS/SCADA master can poll the plant replica. The inbound
Unidirectional Gateway replicates the EMS ICCP server back into the plant, where
plant systems query the replica for new setpoints. The inbound replica is the one
place where data from outside reaches plant systems, which is why the Application
Control option’s checks on setpoint values apply to it.

Theory of Operation

Figure: plant OT network, inbound/outbound Unidirectional Security Gateways,
corporate firewall, ICCP WAN, generation dispatch (left to right).

Two Waterfall Unidirectional Security Gateways create independent
inbound/outbound application replications, so that information flows in both
directions between the power plant OT network and the generation dispatch
center network over two separate one-way paths.
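As an added example of the kind of check the sidebar describes (only reasonable setpoint values enter the plant), here is a Python filter applied to messages read from the inbound replica. It is not Waterfall's Application Control, and the tag names, limits, message layout and sample messages are all constructed for illustration. Beyond a plain range check it also rejects non-numeric and NaN values, stale or replayed timestamps, and steps larger than the unit should be asked to take between consecutive setpoints, since a value that is inside the range but far from the previous one can move equipment just as violently as one that is out of range.

```python
# Added example (not Waterfall's Application Control): application-level checks
# on setpoints read from the inbound replica before plant systems act on them.
# Tag names, limits, message layout and sample messages are all assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class SetpointRule:
    low: float
    high: float
    max_step: float  # largest change allowed between consecutive accepted values


# Assumed limits for a constructed peaking unit; real limits come from the plant's
# engineering and protection settings, not from this example.
RULES = {
    "GT1_MW_SETPOINT": SetpointRule(low=0.0, high=150.0, max_step=20.0),
    "GT1_AGC_ENABLE": SetpointRule(low=0.0, high=1.0, max_step=1.0),
}


class SetpointFilter:
    """Accepts a setpoint only if it names a known tag, is numeric, sits inside the
    tag's range, is fresh and newer than the last accepted one, and does not jump
    further than the tag's max_step. Rejected values never update the state."""

    def __init__(self, rules, max_age_s=10):
        self.rules, self.max_age_s = rules, max_age_s
        self.last_value, self.last_ts = {}, {}

    def check(self, msg, now):
        """Return None to accept, or a short reason string to reject."""
        tag = msg.get("tag")
        rule = self.rules.get(tag)
        if rule is None:
            return "unknown tag"
        v = msg.get("value")
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return "non-numeric value"
        if not (rule.low <= v <= rule.high):  # also rejects NaN: comparisons fail
            return "out of range"
        ts = msg.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.max_age_s:
            return "stale or future timestamp"
        if tag in self.last_ts and ts <= self.last_ts[tag]:
            return "replayed or out-of-order"
        if tag in self.last_value and abs(v - self.last_value[tag]) > rule.max_step:
            return "step too large"
        self.last_value[tag], self.last_ts[tag] = v, ts
        return None


def filter_batch(messages, now, rules=RULES):
    """Run a batch through one filter. Returns (accepted {tag: value},
    rejected [(tag, value, reason)])."""
    flt = SetpointFilter(rules)
    rejected = []
    for msg in messages:
        reason = flt.check(msg, now)
        if reason is not None:
            rejected.append((msg.get("tag"), msg.get("value"), reason))
    return dict(flt.last_value), rejected


# Constructed messages as they might be read from the inbound ICCP replica.
SAMPLE_MESSAGES = [
    {"tag": "GT1_MW_SETPOINT", "value": 100.0, "ts": 1000},  # first value: accepted
    {"tag": "GT1_MW_SETPOINT", "value": 115.0, "ts": 1001},  # +15 MW: accepted
    {"tag": "GT1_MW_SETPOINT", "value": 145.0, "ts": 1002},  # +30 MW in one step
    {"tag": "GT1_MW_SETPOINT", "value": 900.0, "ts": 1003},  # above the unit's range
    {"tag": "GT1_MW_SETPOINT", "value": "110", "ts": 1004},  # string, not a number
    {"tag": "GT1_MW_SETPOINT", "value": 110.0, "ts": 1001},  # old timestamp again
    {"tag": "GT1_FUEL_VALVE", "value": 1.0, "ts": 1005},     # tag the plant never allowed
    {"tag": "GT1_AGC_ENABLE", "value": 1, "ts": 1005},       # accepted
    {"tag": "GT1_MW_SETPOINT", "value": 120.0, "ts": 900},   # far too old
]

if __name__ == "__main__":
    accepted, rejected = filter_batch(SAMPLE_MESSAGES, now=1006)
    print(accepted)
    for tag, value, reason in rejected:
        print(f"rejected {tag}={value!r}: {reason}")
```

Two design choices worth noting: a rejected message never updates the last-accepted value or timestamp, so a single bad sample cannot drag the baseline and make the next step check pass; and the allowlist of tags is the first check, so a dispatch-side compromise cannot write to a point the plant never agreed to accept, however well-formed the value.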
NERC CIP Compliance Benefits

The NERC CIP V5 and V6 standards both encourage the use of strong security in the
form of Unidirectional Security Gateways by reducing the number of compliance
requirements for unidirectionally-protected networks.

Exemptions From 30% of NERC CIP V5 Requirements
The NERC CIP V5 standards define External Routable Connectivity as “bi-directional”
routable communications through an Electronic Security Perimeter (ESP). Waterfall’s
Unidirectional Security Gateways are never bi-directional. All communications are
unidirectional, including inbound communications via a FLIP and Inbound/Outbound
gateway pairs. A power plant protected exclusively by Waterfall’s Unidirectional
Security Gateways therefore has no bi-directional communications through an ESP,
and therefore has no External Routable Connectivity.

As a result, the power plant is exempt from the 38 CIP V5 requirements for Medium
Impact BES Cyber Systems with External Routable Connectivity, precisely because
the plant is not at risk from External Routable Connectivity. The compliance cost
savings resulting from these exemptions are substantial and can be up to millions of
dollars per year.

NERC CIP V6
The proposed NERC CIP V6 standards preserve all V5 definitions and exemptions
relating to Unidirectional Security Gateways, and add new definitions and
exemptions. CIP V6 defines Low Impact External Routable Connectivity (LERC) as
“bi-directional” routable communications. Unidirectionally-protected networks are
exempt from all requirements related to LERC.

Which of Our Control Systems is Expendable?

A decade ago, firewalls were effectively the only available technology able to protect
our most important control system networks from corporate networks, central
vendor sites, and the Internet. When we wanted to benefit from real-time access to
control system data we had no choice but to connect networks, deploy firewalls and
other security software, and “cross our fingers.” Today, cyber attackers have
demonstrated repeatedly the ability to defeat all software-based security, including
firewalls.

Waterfall Security Solutions invented Unidirectional Security Gateways to provide an
alternative to firewalls for safe IT/OT integration. Today, Unidirectional Security
Gateways are readily available, widely deployed around the world, and documented
as a best practice by leading cyber security experts, authorities and standards. Today,
with this technology so readily available, we must ask the question “which of our
generating sites are so expendable that we can afford to protect them with only
firewalls?” The answer is self-evident.

The risk-reduction benefit of deploying Unidirectional Security Gateways is clear:
the reliability of our power plants, the equipment in those plants, and the
reputations of our generating businesses are at serious risk from modern attacks. In
order to attack sites protected by Unidirectional Security Gateways, IT insiders,
hacktivists, organized crime and even nation-states have no choice but to revert to
crossing the physical perimeter of a plant. This dramatically increases the difficulty of
attacking generating sites, and this benefit is the reason that Unidirectional Security
Gateways are so often recommended and required in best-practice guidance and
regulations.

The case for securing our power plants with Waterfall’s Unidirectional Security
Gateways is clear. The real question remaining is “when do we start?” Sooner is
better. The threat grows by the day.
About Waterfall Security
Waterfall Security Solutions is the global leader in
industrial cybersecurity technology. Waterfall
products, based on its innovative unidirectional
security gateway technology, represent an
evolutionary alternative to firewalls. The company's
expanding portfolio of customers includes national
infrastructures, power plants, nuclear plants, offshore
oil and gas facilities, rail transport, refineries,
manufacturing plants, utility companies, and many
more. Deployed throughout North America, Europe,
the Middle East and Asia, Waterfall products support
the widest range of leading industrial remote
monitoring platforms, applications, databases and
protocols in the market.

Visit us at www.waterfall-security.com

Waterfall’s products are covered by U.S. Patents 7,649,452, 8,223,205, and by other pending patent applications
in the US and other countries. “Waterfall”, the Waterfall Logo, “Stronger than Firewalls”, “In Logs We Trust”,
“Unidirectional CloudConnect”, “CloudConnect”, and “One Way to Connect” are trademarks of Waterfall
Security Solutions Ltd. All other trademarks mentioned above are the property of their respective owners.
Waterfall Security reserves the right to change the content at any time without notice. Waterfall Security
makes no commitment to update content and assumes no responsibility for any mistakes in this document.
Copyright © 2020 Waterfall Security Solutions Ltd. All Rights Reserved. www.waterfall-security.com