Securing Power Generation Ebook PDF
Firewall-only Security Insufficient for Power Plants
For years IT-centric, software-based security has been held up as the “gold standard”
for industrial control system networks. This understanding has changed. Security
research organizations, regulators and other experts world-wide are recognizing that
IT-centric security fails to meet the needs of control system networks - see Waterfall’s
Emerging Consensus Whitepaper for details.
Traditional IT-centric advice recognizes that firewalls are porous by design and
further recognizes that all software-based security mechanisms have vulnerabilities.
This advice encourages detection systems which actively seek out compromised
machines, contain them, identify stolen data, and restore the affected machines
from backups.
Modern ICS-focused advice for control systems recognizes that while intrusion
detection plays an important role in a defensive architecture, the foundation of the
architecture must be intrusion prevention. Any malicious remote operation of
plant equipment, however briefly, poses an unacceptable risk.
Modern Protections for Modern Threats
The most important element of attack prevention in a reference architecture for
power plants is protecting the industrial network perimeter from less trusted,
less critical external networks. Waterfall Unidirectional Security Gateways enable
safe IT/OT integration as well as continuous real-time monitoring of industrial
operations by enterprise applications and central security operations centers (SOCs),
without introducing the vulnerabilities to attack that always accompany firewalled
connections.
Unidirectional Reference Architecture
Unidirectional Security Gateway products are the foundation for Secure Industrial
Networking (SIN). The Gateways in all their forms never forward messages, and
provide hardware-based protections for generation networks. In a unidirectional
reference architecture for power generation, secure IT/OT integration is only
conducted unidirectionally through the gateways, not through firewalls, and
dangerous remote access paths are completely eliminated.

Note that generation utilities may still carry out segmentation of their OT networks
using firewalls, provided these firewalls are used between sub-networks at the same
level of trust and criticality. As long as interconnections between Internet-exposed
and industrial control networks are protected with Unidirectional Gateways in a
defense-in-depth, layered network architecture, the path of infection from
Internet-exposed networks is broken.

Disciplined Remote Access
... must flow back into that network frequently and periodically. The FLIP
physically reverses a built-in Unidirectional Security Gateway allowing for safe
and disciplined scheduled updates. The FLIP hardware makes remote-control
persistent targeted attacks physically impossible.

Control Over Remote Access
The Waterfall Secure Bypass Module enables on-site, physical control over remote
access connections. The hardware includes an electromechanical switch that – in
emergencies – can be manually activated to permit conventional interactive remote
access for the duration of the declared emergency.

Secure Connection to the Industrial Cloud
The Unidirectional CloudConnect enables industrial sites to benefit from the
Industrial Internet of Things (IIoT) while eliminating the risk of remote attacks.
CloudConnect provides hardware-enforced network protection and real-time
unidirectional translation of industrial data sources into Internet-friendly
protocols and cloud-friendly formats, while preventing remote attacks from
penetrating protected industrial networks.
Use Case 1: Safe IT/OT Integration
The most common use of Unidirectional Security Gateways in power plants is
to enable safe IT/OT network integration. The gateways generally replace
unacceptably vulnerable firewall integrations of networks and applications.

Theory of Operation
[Figure: plant OT network, plant IT network, Internet]
Use Case 2: Turbine Vendor Monitoring
At most power plants, there is a need to support control system vendor
monitoring and diagnostics programs. Turbine and other ICS vendors
generally also require occasional opportunities to adjust control system
components to address problems as they arise, and prevent serious failures
later on.

Theory of Operation
[Figure: plant OT network, vendor DMZ, vendor]
Use Case 3: Protecting Relay and Safety Networks
Safety equipment and protective relays are software components that are
essential to modern reliability and safety programs. These components
become ineffective when compromised, and so protecting these
components is vital.

Secure Monitoring of Safety and Protection Systems
Unidirectional Security Gateways are routinely deployed to replicate devices from
protection and safety networks to control networks for continuous monitoring.
These replications use DNP3, IEC 60870, IEC 61850, Modbus and other protocol
connectors. SNMP traps and syslog data sources may also be replicated to Central
Network and Security Operations Centers for additional reliability or security
monitoring. Continuous monitoring is essential to all security programs, process and
employee safety programs, and electric system reliability programs.

SECURITY BENEFITS
Prevents all remote adversaries, no matter how sophisticated, from reaching
through immediate networks into protection and safety networks

Theory of Operation
[Figure: protective relays, safety systems, generating unit control network, Unidirectional Security Gateway]
Use Case 4: Control Center Communications
Base-load plants frequently need to communicate with regional authorities
such as the power utility’s generation-dispatch control center. The protocol
of choice is often ICCP, but may also be any of DNP3, IEC 60870-5-104, or
61850 MMS. For some base-load plants, this communication is purely a
reporting function; change orders from the regional authority are infrequent
and are accomplished through schedules agreed long in advance. Base-load
plants can be secured by outbound-oriented Unidirectional Security
Gateways, as described in the IT/OT use case above.

Secure Control of Peaking Plants
Peaking plants are more complex: they require continuous reporting to a generation
dispatch center, and require a continuous, second-by-second stream of new setpoints
from the dispatch center.

Unidirectional Security Gateways replicating the power plant’s ICCP slave or other
protocol slave devices to a generating dispatch center meet the needs of some base
load plants, and inbound/outbound Unidirectional Gateways can be deployed to
meet the needs of all remaining plants. The outbound Unidirectional Gateway
replicates the plant’s ICCP server to the corporate network or to a dedicated DMZ, so
that the dispatch center’s EMS/SCADA master can poll the plant replica. The inbound
Unidirectional Gateway replicates the EMS ICCP server back into the plant where
plant systems query the replica for new setpoints.

SECURITY BENEFITS
Absolute protection against external attacks for plants that do not require
continuous commands from a control center

Inbound/Outbound gateway configuration MUCH stronger than firewalls for all
other plants

Permits only reasonable setpoint values to enter the plant control system from
generation–dispatch control centers with Waterfall’s Application Control option
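
The idea of admitting only reasonable setpoints from the inbound replica, as an added example that is not from the ebook and does not describe how Waterfall's Application Control works. The unit name, limits, timestamps and the ramp rule are constructed assumptions for a generic plant-side sanity check.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class UnitLimits:            # constructed engineering limits for one unit
    min_mw: float
    max_mw: float
    max_ramp_mw_per_s: float
    max_age_s: float

@dataclass(frozen=True)
class Setpoint:              # one value read from the inbound replica
    unit: str
    mw: float
    issued_at: float         # dispatch-center timestamp, seconds

LIMITS = {"GT1": UnitLimits(20.0, 180.0, 2.0, 10.0)}  # hypothetical unit

def check_setpoint(sp, last_mw, last_time, now, limits=LIMITS):
    """Return (accepted, reason) for one setpoint."""
    lim = limits.get(sp.unit)
    if lim is None:
        return False, "unknown unit"
    if not math.isfinite(sp.mw):
        return False, "not a finite number"
    if not 0.0 <= now - sp.issued_at <= lim.max_age_s:
        return False, "stale or future-dated"
    if not lim.min_mw <= sp.mw <= lim.max_mw:
        return False, "outside operating range"
    # Allowed change grows with time since the last accepted setpoint.
    if abs(sp.mw - last_mw) > lim.max_ramp_mw_per_s * (now - last_time):
        return False, "ramp rate exceeded"
    return True, "ok"

def apply_stream(stream, start_mw, start_time):
    """Hold the last accepted value; return (final_mw, reasons)."""
    mw, t, reasons = start_mw, start_time, []
    for now, sp in stream:
        ok, reason = check_setpoint(sp, mw, t, now)
        reasons.append(reason)
        if ok:
            mw, t = sp.mw, now
    return mw, reasons

SAMPLE = [  # constructed (receive_time, setpoint) pairs
    (1.0, Setpoint("GT1", 101.5, 0.8)), (2.0, Setpoint("GT1", 250.0, 1.9)),
    (3.0, Setpoint("GT1", 140.0, 2.9)), (4.0, Setpoint("GT1", 104.0, 3.9)),
    (20.0, Setpoint("GT1", 105.0, 4.0)), (21.0, Setpoint("GT9", 50.0, 20.9)),
    (22.0, Setpoint("GT1", float("nan"), 21.9)),
]
```

Rejected values leave the unit on its last accepted setpoint, so a malformed or implausible command degrades to "hold" rather than to an unchecked change.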
Theory of Operation
[Figure: inbound/outbound Unidirectional Security Gateways, corporate firewall]
NERC CIP Compliance Benefits
The NERC CIP V5 and V6 standards both encourage the use of strong security in the
form of Unidirectional Security Gateways by reducing the number of compliance
requirements for unidirectionally-protected networks.

Exemptions From 30% of NERC CIP V5 Requirements
The NERC CIP V5 standards define External Routable Connectivity as “bi-directional”
routable communications through an External Security Perimeter (ESP). Waterfall’s
Unidirectional Security Gateways are never bi-directional. All communications are
unidirectional, including inbound communications via a FLIP and Inbound/Outbound
gateway pairs. A power plant protected exclusively by Waterfall’s Unidirectional
Security Gateways therefore has no bi-directional communications through an ESP,
and therefore has no External Routable Connectivity.

As a result, the power plant is exempt from the 38 CIP V5 requirements for Medium
Impact BES Cyber Systems with External Routable Connectivity, precisely because
the plant is not at risk from External Routable Connectivity. The compliance cost
savings resulting from these exemptions are substantial and can be up to millions of
dollars per year.

NERC CIP V6
The proposed NERC CIP V6 standards preserve all V5 definitions and exemptions
relating to Unidirectional Security Gateways, and add new definitions and
exemptions. CIP V6 defines Low Impact External Routable Communications (LERC)
as “bi-directional” routable communications. Unidirectionally-protected networks are
exempt from all requirements related to LERC.

Which of Our Control Systems is Expendable?
A decade ago, firewalls were effectively the only available technology able to protect
our most important control system networks from corporate networks, central
vendor sites, and the Internet. When we wanted to benefit from real-time access to
control system data we had no choice but to connect networks, deploy firewalls and
other security software, and “cross our fingers.” Today, cyber attackers have
demonstrated repeatedly the ability to defeat all software-based security, including
firewalls.

Waterfall Security Solutions invented Unidirectional Security Gateways to provide an
alternative to firewalls for safe IT/OT integration. Today, Unidirectional Security
Gateways are readily available, widely deployed around the world, and documented
as a best practice by leading cyber security experts, authorities and standards. Today
with this technology so readily available, we must ask the question “which of our
generating sites are so expendable that we can afford to protect them with only
firewalls?” The answer is self-evident.

The risk-reduction benefit of deploying Unidirectional Security Gateways is clear –
the reliability of our power plants, the equipment in those plants, and the
reputations of our generating businesses are at serious risk from modern attacks. In
order to attack sites protected by Unidirectional Security Gateways, IT insiders,
hacktivists, organized crime and even nation-states have no choice but to revert to
crossing the physical perimeter of a plant. This dramatically increases the difficulty in
attacking generating sites, and this benefit is the reason that Unidirectional Security
Gateways are so often recommended and required in best-practice guidance and
regulations.

The case for securing our power plants with Waterfall’s Unidirectional Security
Gateways is clear. The real question remaining is “when do we start?” Sooner is
better. The threat grows by the day.
About Waterfall Security
Waterfall Security Solutions is the global leader in
industrial cybersecurity technology. Waterfall
products, based on its innovative unidirectional
security gateway technology, represent an
evolutionary alternative to firewalls. The company's
expanding portfolio of customers includes national
infrastructures, power plants, nuclear plants, offshore
oil and gas facilities, rail transport, refineries,
manufacturing plants, utility companies, and many
more. Deployed throughout North America, Europe,
the Middle East and Asia, Waterfall products support
the widest range of leading industrial remote
monitoring platforms, applications, databases and
protocols in the market.
Visit us at www.waterfall-security.com
Waterfall’s products are covered by U.S. Patents 7,649,452, 8,223,205, and by other pending patent applications
in the US and other countries. “Waterfall”, the Waterfall Logo, “Stronger than Firewalls”, “In Logs We Trust”,
“Unidirectional CloudConnect”, “CloudConnect”, and “One Way to Connect” are trademarks of Waterfall
Security Solutions Ltd. All other trademarks mentioned above are the property of their respective owners.
Waterfall Security reserves the right to change the content at any time without notice. Waterfall Security
makes no commitment to update content and assumes no responsibility for any mistakes in this document.
Copyright © 2020 Waterfall Security Solutions Ltd. All Rights Reserved. www.waterfall-security.com