In December of 2011, NERC issued Compliance Application Notice (CAN) 0024 “CIP-002 R3 Routable Protocols and Data Diode Devices.” The purpose of a CAN is to provide guidance to auditors who evaluate industry compliance with CIP reliability standards and who make findings that can lead to enforcement actions and monetary fines. CAN-0024 provides instruction for assessing whether the communication characteristics of data diode devices can be used to exclude cyber assets from consideration as Critical Cyber Assets (CCA) when a routable protocol is used when not at a control center.

“Data diodes” are hardware-enforced one-way or unidirectional communications. They permit data to flow from a protected network to an external network, but provide no physical data path for information, remote control attacks, or other cyber-attacks to flow back in to the protected network. Unidirectional hardware is used to provide strong security for connections through an Electronic Security Perimeter (ESP). Routable communications that cross an ESP are of concern under the NERC CIP standards because they can be a vector for attacking a control system.

This whitepaper introduces CIP-002, routable protocols that are used in “routable communications,” and unidirectional communication concepts, and then applies the guidance in the CAN-0024 to three types of commonly-deployed hardware architectures for unidirectional communications. We conclude that Waterfall’s Unidirectional Security Gateways, which do not use routable communications, can be used to exclude Cyber Assets from consideration as Critical Cyber Assets (CCA) in accordance with CAN-0024.

January 2012

View the article

This presentation briefly reviews firewall issues and costs, and introduces Unidirectional Gateways. We explore deployment scenarios in refineries and pipelines, and discuss common deployment issues and solutions for them.

Join us to see how network isolation via Unidirectional Gateways permits the flow of critical business information out of control networks, while providing cost savings, as well as strong protections against threats ranging from errors and omissions to insiders, common malware and even targeted attacks.

Waterfall thanks the National Petroleum Refiners Association (NPRA) for sponsoring this webinar and making this recording available.

Press here to view the recorded webinar.

ENHANCEMENTS:

Version: 4.0.0.0, Revision: 2827, Issue Date: December 5^th, 2011

• Local Folders Channel: Previously the ‘File Procedure’ DLL passed the file path with ‘\’ as the path separator character to the command line. A new tag named ‘PathSeparator’ is added to ‘ProcedureParams’ as a part of ‘FileProcedure’ tag. Using this tag, the user may determine a path separator to his convenience: ‘/’ or ‘\’. Note that for ‘\’ the tag input should be ‘\\’.
• Remote Folders Channel: Adding the ability of selecting a path separator by the User. The ‘File Procedure’ DLL now handles the files on the local path (LocalPath) and not on the remote path (RemotePath).

 Mirror Channel

BUG FIX:

Version: 4.0.0.0, Revision: 2855, Issue Date: December 5^th, 2011.

Not all the folders of the channel are created when configuring the Mirror channel and pressing on the Apply button.

Remote Screen View Channel

BUG FIX:

Version: 4.0.0.0, Revision: 2859, Issue Date: December 5^th, 2011.

When defining a Remote Screen View channel, at the RX side the HTTPD channel does not respond to browser’s requests.

Trio System

BUG FIX:

Version: 4.0.0.0, Revision: 2536, Issue Date: December 5^th, 2011.

Rx and Tx network cards stay permanently in suspension mode after disconnecting Trio Tx.

Dennis Kilgore, President and Founder of DLL Solutions, and Andrew Ginter, Director of Industrial Security at Waterfall Security Solutions explore the threat environment, Unidirectional Security Gateways, and the DLL Solutions experience of installing gateways at a merchant power plant.

Press here to view the recorded webinar.

“You need to be paranoid. You need to assume your system is under attack,” said Andrew Ginter, director of industrial security at Waterfall Security Solutions.

That is part of what a user must think about when they are a victim of an advanced persistent threat (APT) like Stuxnet, Ginter said during his talk Tuesday with Joel Langill, chief technology officer at SCADAHacker, entitled “How Stuxnet Spread: A Study of Infection paths in Best Practice Systems” at the ICSJWG 2011 Spring Conference in Dallas.

“An advanced persistent threat works on a single target,” Ginter said. “Stuxnet was one example.” Usually an APT comes from organized crime or from nation states, he said. This worm targeted the Siemens control systems that and went after the Iranian nuclear enrichment program. “The objective was to sabotage the nuclear program,” he said.

This approach to the attack was not new and in fact there may be more to come down the road.

“Two dozen nations announced they are funding cyber warfare initiatives,” Ginter said. “Some friendly, some not. In addition, one dozen more nations have not announced it, but it is known they are funding cyber warfare initiatives. Again, some friendly, some not.”

Ginter remains impressed with the mighty worm. “This had four zero days and the worm circulated 3 to 4 months before anyone was alerted to it. That meant it was free to go around a system and learn. This was also the first time a worm used a PLC rootkit, which allowed the worm to reprogram the PLC without the users knowing it was happening.”

If anyone thinks this worm was purely attacking a vulnerability in the Siemens system, think again, Langill said.

“There is a lot to the worm that can apply to any system from any vendor,” he said.

Another interesting aspect is the worm could attack from different vectors. Langill said the one most people focus on is the USB stick, but there were others like the local area network communications.

On top of the attack vectors, the worm also had the ability to adapt to its environment.

“This provided the bad guys a well controlled playbook to get into any system,” Langill said.

Stuxnet brought the idea of policy and procedures to the forefront of users’ attention. “Why spend $500,000 on a security system if you allow a USB stick to plug into your engineering workstation,” Langill said.

He then asked, “Are we still vulnerable? Yes.”

View the article

By Gregory Hale

ISS Source, May 5, 2011

ENHANCEMENT:

Version: 4.0.0.0, Revision: 2512, Issue Date: September 5^th, 2011.

Wait interval settings were removed since the reading mechanism of messages from the TibEMS server has changed. The EMS triggers are currently used instead of reading new messages by the interval timing.

File Transferring

BUG FIX:

Version: 4.0.0.0, Revision: 2705, Issue Date: September 5^th, 2011.

 ‘Local Folder’ missing an error report on RX console when  receiving files that contain Tilde ‘(~)’ in the file name.

OPC Channel

ENHANCEMENTS:

Version: 4.0.0.0, Revision: 2727, Issue Date: September 5^th, 2011

• Enabling deletion of a DB file in order to perform remapping the tags’ names: A new button named ‘Clean DB’ is added, for both DA and HDA Server channels. Pressing this button will delete the DB file as configured in ‘BackupRecoverFileName’ XML tag.
• In former OPC revisions, the user could either select all tags or select tags from the tag list. The new revision also enables the user to exclude tags from the tag list.
• A new “Debug Level” feature has been added, which enables the user to control the extra messages that are added to the LOG file. The levels are 0 to 2, with 0 extra messages in level 0 and all extra messages in level 2.
• A new tag- “DelayProcessingMsec”- was added to OPC DA Server and Client channels. This configuration was added to the data-structure layer, in order to control the load on the OPC server.

BUG FIXES:

Version: 4.0.0.0, Revision: 2727, Issue Date: September 5^th, 2011

• Formerly, when configuring the OPC-DA-Client channel, the configuration tool created the OPC tags and branches under the OPC Server tag at the XML file. Since the Stream Agent reads these tags from the main channel’s tag, OPC tags and branches are currently created by the configuration tool in the same location that the Stream Agent is reading from.
• A bug that causes crashing when printing a wrong type of parameter into the LOG file.

1. Waterfall Has More Control System “Connectors”

A “connector” allows what is typically two-way traffic to be sent through a one-way security device. You essentially install a protocol or application client / server on both sides of their device. The secure side server gets the information as usual, then pushes it out to the insecure side server using a Waterfall one-way protocol. So even though the communication is two way, data from the secure side can be available to the insecure side and accessed from other clients and servers on the insecure side.

In my original blog I mentioned that there were connectors available for protocols like OPC and ICCP, but in fact there is a much larger list including:

• Historians like OSIsoft’s PI Server and GE iHistorian
• Modbus TCP and DNP3
• NTP and log transfer
• Bentley Nevada, Siemens Simatic / WinCC and others

2. Some Connectors Push Configuration Data

One of the problems with the connector approach is the administrative burden. For example, an administrator would have to enter any new OPC tag on two systems, one on the secure side and the other on the insecure side. Of course this is often done with a USB stick or other sneakernet technique.

I learned that some of the Historian solutions have the ability to make configuration changes on the secure side and have these pushed through the one-way device to the insecure side.

View the article

By Dale Peterson

Digital Bond, October 5, 2010