Waterfall Security Solutions » Whitepapers and Information

Applying NERC-CIP CAN-0024

amir — Mon, 23 Jan 2012 05:57:12 +0000

Under the direction of the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) is charged with enforcing reliability standards for the Bulk Electric System (BES) in North America. Reliability standards for the BES are created under NERC’s supervision by an industry-driven process. Both physical security threats and cyber security threats are regarded as threats to the reliability of the BES, and as a result a set of Critical Infrastructure Protection (CIP) security standards have been adopted.

In December of 2011, NERC issued Compliance Application Notice (CAN) 0024 “CIP-002 R3 Routable Protocols and Data Diode Devices.” The purpose of a CAN is to provide guidance to auditors who evaluate industry compliance with CIP reliability standards and who make findings that can lead to enforcement actions and monetary fines. CAN-0024 provides instruction for assessing whether the communication characteristics of data diode devices can be used to exclude cyber assets from consideration as Critical Cyber Assets (CCA) when a routable protocol is used when not at a control center.

“Data diodes” are hardware-enforced one-way or unidirectional communications. They permit data to flow from a protected network to an external network, but provide no physical data path for information, remote control attacks, or other cyber-attacks to flow back in to the protected network. Unidirectional hardware is used to provide strong security for connections through an Electronic Security Perimeter (ESP). Routable communications that cross an ESP are of concern under the NERC CIP standards because they can be a vector for attacking a control system.

This whitepaper introduces CIP-002, routable protocols that are used in “routable communications,” and unidirectional communication concepts, and then applies the guidance in the CAN-0024 to three types of commonly-deployed hardware architectures for unidirectional communications. We conclude that Waterfall’s Unidirectional Security Gateways, which do not use routable communications, can be used to exclude Cyber Assets from consideration as Critical Cyber Assets (CCA) in accordance with CAN-0024.

January 2012

View the article

Recorded Webinar: Strong Cyber Perimeter Protections with Unidirectional Communications

amir — Tue, 10 Jan 2012 07:56:47 +0000

Unidirectional Gateways transmit business-critical information out of operations networks without introducing any risk to the availability, integrity or safety of control system assets inside those networks. The technology often raises questions, though, when first encountered by security practitioners accustomed to firewalls — questions of data integrity, remote management, and integration into corporate security systems. However, since Unidirectional Gateways have been deployed successfully at hundreds of sites, and in many industries, there are good answers to all these questions. In the end, Unidirectional Gateways both increase the security of operations networks, and sharply reduce perimeter management costs when compared with conventional firewalls.

This presentation briefly reviews firewall issues and costs, and introduces Unidirectional Gateways. We explore deployment scenarios in refineries and pipelines, and discuss common deployment issues and solutions for them.

Join us to see how network isolation via Unidirectional Gateways permits the flow of critical business information out of control networks, while providing cost savings, as well as strong protections against threats ranging from errors and omissions to insiders, common malware and even targeted attacks.

Waterfall thanks the National Petroleum Refiners Association (NPRA) for sponsoring this webinar and making this recording available.

Press here to view the recorded webinar.

Recorded Webinar: Strong Cybersecurity: Power Plant Case Study

amir — Tue, 25 Oct 2011 12:25:24 +0000

Unidirectional Security Gateways allow data to flow out of protected control networks, but prevent any information or network attacks from flowing back into those networks. While this protects control networks absolutely from external network attacks, it begs questions – What had to change at the plant to make this work? How did plant personnel react, not just at the time of installation, but months later, once the system had been used for a time?

Dennis Kilgore, President and Founder of DLL Solutions, and Andrew Ginter, Director of Industrial Security at Waterfall Security Solutions explore the threat environment, Unidirectional Security Gateways, and the DLL Solutions experience of installing gateways at a merchant power plant.

Press here to view the recorded webinar.

A Realistic Approach for Connecting SCADA/DCS Networks

admin — Mon, 26 Oct 2009 11:35:33 +0000

SCADA/DCS networks monitor and control the most valuable assets nationwide and usually refer to operational networks. On the other hand, most of the users are connected through an administrative network which is less sensitive and thus less secure than the operational network. The demand for connecting the networks is required for business continuity reasons and for day by day necessity. The presentation will analyze the threats with regard to networks connectivity and expand the model to other IP based networks. Some solutions will be analyzed and a novel solution will be presented to overcome the network connectivity problem.

By Lior Frenkel, Waterfall™ Security Solutions’ co-founder and CTO

Presented at the Entelec Conference, March 2009

View the article

View the presentation

Waterfall™ for NERC-CIP Compliance

admin — Mon, 26 Oct 2009 11:36:10 +0000

Using Waterfall’s Unidirectional Security Solution to Achieve True Security & NERC-CIP Compliance

Critical National Infrastructure is under a constant, yet invisible, threat from cyber hacking and cyber terror attempts that are being launched from external networks. These attacks (mainly – from the Internet) are targeting industrial Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) Networks and lower level Distributed Control Systems (DCS) and Process Control Systems (PCS) networks.

In the Electricity Utilities’ domain, these critical networks control and operate the very machinery which powers modern day civilization. Throughout North America, electricity utilities are challenged with the task of complying with the reliability standards mandated by NERC (North American Electric Reliability Corporation).

The NERC-CIP (Critical Infrastructure Protection) standards, recently revised in May 2009, provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. The following whitepaper introduces the reader to the Waterfall One-Way™ unidirectional cyber security solution, and explains its ideal fit for achieving both powerful cyber-security as well as NERC-CIP compliance.

July 09

View the article