The Waterfall® Unidirectional Security Gateway and data diode core is shared by all of Waterfall's products and solutions. This core, a unique non-routable system, is coupled with software agents that mediate its integration into the surrounding environments while providing added functionality and flexibility. The basic Waterfall architecture is as follows:
Figure: Basic Waterfall One-Way™ Architecture
The basic components are:
- A Waterfall Tx Software Agent, residing on a host that is part of the sending network. The agent interacts with applications (e.g. OSIsoft PI™, GE Proficy™) and protocols (e.g. OPC, Modbus) on that network, collects the relevant information and mediates the connection between the sending network and the Waterfall One-Way. Designated data is passed, in real time, from the Tx software agent to the Waterfall Tx appliance.
- An appliance pair comprised of:
- A Waterfall Tx Appliance, which transmits the information received from the Tx software agent over a single fiber-optic cable to the Waterfall Rx appliance.
- A Waterfall Rx Appliance, which receives the information from the Waterfall Tx appliance and passes it to the Waterfall Rx software agent, residing on a host that is part of the receiving network.
- A Waterfall Rx Software Agent, residing on a host that is part of the receiving network. The agent receives data from the Waterfall Rx appliance, mediates the connection between the Waterfall One-Way and the receiving network, and interacts as required with applications and nodes on the receiving network, delivering the designated data into it.
Encompassing this core, the Waterfall product consists of a multi-layered architecture that provides high-speed, real-time and reliable data transfer using a proprietary unidirectional protocol, content filtering, data assurance mechanisms and application-layer connectors for integrating third-party applications and standard protocols. Because the link has no return channel, the receiving side can never acknowledge or request retransmission; the protocol must therefore carry enough framing, integrity and redundancy information for the Rx side to verify each message on its own.
Waterfall One-Way Customer Benefits
The unique Waterfall architecture and its attributes provide four basic benefits for all Waterfall One-Way installations and deployments:
- Protection against external cyber attacks – an attack session is an interactive process in which the attacker initiates a connection to a target node, elicits a response, and accordingly makes the next move. No packet can enter the sending network through a Waterfall One-Way, so an attacker on the receiving side cannot initiate a session with a node inside it, receive a response from it, or deliver anything to it. Only the outbound data path remains, and that path is restricted to the whitelisted applications described below.
- No data backflow – the hardware-based appliance core of the Waterfall One-Way enforces unidirectional data flow at the physical layer (Layer 1 of the OSI model): the Tx appliance contains only a transmitter and the Rx appliance only a receiver, so there is no physical path for a signal in the reverse direction. This in turn ensures that unidirectional communication is preserved at every higher layer of the protocol stack, regardless of the communication protocol chosen and the applications being used. Thus, regardless of the networks and applications involved, there is no data backflow across a Waterfall One-Way.
- Non-routable protocols – Waterfall One-Way is a non-routable communication system, as referred to in the relevant NERC CIP definitions. The link carries no network-layer addressing, so the communication path cannot be exploited to route messages or information to undesired or unplanned destinations.
- Integral application whitelisting – using the unique “Waterfall connectors framework”, Waterfall One-Way allows only the data of explicitly configured applications and protocols to pass through the unidirectional gateway. Any other protocol, not set up at the gateway, is not supported and does not pass.
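The two mechanisms that carry the most weight on a one-way link are the data assurance described above (the receiver has no way to ask for a retransmission) and the connector whitelist (only configured applications pass). The following is an added, illustrative example, not Waterfall's code or its proprietary protocol, of how such a link can be framed: the Tx side splits each message into self-describing chunks, each carrying a connector name, sequence numbers and a SHA-256 digest, and appends an XOR parity chunk so that any single lost chunk can be rebuilt; the Rx side enforces a connector allowlist, verifies every chunk, reassembles the message, repairs a single loss, and reports messages that can never complete. The frame layout, the connector names (`opc-da`, `modbus`, `telnet`) and the sample readings are all constructed for the example.

```python
import hashlib
import struct

# Constructed frame layout for this example (not Waterfall's wire format):
# magic, connector name, message id, chunk index, chunk count,
# total message length, flags (bit 0 = parity frame), SHA-256 of payload.
MAGIC = b"OW1\x00"
HDR = "!4s16sIHHIB32s"
HDR_LEN = struct.calcsize(HDR)  # 65 bytes
FLAG_PARITY = 1


def xor_bytes(blocks):
    """XOR equal-length byte blocks together (one-chunk erasure code)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class OneWaySender:
    """Tx-side framing: chunks + one parity chunk, no return channel needed."""

    def __init__(self, connector, chunk_size=8):
        self.connector = connector.encode()
        self.chunk_size = chunk_size
        self.msg_id = 0

    def _frame(self, msg_id, idx, count, total, flags, payload):
        digest = hashlib.sha256(payload).digest()
        return struct.pack(HDR, MAGIC, self.connector, msg_id, idx, count,
                           total, flags, digest) + payload

    def send(self, message):
        self.msg_id += 1
        cs = self.chunk_size
        chunks = [message[i:i + cs] for i in range(0, len(message), cs)] or [b""]
        count, total = len(chunks), len(message)
        frames = [self._frame(self.msg_id, i, count, total, 0, c)
                  for i, c in enumerate(chunks)]
        # Parity over zero-padded chunks lets the receiver rebuild one lost chunk.
        parity = xor_bytes([c.ljust(cs, b"\x00") for c in chunks])
        frames.append(self._frame(self.msg_id, count, count, total, FLAG_PARITY, parity))
        return frames


class OneWayReceiver:
    """Rx-side checks: allowlist, integrity, reassembly, repair, gap reporting."""

    def __init__(self, allowed_connectors, chunk_size=8):
        self.allowed = set(allowed_connectors)
        self.chunk_size = chunk_size
        self.pending = {}    # msg_id -> partial state
        self.done = set()    # delivered message ids (drops late duplicates)
        self.rejected = []   # (reason, connector, msg_id)
        self.delivered = []  # (connector, message)

    def receive(self, frame):
        """Feed one frame; return the reassembled message when it completes."""
        if len(frame) < HDR_LEN:
            self.rejected.append(("truncated frame", None, None))
            return None
        magic, conn, msg_id, idx, count, total, flags, digest = struct.unpack(HDR, frame[:HDR_LEN])
        payload = frame[HDR_LEN:]
        conn = conn.rstrip(b"\x00").decode(errors="replace")
        if magic != MAGIC:
            self.rejected.append(("bad magic", conn, msg_id))
            return None
        if conn not in self.allowed:  # connector whitelist: unknown protocol does not pass
            self.rejected.append(("connector not whitelisted", conn, msg_id))
            return None
        if hashlib.sha256(payload).digest() != digest:
            self.rejected.append(("integrity check failed", conn, msg_id))
            return None
        if msg_id in self.done:
            return None
        st = self.pending.setdefault(
            msg_id, {"chunks": {}, "parity": None, "count": count, "total": total, "conn": conn})
        if flags & FLAG_PARITY:
            st["parity"] = payload
        else:
            st["chunks"][idx] = payload
        return self._try_complete(msg_id)

    def _try_complete(self, msg_id):
        st = self.pending[msg_id]
        chunks, count, total, cs = st["chunks"], st["count"], st["total"], self.chunk_size
        missing = [i for i in range(count) if i not in chunks]
        if len(missing) == 1 and st["parity"] is not None:
            i = missing[0]  # rebuild the single lost chunk from the others plus parity
            present = [chunks[j].ljust(cs, b"\x00") for j in range(count) if j != i]
            chunks[i] = xor_bytes(present + [st["parity"]])[:min(cs, total - i * cs)]
            missing = []
        if missing:
            return None
        message = b"".join(chunks[i] for i in range(count))
        del self.pending[msg_id]
        self.done.add(msg_id)
        self.delivered.append((st["conn"], message))
        return message

    def gaps(self):
        """Messages still incomplete (call once the Tx side has finished, e.g. on timeout)."""
        return {m: [i for i in range(s["count"]) if i not in s["chunks"]]
                for m, s in self.pending.items()}


def demo():
    tx = OneWaySender("opc-da")
    rx = OneWayReceiver(allowed_connectors={"opc-da", "modbus"})
    results = {}
    frames = tx.send(b"Tag=PT-101;Value=42.7;Q=GOOD")  # constructed sample reading
    results["recovered"] = [rx.receive(f) for f in frames[:1] + frames[2:]][-1]  # chunk 1 lost
    frames = tx.send(b"Tag=FT-202;Value=13.0;Q=GOOD")  # three chunks lost: unrecoverable
    for f in (frames[0], frames[-1]):
        rx.receive(f)
    results["gaps"] = rx.gaps()
    bad = bytearray(frames[1]); bad[-1] ^= 0xFF  # bit flip in payload
    rx.receive(bytes(bad))
    results["corrupt"] = rx.rejected[-1][0]
    rx.receive(OneWaySender("telnet").send(b"login")[0])  # not a configured connector
    results["blocked"] = rx.rejected[-1][0]
    return results


if __name__ == "__main__":
    print(demo())
```

The parity chunk is a deliberately minimal stand-in for the forward error correction a real one-way protocol would use; the point it demonstrates is that every check the receiving side performs (origin, integrity, completeness) has to be decidable from the inbound frames alone, and that anything not on the connector allowlist is dropped before it is even parsed.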
Waterfall One-Way provides customers with the most powerful electronic security perimeter available, enforced by hardware, software and the basic laws of physics. This unique technology and architecture helps ensure that the NERC CIP-005 requirements are fully met, while providing true cyber security to all critical assets and cyber assets residing within the Waterfall-defined electronic security perimeter.
As an added benefit, Waterfall installations provide a hassle-free, low-maintenance implementation of an electronic security perimeter: the appliance core is configured once and needs no follow-up configuration, patches or updates, since it contains no reachable software to attack. The hosts running the Tx and Rx software agents are ordinary servers and remain under the site's usual maintenance practice. Overhead and related investments are thereby minimized.
Waterfall thus provides full visibility into the critical infrastructure networks running the bulk electric system while fully segregating them from any externally generated activity, in effect air-gapping them without giving up the outbound data, to achieve an unprecedented level of protection and security.