North America

Department of Homeland Security (DHS ICS-CERT)

Published: September 2016

What’s in the Standard

A nice collection of advice for ICS security programs, including: risk management, security controls and technologies, as well as physical security and training/awareness recommendations. The document is helpful in that it describes attack scenarios and essential limitations of security technologies, as justification for specific recommendations.

Takeaways

This is a big improvement from the 2009 document, but has flaws as well. While the document sometimes describes limitations of specific security technologies, it does not do so consistently. For example, the section on VLANs starts with mention of specific concerns, and then lists a long set of recommendations to reduce risks. At the end of the list though, there is no description of which of the original set of concerns and risks the recommendations have addressed, and what remains as residual risk. Compounding this omission is regular use of the word “secure” as an adjective, implying that if all recommendations are implemented, the resulting configuration is “secure.” Of course nothing can ever be completely secure, and so this terminology is particularly unfortunate in light of the omission of discussion of residual risks.

That said, this is, again, a big improvement over the original, and includes discussion of modern attacks, modern risks, and modern defensive technologies, including unidirectional security gateways.

Industrial Internet Consortium (IIC)

Published: September 2016

What is in the standard

The document is a framework, making no recommendations, but describing the spectrum of possibilities that should be considered when looking at cyber security for IIoT products and IIoT deployments. The framework discusses host-based, cryptographic, and network flow control protections, including a variety of unidirectional gateway technologies, in detail. The document is unique in the way it describes the need to balance the host-based and cryptographic protections central to IoT technologies with the network flow control concepts described as essential to industrial control systems in documents such as the ISA SP-99 / IEC 62443 standards.

Takeaways

All software can be hacked, or in the terminology of the IIC framework, IIoT endpoints will most likely always suffer the risk of platform-based vulnerabilities. Endpoint-based and cryptographic protections may be sufficient for IoT, where the biggest risk is theft of personally-identifiable information. Additional, strong and often unidirectional network protections will always be essential to some kinds of industrial networks, networks where the consequences of mis-operation of large, costly and often dangerous physical infrastructure constitute entirely unacceptable risks.

Department of the Interior – Bureau of Safety and Environmental Enforcement (BSEE)

Published: April 2016

What is in the standard
The Well Control Rule became law on April 14, 2016, when the BSEE announced the release of the Blowout Preventer Systems and Well Control rule (Final Rule). The final Well Control Rule results in one of the most significant safety and environmental protection reforms the Department of Interior has undertaken – its purpose is to reduce the risk of an offshore oil or gas blowout that could result in the loss of life, serious injuries or substantial harm to the environment through modernizing and strengthening offshore energy standards.

Real Time Monitoring (RTM) of data in final rule (§ 250.724) requires operators to gather and monitor real-time well data using an independent, automatic, and continuous monitoring system capable of recording, storing, and transmitting data regarding the BOP control system, the well’s fluid handling system on the rig, and the well’s downhole conditions with the bottom hole assembly tools. These data must be transmitted as they are gathered (barring any unforeseen interruptions) and have the capability to monitor the data onshore, using qualified personnel, in accordance with a real-time monitoring plan.

This plan requires real-time monitoring capabilities, data transmission onshore during operations, data storage, procedures for providing BSEE access, procedures for communication between rig personnel and the onshore monitoring personnel, and actions to be taken if you lose any real-time monitoring capabilities or communications between rig and onshore personnel and how BSEE is to be notified.

Relationship to Unidirectional Gateways
The requirement for real-time data monitoring makes connecting ICS and business networks unavoidable. Oil companies will need to consider a host of new vulnerabilities and risks associated with connecting drilling rig industrial control systems to outside data centers in real time. This scenario makes unidirectional gateways all the more relevant when meeting the data requirements of the Well Control Rule.

Takeaway
Due to recent cyber attacks in the maritime industry, cyber security is quickly becoming front of mind for many operators, and new drilling rigs are already being built pursuant to the updated BSEE industry standards. People working in the offshore energy industry have expressed real concern that real-time monitoring could introduce cybersecurity threats that put critical safety systems at risk of failure.

Canadian Standards Association (CSA Group)

Published: April 2016

What’s in the Standard
This new standard, N290.7-14 “Cyber security for nuclear power plants and small reactor facilities”, requires the use of unidirectional gateways to protect the most safety-critical CEAs (Cyber Essential Assets). Its objective, “to secure essential computer systems and components against cyber-attacks”, will require the implementation of unidirectional technology on all routable communication paths on the perimeter of CEAs of highest safety significance.

Relationship to Unidirectional Gateways
The standard breaks down categories of CEAs by security significance in accordance with the most important safety or security function a CEA performs. It takes a preventative posture by allowing only one way to secure the most important CEAs from less-important networks of CEAs: hardware-enforced unidirectional gateways. The language contained in the regulation makes it clear that for the most important CEAs, insecure or unauthorized connections, unauthorized information flows, and remote deactivation and activation of services must be prevented.

Takeaway
Generally speaking, nuclear sites face unique risks. However, when it comes to protecting control networks and critical infrastructure from cyber attacks, nuclear is no different from other industrial networks – nuclear is just leading the charge. In 2010, the Nuclear Regulatory Commission (NRC) in the US, effectively forbade the use of firewalls to protect nuclear generator control networks from a less-trusted network. As a result, all American nuclear generators deployed unidirectional gateway technology. With Canada following the US regulator’s lead, control system security standards throughout the North American nuclear industry now recognize the preventative strength of Unidirectional Security Gateways.

National Institute of Standards and Technology (NIST)

Published: May 2015

What is in the standard
This standard provides guidance to secure industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The intended audience is the ICS communities vital to the operation of US critical infrastructure (90% of which is privately owned and operated). The document provides an overview of ICS topologies, identifies threats and vulnerabilities to these systems and networks, and recommends security countermeasures. Increased interconnectivity with business systems and increased integration of wireless and remote networking expose ICS to the outside world of cyber threats. Special precautions unique to ICS must be taken when introducing these solutions and technologies to control environments, and in some cases completely new and unique solutions are necessary.
Messaging executed in ICS has a direct effect on the physical world, which introduces risk to the health and safety of human lives, serious damage to the environment, great financial loss due to production losses, negative impacts on a nation’s economy, and compromise of proprietary information. The document notes the distinct performance and reliability requirements of ICS, which are often unconventional to IT professionals. What’s more, the authors recognize that even the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems. The standard is helpful in providing clarity on the types of incidents which could arise in ICS environments. Most of this information is contained in useful tables, e.g. policy and procedure vulnerabilities, architecture and design vulnerabilities, configuration and maintenance vulnerabilities, physical vulnerabilities, software development vulnerabilities, examples of adversarial incidents, and definitions of ICS impact levels.

Relationship to Unidirectional Gateways
The standard outlines major security objectives for ICS and recommends unidirectional gateways first to restrict logical access to the ICS network. It also outlines the typical defense-in-depth strategy for ICS, which will ideally use unidirectional gateways to provide logical separation between the corporate and ICS networks. Typical security countermeasures are mentioned in detail: authentication, credentialing, restricting access, disabling ports, policy and procedures, personal identity verification, encryption, security patches, network protocols, and network topology designating levels of security for different networks.
Unidirectional gateways are advised for network segmentation and segregation and for boundary protection. Separating ICS in a high-security domain from the corporate network is ideally and traditionally best achieved through unidirectional gateway technology, which restricts communications between connections to a single direction, segmenting the network. The standard describes unidirectional gateways as a combination of hardware and software which makes it physically impossible to send any information back into the source network, the ICS: “The software replicates databases and emulates protocol servers and devices”.

Takeaway
This standard reflects NIST’s sophisticated understanding of the functionality and importance of unidirectional gateways in control system environments. The authors illustrate the dramatic differences in the goals, vulnerabilities, and risks associated with ICS versus the IT environment, knowing full well that these differences warrant different solutions. Unidirectional gateways are mentioned throughout the document to protect the most critical networks and assets of an ICS from the threat of cyber attacks.

National Institute of Standards and Technology (NIST)

Published: February 2014

What is in the standard

The Framework was developed in response to Executive Order 13636 of February 2013, which called for a voluntary Cybersecurity Framework to improve critical infrastructure cybersecurity. It is a “risk-based approach to managing cybersecurity risk”, and provides guidance to industry and organizations on managing that risk. Critical infrastructure is not a predefined set of industries but rather any systems and assets vital enough to the United States that, if compromised, would result in a debilitating impact on national security, the economy, and/or public health and safety.

The Framework is neutral when it comes to technology. It provides a mechanism for organizations to describe current and future cybersecurity postures, improvement processes and assessment, and communication plans to stakeholders. The Framework is unfortunately weak on prevention, and focuses heavily on five core functions: identify, protect, detect, respond, recover. This is due to the fact that it views the functions, categories and subcategories of the Framework for IT and ICS as identical. They have taken a cyber risk framework directly from an IT context and applied it to ICS. Not emphasizing prevention as a core function in the realm of protecting critical infrastructure is a weakness in the Framework. Under the core function of “protect”, there is no specific guidance on protecting the perimeter or boundary of the ICS network. Appendix A, the Framework Core, does not appear to be specifically tailored to ICS; rather, it is an IT framework lightly applied to industrial control operators. To attest to this, the second category within the Protect function is data security. Rather than seeing an emphasis on industrial safety and control, which is the top priority within ICS, the Framework takes a typical IT-driven focus: data protection. The core Framework itself does not mention safety of personnel inside ICS at all (it only mentions public safety in the summary text).

Overall, this is a very IT-focused framework which has been very lightly modified to be applied to industrial control systems. This framework could apply to any organization, which again begs the question: why apply another generic IT model to ICS? Understanding what is most important to protect from cyber attack in ICS, safety and control rather than data and information, is the only way we will be able to provide a valuable framework that operators of critical infrastructure can implement.

What is in the standard
This standard addresses the issue of security for industrial automation and control systems (IACS), and outlines security requirements for control systems while assigning systems different security levels. Given that control systems are increasingly interconnected with non-IACS (OT) networks, the increased connectivity introduces greater risk of cyber attack against control system hardware and software. These vulnerabilities could lead to health, safety and environmental consequences. The cyber security approach for IACS needs to consider functional requirements, risk assessments and operational issues. IACS security goals are different from IT security goals: IACS security measures must prevent the loss of essential services and emergencies, whereas IT is more focused on protecting information rather than human lives and physical assets.

The main objective of the ISA 62443 series is to provide a framework that addresses security vulnerabilities in IACS and applies the necessary defensive mitigations. The intended audience is the IACS communities, including asset owners, system integrators, product suppliers, service providers and compliance authorities. The goal is to define a common set of requirements to reach heightened security levels. There are seven foundational requirements for control systems: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Security measures applied to these requirements shall not cause loss of protection, loss of control or loss of view.

Relationship to Unidirectional Gateways
The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. The standard recommends unidirectional gateways for networks controlling the most important and most securitized assets within IACS. The standard also recommends segmenting control system networks from non-control system networks to reduce exposure to threats to control system reliability.

Takeaway
The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which is unidirectional gateways.

American Public Transport Association (APTA)

Published: June 2013

Securing Control and Communications Systems in Rail Transit Environments – Part II Defining a Security Zone Architecture for Rail Transit

Coming soon.

North American Electric Reliability Corporation (NERC)

Published: October 2012

What is in the standard
The electric power sector leads both North American industry and the world in strong cyber-security standards. Both the NEI and NRC standards in nuclear generation and the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards in the Bulk Electric System (BES) are seen as among the most demanding cyber-security regimes enforced anywhere in the world. The NERC CIP standards in particular are seen as a model of cyber security for other industries and critical infrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric System through strong security.

Relationship to Unidirectional Gateways
The CIP V5 standards recognize that Unidirectional Security Gateways provide security which is stronger than firewalls, and position the gateways as an alternative to firewalls and costly Network Intrusion Detection Systems (NIDS). The V5 CIP standards have 103 requirements overall, and provide exemptions from 37 Medium-Impact requirements, and 5 High-Impact requirements, when Waterfall’s Unidirectional Security Gateways are used to protect an Electronic Security Perimeter (ESP) rather than using firewalls and NIDS. Unidirectional Security Gateways increase the security of critical control systems, simplify and reduce the ongoing cost of CIP V5 compliance programs, and eliminate the need to use high-maintenance firewalls and NIDS.

Takeaway
Waterfall’s Unidirectional Security Gateways are deployed widely in Bulk Electric Systems, especially in power generation applications. The strong security provided by these gateways is recognized by steadily increasing numbers of industry analysts and security experts. In short, the Bulk Electric System is becoming measurably safer, more secure and more reliable as a result of the widespread deployment of Unidirectional Security Gateways.