North America

Booz Allen Hamilton

Published: November 2016

What’s in the Standard

A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure

The report details the step-by-step process the threat actors followed and highlights opportunities for detection and prevention at each step of the attack. It includes an outline of the attack tools used, mainly BlackEnergy and KillDisk, as well as an attack walk-through of threat actor activity during the incident.

In the section entitled “Top 10 Takeaways – What to Consider When Protecting your OT Environment”, item #4, “Segment your OT and IT Environments”, advises: “for ultimate protection, consider unidirectional technologies for one-way data transfer from sensitive environments to authorized systems”.

Takeaways

Although unidirectional technology is named as the solution for “ultimate protection”, this report does not take the same rigorous approach to ICS cybersecurity for OT that we have seen elsewhere: its language on the differences between OT and IT is not as forceful as, for example, the ABS guidelines.

The American Bureau of Shipping (ABS)

Published: September 2016

What’s in the Standard

This is the first of two volumes published by ABS on cybersecurity. ABS intends them to shape best practices for cybersecurity within and across the marine and offshore communities.

Marine and offshore environments include pervasive IT and extensive and numerous cyber physical systems (CPS) in the operation of a ship, including navigation, propulsion, maneuvering, system management, cargo management and safety sensors and alarms.

Ships and platforms are now connected in ways never before considered, which introduces vulnerabilities and enlarges the attack surface. General purpose systems are frequently connected to special purpose control systems, exposing those control systems to security incidents that can have grave operational consequences. ABS is looking to protect vessels not only from malicious attacks, but also from human error.

Takeaways

The most relevant ICS cybersecurity recommendations in the document are: (#5) Provide Perimeter Defense; (#17) Protect Operational Technology, which is where they recommend unidirectional technology for data transmission from critical components to authenticated outside users; (#18) Perform System and Security Continuous Monitoring, since continuous (often remote) monitoring is very important in this industry; (#23) Logs Maintenance; (#30) Need for Mobile Data Management; and (#30) Exercise Communications Management, under which the company limits and manages its total connections to the internet.

This is one of the largest marine classification societies in the world. The majority of commercial vessels in the US, and vessels that want to trade in the US, are classed with ABS. ABS sets specifications and guidelines for everything on the ship, from construction to safety, maintenance and systems. As the marine industry is one of the most highly regulated industries in the world, safety and security are always front of mind. Implementing unidirectional technology for the most critical control systems on vessels is a recommended way to ensure that safety and security.

The American Bureau of Shipping (ABS)

Published: September 2016

What’s in the Standard

This document applies to passenger ships, cargo ships, mobile offshore units, high speed craft, and fixed or floating offshore production assets. If requested, ABS will certify the cybersecurity program of any vessel and its associated facilities in accordance with this Guide.

The authors of the document stress that blanket application of Information Technology (IT) management principles to an OT system is “not only sub-optimal, but may very well be hazardous”. Operators must have an understanding of the differences between OT-specific maritime cybersecurity and IT practices and their appropriate application. Ships and facilities that implement their own cyber policies and procedures must distinguish between managing an OT network or system versus traditional IT security methods.

Implementation best practices are laid out in a Capability Matrix; unidirectional gateways are mentioned there in reference to protecting critical components or systems, under (#32) Exercise Communications Management.

Takeaways

When it comes to the distinction between protecting OT systems and protecting IT systems, ABS gets it. The authors understand industrial systems, the need for a different approach to OT security versus IT security, and the potential for grave consequences when IT protections are applied unchanged to OT.

Unidirectional gateways are mentioned as an Operational Technology best practice in exercising communications management in data reporting from critical systems.

Department of Homeland Security (DHS ICS-CERT)

Published: September 2016

What’s in the Standard

A nice collection of advice for ICS security programs, including: risk management, security controls and technologies, as well as physical security and training/awareness recommendations. The document is helpful in that it describes attack scenarios and essential limitations of security technologies, as justification for specific recommendations.

Takeaways

This is a big improvement over the 2009 document, but it has flaws as well. While the document sometimes describes the limitations of specific security technologies, it does not do so consistently. For example, the section on VLANs opens with specific concerns and then lists a long set of recommendations to reduce the risks. At the end of the list, though, there is no description of which of the original concerns the recommendations have addressed and what remains as residual risk. Compounding this omission is the regular use of the word “secure” as an adjective, implying that if all recommendations are implemented the resulting configuration is “secure.” Nothing can ever be completely secure, so this terminology is particularly unfortunate given the missing discussion of residual risk.

That said, this is, again, a big improvement over the original, and includes discussion of modern attacks, modern risks, and modern defensive technologies, including unidirectional security gateways.

Industrial Internet Consortium (IIC)

Published: September 2016

What is in the standard

The document is a framework: it makes no recommendations, but describes the spectrum of possibilities that should be considered when looking at cybersecurity for IIoT products and IIoT deployments. The framework discusses host-based, cryptographic, and network flow control protections, including a variety of unidirectional gateway technologies, in detail. The document is unique in the way it describes the need to balance the host-based and cryptographic protections central to IoT technologies against the network flow control concepts described as essential to industrial control systems in documents such as the ISA SP-99 / IEC 62443 standards.

Takeaways

All software can be hacked, or in the terminology of the IIC framework, IIoT endpoints will most likely always suffer the risk of platform-based vulnerabilities. Endpoint-based and cryptographic protections may be sufficient for IoT, where the biggest risk is theft of personally-identifiable information. Additional, strong and often unidirectional network protections will always be essential to some kinds of industrial networks, networks where the consequences of mis-operation of large, costly and often dangerous physical infrastructure constitute entirely unacceptable risks.

Department of the Interior – Bureau of Safety and Environmental Enforcement (BSEE)

Published: April 2016

What is in the standard
The Well Control Rule became law on April 14, 2016, when the BSEE announced the release of the Blowout Preventer Systems and Well Control rule (Final Rule). The final Well Control Rule results in one of the most significant safety and environmental protection reforms the Department of Interior has undertaken – its purpose is to reduce the risk of an offshore oil or gas blowout that could result in the loss of life, serious injuries or substantial harm to the environment through modernizing and strengthening offshore energy standards.

Real Time Monitoring (RTM) of data in final rule (§ 250.724) requires operators to gather and monitor real-time well data using an independent, automatic, and continuous monitoring system capable of recording, storing, and transmitting data regarding the BOP control system, the well’s fluid handling system on the rig, and the well’s downhole conditions with the bottom hole assembly tools. These data must be transmitted as they are gathered (barring any unforeseen interruptions) and have the capability to monitor the data onshore, using qualified personnel, in accordance with a real-time monitoring plan.

This plan requires real-time monitoring capabilities, data transmission onshore during operations, data storage, procedures for providing BSEE access, procedures for communication between rig personnel and the onshore monitoring personnel, and the actions to be taken (and how BSEE is to be notified) if the operator loses any real-time monitoring capability or communications between rig and onshore personnel.

Relationship to Unidirectional Gateways
The requirement of real time data monitoring makes connecting ICS and business networks unavoidable. Oil companies will need to consider a new host of vulnerabilities and risks associated with connecting drilling rig industrial control systems to outside data centers in real time. This scenario makes unidirectional gateways all the more relevant when meeting data requirements of the Well Control Rule.

Takeaway
Due to recent cyber attacks in the maritime industry, cybersecurity is quickly becoming front of mind for many operators, and new drilling rigs are already being built to the updated BSEE standards. People working in the offshore energy industry have expressed real concern that real-time monitoring could introduce cybersecurity threats that put critical safety systems at risk of failure.

Canadian Standards Association (CSA Group)

Published: April 2016

What’s in the Standard
This new standard, N290.7-14 “Cyber security for nuclear power plants and small reactor facilities”, requires the use of unidirectional gateways to protect the most safety-critical CEAs (Cyber Essential Assets). Its objective, “to secure essential computer systems and components against cyber-attacks”, requires unidirectional technology on all routable communication paths at the perimeter of the CEAs of highest safety significance.

Relationship to Unidirectional Gateways
The standard categorizes CEAs by security significance, according to the most important safety or security function each CEA performs. It takes a preventive posture by allowing only one way to protect the most important CEAs from less-important networks of CEAs: hardware-enforced unidirectional gateways. The language of the regulation makes it clear that, for the most important CEAs, insecure or unauthorized connections, unauthorized information flows, and remote activation and deactivation of services must be prevented.

Takeaway
Generally speaking, nuclear sites face unique risks. When it comes to protecting control networks and critical infrastructure from cyber attacks, however, nuclear is no different from other industrial networks; nuclear is just leading the charge. In 2010, the Nuclear Regulatory Commission (NRC) in the US effectively forbade relying on firewalls alone to protect nuclear generator control networks from less-trusted networks, and US nuclear generators deployed unidirectional gateway technology as a result. With Canada following the US regulator’s lead, control system security standards throughout the North American nuclear industry now recognize the preventive strength of Unidirectional Security Gateways.

National Institute of Standards and Technology (NIST)

Published: May 2015

What is in the standard
This standard provides guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The intended audience is the ICS communities vital to the operation of US critical infrastructure (90% of which is privately owned and operated). The document provides an overview of ICS topologies, identifies threats and vulnerabilities to these systems and networks, and recommends security countermeasures. Increased interconnectivity with business systems and increased integration of wireless and remote networking expose ICS to the outside world of cyber threats. Special precautions unique to ICS must be taken when introducing these solutions and technologies into control environments, and in some cases completely new solutions are necessary.
Messaging executed in an ICS has a direct effect on the physical world, which introduces risk to human health and safety, serious damage to the environment, great financial loss due to production losses, negative impacts to a nation’s economy, and compromise of proprietary information. The document notes the performance and reliability requirements of ICS, which are often unfamiliar to IT professionals. What’s more, the authors recognize that even the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems. The standard is helpful in clarifying the types of incidents that could arise in ICS environments; most of this information is contained in useful tables, e.g. policy and procedure vulnerabilities, architecture and design vulnerabilities, configuration and maintenance vulnerabilities, physical vulnerabilities, software development vulnerabilities, examples of adversarial incidents, and definitions of ICS impact levels.

Relationship to Unidirectional Gateways
The standard outlines the major security objectives for ICS and lists unidirectional gateways first among the measures for restricting logical access to the ICS network. It also outlines the typical defense-in-depth strategy for ICS, which ideally uses unidirectional gateways to provide logical separation between the corporate and ICS networks. Typical security countermeasures are covered in detail: authentication, credentialing, restricting access, disabling ports, policy and procedures, personal identity verification, encryption, security patches, network protocols, and network topologies that assign different security levels to different networks.
Unidirectional gateways are advised for network segmentation and segregation and for boundary protection. Separating an ICS in a high-security domain from the corporate network is best achieved with unidirectional gateway technology, which restricts communication across the boundary to a single direction and so segments the network. The standard describes a unidirectional gateway as a combination of hardware and software: the hardware makes it physically impossible to send any information back into the source network (the ICS), while “the software replicates databases and emulates protocol servers and devices”.
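The replication pattern the standard describes has one consequence a practitioner should see concretely: with no return path there is no acknowledgement, so the receiving side has to detect lost or damaged frames on its own and can never ask the source to resend. The toy model below is an added example written for this page, not code from NIST or from any gateway product. The frame format (sequence number, JSON register snapshot, CRC-32 trailer), the register names and the simulated loss and corruption are all constructed for the demonstration; the CRC only catches transmission damage, and a real deployment would also carry a MAC or signature over each frame.

```python
"""Toy model of unidirectional-gateway replication (added example).

TX side: reads an ICS register map and only ever emits framed snapshots.
RX side: rebuilds a replica, flags sequence gaps and rejects bad frames.
The channel is append-only from TX and read-only from RX; nothing flows back.
All frame layouts, names and values here are constructed for this example.
"""
import json
import zlib
from dataclasses import dataclass, field


def encode_frame(seq: int, registers: dict) -> bytes:
    # body = JSON({"seq": n, "regs": {...}}), trailer = 4-byte big-endian CRC-32.
    # CRC detects line corruption only; it is not an authenticity check.
    body = json.dumps({"seq": seq, "regs": registers}, sort_keys=True).encode()
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return body + crc.to_bytes(4, "big")


def decode_frame(frame: bytes):
    """Return the decoded message, or None if the frame is malformed/damaged."""
    if len(frame) < 5:
        return None
    body, crc_bytes = frame[:-4], frame[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != int.from_bytes(crc_bytes, "big"):
        return None
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) and "seq" in msg and "regs" in msg else None


class TxSide:
    """ICS-side replication agent. It holds a write-only handle to the link."""

    def __init__(self, channel: list):
        self._seq = 0
        self._append = channel.append   # the only capability TX is given

    def publish(self, registers: dict) -> int:
        self._seq += 1
        self._append(encode_frame(self._seq, registers))
        return self._seq


@dataclass
class Replica:
    registers: dict = field(default_factory=dict)
    last_seq: int = 0
    gaps: list = field(default_factory=list)   # (expected_seq, received_seq)
    rejected: int = 0                           # frames failing CRC/format


class RxSide:
    """Business-side agent: rebuilds the replica; it cannot request resends."""

    def __init__(self):
        self.replica = Replica()

    def consume(self, frame: bytes) -> Replica:
        msg = decode_frame(frame)
        if msg is None:
            self.replica.rejected += 1          # damaged frame: drop, count it
            return self.replica
        expected = self.replica.last_seq + 1
        if msg["seq"] < expected:               # duplicate or replayed frame
            return self.replica
        if msg["seq"] > expected:               # loss with no way to recover it
            self.replica.gaps.append((expected, msg["seq"]))
        self.replica.registers.update(msg["regs"])
        self.replica.last_seq = msg["seq"]
        return self.replica


def run_demo() -> Replica:
    """Constructed scenario: four snapshots; seq 2 is lost, seq 4 is corrupted."""
    channel: list = []                          # models the one-way link
    tx = TxSide(channel)
    tx.publish({"pump1_rpm": 1450, "tank_level": 71})
    tx.publish({"pump1_rpm": 1460})
    tx.publish({"tank_level": 69})
    tx.publish({"valve3": "open"})
    channel.pop(1)                              # seq 2 never arrives
    damaged = bytearray(channel[-1])
    damaged[-1] ^= 0xFF                         # flip a CRC byte of seq 4
    channel[-1] = bytes(damaged)
    rx = RxSide()
    for frame in channel:
        rx.consume(frame)
    return rx.replica


if __name__ == "__main__":
    print(run_demo())
```

Running the demo leaves the replica with the seq 1 and seq 3 values only, one recorded gap (expected 2, received 3) and one rejected frame. That gap entry is the whole point: on a hardware-enforced one-way link, loss is something the receiver reports to operators, not something it negotiates away with the source.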

Takeaway
This standard reflects NIST’s sophisticated understanding of the functionality and importance of unidirectional gateways in control system environments. The authors illustrate the dramatic differences in the goals, vulnerabilities, and risks associated with ICS versus the IT environment, knowing full well that these differences warrant different solutions. Unidirectional gateways are mentioned throughout the document to protect the most critical networks and assets of an ICS from the threat of cyber attacks.

National Institute of Standards and Technology (NIST)

Published: February 2014

What is in the standard

The Framework was developed in response to Executive Order 13636 (February 2013), which called for a voluntary Cybersecurity Framework to improve critical infrastructure cybersecurity. It is a “risk-based approach to managing cybersecurity risk” and provides guidance to industry and organizations on managing that risk. Critical infrastructure is not a predefined set of industries, but rather any systems and assets vital enough to the United States that their compromise would have a debilitating impact on national security, the economy, and/or public health and safety.

The Framework is technology neutral. It provides a mechanism for organizations to describe current and target cybersecurity postures, improvement and assessment processes, and communication plans for stakeholders. The Framework is unfortunately weak on prevention, and focuses heavily on five core functions: identify, protect, detect, respond, recover. This is because it treats the functions, categories and subcategories of the framework as identical for IT and ICS; a cyber risk framework has been taken directly from an IT context and applied to ICS. Not emphasizing prevention as a core function in the realm of protecting critical infrastructure is a weakness. Under the core function of “protect”, there is no specific guidance on protecting the perimeter or boundary of the ICS network. Appendix A, the Framework Core, does not appear to be tailored to ICS; it reads as an IT framework lightly applied to industrial control operators. To illustrate, the second category within the Protect function is data security. Rather than emphasizing industrial safety and control, the top priority within ICS, the framework takes a typical IT-driven focus: data protection. The core framework itself does not mention safety of personnel inside the ICS at all (it mentions only public safety, in the summary text).

Overall, this is a very IT-focused framework that has been only lightly modified for application to industrial control systems. It could apply to any organization, which again raises the question of why another generic IT model should be applied to ICS. Understanding what is most important to protect from cyber attack in ICS, safety and control rather than data and information, is the only way to provide a valuable framework that operators of critical infrastructure can implement.

International Society of Automation (ISA) / IEC 62443

What is in the standard
This standard addresses security for industrial automation and control systems (IACS), and outlines security requirements for control systems while assigning systems different security levels. Control systems are increasingly interconnected with non-IACS (IT) networks, and the increased connectivity introduces greater risk of cyber attack against control system hardware and software. The resulting vulnerabilities could lead to health, safety and environmental consequences. The cybersecurity approach for IACS needs to consider functional requirements, risk assessments and operational issues. IACS security goals are different from IT security goals: IACS security measures must prevent the loss of essential services and emergencies, whereas IT is focused on protecting information rather than human lives and physical assets.

The main objective of the ISA/IEC 62443 series is to provide a framework that addresses security vulnerabilities in IACS and applies the necessary defensive mitigations. The intended audience is the IACS community, including asset owners, system integrators, product suppliers, service providers and compliance authorities. The goal is to define a common set of requirements for reaching heightened security levels. There are seven foundational requirements for control systems: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Security measures applied to these requirements shall not cause loss of protection, loss of control or loss of view.

Relationship to Unidirectional Gateways
The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. It recommends unidirectional gateways for the networks controlling the most important and most security-critical assets within an IACS. The standard also recommends segmenting control system networks from non-control system networks to reduce exposure to threats to control system reliability.

Takeaway
The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which being unidirectional gateways.

American Public Transport Association (APTA)

Published: June 2013

Securing Control and Communications Systems in Rail Transit Environments – Part II Defining a Security Zone Architecture for Rail Transit

Coming soon.

North American Electric Reliability Corporation (NERC)

Published: October 2012

What is in the standard
The electric power sector leads both North American industry and the world in strong cybersecurity standards. Both the NEI and NRC standards in nuclear generation and the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards for the Bulk Electric System (BES) are seen as among the most demanding cybersecurity regimes enforced anywhere in the world. The NERC CIP standards in particular are seen as a model of cybersecurity for other industries and critical infrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric System through strong security.

Relationship to Unidirectional Gateways
The CIP V5 standards treat unidirectional security gateways as stronger protection than firewalls and position them as an alternative to firewalls and costly Network Intrusion Detection Systems (NIDS). The mechanism is the definition of External Routable Connectivity, which requires a bi-directional routable connection into the Electronic Security Perimeter (ESP): a unidirectional gateway at the ESP removes that connectivity, and many requirements are scoped to assets that have it. The V5 CIP standards have 103 requirements overall, and provide exemptions from 37 Medium-Impact requirements and 5 High-Impact requirements when a unidirectional gateway (such as Waterfall’s Unidirectional Security Gateways) protects an ESP rather than firewalls and NIDS. Unidirectional Security Gateways increase the security of critical control systems, simplify and reduce the ongoing cost of CIP V5 compliance programs, and eliminate the need for high-maintenance firewalls and NIDS at the ESP.

Takeaway
Waterfall’s Unidirectional Security Gateways are deployed widely in Bulk Electric Systems, especially in power generation applications. The strong security provided by these gateways is recognized by steadily increasing numbers of industry analysts and security experts. In short, the Bulk Electric System is becoming measurably safer, more secure and more reliable as a result of the widespread deployment of Unidirectional Security Gateways.