How Waterfall Security Protects Water Facilities
Waterfall’s Unidirectional Gateways are used to secure water utilities by creating a one-way communication channel that allows the flow of information in only one direction –> out of the facility. This configuration prevents any data from flowing in the opposite direction back into the facility, making it physically impossible to remotely inject malicious code into the system. In the context of water utilities, this can help protect critical control systems and prevent unauthorized access or tampering and makes sure that a clean supply of water continues uninterrupted, even if other systems are compromised.
Here’s a general overview of how Waterfall’s Unidirectional Gateway could be implemented to secure a water facility:
1. Network Segmentation: A water facility’s network should be segmented into separate zones to isolate critical control systems from non-critical systems and external networks. This helps contain potential security breaches and limits the overall attack surface.
2. Unidirectional Communication: A Unidirectional Gateway such as the WF-600 can be installed at the boundary between the critical control system network and any external networks or systems. This allows data to flow from the critical control system network to external networks/systems but prevents any data from flowing back into the critical network. This ensures that no unauthorized commands or malicious data can be sent back into the control system.
3. Secure Data Transfer and Encryption: Waterfall Security’s Unidirectional Gateways can be configured with whichever connectors are required to work with existing 3rd party encryption protocols which allows the outflowing information to be encrypted as it leaves the facility, helping ensure that it’s integrity and confidentiality remain intact.
4. Monitoring and Logging: It’s an understood fact that robust monitoring and logging systems should be in place to track and record all communication activity passing throughout the network. This helps in detecting any suspicious behavior earlier, identifying potential threats, and conducting forensic analysis any time a breach or attempt has been detected. Furthermore, Waterfall’s Blackbox creates a tamperproof copy of your logs, which can be used to quickly reveal what hackers may have attempted to conceal by comparing the tampered and tamperproof logs.
5. Restricted Remote Access: The water facility should severely restrict any remote access, which normally rely on authentication protocols for any user or system attempting to access the critical control systems. Instead, only remote monitoring is enabled in a secure way, while any adjustments that need to be made to the industrial processes are done by a worker physically present at the location. This helps ensure that only physically present personnel and systems can interact with the control systems, eliminating the risk of unauthorized remote access, while at the same time, allowing for remote monitoring.
6. Flip to enable Security Updates: Let’s face it, all computerized systems need to be updated sooner or later. When it comes to industrial control systems, the whole operation can be at risk if an update has even the smallest hiccup. The Blue Screen of Death is not an option for a critical water facility. Waterfall Security’s FLIP allows for updates to be done on a copy of the ICS, so that it can be confirmed to work and not contain any malware before it is sent to the PLCs and the entire system to update.
7. Audit without disruptions: With the increased regulation that has started flooding the water industry, an increase in audits and forensic activity is a fair expectation. However, it is critical that all the pumps and valves keep working and that people have an uninterrupted water supply during these audits. Waterfall’s unidirectional loggers such as the WF Blackbox are ideal for enabling this process, while eliminating the need to shut down the system for the technical portion of the audit or forensic investigation.
8. Cloud Connectivity: While the water systems are physical and require a human operator present, there are many 3rd party solutions that require the OT to be connected to the cloud. The Waterfall Unidirectional Cloud Gateway makes it possible to safely connect to the cloud, without risk of compromise, by providing a virtual copy of the PLCs to interact with the cloud, which only passes information in one direction, and sequesters updates to the “copy” to negate it being used as an attack vector.
9. Securing IDS: Intrusion Detection Systems are designed to prevent intrusion. However, the sensor computer that runs the IDS software maintains a connection to the OT system via the mirror port, and a talented hacker would be able to exploit this vulnerability to send malicious packets into the OT. WF for IDS prevents this vulnerability by effectively placing a “one way valve” between the mirror port and the sensor computer, so that no matter how talented an adversarial hacker might be, it is still physically impossible for any data to make its way back from the IDS to the mirror port.
It’s important to note that implementing Unidirectional Gateways are just one aspect of securing a water facility. A comprehensive security strategy would involve a combination of physical security measures, network segmentation, access controls, encryption, intrusion detection systems, and regular training and awareness programs for personnel. Additionally, it is crucial to engage with security experts who specialize in securing critical infrastructure to ensure the implementation is tailored to the specific needs and risks of the water facility.
Stay up to date
Subscribe to our blog and receive insights straight to your inbox