To the non-expert, cyber security can look tantalizingly simple: Just put a guard in front of your stuff and use it to keep the bad guys out. This observation tracks closely with the non-computing analogy of facility entry guards, a favorite comparison brought up during coffee at Board dinners: Guards control who enters the building,we are told, so security gateways should do the same for networks.
The problem is that things are not so simple. Take the TCP protocol as an example: For a server to authenticate a client through a gateway, a session must first be established, which involves a three-step, bidirectional handshake. Using our analogy, this is like the guard allowing someone to go into the building to see if they are permitted to go intothe building. This also illustrates Dijkstra’s warning that analogies are a poor excuse for conversation.
I had the great pleasure last week to take a stroll on a rare sunny day through lower Manhattan with my friend Lior Frenkel, Founder and CEO of Waterfall Security. We eventually found our way to Japonica for sushi boxes, and for more intense technical conversation. What I wanted to understand was how Waterfall separates industrial devices from hackers – and I knew that Lior would have a good story. He did not disappoint.
The essence of his separation method involves fiber optics, and the underlying different physical principles used in photon transmission and reception. Lior explained that if you create a transmit-receive (TX-RX) gateway that supports the familiar unidirectional optical pulsing from a laser, then you remove the possibility that by opening the door, you allow things to sneak in. As you’d expect, this property is important for industrial control security.
Let me try to explain the architecture from the outside-in – as Lior did with the green tea cups and soy sauce dispensers on our table: Start with the premise that some industrial devices – think turbines, or engine parts, or motor actuators – need to provide continuous telemetry to an Internet-connected management center. We can and should assume real-time requirements for such reporting, so batch-send is not an option for the telemetry.
Now, if you do this through a normal firewall gateway, then you create the possibility that commands might flow to the industrial devices, rather than from them, and even worse, using the inbound channel, attacks can get in and spread throughout the industrial network. “This is problematic for Internet-connected management centers,” Lior explained, “because you create a direct path from the Internet to industrial systems.” He went on to provide several examples where any reasonable person would not accept such a situation. So far, so good.
The Waterfall platform, usually replacing the industrial perimeter firewall, creates a hardware-based TX-RX unidirectional optical path in the communications from industrial device to the management center, and then uses software agents on the internal side to collect and receive telemetry in a real-time manner. The send and receive is like a constant heartbeat of data flowing to the management center, so that requests for data by managers reside on the outside, rather than across the network to the devices.
As you might expect, I asked about situations where the management center needs to issue mods, updates, or other commands to the industrial devices, and Lior shrugged: “You can easily use our platform to flip a switch to allow for such operation,” he explained. “Then you turn it off. This way, you can be 100% protected 99% of the time. Which is much better than the (firewall) alternative, where you are open 100% of the time.” I had to admit that this sounded reasonable.
Certainly, the approach – like any cyber security protection – will have its limitations. In an IT environment, for example, where back-and-forth communications cannot be impeded in any way, local engineers might not like the unidirectional flow. Similarly, for non-IoT gateways with massive traffic loads greater than 1 Gbps, the Waterfall solution might not be the best option today.
But for reliable protection of industrial devices in the presence of Internet-connected telemetry analysis, this approach looks truly world-class to me. I can’t think of any reason why modern SCADA environments would not be deploying this technology immediately. I think it will seriously annoy nation-state hackers – and when you get right down to it, that’s what we hope to do in our industry.
- Using Physics to Protect Industrial Devices Against Hacking - June 4, 2017