Cybersecurity for PI Servers
Simple, powerful, unidirectional protection at the IT/OT interface


Waterfall’s products are covered by U.S. Patents 7,649,452, 8,223,205, and by other pending patent applications in the US and other countries. “Waterfall”, the Waterfall Logo, “Stronger than Firewalls”, “In Logs We Trust”, “Unidirectional CloudConnect”, “CloudConnect”, and “One Way to Connect” are trademarks of Waterfall Security Solutions Ltd. All other trademarks mentioned above are the property of their respective owners. Waterfall Security reserves the right to change the content at any time without notice. Waterfall Security makes no commitment to update content and assumes no responsibility for any mistakes in this document. Copyright © 2021 Waterfall Security Solutions Ltd. All Rights Reserved. www.waterfall-security.com

TABLE OF CONTENTS

CYBERSECURITY FOR PI SERVERS
THE PROBLEM WITH DMZS
THE UNIDIRECTIONAL ALTERNATIVE
STRONG SECURITY FOR OSISOFT PI INSTALLATIONS
WATERFALL UNIDIRECTIONAL SECURITY GATEWAYS


CYBERSECURITY FOR PI SERVERS

OSIsoft PI servers are integral to IT/OT integration and to OT or industrial cybersecurity programs. PI servers enable countless efficiencies by providing data, insights and analytics to enterprise networks, cloud-based systems and OT / ICS networks. These efficiencies come with a cost though: increased cybersecurity risk. In this eBook we review those cyber risks and examine a simple solution to the problem of IT/OT integration risk: unidirectional gateways. Unidirectional gateways give OT and industrial networks hardware-enforced protection from even the most sophisticated online attacks, because no network traffic can physically enter the protected network through the gateway, while continuing to enable the full functionality of PI servers and providing enterprises with efficiency-enabling industrial data.


THE PROBLEM WITH DMZS

Classic IT/OT integration connects networks with firewalls, often with two layers of firewalls and a demilitarized zone (DMZ) between the firewalls. When there is a PI server in the plant, it is generally located within the DMZ, reaching through a firewall to the industrial network, and accessible to the enterprise network through another firewall. Figure (1) illustrates this scenario. In the figure the PI server pulls OPC and other data from the control system network.

Figure (1) PI Server in a DMZ: [Enterprise Network: PI Clients] | Firewall | [DMZ Network: PI Server] | Firewall | [Industrial Network: Control System]; the PI Server pulls OPC data from the Control System.

When there is no PI server in a plant, but the server is in the enterprise, there is generally an interface node in the DMZ, pulling data from the plant network and pushing the data to the enterprise or cloud-based PI server, as in Figure (2).

Figure (2) Enterprise PI Server: [Enterprise Network: Enterprise PI Server] | Firewall | [DMZ Network: PI Interface Node] | Firewall | [Industrial Network: Control System]; the PI Interface Node pulls OPC data from the Control System and pushes it to the Enterprise PI Server.


While a single server is illustrated in the diagrams for simplicity, DMZ networks generally contain many servers, including Active Directory servers, WSUS servers, anti-virus servers, file servers, and/or automation web servers.

The problem with these DMZ designs is the firewalls. Many practitioners have the impression that firewalls protect networks while still providing access to vital industrial data. In fact, firewalls do not provide access to data; they provide access to systems. A stolen password or a compromised enterprise workstation provides threat actors with access to PI, OPC and other systems right through firewalls, because the rule that admits the legitimate PI or OPC session admits the attacker’s session just as readily.

Why is this? At their core, all firewalls are routers: they forward network traffic from one network to another. Firewalls are not merely routers, of course. Firewalls have additional software that seeks to inspect and to some degree understand the network traffic. If that software determines that a particular network message is permitted, the firewall forwards the message to a system in the DMZ or in the industrial network. This means that when an attacker can persuade the firewall that an attack message is permitted, the firewall happily forwards that message right into the network that the firewall was meant to protect. This is fundamental: firewalls are and always will be routers. There is no escaping these kinds of attack paths through firewalls. Most modern cyber attacks on both enterprise and industrial / OT networks pass through firewalls.

A confusing fact about firewalls is that some practitioners describe them as unidirectional. They define a unidirectional firewall as one where connections through the firewall can be established only from inside the protected industrial or DMZ network. The problem is that once a TCP connection is established, that connection is always two-way. Consider a simple example: imagine a laptop in a DMZ protected by a “unidirectional firewall.” The laptop connects to an enterprise email server from the DMZ; this direction of connection is what “unidirectional” firewalls permit. Once established and encrypted, that connection lets the laptop pull email from the enterprise network. If a piece of mail includes a malicious attachment, the laptop pulls the malware right through the allegedly unidirectional firewall. In practice, all “unidirectional firewalls” are bi-directional and vulnerable.
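To make the laptop-and-mail-server argument concrete, here is an added example (not code from the eBook and not any firewall vendor’s code) that models the two rules an “outbound-only” stateful firewall actually carries and runs a constructed three-packet trace through them. The zone names, addresses and attachment bytes are assumptions made for the illustration.

```python
"""Model of an "outbound-only" stateful firewall between a DMZ and an enterprise
network.  Added example: not from the eBook, not any vendor's code; zones, hosts
and the packet trace are constructed.

The model carries the two rules every such firewall has: accept NEW connections
only when they originate inside, and accept anything that belongs to an
ESTABLISHED connection.  The second rule is direction-blind, which is why the
mail server's reply, attachment included, is forwarded into the DMZ.
"""
from dataclasses import dataclass, field

DMZ, ENTERPRISE = "dmz", "enterprise"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    syn: bool = False     # connection-opening packet
    payload: bytes = b""


@dataclass
class OutboundOnlyFirewall:
    inside: str
    conntrack: set = field(default_factory=set)   # tracked flows

    def filter(self, pkt):
        # A tracked flow is an unordered pair of endpoints: once the flow exists,
        # connection tracking neither knows nor cares which side is sending.
        flow = frozenset((pkt.src, pkt.dst))
        if flow in self.conntrack:
            return "ACCEPT"                       # ESTABLISHED, either direction
        if pkt.syn and pkt.src_zone == self.inside:
            self.conntrack.add(flow)
            return "ACCEPT"                       # NEW, from the protected side
        return "DROP"                             # NEW from outside, or stray


LAPTOP = ("10.1.0.5", 50000)        # constructed DMZ host
MAIL = ("192.168.1.25", 993)        # constructed enterprise mail server

# Constructed trace, in order.
TRACE = [
    # 1. An attacker on the enterprise side tries to open a connection inward.
    Packet(ENTERPRISE, DMZ, ("192.168.1.99", 4444), LAPTOP, syn=True),
    # 2. The DMZ laptop opens its mail session outward: the permitted direction.
    Packet(DMZ, ENTERPRISE, LAPTOP, MAIL, syn=True),
    # 3. The mail server answers on the same flow with a message and attachment.
    Packet(ENTERPRISE, DMZ, MAIL, LAPTOP, payload=b"MZ\x90\x00 invoice.exe"),
]


def run_trace(trace=TRACE):
    """Return the per-packet verdicts and the bytes that were forwarded into the DMZ."""
    fw = OutboundOnlyFirewall(inside=DMZ)
    verdicts, into_dmz = [], b""
    for pkt in trace:
        verdict = fw.filter(pkt)
        verdicts.append(verdict)
        if verdict == "ACCEPT" and pkt.dst_zone == DMZ:
            into_dmz += pkt.payload
    return verdicts, into_dmz
```

The inbound SYN is dropped exactly as the “unidirectional” policy promises; the attachment still arrives, because it rides the flow the laptop itself opened. Nothing in the conntrack lookup distinguishes the two directions, and adding inspection software on top only moves the question to whether that software can be persuaded the payload is benign.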

Another problem with firewalls is that firewalls are software, and all software has security vulnerabilities, both discovered and undiscovered. For evidence of these vulnerabilities, visit your favorite firewall vendor’s website and count how many security updates were issued recently. Now, to be fair, most industrial security programs involve more than just firewalls, but the other elements of those programs are generally also software. Again: all software has defects and security vulnerabilities. We may be aware of some of those vulnerabilities and have security updates for them. Other vulnerabilities our enemies may have discovered and may be actively exploiting without our knowledge.


THE UNIDIRECTIONAL ALTERNATIVE

Secure industrial sites use more than firewalls: such sites use at least one layer of unidirectional gateways in their defense-in-depth network security designs. The gateways are deployed either at the “top” of the DMZ, at the enterprise network interface, or at the “bottom” of the DMZ, at the ICS/OT network interface. A truly unidirectional gateway is physically able to send information in only one direction, generally from a protected industrial network out to an enterprise network, or straight out to the Internet. High quality gateways use optical isolation to guarantee unidirectionality at the hardware level.

Figure (3) OPC Replication to PI Server: [Enterprise Network: PI Clients] | Firewall | [DMZ Network: PI Server] | Unidirectional Gateway | [Industrial Network: Control System]; OPC data is replicated one way from the Control System into the DMZ PI Server.

Figure (4) OPC Replication to PI Interface Node: [Enterprise Network: Enterprise PI Server] | Firewall | [DMZ Network: PI Interface Node] | Unidirectional Gateway | [Industrial Network: Control System]; OPC data is replicated one way from the Control System into the DMZ PI Interface Node.


Unidirectional gateway software makes copies of servers. For example, Waterfall’s Unidirectional Security Gateway products routinely make copies of OPC-DA, UA, A&E and HDA servers. Those servers are generally copied from industrial networks into a DMZ containing either a PI server as in Figure (3) or a PI Interface node as in Figure (4).


In addition, if there is a PI server in both a plant and the enterprise, the plant server is generally located in an existing DMZ. A unidirectional gateway may be deployed at the interface between the DMZ network and the enterprise network as in Figure (5). In this case, the gateway replaces the PI-to-PI software that connects the enterprise PI Server to the plant PI Server through the firewall.

Figure (5) Unidirectional PI-to-PI replication: [Enterprise Network: Enterprise PI Server, PI Clients] | Unidirectional Gateway | [DMZ Network: PI Server] | Firewall | [Industrial Network: Control System]; the DMZ PI Server pulls OPC data from the Control System and is replicated one way into the Enterprise PI Server.

In all cases, the unidirectional gateway is deployed in the connectivity path between the enterprise network and the industrial / OT network. The gateway hardware prevents all attack packets from reaching industrial targets, no matter how sophisticated those attacks may be and no matter how cleverly the attacks have been disguised as normal, permitted traffic. Every network-borne attack on an industrial network is information carried in packets; when the gateway hardware carries no packets inward, it carries no attack inward either. Note the scope of that guarantee: the gateway removes the inbound network path from the enterprise side, while the replica servers on the enterprise side of the gateway remain ordinary software that still relies on the firewall and the other controls of the defense-in-depth design.
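The two preceding sections say that the gateway software copies servers across a link that physically carries nothing back. The following added example (Python; it is not Waterfall’s protocol or code, and the historian records and link faults are constructed) shows what a replication protocol has to do when no acknowledgement can ever arrive: number and checksum every frame, let the receiving side discard damaged frames and detect gaps, and close gaps by re-reading the source on the transmitting side, which is the backfill operation the feature list later describes. The frame format, field names and PI-style tag names are assumptions for the illustration.

```python
"""One-way replication with no return channel.  Added example: not Waterfall's
protocol or code; frame format, records and link faults are constructed.

Without acknowledgements the TX side can never learn what RX received, so the
protocol must (1) number every frame, (2) checksum every frame so a damaged one
is discarded rather than trusted, (3) let RX detect gaps, and (4) close gaps by
re-reading the source on the TX side (backfill) while RX de-duplicates on
(tag, timestamp).
"""
import json
import struct
import zlib

MAGIC = b"UG1"
HEADER = struct.Struct("!3sII")   # magic, frame sequence number, body length
TRAILER = struct.Struct("!I")     # CRC-32 over header + body


def encode_frame(seq, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    header = HEADER.pack(MAGIC, seq, len(body))
    return header + body + TRAILER.pack(zlib.crc32(header + body))


def decode_frame(frame):
    """Return (seq, record), or None for anything that fails to verify."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    magic, seq, length = HEADER.unpack_from(frame)
    if magic != MAGIC or len(frame) != HEADER.size + length + TRAILER.size:
        return None
    header, body = frame[:HEADER.size], frame[HEADER.size:HEADER.size + length]
    (crc,) = TRAILER.unpack_from(frame, HEADER.size + length)
    if zlib.crc32(header + body) != crc:
        return None
    try:
        return seq, json.loads(body)
    except ValueError:
        return None


class Sender:
    """TX side: reads the source historian, emits frames, reads nothing back."""
    def __init__(self):
        self.seq = 0

    def stream(self, records):
        for rec in records:
            yield encode_frame(self.seq, rec)
            self.seq += 1

    def backfill(self, source, since):
        # Backfill is a TX-side re-read of the source for a time window.  RX cannot
        # request it; it is scheduled or operator-triggered from the gap report.
        return list(self.stream([r for r in source if r["ts"] >= since]))


class Replica:
    """RX side: rebuilds the server copy and keeps a gap list for operators."""
    def __init__(self):
        self.points = {}       # (tag, ts) -> value; the key de-duplicates backfill
        self.next_seq = 0
        self.missing = set()   # frame numbers never seen
        self.rejected = 0      # frames that failed magic, length or CRC checks

    def ingest(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1  # damaged frame: drop it, there is no "retransmit"
            return
        seq, rec = decoded
        if seq > self.next_seq:
            self.missing.update(range(self.next_seq, seq))
        self.missing.discard(seq)
        self.next_seq = max(self.next_seq, seq + 1)
        self.points[(rec["tag"], rec["ts"])] = rec["value"]


def _history(tag, base):
    return [{"tag": tag, "ts": 1_700_000_000 + 10 * i, "value": base + i} for i in range(3)]

SOURCE = _history("FIC101.PV", 40.0) + _history("TI202.PV", 300.0)  # constructed points


def lossy_link(frames):
    """Constructed fault injection: lose frame 2, flip one body byte of frame 4."""
    out = []
    for i, f in enumerate(frames):
        if i == 2:
            continue
        if i == 4:
            pos = HEADER.size + 3
            f = f[:pos] + bytes([f[pos] ^ 0xFF]) + f[pos + 1:]
        out.append(f)
    return out


def replicate():
    """Run one pass over the lossy link, then a backfill; return (before, after)."""
    tx, rx = Sender(), Replica()
    for f in lossy_link(list(tx.stream(SOURCE))):
        rx.ingest(f)
    before = {"points": len(rx.points), "missing": sorted(rx.missing), "rejected": rx.rejected}
    for f in tx.backfill(SOURCE, since=SOURCE[0]["ts"]):
        rx.ingest(f)
    return before, len(rx.points)
```

After the first pass the replica holds four of six points, reports frame 2 as missing and frame 4 as both missing and rejected, and has no way to ask for either. The backfill re-sends the whole window under fresh sequence numbers, and the (tag, timestamp) key absorbs the duplicates, so the replica ends complete without a single byte having crossed the link inward.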


STRONG SECURITY FOR OSISOFT PI INSTALLATIONS

Waterfall Security Solutions has been a strong OSIsoft PI partner for longer than any other unidirectional vendor. We work shoulder-to-shoulder with OSIsoft sales, support and partner personnel to provide the strongest practical network security options for industrial networks and PI installations.

Firewalls are limited, but do not misunderstand: firewalls have their place. Unidirectional Gateways do not replace all firewalls in a network architecture, far from it. The gateways generally replace or augment exactly one layer of firewalls in a defense-in-depth industrial / OT network architecture, generally either at the top or bottom of the DMZ network.

With at least one layer of Waterfall’s Unidirectional Security Gateways protecting industrial networks, industrial enterprises can be confident of taking advantage of the IT/OT integration efficiencies enabled by OSIsoft PI installations, without the risk that comes from firewall-only communications paths from the open Internet into the most sensitive of industrial networks.

To dig deeper, please feel free to contact Waterfall and request a free, no-obligation consultation with an OT security solutions architect to explore how your security program might benefit from Unidirectional Security Gateways.


WATERFALL UNIDIRECTIONAL SECURITY GATEWAYS

Waterfall is the world’s leading producer of Unidirectional Security Gateways. Waterfall’s product hardware is certified to be truly unidirectional, even in the face of the most sophisticated of adversaries. Waterfall’s software connectors of course replicate OSIsoft PI, Asset Framework and OPC servers. Our connectors replicate an enormous array of other kinds of protocols, systems, databases, servers and other components as well:

Table (1) Waterfall Connector Software

Historians and Databases
► OSIsoft: PI System, PI Asset Framework, PI Backfill
► GE: iHistorian, iHistorian Backfill, OSM, iFix, Bently-Nevada System1
► Schneider-Electric: Wonderware eDNA, Wonderware Historian, SCADA Expert, ClearSCADA
► AspenTech IP.21, Rockwell FactoryTalk Historian, Honeywell Alarm Manager, Scientech R*Time
► Microsoft SQL Server, Oracle, MySQL, PostgreSQL

Industrial Applications and Protocols
► Siemens S7, PCS7 Historian
► OPC DA, A&E, HDA, HDA Backfill and OPC UA
► Emerson: EDS
► Yokogawa OPC
► Modbus, DNP3, ICCP
► IEC 60870-5-104, OmniFlow

Enterprise Monitoring
► FireEye: Helix & Managed Defense
► Email/SMTP, SNMP, Syslog
► HP ArcSight, Splunk, Splunk Universal Forwarder, IBM QRadar, McAfee ESM, CyberX, Radiflow iSID, ForeScout Silent Defence, Dragos, Indegy
► MSMQ, IBM MQ, AMQP, TIBCO
► SolarWinds Orion, Thales Aramis, IOSight, Panorama

Other Connectors
► TimeSync, Netflow
► Video & audio streaming
► Kaspersky, Norton, FortiGate, Check Point, McAfee and OPSWAT Anti-virus updaters
► WSUS and Linux Repository updaters
► Tenable Nessus Network Monitor, Nessus Security Center Updates
► Remote printing

File Transfer
► Folder mirroring, Local Folders
► FTP/S, SFTP, TFTP, SMB, CIFS, NFS
► HTTP POST
► Log Mirroring

Remote Access
► Remote Screen View
► Secure Bypass


INDUSTRY-LEADING FEATURES OF WATERFALL PRODUCTS INCLUDE:

► Optional high availability, with no single point of failure, for all software connectors,
► Detailed diagnostics, reporting and remote management features to simplify deployment and troubleshooting,
► Integrated thin-client, web-based user interface for all configuration, monitoring and management tasks,
► Routine support for backfill operations – filling in missing data in replicas after scheduled and unscheduled downtime – for servers, protocols and systems that are able to backfill,
► The ability to run on Windows and Linux, and in some cases on Solaris, AIX and VxWorks as well,
► The ability to run on Waterfall hardware modules, customer-supplied computer hardware and virtual machines,
► No limits on the number of industrial databases, protocols and other servers that can be replicated through the Unidirectional Gateway hardware, other than bandwidth limitations,
► 1Gbps throughput standard on all Waterfall hardware products,
► The ability to deploy multiple 1Gbps connections in parallel to increase throughput.

These features and connectivity generally extend to Waterfall’s entire family of hardware products, including Waterfall’s DIN-rail units, FLIP, Secure Bypass, Unidirectional CloudConnect and the BlackBox tamper-proof forensics device. And all this is to say nothing of Waterfall’s legendary support services, which are of course what you expect of the industry leader.

In short, Waterfall’s Unidirectional Security Gateways and related products are comprehensive, meeting secure communications and secure IT/OT integration needs in all industrial operations and plants in modern industrial enterprises.