
NERC-CIP CAN-0024:

Securing Critical Cyber Assets with “Data Diodes”


Andrew Ginter
Director of Industrial Security
Waterfall Security Solutions

Proprietary Information -- Copyright © 2011-2012 by Waterfall Security Solutions Ltd.

Unidirectional Security Gateways

● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to the protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Server replication, not protocol emulation



Firewalls Are Not Enough

● Only “essential” connections allowed
● You trust the users, but should you trust their workstations? Their cell phones?
● Firewalls are software - even firewalls have
vulnerabilities and “zero days”
● Errors and omissions
● Insider attack from business network – with
legitimate credentials
● Costly: procedures, training, management, log
reviews, audits, assessments
● Vulnerable: just ask for the password...

Photo: Red Tiger Security



Historian Replication

● TX agent is a conventional historian client – requests a copy of new data as it arrives in the historian
● RX agent is a conventional historian collector – drops new data into the replica as it arrives from TX
● TX agent sends historical data and metadata to RX using a non-routable, point-to-point protocol
● Complete replica, tracks all changes, new tags, alerts in replica
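A minimal model of the replication described above, added here as an illustration and not Waterfall's code: the TX agent polls the source like an ordinary historian client and the RX agent writes into the replica like an ordinary collector. The sequence numbers, gap list and tag names are assumptions; the gap detection goes beyond the slide to show why a one-way link needs it (the RX side has no channel on which to request a resend).

```python
# Added example, not Waterfall's code: historian replication across a one-way link.
# TX polls the source like a normal historian client; RX writes into the replica like
# a normal collector. With no return path RX cannot request retransmission, so every
# message carries a sequence number and RX records gaps (a constructed detail).

class Historian:
    """Tag -> list of (timestamp, value); source and replica share this shape."""
    def __init__(self):
        self.data = {}
    def write(self, tag, ts, value):
        self.data.setdefault(tag, []).append((ts, value))
    def records_after(self, ts):
        """Conventional client query: every record newer than ts, oldest first."""
        return sorted((t, tag, v) for tag, rows in self.data.items() for t, v in rows if t > ts)

class TxAgent:
    def __init__(self, source):
        self.source, self.last_ts, self.seq = source, -1, 0
    def poll(self):
        """Gather new records and frame each one with a sequence number."""
        msgs = []
        for ts, tag, value in self.source.records_after(self.last_ts):
            msgs.append({"seq": self.seq, "tag": tag, "ts": ts, "value": value})
            self.seq, self.last_ts = self.seq + 1, max(self.last_ts, ts)
        return msgs

class RxAgent:
    def __init__(self, replica):
        self.replica, self.expected, self.gaps = replica, 0, []
    def receive(self, msg):
        """Drop the record into the replica; a skipped sequence number is logged, not requested."""
        if msg["seq"] != self.expected:
            self.gaps.append((self.expected, msg["seq"] - 1))
        self.expected = msg["seq"] + 1
        self.replica.write(msg["tag"], msg["ts"], msg["value"])  # new tags appear automatically

def replicate(source, drop_seqs=()):
    """One poll cycle over the one-way link; drop_seqs simulates messages lost in transit."""
    tx, replica = TxAgent(source), Historian()
    rx = RxAgent(replica)
    for msg in tx.poll():
        if msg["seq"] not in drop_seqs:  # nothing flows from RX back to TX
            rx.receive(msg)
    return replica, rx.gaps

# Constructed sample source historian (not real plant data)
SOURCE = Historian()
for ts, tag, v in [(1, "pump1.flow", 10.5), (2, "pump1.flow", 10.7), (2, "tank2.level", 3.1), (3, "tank2.level", 3.0)]:
    SOURCE.write(tag, ts, v)
```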



Unidirectional Communications in the Smart Grid

● Conventional generators – business network interface
● Nuclear generators – safety, control and business network interfaces
● Transmission and distribution systems – business network interface
● Smart meters – back office data flow controls



CIP-002 R3: Critical Cyber Assets

● CIP-002 R3: Critical Cyber Assets are further qualified to be those having at least
one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the
Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
● CIP R1-R4 apply only to highest-risk “Critical Cyber Assets”
● Routable and dial-up communications are higher risk than non-routable
communications
● CIP was written before unidirectional communications were in widespread
use



CIP-002 R3: Control Centers

● Control Center: A Control Center is capable of performing one or more of the functions listed below for multiple (i.e., two or more) BPS assets, such as generation plants and transmission substations.
● Not all control systems, even those using routable protocols internally, are
Bulk Electric System Control Centers



CIP-002 R3: Routable Protocols

● Routable Protocol: Routable protocols use addresses and require those addresses
to have at least two parts: A “network” address and a “device” address. Routable
protocols allow devices to communicate between two different networks by forwarding
packets between the two networks.
● Ethernet frames stay within local network – hardware device (MAC)
addresses are meaningless outside the local network
● Internet Protocol (IP) packets are contained inside Ethernet frames in local
networks, other kinds of encapsulation in wide area networks
● Internet addresses are recognized throughout the WAN

Internet Protocol packet inside an Ethernet Frame



CAN-0024: Stand-Alone Devices

● Stand-alone “data diode” appliances: network in, network out – look from the outside like firewall appliances
● If the stand-alone data diode device has one or more IP addresses, it is
“using” a routable protocol for communication.
● No IP addresses generally mean the equipment is not using routable
protocols for communication.

Routable Communications



Unidirectional Gateways: Pairs of Stand-Alone Devices

● Dual-ported agent hosts use IP within protected and external networks
● But: Gateway appliances have no IP addresses, no IP stack
● Copper connections use raw Ethernet frames with custom protocol – no IP
payload or embedded network addresses
● Fiber connection through ESP uses proprietary point-to-point data transfer
format
Non-Routable Communications
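As an added illustration of the routable versus non-routable distinction drawn on the preceding slides (not code from Waterfall or from CAN-0024), the Python below parses constructed Ethernet frames, reports whether the payload carries a two-part network address (IPv4 or IPv6) that could be forwarded between networks, and splits such an address into its network and device parts. The experimental EtherType 0x88B5 and the sample MAC and IP values are assumptions.

```python
import struct
import ipaddress

# Added example (not Waterfall's or CAN-0024's code). A routable protocol, per the
# definition above, carries a two-part network + device address that is meaningful
# beyond the local segment; an Ethernet frame alone carries only MAC addresses.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

def parse_ethernet(frame: bytes) -> dict:
    """Split a raw frame into destination MAC, source MAC, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}

def classify(frame: bytes) -> dict:
    """Report whether the payload is routable and, if so, its network-layer addresses."""
    eth = parse_ethernet(frame)
    info = {"ethertype": hex(eth["ethertype"]), "routable": False, "src_ip": None, "dst_ip": None}
    payload = eth["payload"]
    if eth["ethertype"] == ETHERTYPE_IPV4 and len(payload) >= 20:
        # IPv4 header: source address at bytes 12-15, destination at 16-19
        info.update(routable=True, src_ip=str(ipaddress.IPv4Address(payload[12:16])),
                    dst_ip=str(ipaddress.IPv4Address(payload[16:20])))
    elif eth["ethertype"] == ETHERTYPE_IPV6 and len(payload) >= 40:
        # IPv6 header: source address at bytes 8-23, destination at 24-39
        info.update(routable=True, src_ip=str(ipaddress.IPv6Address(payload[8:24])),
                    dst_ip=str(ipaddress.IPv6Address(payload[24:40])))
    return info

def split_routable_address(addr: str, prefix_len: int) -> tuple:
    """The 'two parts' of a routable address: network part and device (host) part."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    device = int(ipaddress.ip_address(addr)) - int(net.network_address)
    return str(net.network_address), device

# Constructed sample frames, not captured traffic. MAC and IP values are arbitrary.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
# 1) IPv4 packet (20-byte header, no options) from 10.1.2.3 to 192.0.2.10
IPV4_HDR = bytes.fromhex("45000014000100004011") + b"\x00\x00" + bytes([10, 1, 2, 3]) + bytes([192, 0, 2, 10])
FRAME_IP = MACS + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HDR
# 2) Raw frame with an experimental EtherType (0x88B5) and opaque payload: MAC addresses only
FRAME_RAW = MACS + struct.pack("!H", 0x88B5) + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    print(classify(FRAME_IP))    # routable IPv4, 10.1.2.3 -> 192.0.2.10
    print(classify(FRAME_RAW))   # not routable: no network-layer address to forward on
    print(split_routable_address("192.0.2.10", 24))  # ('192.0.2.0', 10)
```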



Embedded Network Interface Cards: Unclear

● CAN-0024: Another type of data diode device consists of network interface cards that are installed into existing Cyber Assets, and which provide the same uni-directional communication as stand-alone data diode devices. … In this case, the data does not use a routable connection to cross the ESP, and the Cyber Assets do not meet the connectivity requirement.
● Contradicts CIP-002 R3: embedded NICs are not routable, even if they
have IP addresses and use the routable IP protocol
● Expect some confusion regarding embedded NICs



NERC-CIP R5 Draft – Routable Communications

● Low / Medium / High Impact Cyber Assets – not determined by dial-up or routable communications
● Distribution Providers now covered by the standard
● External Connectivity = routable or dial-up communications through an
Electronic Security Perimeter
● CIP-005 R5 Draft – requirements apply only to Electronic Access Points
and remote access systems with routable or dial-up connectivity
● Some requirements for Medium Impact Cyber Assets apply only to
assets associated with External Connectivity
● Fewer training, documentation and testing requirements if unidirectional, non-routable communications eliminate Electronic Access Points



Reduced Security Costs

● Eligible sites: reduced CCA documentation and other costs
● Most sites: 12-24 months cost recovery
● Reduced firewall management costs
● Reduced DMZ equipment management costs
● Reduced audit and compliance documentation costs
● Reduced remote access training costs
● Reduced remote access management costs

20% of NERC-CIP R3 requirements revolve around firewalls. Keeping firewalls secure is difficult and expensive.



Strong Security

● Gateway hardware is gate-array programmed - no CPUs, no software, no way for a vulnerability to give an adversary control of the hardware
● Entire gateway solution assessed by Idaho National Labs: no back channels,
no side channels, no way back into protected network
● Protection from even advanced, targeted threats and their Remote
Administration Tools
● More secure than firewalls and serial
connections

Two appliances (TX/RX) means no shared grounds, no shared power, or other shared components which can mask back-channels



Waterfall Unidirectional Gateway Connectors

Leading Industrial Applications/Historians
● OSIsoft PI, Scientech R*Time, Instep eDNA
● GE: iHistorian, iFIX, OSM
● Siemens: WinCC, SINAUT/Spectrum
● Emerson Ovation, Matrikon Alert Manager
● Microsoft SQLServer, Wonderware Historian

Leading Industrial Protocols
● Modbus, OPC (DA, HDA, A&E)
● DNP3, ICCP

Remote Access
● Remote Screen View™
● Secure Manual Uplink

Leading IT Monitoring Applications
● Log Transfer, SNMP, SYSLOG
● CA Unicenter, CA SIM, HP OpenView
● Nitro SIEM
● Mail server/mail box replication
● IBM Websphere MQ series

Other connectors
● UDP, TCP/IP
● NTP, Multicast Ethernet
● Video/Audio stream transfer

File/Folder Mirroring
● Folder, tree mirroring, remote folders (CIFS)
● Antivirus updater, patch (WSUS) updater
● FTP/TFTP/SFTP/FTPS/RCP
● Remote print server



Waterfall Security Solutions

● Headquarters in Israel, sales and operations office in the USA, installed world-wide in all critical infrastructure sectors
● Focused exclusively on industrial markets and industrial server replication
● World’s largest suite of industrial replication solutions, patent protected
● Nuclear market: 80% of decided sites chose Waterfall, 60% are deployed
already
● Pike Research: Waterfall is key player in the cyber security market
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens,
and many other major industrial vendors

Market leader for server replication in industrial environments



Unidirectional Security Gateways

● CAN-0024 guidance identifies Unidirectional Gateways as non-routable
● Unidirectional Gateways reduce the cost of security programs
● Less complex configuration than firewalls
● Lower maintenance costs, less configuration, less to get wrong
● Lower audit costs: less documentation, no remote access, fewer logs
● Unidirectional Gateways are strong security
● Absolute protection from external network attacks
● Stronger than firewalls, stronger than serial connections
● Protects against errors and omissions
● Eliminates remote-control attacks

CAN-0024 guidance recognizes that NERC auditors encounter unidirectional communications equipment in multiple geographies

