There was a day when the most common question heard while
demonstrating a Unidirectional Security Gateway at an electric-sector trade
show was "What's that?" Today, most electric-sector security practitioners
are aware of unidirectional gateway technology and of its advantages over
firewalls in one circumstance or another, but many are still unclear as to what
a unidirectionally-protected "big picture" network looks like. In this
article, we describe the network architecture we see deployed routinely to
protect power plant control networks. A simplified version of the network is
illustrated below.
The design strategy behind this architecture is simple:
replace at least one layer of firewalls in the layered, defense-in-depth
network with unidirectional gateways, thus protecting the most important
control system components from network attacks originating on less-trusted
networks, such as corporate networks and the Internet.
Safe IT/OT Integration
The vast majority of power plants choose the IT/OT firewall
layer as the layer to replace with stronger unidirectional protections.
Cross-zone communications at this layer serve many functions. In the
discussions below, each IT/OT integration function is considered independently.
In practice, many or all of these functions are combined into a single set of
Unidirectional Security Gateway equipment. Let's look at each of the functions
in turn.
Primary IT/OT Interface: The primary IT/OT interface is used to monitor real-time
operations continuously for purposes such as predictive maintenance, operations
optimization and widespread awareness of key performance indicators. The
majority of unidirectionally-protected power plants deploy Unidirectional
Security Gateways at this interface, but newer installations also use the Waterfall
FLIP at this interface, and it is a FLIP that is illustrated in the high-level
diagram above. For readers unfamiliar with gateways or the FLIP:
- A Unidirectional Security Gateway is hardware that is physically able to transmit information in only one direction, coupled with software that makes copies of industrial servers, most often process historian databases, or various types of OPC servers. Users and applications on the corporate network needing access to real-time data can query the replicas for that data.
- A Waterfall FLIP is a kind of unidirectional gateway whose orientation can reverse on a schedule. A FLIP can physically send information in only one direction at a time, and makes copies of industrial servers just like the gateways do.
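The replication described in the two bullets above has one consequence that a practitioner designing around a gateway has to plan for: because nothing can flow back across the link, the receive side can never acknowledge a frame or ask for a resend. The following simulation is an added example written for this article, not Waterfall's software or any real gateway's wire protocol. The framing format (JSON body plus a SHA-256 integrity digest), the "send each record N times" redundancy scheme, the deterministic loss pattern and the historian sample data are all assumptions constructed for the example. It shows the transmit end polling a source historian and pushing sequenced frames, the receive end rebuilding a replica with no send capability at all, and how gaps in the replica are detected and how redundant copies close them.

```python
"""Historian replication across an ack-less one-way link (constructed example).

The transmit end polls the plant historian and pushes framed records; the
receive end rebuilds a replica for corporate users to query. Because nothing
can flow back, the receiver cannot request a resend, so the sender relies on
sequence numbers plus redundant copies and the receiver reports gaps.
"""
import hashlib
import json
from collections import deque

# Constructed sample of what the transmit side would poll from a plant
# historian: (tag, unix timestamp, value). Not real plant data.
SOURCE_HISTORIAN = [
    ("GT1.MW", 1700000000, 148.2),
    ("GT1.EGT_C", 1700000000, 598.0),
    ("GT1.MW", 1700000005, 149.0),
    ("GT1.EGT_C", 1700000005, 601.5),
    ("ST1.MW", 1700000005, 72.3),
    ("GT1.MW", 1700000010, 150.1),
    ("ST1.MW", 1700000010, 72.9),
]


class _Wire:
    """Shared state of the simulated link. drop_every=N loses every Nth frame."""

    def __init__(self, drop_every):
        self.frames = deque()
        self.sent = 0
        self.drop_every = drop_every


class TxEnd:
    """Transmit side: it can send and nothing else."""

    def __init__(self, wire):
        self._wire = wire

    def send(self, frame):
        self._wire.sent += 1
        if self._wire.drop_every and self._wire.sent % self._wire.drop_every == 0:
            return  # lost on the wire; the sender never learns of it
        self._wire.frames.append(frame)


class RxEnd:
    """Receive side: it can receive and nothing else (no send method exists)."""

    def __init__(self, wire):
        self._wire = wire

    def recv(self):
        return self._wire.frames.popleft() if self._wire.frames else None


def one_way_link(drop_every=0):
    wire = _Wire(drop_every)
    return TxEnd(wire), RxEnd(wire)


def frame(seq, record):
    """Assumed wire format: JSON body + '|' + SHA-256 of the body (integrity only)."""
    body = json.dumps({"seq": seq, "rec": record}, separators=(",", ":")).encode()
    return body + b"|" + hashlib.sha256(body).hexdigest().encode()


def unframe(data):
    body, _, digest = data.rpartition(b"|")
    if hashlib.sha256(body).hexdigest().encode() != digest:
        return None  # corrupted frame: discard it, a redundant copy may survive
    parsed = json.loads(body)
    return parsed["seq"], tuple(parsed["rec"])


def transmit(tx, records, copies):
    """Poll the source and push every record `copies` times (no ACK exists)."""
    for seq, record in enumerate(records):
        data = frame(seq, record)
        for _ in range(copies):
            tx.send(data)


def receive(rx):
    """Drain the link into a replica, de-duplicating by seq and listing gaps."""
    replica = {}
    while (data := rx.recv()) is not None:
        parsed = unframe(data)
        if parsed is not None:
            seq, record = parsed
            replica.setdefault(seq, record)
    highest = max(replica, default=-1)
    # A lost final record is only noticed once a later one arrives.
    gaps = [s for s in range(highest + 1) if s not in replica]
    return [replica[s] for s in sorted(replica)], gaps


def replicate(records, drop_every, copies):
    """Run one poll-and-replicate cycle; returns (replica records, missing seqs)."""
    tx, rx = one_way_link(drop_every)
    transmit(tx, records, copies)
    return receive(rx)


if __name__ == "__main__":
    for copies in (1, 2):
        replica, gaps = replicate(SOURCE_HISTORIAN, drop_every=3, copies=copies)
        print(f"copies={copies}: {len(replica)} records replicated, gaps={gaps}")
```

With one copy per record and every third frame lost, the replica is missing two records and the receiver can say exactly which sequence numbers they were; with two copies the same loss pattern leaves the replica complete. Real gateway products use forward error correction or similar redundancy for the same reason, and the replica's gap report is the signal to watch on the corporate side, since the control-side transmitter has no way of knowing a frame was lost.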
Vendor Monitoring: The majority of coal, gas and hydro plants have remote connections
to their turbine vendors for vendor monitoring and diagnostics, and many have similar
connections to other vendors as well. These vendors monitor physical equipment
or control-system components continuously, and adjust system parameters from
time to time. Unidirectionally-protected plants meet the monitoring need with
server replication; the vendors monitor the replica servers. Most
unidirectionally-protected plants meet the "occasional adjustment"
need with remote screen view technology. Remote screen view makes a real-time
feed of screen images available to vendor support personnel, while site
personnel operate control system equipment. The vendors generally advise plant
personnel over the phone throughout these adjustments.
Generation Dispatch Center: Most power plants
need to report power production and other parameters to a generation dispatch
center continuously. A minority of plants have production schedules set far into
the future; such plants can deploy unidirectional gateways to replicate ICCP
(Inter-Control Center Communications Protocol) servers to permit continuous
monitoring by dispatch centers. The majority of plants not only report their
status continuously to a dispatch center, but receive second-by-second updates
of power production set points from that center as well.
Some such plants lease serial lines to exchange ICCP information with dispatch centers,
but a more secure solution is a pair of "inbound/outbound"
unidirectional gateways replicating ICCP servers. Inbound/outbound gateways are
two independent unidirectional gateway deployments, each replicating an ICCP
server in one direction. The inbound gateway polls the dispatch center's ICCP
server and emulates that server to plant systems. The outbound gateway polls
the plant ICCP server and emulates that server to the dispatch center EMS.
These two channels are generally deployed on different sub-networks and are
unable to communicate with each other, though both are able to communicate with
dispatch center and plant ICCP servers.
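The security of the inbound/outbound pair rests on two properties that the hardware guarantees but that the surrounding network can quietly undo: each link carries traffic in one direction only, and the two links never touch. A dual-homed host, a stray patch cable or a mis-configured VLAN on either side can create exactly the return path the gateways were bought to eliminate, and the gateway itself will never report it. The following audit is an added example, not Waterfall's tooling; it checks flow records (for instance NetFlow exports from the switches on either side of each link) against the declared direction of each link. The subnets, addresses and flow records are constructed for the example; TCP/102 is the ISO transport port that ICCP (TASE.2) uses over MMS.

```python
"""Audit flow records against the declared direction of each one-way link.

Constructed example: the subnets, addresses and flows below are made up.
A flow that a correctly wired deployment cannot produce is reported as a
finding, whether it runs backwards over a link or joins the two links.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OneWayLink:
    name: str
    tx_net: ipaddress.IPv4Network  # side that sources traffic across the link
    rx_net: ipaddress.IPv4Network  # side that may only receive across the link


# Assumed addressing: the inbound gateway sends from the dispatch side
# (10.10.1.0/24) to the plant side (10.20.1.0/24); the outbound gateway sends
# from the plant side (10.20.2.0/24) to the dispatch side (10.10.2.0/24).
LINKS = [
    OneWayLink("inbound",
               ipaddress.ip_network("10.10.1.0/24"),
               ipaddress.ip_network("10.20.1.0/24")),
    OneWayLink("outbound",
               ipaddress.ip_network("10.20.2.0/24"),
               ipaddress.ip_network("10.10.2.0/24")),
]

# Constructed flow records in the form "src,dst,proto,dport".
SAMPLE_FLOWS = [
    "10.10.1.5,10.20.1.5,tcp,102",  # inbound link, tx side -> rx side: expected
    "10.20.1.5,10.10.1.5,tcp,102",  # rx side -> tx side: backwards over the link
    "10.20.2.5,10.10.2.5,tcp,102",  # outbound link, tx side -> rx side: expected
    "10.20.1.5,10.20.2.5,tcp,445",  # inbound rx side to outbound tx side: bypass
    "10.20.1.5,10.20.1.9,tcp,102",  # local to one side: not the link's concern
]


def locate(addr, links):
    """Return (link name, 'tx' | 'rx') for an address, or None if unaudited."""
    for link in links:
        if addr in link.tx_net:
            return link.name, "tx"
        if addr in link.rx_net:
            return link.name, "rx"
    return None


def audit_flows(flow_lines, links):
    """Return one finding per flow that violates a link's declared direction."""
    findings = []
    for line in flow_lines:
        src_s, dst_s, _proto, _dport = line.split(",")
        src_side = locate(ipaddress.ip_address(src_s), links)
        dst_side = locate(ipaddress.ip_address(dst_s), links)
        if src_side is None or dst_side is None or src_side == dst_side:
            continue  # local to one side, or outside the audited subnets
        (src_link, src_end), (dst_link, _dst_end) = src_side, dst_side
        if src_link != dst_link:
            findings.append(f"{line}: path between {src_link} and {dst_link} links")
        elif src_end == "rx":
            findings.append(f"{line}: reverse direction on {src_link} link")
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, LINKS):
        print(finding)
```

Run against the constructed sample, the audit flags the backwards ICCP flow on the inbound link and the SMB flow joining the inbound receive side to the outbound transmit side, and ignores the local traffic. The point of the check is that it looks at the network around the gateways rather than at the gateways, which is where a bypass of a physically unidirectional link can only ever appear.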
Cloud Providers: Communications with cloud services are similar to
communications through the primary IT/OT interface, and are called out
separately in the diagram because of the high degree of interest in this
emerging field for power plants. Communications with cloud service providers
may be via unidirectional gateways, or, if occasional updates from cloud
applications are necessary, via the FLIP as well.
Safety and Protection Systems
In some cases, owners and operators decide they wish to
continue to use firewalls at the IT/OT interface, but still need safety
instrumented systems and protective relays protected unidirectionally. Such
plants always deploy unidirectional gateways at the interface between control
networks and the safety & protection networks. Unidirectional gateways poll
safety and protection devices and emulate those devices to control systems.
This design provides for continuous monitoring of the status of safety systems
and equipment protection systems without any risk of a network attack pivoting
through intermediate systems and networks in order to reconfigure, reprogram,
disable or otherwise compromise safety systems and protective relays.
Benefits of Unidirectional Protections
The primary driver for deploying a
unidirectionally-protected network is improved security and cyber-threat risk
reduction. The biggest cyber threat to power plants is not random, accidental
side-effects of infections by high-volume malware, but targeted attacks. When
an individual or group deliberately targets a site, they design their attack to
bring about as much damage as possible, at a time as inopportune as possible
for the targeted site. By far the biggest attack vector for these modern,
targeted attacks is interactive remote-control attacks, across the Internet,
pivoting through intermediate networks, connections and systems and breaching
intermediate firewalls. Unidirectional Security Gateways and related
technologies defeat these interactive remote control attacks in the protected
direction, as well as more conventional network virus, worm and insider attacks
that would otherwise reach the control network from the less-trusted side.
A secondary driver in North America, France, Israel and
other jurisdictions with cyber security regulations in place, is reduced
compliance costs. The NERC CIP V5 and proposed V6 standards for example, have
37 additional, costly “external routable connectivity” rules that large
medium-impact power plants must follow when they use firewalls, rules that do
not apply to plants protected exclusively by Unidirectional Security Gateways.
An additional driver for unidirectional gateway deployments
is operating cost reductions. Power plant IT/OT firewalls tend to be complex: many
streams of data, applications and users are typically configured to reach
through the firewall to request data from plant systems. Maintenance of these
complex firewall configurations is costly, because of the risk that any error
in configuration might relax firewall protections unacceptably. Monitoring of
firewall logs and communications through firewalls is even more costly, but
such monitoring is essential, because of the very real risk that some attack
will breach the firewall.
In contrast, Unidirectional Security Gateways and related
technologies are generally deployed to replicate a number of servers in whole
or in part, and these configurations rarely change. Furthermore, even if
unidirectional configurations change over time, unidirectional gateway
technologies do not forward messages, and the physical, unidirectional,
remote-control-defeating nature of the gateways makes them intrinsically safer
than firewalls. As a result, gateway deployments do not warrant the same degree
of continuous, costly scrutiny that is mandatory for firewalls.
Looking Forward
Unidirectional communications technologies are an idea whose
time has come. Control system security standards all over the world are being
updated to reflect the strength of unidirectional protections. Industrial
control system owners and operators in all industries are considering and
deploying unidirectional gateways to dramatically improve the security posture
of their industrial control system networks.
Waterfall Security Solutions has published a whitepaper
describing this power plant network architecture in detail, and has network
architecture whitepapers in progress for other parts of the electric sector,
and for other industries as well. For the full whitepaper, please contact me at andrew.ginter@waterfall-security.com.