Friday, October 30, 2015

Protecting Generating Networks with Unidirectional Security Gateways

There was a day when the most common question heard while demonstrating a Unidirectional Security Gateway at an electric-sector trade show was "What's that?” Today, most electric-sector security practitioners are aware of unidirectional gateway technology and its advantages over firewalls in one circumstance or another, but many are still unclear as to what a unidirectionally-protected "big picture” network looks like. In this article, we describe the network architecture we see deployed routinely to protect power plant control networks. A simplified version of the network is illustrated below.

The design strategy behind this architecture is simple - replace at least one layer of firewalls in the layered, defense-in-depth network with unidirectional gateways, thus protecting our most important control system components from network attacks originating on less-trusted networks, such as corporate networks and the Internet.

Safe IT/OT Integration
The vast majority of power plants choose the IT/OT firewall layer as the layer to replace with stronger unidirectional protections. Cross-zone communications at this layer serve many functions. In the discussions below, each IT/OT integration function is considered independently. In practice, many or all of these functions are combined into a single set of Unidirectional Security Gateway equipment. Let's look at each of the functions in turn.

Primary IT/OT Interface: The primary IT/OT interface is used to monitor real-time operations continuously for purposes such as predictive maintenance, operations optimization and widespread awareness of key performance indicators. The majority of unidirectionally-protected power plants deploy Unidirectional Security Gateways at this interface, but newer installations also use the Waterfall FLIP at this interface, and it is a FLIP that is illustrated in high-level diagram above. For readers unfamiliar with gateways or the FLIP:
  • A Unidirectional Security Gateway is hardware that is physically able to transmit information in only one direction, coupled with software that makes copies of industrial servers, most often process historian databases, or various types of OPC servers. Users and applications on the corporate network needing access to real-time data can query the replicas for that data.
  • A Waterfall FLIP is a kind of unidirectional gateway whose orientation can reverse on a schedule. A FLIP can physically send information in only one direction at a time, and makes copies of industrial servers just like the gateways do.
At unidirectional-gateway sites, security updates are communicated to plant networks on removable media - most commonly write-once CD's. At FLIP sites, the FLIP is configured to pull such updates automatically, on a schedule.

Vendor Monitoring: The majority of coal, gas and hydro plants have remote connections to their turbine vendors for vendor monitoring and diagnostics, and many have similar connections to other vendors as well. These vendors monitor physical equipment or control-system components continuously, and adjust system parameters from time to time. Unidirectionally-protected plants meet the monitoring need with server replication; the vendors monitor the replica servers. Most unidirectionally-protected plants meet the "occasional adjustment" need with remote screen view technology. Remote screen view makes a real-time feed of screen images available to vendor support personnel, while site personnel operate control system equipment. The vendors generally advise plant personnel over the phone throughout these adjustments.

Generation Dispatch Center: Most power plants need to report power production and other parameters to a generation dispatch center continuously. A minority of plants has production schedules set far into the future; such plants can deploy unidirectional gateways to replicate ICCP servers to permit continuous monitoring by dispatch centers. The majority of plants not only report their status continuously to a dispatch center, but receive second-by-second updates of power production set points from that center as well.

Some such plants lease serial lines to exchange ICCP information with dispatch centers, but a more secure solution is a pair of "inbound/outbound" unidirectional gateways replicating ICCP servers. Inbound/outbound gateways are two independent unidirectional gateway deployments, each replicating an ICCP server in one direction. The inbound gateway polls the dispatch center’s ICCP server and emulates that server to plant systems. The outbound gateway polls the plant ICCP server and emulates that server to the dispatch center EMS. These two channels are generally deployed on different sub-networks and are unable to communicate with each other, though both are able to communicate with control center and plant ICCP servers.

Cloud Providers: Communications with cloud services is similar to communications through the primary IT/OT interface, and is called out separately in the diagram because of the high degree of interest in this emerging field for power plants. Communications with cloud service providers may be via unidirectional gateways, or if occasional updates from cloud applications are necessary, may be via the FLIP as well.

Safety and Protection Systems
In some cases, owners and operators decide they wish to continue to use firewalls at the IT/OT interface, but still need safety instrumented systems and protective relays protected unidirectionally. Such plants always deploy unidirectional gateways at the interface between control networks and the safety & protection networks. Unidirectional gateways poll safety and protection devices and emulate those devices to control systems. This design provides for continuous monitoring of the status of safety systems and equipment protection systems without any risk of a network attack pivoting through intermediate systems and networks in order to reconfigure, reprogram, disable or otherwise compromise safety systems and protective relays.

Benefits of Unidirectional Protections
The primary driver for deploying a unidirectionally-protected network is improved security and cyber-threat risk reduction. The biggest cyber threat to power plants is not random, accidental side-effects of infections by high-volume malware, but targeted attacks. When an individual or group deliberately targets a site, they design their attack to bring about as much damage as possible, at a time as inopportune as possible for the targeted site. By far the biggest attack vector for these modern, targeted attacks is interactive remote-control attacks, across the Internet, pivoting through intermediate networks, connections and systems and breaching intermediate firewalls. Unidirectional Security Gateways and related technologies defeat these interactive remote control attacks, as well as more conventional network virus, worm and insider attacks.

A secondary driver in North America, France, Israel and other jurisdictions with cyber security regulations in place, is reduced compliance costs. The NERC CIP V5 and proposed V6 standards for example, have 37 additional, costly “external routable connectivity” rules that large medium-impact power plants must follow when they use firewalls, rules that do not apply to plants protected exclusively by Unidirectional Security Gateways.

An additional driver for unidirectional gateway deployments is operating cost reductions. Power plant IT/OT firewalls tend to be complex: many streams of data, applications and users are typically configured to reach through the firewall to request data from plant systems. Maintenance of these complex firewall configurations is costly, because of the risk that any error in configuration might relax firewall protections unacceptably. Monitoring of firewall logs and communications through firewalls is even more costly, but such monitoring is essential, because of the very real risk that some attack will breach the firewall.

In contrast, Unidirectional Security Gateways and related technologies are generally deployed to replicate a number of servers in whole or in part, and these configurations rarely change. Furthermore, even if unidirectional configurations change over time, unidirectional gateway technologies do not forward messages, and the physical, unidirectional, remote-control-defeating nature of the gateways makes them intrinsically safer than firewalls. As a result, gateway deployments do not warrant the same degree of continuous, costly scrutiny that is mandatory for firewalls.

Looking Forward
Unidirectional communications technologies are an idea whose time has come. Control system security standards all over the world are being updated to reflect the strength of unidirectional protections. Industrial control system owners and operators in all industries are considering and deploying unidirectional gateways to dramatically improve the security posture of their industrial control system networks.

Waterfall Security Solutions has published a whitepaper describing this power plant network architecture in detail, and has network architecture whitepapers in progress for other parts of the electric sector, and for other industries as well. For the full whitepaper, please contact me at