By Andrew Ginter
Recent Department of Homeland Security reports have highlighted poor security among the nation's water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations.
Are firewalls - the most common form of security in the market - capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions.
Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks.
For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based "VPN" proxy servers are difficult or impossible to fix because they are essential to the design of the firewall's features.
Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network. This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.
Firewalls are a difficult and costly technology to manage. To keep firewalled connections even somewhat secure, utilities must implement stringent processes, procedures, testing, reviews, audits, documentation, and other activities. Since continuous access to real-time data is essential to controlling costs and serving customers, water utilities should consider unidirectional gateways.
A unidirectional gateway is a combination of hardware and software that securely integrates operations data with business networks and systems. Gateway hardware enforces unidirectional data flows, while the gateway software replicates servers to provide a seamless replacement for firewalls. Users on corporate networks can access real-time data in the replica servers without any threat to, or impact on, the real operations servers. The gateway solution allows information to flow out of the operations network without allowing any attacks, messages or information to flow back into the network.
Unidirectional gateway hardware consists of two appliances: a TX appliance in the operations network and an RX appliance connected to the business network. The two stay connected by a fiber-optic cable but, because the TX gateway hardware contains a laser with no optical receiver and the RX gateway contains a receiver with no laser, the data can only move in one direction. Information can travel from the operations to the business network only, and no attacks from the business network or the Internet can threaten the operations network. Unlike with firewalls alone, a unidirectional gateway puts the burden for operations network security on hardware, not software. The hardware cannot send anything back to the operations network, protecting water plants from any and all attacks originating from the external network, including viruses, denial-of-service attacks, password guessers, and even the most sophisticated "advanced persistent threat" remote-control malware attacks.
A common question water systems utilities raise when first considering replacing their firewalls with unidirectional gateways relates to communications protocols. Common protocols such as Modbus, ODBC and OPC are bi-directional, so how can a unidirectional hardware connection carry them? It can't. The gateway solution instead replicates industrial servers in real-time so there is an always-updated exported copy of those industrial servers available for business users.
Look at the typical historian database as an example. Water utilities use these databases to store detailed, time-sequenced data gathered from a variety of systems in a central and uniformly-accessible repository. Using a unidirectional gateway, users can maintain the business historian as a true replica of the operations historian. The data is forwarded via the gateway solution to a replica historian on the business network. The result is a true, real-time replica on the business network of the operations historian. All the data is in the replica, as far back as history extends in the operations historian. All the real-time data is propagated to the replica immediately after it appears in the operations historian. On the business network, users and applications connect to the replica and use it as if it were the operations historian; business users don't notice any difference.
Many regulations and guidelines are including unidirectional security gateways as a perimeter protection alternative that is stronger than firewalls. At present, the water industry has no cybersecurity standards or guidance specific to the industry. Without specific guidance of their own, many water utilities are looking at the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, which are designed to keep power utilities secure. Unidirectional gateways are deployed widely to protect power plants, and the most recent NERC CIP V5 standards provide strong incentives for power utilities to deploy unidirectional gateways.
Unidirectional gateways make operations systems and data available on the business network without introducing the security risks that accompany communications through firewalls. By solving the top perimeter cybersecurity issues facing water systems utilities, these hardware-software solutions save plants money and improve services.
About the Author: Andrew Ginter is the vice president of industrial security at Waterfall Security Solutions, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control
