Published on July 22nd, 2014 | by Greg Jones1
PROVIDING REAL CYBER SECURITY WITH DATA DIODES
Are your SCADA systems moving to IP based Ethernet connectivity like most?
Are you looking for ubiquitous connectivity that provides big data, to enable business intelligence for competitive advantage?
Are you taking the right steps to mitigate the security risks that this connectivity brings?
There is an ever-increasing need to improve security in SCADA networks. Today’s network security perimeter consists of firewalls, a complex technology that can never guarantee absolute protection. In saying that, firewalls can make networks highly secure, however this depends on diligence of network administrators and technical staff. One way or another even the most secure networks of today are not impenetrable, where there is a connection to the outside world there is an opportunity for a network to be compromised.
Corporate networks of even the largest companies in the world are prone to security flaws. The real danger however is when corporate networks are connected into its adjoining operations networks of major infrastructure. This in effect potentially grants a would-be attacker the ability to access critical operational systems. The ramifications of such an event have the ability to be highly detrimental to the victim company and its customers.
The threat is real. As published in “Alaska Dispatch”, in June of 2012 cyber spies targeted 23 pipeline companies in the United States gaining access to login information via email using malicious links or file attachments. This in turn granted access to a company’s operational network used to manage critical pipeline assets. If configured maliciously this could have potentially blown up 1,000 compressor stations simultaneously, using one mouse click. Luckily this was not the aim of the attackers. Supposedly the objective was to gather research and development information for innovative fracking techniques. This is an example of just one potentially devastating event.
Current technology leaves most SCADA networks vulnerable. Remote access of operations network or interconnectivity between corporate and operations networks grants the ability for unintended external access. The nature of access revolves around the unauthorised user establishing an interactive session where by the unauthorised user queries the compromised network to expose further sensitive information. This is the critical flaw of current firewall technology which is used in critical operations networks today as shown in the diagram below.
Figure 1 : Current firewall solution
A Data Diode is analogous to an electrical diode in that it restricts communication so that data can only be transmitted in one direction. A Data Diode, instead of moving charge over a conductive medium, sends light via a single fibre optic connection. The one way communication is guaranteed via the fact that one node generates light and the other end senses light. This basic but fundamental design feature prevents cyber-attackers the ability to create connection back into the SCADA environment as shown in the diagram below. Data Diode hardware appliances don’t have IP address, CPU, storage or any part that can be hacked. So they are able to provide the same level of protection as the old “Air Gap” did from external threats.
Titan ICT is partnering with Waterfall Security Solutions Ltd (Waterfall), who supply a unique technology called the Unidirectional Security Gateway which uses the data diode concept and a unique software solution. Waterfall technology is benchmarked by and partners with Schneider Electric, Siemens, Alstom, GE, Mitsubishi, Westinghouse, Azbil/Yamatake and many others.
Israel Natural Gas Lines Ltd (INGL) recently implemented this new network technology provided by Waterfall. INGL’s current network consists of 435km of pipelines, two receiving stations, 18 pressure reducing stations, and 25 block valve stations. Using Waterfall’s Unidirectional Security Gateway technology INGL was able to provide absolute protection of its operational network whilst still maintaining real-time connectivity with its corporate network to enable business intelligence. Remote support is enabled through exporting a screen Image while preventing outside connections in.
Titan ICT provides a range of solutions to confront the very real issue Cyber Security and can provide sound advice on how to mitigate the security risks that connectivity brings. For a confidential discussion contact Michael Ryan on +618 6467 0600.