PAS: One Way Communications Works

Wednesday, April 24, 2013 @ 05:04 PM gHale

By Gregory Hale
Sometimes communication should only go one way.

That is why two companies, Waterfall Security Solutions and Owl Computing, discussed differing technologies at the PAS Technical Conference in Houston, with both saying one way communication is a very effective security tool.


Take the Shamoon attack this past August. RasGas suffered from the attack, and it forced the company to disconnect completely from the network.

This was the same virus that wiped out 30,000 hard drives at Saudi Aramco.

While the immediate reaction was to disconnect from the network, that was obviously not a sustainable solution, so Owl Computing came in and introduced the data diode to RasGas to allow the natural gas provider in Qatar to get back into the ballgame.

The solution the beleaguered natural gas leader decided on was implementing a plan that involved a data diode. A data diode is an appliance or device that creates a one way communication path to ensure data travels securely in only one direction, said Ron Mraz, president and CTO at Owl Computing, during his Tuesday discussion entitled “Cyber Security Solutions at RasGas.” The data diode provides multiple independent point to point channels within the controlled network security environment.

The solution provides:
• Non routable point to point communications across the electronic security perimeter (ESP)
• Allows for point to point hardware channels without source/destination addressing
• Dedicated channels enforce non-routable communications
• Supports IP hardware level protocol breaks across the ESP

One of the positives, Mraz said, about using the data diode was it “was a guaranteed one way transfer of necessary operational information out of a control system network.”

There is also the idea that in some scenarios unidirectional gateways are the superior choice for combating bad guys trying to invade your system. While firewalls get the most publicity and are a very effective tool, sometimes unidirectional gateways are a much better fit, said Andrew Ginter, director of industrial security at Waterfall Security Solutions, during his discussion entitled “13 ways through a firewall, what you don’t know will hurt you.”

“The reasons you connect to the business network is for profitability,” Ginter said. “But that introduces risks to reliability. Computers are not as robust as humans, a simple virus can cause a problem.”

Traditionally, when confronted with the need to create some kind of security solution, an end user will usually just say, “Let’s put up a firewall and we will be protected.” Ginter said that is the wrong approach. First you must understand what you are trying to protect and then work out the most effective way of doing that. Sometimes a firewall works, but in more cases there are other solutions that work better.

That is why he said there are 13 ways to break through a firewall.

The thirteen ways are:
1. Phishing, which was the single most common way to break through a firewall
2. Social engineering, easiest way to break through a firewall
3. Compromise the domain controller and create your own account
4. Attack exposed servers and bypass the firewall
5. Attack the Industrial Control System via compromised servers
6. Session hijacking, man in the middle
7. Piggy back on the VPN
8. Firewall vulnerabilities
9. Errors and omissions
10. Forge an IP address
11. Bypass the network security perimeter
12. Physical access to the firewall. If you can touch it, you can compromise it.
13. Sneakernet

“Firewalls are software and with lines and lines of code, that means code vulnerabilities are more prevalent,” Ginter said.

2 Responses to “PAS: One Way Communications Works”

  1. I find this a slightly confusing article.

    I agree with the 13 reasons why a firewall is limited in what it can achieve (there are other reasons too). BUT the implication is this is why a Data Diode is good. While I agree Data Diodes have a role in ICS security, it can still be vulnerable to some of these issues. A Diode is exactly what it says, a one way function – I can still pass malware through it – the security comes as I am prevented from establishing bi-lateral communication with a command and control server on the secure side. I can still, for example, mount a denial of service attack via a diode by sending a logic bomb to the far side.

    To prevent such attacks you need proxy software, with protocol and content controls on the secure side of the diode. These are software controls – with lines and lines of code – so just as vulnerable as the firewall if the software is not developed in a trusted and secure development lifecycle.
    Diodes and Firewalls both have a place in a network solution – chosen carefully, based on a good understanding of the threats the system is under and the potential vulnerabilities in the solution.

    Finally, the debate about whether diode solutions are non-routable, providing a protocol break, is one that continues to roll on, with strong arguments on both sides of the house!
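
The protocol and content controls this comment calls for, sketched as receive-side validation of frames arriving over a one way link, where loss can be detected but never repaired because nothing can be sent back. This is an added example, not code from the article, the commenter or either vendor; the frame layout, tag names and value limits are assumptions.

```python
import struct
import zlib

# Assumed frame (constructed, not a vendor format): magic|seq|len|payload|crc32
MAGIC, HEADER, MAX_PAYLOAD = b"\xd1\x0d", struct.Struct(">2sIH"), 256
# Hypothetical allowlist: tag name -> plausible value range
ALLOWED_TAGS = {"FT101.PV": (0.0, 500.0), "PT204.PV": (0.0, 120.0)}

def build_frame(seq, payload):
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

class DiodeReceiver:
    """Receive-side checks. No return channel: nothing is acknowledged or re-requested."""
    def __init__(self):
        self.next_seq, self.lost, self.accepted = 0, 0, []

    def handle(self, frame):
        body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
        if len(frame) < HEADER.size + 4 or zlib.crc32(body) != crc:
            return "drop:integrity"
        magic, seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if magic != MAGIC or length != len(payload) or length > MAX_PAYLOAD:
            return "drop:protocol"
        if seq < self.next_seq:
            return "drop:replay"
        self.lost += seq - self.next_seq  # a gap can be counted, never repaired
        self.next_seq = seq + 1
        try:  # content control: "TAG=number" for allowlisted tags only
            tag, raw = payload.decode("ascii").split("=", 1)
            value = float(raw)
        except ValueError:
            return "drop:content"
        lo, hi = ALLOWED_TAGS.get(tag, (1.0, 0.0))  # unknown tag -> empty range
        if not lo <= value <= hi:
            return "drop:content"
        self.accepted.append((tag, value))
        return "accept"

def demo():
    rx = DiodeReceiver()
    frames = [  # constructed sample traffic
        build_frame(0, b"FT101.PV=123.4"),
        build_frame(2, b"PT204.PV=88.0"),   # seq 1 was lost on the link
        build_frame(3, b"FT101.PV=9999"),   # outside the allowed range
        build_frame(4, b"cmd=shutdown"),    # not a tag reading at all
        build_frame(5, b"FT101.PV=1.0").replace(b"1.0", b"9.0"),  # corrupted
        build_frame(2, b"PT204.PV=88.0"),   # stale sequence number
    ]
    return [rx.handle(f) for f in frames], rx.lost, rx.accepted
```

Every check here is ordinary software running on the receiving side, so it needs the same development scrutiny as firewall code.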
