Strong Security in NERC CIP Version 5
Unidirectional Security Gateways
February, 2013
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
Chris Humphreys, CEO and Co-Founder, The Anfield Group

The following are questions submitted during the CIPv5 webinar and their answers. In some cases, we have aggregated similar questions.

Question: How I read CIP-005-5 is that a function like UDP syslog would not be subject to the CIP standard. Do you think you will see more applications utilizing UDP for "push" only data? It refers to the "bi-directional".

Question: Isn't UDP still running on top of IP and is thus bidirectional routable traffic? IP provides an amount of bidirectional session control upon which UDP operates.

Answer: Thank you - the second person's question makes a good point in response to the first one. UDP communication will not likely be regarded by the auditors as unidirectional. UDP rides on top of IP, and IP is both routable and bi-directional. UDP uses ICMP, which is also routable and bi-directional. The intent of the word "bidirectional" in the definition of ERC was to encourage the use of hardware-enforced unidirectional communications, not to encourage UDP communications through firewalls.

Question: Also, will latency be an issue?

Answer: When connecting plant networks to business networks, latency requirements are usually determined by business requirements. "Real-time" in most business systems means data that is no more than a couple of minutes old. Unidirectional gateway latency is sub-second.

Question: This is a genius idea, the one-way gateway. I have 2 questions: How do we guarantee the faithful replica is indeed faithful, i.e. is there a way to compare screens for discrepancies?

Answer: There are some 8 layers of protection for data integrity in the unidirectional gateway solution.
The layers are: (1) high quality optical hardware deployed over short distances, (2) error correcting codes, (3) optional retransmission of every message as many times as you wish, (4) sequence numbers and alerting on the receive side to detect any missing messages, (5) configurable heartbeats on every data channel, (6) a high availability option, (7) ways to trigger retransmission of missing data manually from the TX side, and (8) ways to automatically trigger retransmission of all data periodically, e.g. daily, so that manual intervention is never required. In practice, our customers tell us that pretty much the only reason they ever lose data is when they take the receiving gateway down to install Windows updates, and they schedule that downtime for periods when the physical process is down anyway, and so there is no data to lose. For more information about data integrity protections, single points of configuration and other common replication issues, please see the whitepapers and articles on the "Resources" tab of the Waterfall website.

Question: For view-only vs. full control remote support: it is sometimes impractical to guide onsite personnel over the phone because of the ambient noise on the plant floor.

Answer: I suspect this question was submitted before the Secure Manual Uplink option was discussed. Secure Manual Uplink requires only that someone on the inside network "turn the key" to allow temporary bi-directional communications via a simplified plant firewall.

Question: Does the TX send some sort of cryptographic checksum to the RX so that what is received can be confirmed as what was sent?

Answer: No - we use a Hamming-style error correcting code instead. The physical communications between the TX agent, the TX gateway, the RX gateway and the RX agent are all required to be wired to each other directly, without intervening switches, and are always within the same physical security perimeter / server room.
It is not possible to tamper with the data being transmitted over those media without physical access to the media. For that reason, we have not applied cryptographic authentication and other technologies to communications over those media.

Proprietary Information – © Copyright 2013 Waterfall Security Solutions Ltd. All Rights Reserved.

Question: What is the acronym SMU?

Answer: Secure Manual Uplink - the appliance which provides temporary bi-directional connectivity with a unidirectionally-protected network.

Question: CIP 4 goes into effect on April 14th, 2013? Correct?

Answer: CIP v4 goes into effect on April 1, 2014.

Question: What if we want to exercise control from the external business network?

Answer: Secure Manual Uplink is what people use for that purpose. It is not as secure as Remote Screen View, but still more secure than a firewall – the recording explains why and how. I.e., 100% secure 99% of the time, as secure as a firewall the rest of the time.

Question: Is there a presentation on the NRC requirements for Cyber Security?

Answer: Not yet - good idea though.

Question: How does your gateway differ from your competitors'?

Answer: We have the world's largest collection of Commercial Off The Shelf (COTS) unidirectional industrial server replications. Other vendors claim to have everything we have - ask them to demonstrate their technology. We have high-availability solutions and many other industrial unidirectional vendors do not. We have COTS products as our only business model - if you need something we don't already have, we will never charge you custom engineering to build it. We have the world's largest installed base of unidirectional gateways protecting the safety and reliability of industrial networks. We are installed in all critical infrastructure sectors, not just the power generation sector.

Question: Is it necessary to assign an IP address to an interface in order to utilize your product (due to CAN-0024)?

Answer: No IP addresses are necessary.
The gateways have no IP addresses and communicate via broadcast Layer 2 Ethernet frames. The frames do not even contain device addresses – the destination is all "1" bits and the source is all "0" bits. With the Ethernet broadcasts, we layer the proprietary Waterfall application-layer protocol directly into the Layer 2 frames. The payloads contain application data, not tunneled protocols. The Waterfall protocol includes ECC codes and channel IDs to separate different data types passing through the gateways. It also contains the application data, such as historian point names, attributes, timestamps, and values.

Question: No question, just some information. In terms of defining electronic access, look at CAN-0007 for CIP-004 R4.2, bottom of page 1, top of page 2. NERC is considering such access to include "view". Something to think about even though the CAN is (currently) linked to Version 3.

Answer: Hmm – good point. We need to add that reference to the slide. When we asked this question of the NERC authorities in their V5 webinar a couple of months ago, they pointed out that the "end user initiated" clause in V5 was the reason that Remote Screen View would not be considered "remote access." With Remote Screen View leaving the protected system via Unidirectional Gateways, no access of any sort can be initiated by an external user. The same wording is on the top of page 2 of CAN-0007. Local access is from inside the ESP. Remote access is any access that is initiated from outside the ESP.

Note: in the webinar, we did not have the references handy to interpret this attendee's comment properly and answered what turns out to be a different question, about whether CAN-0024 would continue to apply in CIP V5. For the record, our answer to that question was that CAN-0024 is currently phrased entirely in terms of CCAs. Since CCAs no longer exist in CIP V5, it is clear that CAN-0024 will need to be either retired or rewritten if CIP V5 is approved as submitted.
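As an added illustration (not Waterfall's code, and not its proprietary protocol), the receive-side checks that layers (4) and (5) of the data-integrity answer describe, applied to addressless Layer 2 broadcast frames of the kind described above: all-"1" destination, all-"0" source, a channel ID and a sequence number in front of the application payload. The EtherType, the header layout and the sample traffic are assumptions constructed for the demo; the error-correcting code is omitted.

```python
import struct

# Frame layout assumed for this demo (the real Waterfall protocol is proprietary): 6-byte
# destination (all "1"s), 6-byte source (all "0"s), EtherType, channel ID, sequence number.
BROADCAST_DST = b"\xff" * 6
NULL_SRC = b"\x00" * 6
ETHERTYPE = 0x88B5  # IEEE 802 "local experimental" EtherType, an assumption for the demo
HDR = struct.Struct("!6s6sHHI")

def build_frame(channel, seq, payload):  # TX side: one message per broadcast frame
    return HDR.pack(BROADCAST_DST, NULL_SRC, ETHERTYPE, channel, seq) + payload

def parse_frame(frame):  # RX side: reject anything that is not an addressless broadcast
    dst, src, etype, channel, seq = HDR.unpack_from(frame)
    if dst != BROADCAST_DST or src != NULL_SRC or etype != ETHERTYPE:
        raise ValueError("not a gateway broadcast frame")
    return channel, seq, frame[HDR.size:]

class RxMonitor:
    """Receive-side integrity checks: per-channel sequence gaps and heartbeats."""
    def __init__(self, heartbeat_s):
        self.heartbeat_s = heartbeat_s
        self.expected = {}   # channel -> next expected sequence number
        self.last_seen = {}  # channel -> time of the last frame on that channel
        self.alerts = []

    def receive(self, frame, now):
        channel, seq, payload = parse_frame(frame)
        expected = self.expected.get(channel)
        if expected is not None and seq < expected:
            return None  # retransmission or duplicate of data already delivered
        if expected is not None and seq > expected:
            self.alerts.append(f"channel {channel}: missing seq {expected}..{seq - 1}")
        self.expected[channel] = seq + 1
        self.last_seen[channel] = now
        return payload

    def check_heartbeats(self, now):
        """Alert on every channel silent for longer than the heartbeat interval."""
        for channel, last in self.last_seen.items():
            if now - last > self.heartbeat_s:
                self.alerts.append(f"channel {channel}: silent for {now - last:.0f}s")
        return self.alerts

def demo():
    # Constructed traffic: channel 1 loses seq 2, then every channel falls silent.
    mon = RxMonitor(heartbeat_s=10)
    for ch, seq, t in [(1, 0, 0.0), (1, 1, 1.0), (1, 3, 2.0), (2, 0, 3.0)]:
        mon.receive(build_frame(ch, seq, b"point value %d" % seq), t)
    return mon.check_heartbeats(now=20.0)
```

`demo()` returns the three alerts an operator would see: the gap on channel 1 and a silent-channel alert for both channels; a lost frame is detected on the receive side even though nothing can flow back to the TX side to request it.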
Question: BTW - latency for delivering Synchrophasor data is not as vital as GPS time source accuracy. If Phasor data is used in controlling aspects of the power grid, seconds are typically ok. There may be future applications where the delivery of Phasor data to the PDC is required in sub-cycle times, but there's no widespread application like that quite yet that has been applied.

Answer: Good to know, thanks.

Question: Do you have Oracle replication tools?

Answer: Yes. We need to update the connections slide again.

Question: What protocol is your hardware using for communication between TX and RX?

Answer: We use Ethernet OSI Layer 2 broadcasts.

Question: When do you expect NERC CIP v5 to be implemented?

Answer: The implementation plan submitted to FERC indicated that CIP v5 should be implemented on or after July 1, 2015. It may be delayed longer than that if FERC takes a long time approving CIP v4. That said, it is clear that NERC is encouraging the use of strong security measures such as Unidirectional Security Gateways. Investments in strong security today improve reliability, reduce operating costs, and will reduce compliance costs in both the short term and the long term.

Question: Could you please give examples of how Waterfall products are deployed in the nuclear power industry?

Answer: Nuclear industry cyber-security regulations are much more demanding than NERC-CIP. Those regulations also provide substantial compliance benefits from the deployment of hardware-enforced unidirectional gateways. The American nuclear industry as a whole has decided to deploy at least one layer of gateways in every nuclear plant in the country, and nuclear sites in other countries are deploying the technology as well. Waterfall products were selected by over half of the country's nuclear generators.
Waterfall introduced unidirectional gateways to the nuclear market, and it was Waterfall's equipment the authors of the standards and regulations had in mind when they created those documents. For more examples, see the ITWire article.

Thank you again for attending the webinar. Please feel free to contact the presenters directly at andrew.ginter@waterfall-security.com or chumphreys@theanfieldgroup.com if you have further questions.

Disclaimer: While Waterfall Security Solutions and The Anfield Group make reasonable efforts to ensure that the information presented herein is accurate, neither Waterfall Security Solutions nor The Anfield Group guarantees or warrants that the information contained in this document is accurate, comprehensive or fit for any specific purpose.