Saturday, April 6, 2013

The Data Diode Question

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

In our recent webinar with EnergySec on CIP Version 4, we got two questions on data diodes, and I had two organizations call me to discuss the question afterwards.  I suspect these are just the tip of the iceberg.  As organizations look at the cost of complying with CIP Version 4 (or Version 3, for that matter), it has to be very tempting to think that there might be a simple fix to the whole problem: just install a data diode device.  The reasoning goes that this breaks your external routable connectivity, so that the Critical Asset no longer has any Critical Cyber Assets, per CIP-002-4 R2.

You can read our response in the Q&A document.  But I’ll summarize this for you: Data diodes are a wonderful security measure for critical infrastructure; almost nobody disputes that.  But you shouldn’t rely on them to be a “get out of jail free” card for NERC CIP compliance.[i]

Most of you know that NERC put out a Compliance Application Notice (CAN-0024) on data diodes more than a year ago.  While a draft said that it shouldn’t be assumed that any data diode would break the external routable connection, the final version actually changed its tune.  It said that “embedded” data diodes break the routable connection, but “non-embedded” ones do not (or at least, it can’t be assumed they do).  I know a number of people – including CIP auditors – were mystified by the reasoning used to justify this distinction.

In any case, CAN-0024 was rescinded by NERC in March (indeed, NERC is moving away from CANs altogether).  This means that there is no longer any official NERC guidance on the subject of data diodes.  You may ask, “This applies to CIP Version 3.  What about Version 4?”  The answer is, since CIP-003 through CIP-009 are exactly the same in V4 as in V3, this action applies to V4 as well.  There is now no official guidance for data diodes in V3 or V4. 

So does implementing a data diode device break the external routable protocol connection or not – or, more importantly, what will the auditors say about it?  Fortunately, a CIP auditor with one of the regions discussed this at length with me after the webinar.  He said that his team will evaluate each instance of a data diode on its own merits.  They will look at the details, diagram the situation, and decide in each case whether the routable protocol connection is present or absent.  Moreover, he said this has always been their approach (remember, the CANs were only advisory).

I asked him the $64,000 question: How likely is it that an entity will not be assessed any potential violations if they have a data diode in place at a facility that is a Critical Asset, and have not otherwise taken the normal CIP-required steps to protect cyber assets at the facility?  He said that there was always this possibility, but there was also always the possibility that he would issue PVs for lack of compliance with every CIP requirement that hadn’t been implemented.[ii]

Think what this means.  Say you don’t comply with maybe 20 of the 40-odd CIP requirements at the facility, because you are counting on your data diode to be your get-out-of-jail-free card for CIP V4.  April 1, 2014 comes and goes, and nothing bad happens.  Are you feeling good about your decision?  If so, you’re like the guy who jumps off the top of a 30-story building; as he passes the second floor he yells out, “So far, so good!”

Let’s further say your next CIP audit is two years later, in April of 2016.  Your auditor comes by, looks at your data diode and your network, and says, “Nope, you still have an external routable protocol connection here.”  What is your potential fine?  Let’s see, $1 million a day per requirement violated × 20 requirements × 730 days.  I don’t have enough zeroes in my calculator to figure that out, but I’d say it’s a lot of money.  Of course, your fine wouldn’t be anything near that, but it’s not likely to be anywhere near zero, either.  Is this worth the risk?  The answer is left as an exercise for the reader.

There’s another reason not to look to data diodes as the knight that will ride in to save you from CIP.  CIP Version 5 will almost certainly come into effect within 2-3 years after Version 4.  In V5, cyber assets (BES Cyber Systems, to be exact) that don’t have external routable connectivity are still subject to most of the requirements.

There are some requirements of V5 that only apply to BES Cyber Systems with such connectivity, but most of the requirements don’t care whether that connectivity is there or not.  Given the experience of Stuxnet, which was spread at the Natanz uranium enrichment facility in Iran through USB sticks – there being no external routable connectivity at the facility – this is understandable.  Of course, Stuxnet came into view long after CIP Versions 1 to 3 were drafted, but it was very much on the Standards Drafting Team’s (SDT’s) mind when Version 5 was drafted.  This means that, even if you get a pass from your auditor on V4 compliance due to your data diode, you are still going to have to implement most of the CIP controls to comply with Version 5 later.

I won’t say any more, except to emphasize again that data diodes are a wonderful security control for any critical infrastructure facility.  However, the question whether they will drastically lower your CIP compliance costs – without subjecting you to high fines in the future – is very much an open one.

P.S. Be sure to sign up for Honeywell’s upcoming webinar with EnergySec, “Covering your Assets in CIP Version 5”.  You can sign up for it here.  The webinar is on August 21st at 10:30 CDT.  If you can’t make the webinar but want to see the video, sign up anyway.  You’ll get the link to the video as soon as it is posted after the webinar.

[i] When Stacy read the question on data diodes in the webinar, I at first tried to break in to say that we shouldn’t be addressing theological questions (since I consider this question to be almost a matter of religious preference).  However, my phone connection was suddenly lost and I had to dial back in.  Coincidence?  I’ll let you be the judge.
[ii] I’ve talked to other auditors who are not so kind toward data diodes – they say that there are few if any cases where they would judge them to have broken the external routable protocol connection.


  1. Tom, although I had to read your explanation a couple of times (that's the whole problem in this area...because this is complicated stuff) I completely agree with your conclusion.
    However, I would state it somewhat more simply. At Natanz with Stuxnet, there were no routable protocols whatsoever, since there were air gaps and a totally isolated network! If absolute network isolation doesn't totally solve a problem, data diodes won't address it either!
    Any isolated network that contains data and is accessed by humans is always susceptible to physical intrusion (USB sticks, laptops...etc.) What we need to do is take away as many licit reasons for these physical intrusions as possible. Getting data OUT of a facility for analysis (fault, production, etc) is one major reason for such licit connections...and data diodes are extremely effective at providing a safe way to do this.
    This substantially reduces the pressure (excuse?) for far riskier internal connections and their concomitant loss of security.
    Without doing this..."love will find a way" and so will things like Stuxnet!

    1. Scott, I do agree with what you say. I think data diodes are about the best protection you can provide, but they still won't protect against the USB sticks, etc. There need to be other controls for those.

      But dd's aren't a get out of jail free card for NERC CIP Versions 1-3 (and they certainly aren't for V5, since the routable protocol 'exemption' is largely - though not completely - eliminated there).

  2. Tom,
    Thank you for sharing this information in your blog.
    Like you, I am not entirely clear on the logic behind the difference between “embedded” and “non-embedded” ones. Presumably the concern is related to the potential to be able to route traffic from the external network to the protected network (i.e., the “wrong way” as far as the diode is concerned). If this is the case, then one has to assume the concern is about the potential for misconfiguration of the network layer to bypass the diode (or unexpected alternative routes).
    Is this your understanding, or am I barking up the wrong tree?
    Colin Robbins

    1. Well, it doesn't matter since the CAN has been rescinded. I couldn't see any real justification for the distinction, though - although I'm not a network engineer so I may have missed the really fine points (but others who are engineers also couldn't see the justification).

  3. As with all ICS security implementations, you MUST perform a sufficient risk assessment to understand the threats which you are trying to mitigate with your armory of implemented security controls. There is no better protection measure for preventing external threats than a data diode. Furthermore, these devices are the most reliable in eliminating the covert communication channels required to establish any remote C&C capabilities. Agreed, they do nothing to stop internal attacks on the ICS networks that could originate via a local USB infection ... and for this there are other methods.

    I would love to discuss the comments on Stuxnet and its propagation ... but this is better served in another forum! One thing that is worth noting ... it is doubtful anyone could have prevented Stuxnet. Sure, everyone thinks they have a solution ... as hindsight is always 20/20! However, most traditional controls and security programs that would comply with any version of CIP are not effective against a strategically planned targeted attack. These will only be detected (as I do not believe they can be prevented) with new, enhanced security controls that regulations like CIP are not really stressing.

  4. Thanks for your comments, Joel! I won't pretend to know a lot about Stuxnet. I certainly agree that current and future CIP versions don't address Stuxnet-type attacks. And it's very hard to see how any cyber security regulation ever could.

    Of course, my point on data diodes is that, while they are wonderful from the cyber security point of view, they aren't the CIP get-out-of-jail-free card that some vendors were selling them as, because of their alleged ability to "break" the routable protocol. Regardless of the technical merits of that argument, it would be very dangerous to base your compliance program on data diodes alone - you still have to meet all of the other requirements.

    Fortunately, I've noticed that at least one of the dd vendors seems to be backing off those claims (especially since CIP Version 5 will be the next version, which doesn't have an "exemption" for facilities not routably connected to the outside world).