With GISEC only a few days away, we spoke with Andrew Ginter, VP Industrial Security at Waterfall Security Solutions, to learn more about the solutions the company offers, its GISEC presence, and much more. To know more, keep reading.
Andrew: Waterfall was founded in 2007 – this is when the world started to become aware of the very sophisticated nation-state cyber attacks that, at the time, were called Advanced Persistent Threats. Governments all over the world were worried about this class of attack targeting OT networks and crippling critical infrastructures. Waterfall invented the Unidirectional Security Gateway to protect OT networks from this class of attack. Unlike other security products, Gateways are not just software – they are hardware-based, unhackable physical protection.
Today, of course, most of the ransomware groups out there are using the same attack techniques that nation states were pioneering in ’07. This means that Waterfall’s Gateways are being installed very widely, in both critical infrastructures and in other important manufacturing facilities.
Andrew: Well yes and no. Yes, because if you look at the data over the last couple of years, almost all cyber attacks that resulted in production outages or other physical consequences were ransomware – think the Colonial Pipeline for example.
But no, in a sense the biggest problem is nation-state attacks. But here’s the thing – in my research, ransomware tools & techniques are trailing nation-state tactics by about five years. Take cloud-seeded ransomware for example. Back in 2017, Russia was accused of sponsoring the NotPetya attack. The attackers planted malware in a security update for a Ukrainian tax preparation package. Hundreds of businesses downloaded the automatic update from the tax package website/cloud, and were crippled. In 2020, again the Russians were accused of planting malware in a SolarWinds Orion security update. This was an update distributed to SolarWinds customers and installed at maybe 17,000 or 18,000 sites. Now look at last year’s Kaseya attack. A ransomware group distributed their malware as a security update through a compromised Kaseya cloud service. Over 1000 sites were hit by the ransomware, simultaneously.
So that’s about a 5-year gap between nation states deploying malware as security updates through Internet services, and ransomware groups doing the same. And here’s the thing – a lot of us imagine that we’re not big enough or not important enough to be a target of a nation-state attack. But think about it – ransomware groups target everyone with money. Do we have money? What the nation states are doing to each other today, we must expect that ransomware criminals will be doing to all of us five years from now.
This is both good news and bad news. The bad news is of course that things are going to get much worse in the foreseeable future. The good news is that we have a little time – time to deploy powerful protections like Waterfall’s Unidirectional Security Gateways.
Andrew: Well, there are a lot of superficial differences between IT and OT networks. For example, the Engineering Change Control discipline means security updates are installed much more slowly on most OT networks. And expensive safety certifications for very specialized, low-volume devices mean that we still see some very old software running out there.
The real difference, though, is consequences. Worst-case consequences for breaching a business-critical IT network are a few days of downtime as we erase affected machines and restore from backups, and maybe a class action lawsuit for leaking personally identifiable data. Worst-case consequences for breaching a control-critical OT network are explosions, dead and injured workers and maybe an environmental disaster. Consequences are the big difference – we cannot restore human lives and large, damaged equipment “from backups.”
What has emerged in the last decade as IT/OT best practice is hardware-enforced unidirectional connections between control-critical and safety-critical networks. Standards are recommending this, and in some jurisdictions and some industries, the law demands it. In many countries it is illegal to connect control-critical or safety-critical networks to business-critical networks through only layers of firewalls. Unhackable Unidirectional Gateways are the safe way to bridge those criticality gaps.
Andrew: Waterfall is expanding rapidly, worldwide. Last year we opened offices in the Emirates and Singapore, and we are opening more offices this year. The Middle East especially has a lot of highly automated, very critical oil & gas infrastructures, and Waterfall is seeing a lot of those infrastructures deploying unidirectional protection against those nation-state-style attacks that today’s ransomware groups and other groups are carrying out.
Andrew: We are speaking at GISEC. We have a booth there and will be doing mini-presentations out of our booth as well. We are working to introduce GISEC participants to our technology and to these OT security concepts that many IT security practitioners are only beginning to come to grips with. And we are using the opportunity of our executives being in the region to hold seminars and other kinds of meetings with important local decision-makers.
Andrew: I can give you some examples, but in a sense that’s a hard question. I mean – imagine a spring-loaded pressure-relief valve on a boiler. If the boiler pressure gets too high, the valve is forced open, the pressure is released, and there is no explosion. How many cyber attacks did that valve prevent? Well, it’s hard to tell – there is no CPU in the valve. No cyber attack is even possible against the valve.
Waterfall’s Unidirectional Security Gateways are the same thing. The one-way hardware is hardware. The hardware can send information from OT into IT networks to enable business automation, but the hardware is physically not able to send anything back into protected OT networks. There is no CPU in the hardware, and so like the spring-loaded valve, there is no way to attack the hardware. I mean, with a firewall, you can count dropped packets and come up with silly numbers like “well, I dropped a gazillion packets, so I must have defeated a gazillion attacks.” There’s really nothing to count in a Unidirectional Gateway.
But I promised you an example, so let me give you this one. Almost all OT outages in the last two years were the result of ransomware getting loose on IT networks and either leaking into OT networks, or otherwise impacting OT networks. Colonial Pipeline was like this, so was JBS meatpacking, and Sierra Wireless. Waterfall customers have also had their IT networks hit with ransomware – a major power producer in the USA and one of the world’s largest metro systems were hit recently.
But – those organizations had deployed Waterfall’s Unidirectional Security Gateways as the only connection between their OT and IT networks. In both cases, yes, IT was crippled for about a week until everything could be erased and restored from backups. But during all that time, nothing leaked into OT. No hint of the attack could even leak into OT. The lights stayed on, and the metro kept running – safely – even though the IT networks were crippled.
So this is the point – ransomware attacks jump through firewalls every day. After all, every ransomware attack that gets into an IT network got past the IT-to-Internet firewall, didn’t it? It is unacceptable to have ransomware, or other cyber attacks, jump out of our IT networks into the OT networks that control safe and reliable physical operations. Modern businesses deploy at least one layer of Waterfall’s unhackable Unidirectional Security Gateways at this criticality boundary between OT/control networks and IT/business networks – because human lives, damaged equipment and lost production cannot be restored from backups.
To learn more, download the report Firewalls vs. Unidirectional Gateways at IT/OT Interfaces.