A small number of vendors are promoting unidirectional network security devices, most notably Waterfall Security Solutions from Israel. [FD: Waterfall has advertised on digitalbond.com] To their credit, Waterfall has doggedly pursued the control system security space and has some good content on using their product in control systems. And based on the number of questions we receive about it, they are getting some mindshare.
So when clients and prospects ask the question, here is the general version of our answer.
1. Make sure the product actually only allows one-way / unidirectional communication. Too often we have heard descriptions of TCP being carried across a "unidirectional" device, or of an administrative channel allowed back through it. TCP cannot operate without acknowledgements flowing from the receiver back to the sender, so any TCP session through the device is proof that a return path exists. As soon as you allow one, you have given up the primary advantage of a one-way security device.
2. Determine whether you actually have any truly one-way communication. Based on our reviews of perimeter firewall rulesets, there is not much of it out there. In fact, one of the most common and critical assessment findings is to reduce the holes in the perimeter firewall and implement a true, least privilege ruleset.
There are some candidates for one-way communication. For example, the flow from a safety system to a control system could be a great use of this technology: the control system gets the safety system's data, yet cannot be used as an attack pathway into the safety system. Pushing data out to a business partner, a DMZ or the corporate network, for instance the data normally served by ICCP or OPC, is another possible use, but remember that delivery will be best effort only, with no error messages coming back; the sender never learns whether anything arrived. Your applications need to tolerate that, and no requests of any kind can be made from the less secure side, which rules out the two-way session those protocols normally run over.
3. Is the potential of an adversary breaking through your strongly configured, least privilege firewall truly your greatest risk? Remember that a risk management process should drive down the most significant risks first. We do have some clients with very advanced, years-in-the-making information security programs that could answer this question yes. I think they are in a small minority.
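Points 1 and 2 above come down to one design constraint: on a real one-way link the sending application gets nothing back, so it cannot rely on TCP, acknowledgements or retransmission requests, and it has to be written so the receiver can still detect loss and corruption on its own. The following Python simulation is an added example, not code from the original post and not any vendor's product; the frame format, the shared HMAC key, the lossy link model and all names in it are assumptions for illustration. The sender numbers every frame, tags it with an HMAC, and repeats it (repetition being the only substitute for retransmission); the receiver deduplicates repeats, rejects tampered frames, and records the sequence numbers that never arrived, without ever being able to ask for them.

```python
"""Application-level protocol for a unidirectional (data diode) link, simulated.

Added example. The link model, frame layout, key and names are assumptions
made for illustration, not a description of any real product.
"""
import hashlib
import hmac
import json
import random
import struct

KEY = b"constructed-demo-key"        # constructed; would be provisioned out of band
MAGIC = b"UDL1"
HDR = struct.Struct(">4sQI")         # magic, sequence number, payload length
TAG_LEN = 32                         # HMAC-SHA256


def frame(seq: int, payload: bytes) -> bytes:
    """Build one self-describing frame: header + payload + HMAC-SHA256 tag."""
    body = HDR.pack(MAGIC, seq, len(payload)) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def parse(frame_bytes: bytes):
    """Return (seq, payload), or None if the frame is malformed or tampered."""
    if len(frame_bytes) < HDR.size + TAG_LEN:
        return None
    body, tag = frame_bytes[:-TAG_LEN], frame_bytes[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), tag):
        return None
    magic, seq, length = HDR.unpack(body[:HDR.size])
    payload = body[HDR.size:]
    if magic != MAGIC or len(payload) != length:
        return None
    return seq, payload


class Sender:
    """Push-only side: keeps its own counter and never reads anything back."""

    def __init__(self, repeat: int = 2):
        self.seq = 0
        self.repeat = repeat  # send each frame N times; the only hedge against loss

    def push(self, record: dict) -> list:
        self.seq += 1
        f = frame(self.seq, json.dumps(record, sort_keys=True).encode())
        return [f] * self.repeat


class Receiver:
    """Consumes frames, drops repeats, records gaps; it cannot request a resend."""

    def __init__(self):
        self.highest = 0
        self.missing = set()
        self.rejected = 0
        self.records = []

    def feed(self, frame_bytes: bytes) -> None:
        parsed = parse(frame_bytes)
        if parsed is None:
            self.rejected += 1                 # corrupted or forged: drop and count
            return
        seq, payload = parsed
        if seq in self.missing:
            self.missing.discard(seq)          # a repeat filled an earlier gap
        elif seq <= self.highest:
            return                             # duplicate of an accepted frame
        else:
            self.missing.update(range(self.highest + 1, seq))  # new gap(s)
            self.highest = seq
        self.records.append(json.loads(payload))


def one_way_link(frames: list, loss: float, rng: random.Random) -> list:
    """Model the diode: frames travel one direction, some are lost, none return."""
    return [f for f in frames if rng.random() >= loss]


def run_demo(n_records: int = 200, loss: float = 0.1, repeat: int = 2, seed: int = 7) -> dict:
    """Push n_records through a lossy one-way link and return receiver statistics."""
    rng = random.Random(seed)
    sender, receiver = Sender(repeat=repeat), Receiver()
    wire = []
    for i in range(n_records):
        wire.extend(sender.push({"tag": f"FIC-{i:03d}", "value": i * 0.5}))  # constructed data
    for f in one_way_link(wire, loss, rng):
        receiver.feed(f)
    return {
        "sent": n_records,
        "delivered": len(receiver.records),
        "missing": sorted(receiver.missing),
        "rejected": receiver.rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it with different `loss` and `repeat` values to see the trade-off the post alludes to: with `repeat=1` every dropped frame is a permanent gap the receiver can only log, while sending each frame twice or three times buys reliability at the cost of bandwidth. Nothing in the receiver ever produces a message for the sender, which is the property to check against any product that claims to be unidirectional.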
The idea of buying a product to solve security is appealing to managers, and let’s admit that the technology guys love the latest gadget as well. Many control systems would achieve greater risk reduction if that effort and money were put into administrative controls.
These unidirectional security products will become more appealing as network and product designs implement more one-way / push-out capabilities.