You can always count on Waterfall to take a different approach to solving a security need (this is a good thing). They recently announced their Hardware Enforced Remote Access (HERA).

HERA leverages Waterfall’s unidirectional technology (one-way, hardware enforced, data diode) to give authenticated users keyboard and mouse control, and only that capability, over a virtual machine in OT. The virtual machine’s responses are sent back to the user over a separate unidirectional connection.

While Waterfall highlights the advantages of hardware (no software vulnerabilities to patch; data-diode protection is physics), I believe there are other benefits of this solution that are equally or more important:

  • An attacker who has established a remote connection cannot upload any of their tools. They are restricted to what is already in the OT environment, living off the land. That is enough to attack most ICS, but it requires more time and more talent.
  • The virtual machine in OT used for the connection is ephemeral. It is deleted when the remote connection is terminated. Cattle, not pets / DevOps approach. Any foothold the attacker builds on the virtual machine is destroyed with it. A wise attacker would RDP/SSH from the ephemeral VM to another OT computer and use that as a home base.

The HERA solution is ideal for OT remote access by engineers and others who need full access to everything in OT. Granular access control (what the remote user can reach, and what they can do once there) is not an issue if you have decided these engineers may need access to everything to do anything.

This is common. Many security conscious asset owners only provide OT remote access to their best engineers, who need to get in to deal with emergencies, and emergencies can happen anywhere in the system. Everyone else works from OT data pushed out to the OT DMZ or to IT.

The harder decision, HERA versus other OT Secure Remote Access solutions, comes when you want granular access control for OT remote access. My favorite example is third party support for a boiler. Other OT Secure Remote Access solutions can limit that user to boiler access only. HERA cannot. You can get even more granular and say the third party may only access these cyber assets, using this protocol, to write to these tags, with a value in this range.
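To make concrete what that kind of granular policy looks like in a software OT Secure Remote Access product, here is a toy default-deny policy check, added as an example for this post. It is not HERA, and not any vendor’s code. The role, asset, protocol and tag names and the value ranges are invented for illustration; the structure (role → permitted assets → permitted protocol → permitted tag writes → permitted value range) is the chain of decisions the boiler example above describes.

```python
"""Toy default-deny policy check for granular OT remote access.

Added example for this post, not Waterfall's or any vendor's code.
Every role, asset, protocol, tag and value range below is invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class TagRule:
    """One tag a role may write, with the inclusive value range permitted."""
    tag: str
    low: float
    high: float


@dataclass
class RolePolicy:
    """What one remote-access role may do: which assets, over which protocol,
    whether it may read, and which tags it may write (and within what range)."""
    assets: FrozenSet[str]
    protocol: str
    read_allowed: bool
    write_rules: Dict[str, TagRule]


@dataclass(frozen=True)
class Request:
    """A single action the remote-access gateway is asked to forward."""
    role: str
    asset: str
    protocol: str
    action: str                   # "read" or "write"
    tag: Optional[str] = None
    value: Optional[float] = None


def evaluate(policies: Dict[str, RolePolicy], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    policy = policies.get(req.role)
    if policy is None:
        return False, f"unknown role {req.role!r}"
    if req.asset not in policy.assets:
        return False, f"{req.asset!r} is outside the assets permitted to {req.role!r}"
    if req.protocol != policy.protocol:
        return False, f"protocol {req.protocol!r} not permitted; only {policy.protocol!r}"
    if req.action == "read":
        if policy.read_allowed:
            return True, "read permitted"
        return False, "reads not permitted for this role"
    if req.action == "write":
        rule = policy.write_rules.get(req.tag or "")
        if rule is None:
            return False, f"tag {req.tag!r} is not writable by {req.role!r}"
        if req.value is None or not (rule.low <= req.value <= rule.high):
            return False, (f"value {req.value!r} for {req.tag!r} is outside "
                           f"[{rule.low}, {rule.high}]")
        return True, f"write of {req.value} to {req.tag!r} permitted"
    return False, f"unsupported action {req.action!r}"


# Constructed policy: a third-party boiler vendor confined to the two boiler
# PLCs, Modbus/TCP only, reads allowed, writes to two setpoint tags only and
# only within an engineering-approved range. Names and numbers are invented.
POLICIES: Dict[str, RolePolicy] = {
    "boiler_vendor": RolePolicy(
        assets=frozenset({"boiler-plc-1", "boiler-plc-2"}),
        protocol="modbus-tcp",
        read_allowed=True,
        write_rules={
            "steam_pressure_setpoint_psi": TagRule("steam_pressure_setpoint_psi", 50.0, 150.0),
            "feedwater_flow_setpoint_gpm": TagRule("feedwater_flow_setpoint_gpm", 20.0, 80.0),
        },
    ),
}

# Constructed requests, from an in-scope setpoint change down to an attempt to
# pivot to a turbine PLC the vendor has no business touching.
SAMPLE_REQUESTS: List[Request] = [
    Request("boiler_vendor", "boiler-plc-1", "modbus-tcp", "write",
            "steam_pressure_setpoint_psi", 120.0),     # in scope, in range
    Request("boiler_vendor", "boiler-plc-1", "modbus-tcp", "write",
            "steam_pressure_setpoint_psi", 500.0),     # out of range
    Request("boiler_vendor", "boiler-plc-2", "modbus-tcp", "write",
            "burner_enable", 1.0),                     # tag not writable
    Request("boiler_vendor", "boiler-plc-1", "modbus-tcp", "read"),   # permitted
    Request("boiler_vendor", "turbine-plc-1", "modbus-tcp", "read"),  # wrong asset
    Request("boiler_vendor", "boiler-plc-1", "rdp", "read"),          # wrong protocol
    Request("plant_guest", "boiler-plc-1", "modbus-tcp", "read"),     # unknown role
]


def decide_all(policies: Dict[str, RolePolicy],
               requests: List[Request]) -> List[Tuple[bool, str]]:
    """Evaluate every request and return the (allowed, reason) decisions in order."""
    return [evaluate(policies, r) for r in requests]


if __name__ == "__main__":
    for req, (allowed, reason) in zip(SAMPLE_REQUESTS, decide_all(POLICIES, SAMPLE_REQUESTS)):
        print("ALLOW" if allowed else "DENY ", req.role, req.asset, req.action,
              req.tag, "->", reason)
```

Of the seven constructed requests, only the first (an in-range setpoint write) and the fourth (a read of a boiler PLC) are allowed; every other one is refused with a reason that names the rule it tripped. Note that every one of these checks is ordinary software sitting between the remote user and the PLC, which is exactly what a hardware-only approach declines to rely on.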

As you allow more OT remote access, the likelihood that you will have multiple roles for which this access control granularity matters increases. When you are making your decision you should consider your likely remote access needs for the next 1-3 years.

Waterfall would argue that this access control granularity is illusory because it’s software: it will have vulnerabilities that allow an attacker to circumvent the controls. While they’re right that security products have vulnerabilities, I don’t buy that you should therefore assume software-based security controls have no value, or even significantly diminished value.

The good news is you have another technical approach to choose from now as you make your OT secure remote access decision.