Hats off to the Waterfall marketing team on the buildup for their new WF-600. They treated it like a movie release with a trailer and other social media content designed to pique interest in the new product release. Part of the reason it was so effective, at least for me, is it was out of character for what I’d classify as a conservative brand.
I eagerly opened the announcement on Monday and … meh. It’s more features and packaging for one-way / data-diode / or what Waterfall calls Unidirectional.
One-way is simple, and dull, from a technology perspective. The core of the solution is hardware-based: physics that allows data to flow in only one direction. There is sophisticated software on either side of the solution that mimics the client or server, and there is management of this software, but it is a supporting technology to the core one-way hardware solution.
It also is highly effective and highly recommended at certain points in the architecture. For example, one-way is ideal for passing information from safety / SIS to control / ICS without allowing any data from the ICS to reach and possibly impact safety. One-way is ideal for passing historical data from the ICS to the cloud for predictive maintenance and efficiency studies. It allows you to get the benefit of the cloud offerings without adding risk to the ICS. I’ve seen other cases for one-way data passing, such as operator screen replication on the enterprise, sending data between ICS, and other applications.
The big decision still remains:
Where can I and should I use one-way technology?
Andrew Ginter and Lior Frenkel at Waterfall have an expansive view of this, as you would expect. They have passionately espoused widespread use of one-way that flies in the face of the industry trend for more two-way communication between boundaries. The trend line of places where one-way makes sense is going down. This is balanced by the fact that one-way is deployed in less than 10% of the places where it makes sense. The market size should grow as penetration increases more quickly than the addressable market size decreases.
The Waterfall new product announcement addresses the second question:
If I choose to use one-way for a certain security perimeter, what one-way solution should I use?
Waterfall has been the dominant player in the one-way industrial space for almost two decades. This is due to a number of factors including the quality and support of their solution, and a determined, consistent marketing effort on the technology and the Waterfall brand. They are one of the few companies in the ICS security space that have been profitable, which is still rare, and profitable year over year.
For a long time, one-way was primarily Owl and Waterfall in the market. In the last five years a number of new entrants have joined, primarily trying to win business by being significantly lower cost than Waterfall. The one-way product is typically one of many products in these new entrants’ solutions, and this lack of religion on one-way may be one reason they have not pulled much market share from Waterfall.
If you decide you can use one-way in some locations, then you will want to dig into the WF-600. I haven’t seen a demo yet to understand the purported management benefits. The screenshots indicate that you can do some deep packet inspection filtering of the one-way communication in a seemingly straightforward manner for the large number of protocols they support.