CFATS – Can SD-WANs Be Standards Compliant?

Any innovative technology faces a battle of doubt. When Amazon first rolled out AWS, few could imagine servers running in the cloud. Before Salesforce, many thought CRM to be too critical to run as SaaS. I find SD-WANs to be facing a similar battle. It’s inconceivable to many that an SD-WAN could replace MPLS. This is particularly true for security teams, such as those under CFATS standards.

At one recent client, a chemical company, the team was looking to transition from MPLS to SD-WAN. The security group, though, could not accept the fact that SD-WANs met the requirements stipulated by CFATS (Chemical Facility Anti-Terrorism Standards) guiding the chemical industry.

To get to the bottom of their question, I chatted with Nirvik Nandy, the president and CEO, of Red Lantern, a security and compliance consultancy. Here’s what he had to say.

Nirvik, what are potential regulatory / security issues from your perspective when companies consider SD-WANs running over the Internet?

End to end security. In an MPLS dedicated type on environment there is a sense of your data being contained on carrier’s connection. The traffic, routing and transport layer security of SD-WANs over the internet is not clearly explained or validated by security community to feel the same level of comfort as dedicated MPLS connections.

A lot of our readers are not in the chemical industry. Can you provide us with a quick definition of CFATS?

Sure, CFATS, recommends Risk Based Performance Standards for protecting facilities with Chemicals of Interest (COI) The specification looks to deter theft or diversion or cyber sabotage, including preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCSs) Process Control Systems (PCSs), Industrial Control Systems (ICSs); critical business systems; and other sensitive computerized systems.  

Are there significant differences between CFATS and, say, HIPAA, in terms of their requirements from networking systems?

The risk is exposure of confidential data. HIPPA approaches it with the purpose of protecting PII and medical records whereas CFAT is looking to deter cyber sabotage. So CFATS has specific requirements on segmentation to isolate these environments from the corporate environment.

Is firewalling or MPLS then required by CFATS?

Firewall is just one option other security controls are needed to ensure that segmentation. SD-WAN, if designed properly, will allow for firewalling the systems and well as segmenting traffic flow via traffic overlay and encryption for communication between the CFATS control systems and the general corporate network.

As a security professional, do you think SD-WANs are CFATS compliant? Why?

It can be compliant if deployed correctly and the various controls (both technical and administrative / process) are implemented. Unless an organization had interpreted the guidance of “RBPS section 8 – Cyber” where it talks about segmentation of the SCADA, DCs, PCSs ICSs etc. to be completely air-gapped/ disconnected from corporate. If that is the case then the solution is very expensive.

It would seem that a logical question with SD-WANs is that attackers could launch a DDOS attack against a router or host and disrupt a connection. Wouldn’t that be a violation of CFATS and if not, why not?

You can run DDoS against a firewall too. CFATS does not talk about being bulletproof but of having a layered defense model that includes preventative technologies. So you can have SD-WAN, routers and firewalls but they need to be supported by processes, such as monitoring, so you can react and respond in case of an attack.

Share this post