Data Diode and Unidirectional Gateways

Picture of Waterfall team

Waterfall team

A data diode is a network security device that allows data to flow in only one direction. True data diodes are completely hardware-based, which makes them difficult to bypass or tamper with. Such data diodes provide robust protection from information leaking or attacks propagating in the “opposite” direction of the diode. Unlike software-based security solutions, the hardware function of a true data diode cannot be bypassed by malware or other malicious software.

A classic complaint about data diodes is their lack of support for modern communications systems and protocols, especially in the OT security / industrial control system domain. Since data diodes are unable to participate in TCP/IP client/server conversations, data diode systems are constrained to connectionless protocols such as broadcast Ethernet and broadcast UDP/IP systems. This makes integration into conventional networks very difficult.

Data Diodes > Unidirectional Gateways
More modern advice, such as the US NIST 800-82 Guide to Industrial Control Systems (ICS) Security, points out that data diode technology has evolved. The modern version of the data diode is the Unidirectional Gateway, which NIST defines as:

“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.”

Is short, Unidirectional Gateways contain one-way hardware like data diodes, coupled with software that transparently gathers industrial data, sends it through the one-way hardware and publishes the data to identical servers in external IT networks. Unidirectional Gateway software routinely makes copies of process historians, OPC-DA servers, relational databases and many other industrial data sources on enterprise networks, through truly unidirectional hardware. Enterprise users and applications use the replica servers and data sources normally and bi-directionally on IT networks. Unidirectional Gateways provide the security strength of data diode hardware, with the convenience of normal client/server interactions with (copies of) industrial data sources.

Would you like to speak with one of our Unidirectional Gateways experts? >> Click Here >>

 

UNIDIRECTIONAL VS DATA DIODE

 

Data Diode

Unidirectional Gateway

One-way hardware

Yes

Yes

Focus

Send data into classified military & government networks

Send data out of reliability-critical industrial networks

Top priority

Protect the data

Protect safe, reliable and efficient physical operations

File & Syslog replication

Rarely

Yes

Industrial server replications – historians, OPC, MQTT

No

Yes

Industrial form factors – eg: DIN Rail

No

Yes

Today, Unidirectional Gateways are used routinely to protect industrial networks. In fact, Unidirectional Gateways are today a key tool in the emerging body of knowledge that is network engineering, which is part of the cybersecurity engineering strategy announced by the US Department of Energy. Today’s Unidirectional Gateways are used routinely as robust protection for industrial control networks in power generation, rail systems, refining and many other industries.

Would you like to speak with one of our Unidirectional Gateways experts? >> Click Here >>

Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox