Data diode

Data Diode and Unidirectional Gateways

A data diode is a network security device that allows data to flow in only one direction. True data diodes are completely hardware-based, which makes them difficult to bypass or tamper with. Such data diodes provide robust protection from information leaking or attacks propagating in the “opposite” direction of the diode. Unlike software-based security solutions, the hardware function of a true data diode cannot be bypassed by malware or other malicious software.

A classic complaint about data diodes is their lack of support for modern communications systems and protocols, especially in the OT security / industrial control system domain. Since data diodes are unable to participate in TCP/IP client/server conversations, data diode systems are constrained to connectionless protocols such as broadcast Ethernet and broadcast UDP/IP systems. This makes integration into conventional networks very difficult.
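What the missing return path means for the software on each side, as an added example that is not from the original page or from any vendor's product: a sender frames data into repeated UDP datagrams carrying a sequence number and CRC32, and a receiver reassembles them and can only report gaps locally. The header layout, the function and class names and the repeat count are assumptions made for illustration.

```python
import socket, struct, zlib

# Constructed header: seq, total frames, payload length, CRC32 (integrity only, not authentication)
HEADER = struct.Struct("!IIHI")

def encode_frames(data: bytes, chunk: int = 512, repeat: int = 2):
    """Split data into self-describing datagrams; each is emitted `repeat` times
    because the receiver has no return path to request a retransmission."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    frames = []
    for seq, payload in enumerate(chunks):
        crc = zlib.crc32(struct.pack("!II", seq, len(chunks)) + payload)
        frames += [HEADER.pack(seq, len(chunks), len(payload), crc) + payload] * repeat
    return frames

def send_one_way(frames, addr):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for f in frames:
            s.sendto(f, addr)  # fire and forget: no connect handshake, no recv(), no ACK

class Receiver:
    """Destination side: reassembles silently and never sends anything back."""
    def __init__(self):
        self.total, self.chunks, self.rejected = None, {}, 0

    def feed(self, datagram: bytes) -> None:
        if len(datagram) < HEADER.size:
            self.rejected += 1
            return
        seq, total, length, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        ok = (len(payload) == length and seq < total
              and zlib.crc32(struct.pack("!II", seq, total) + payload) == crc)
        if not ok or (self.total is not None and total != self.total):
            self.rejected += 1  # corrupted or inconsistent frame: drop it
            return
        self.total = total
        self.chunks.setdefault(seq, payload)  # repeated copies are harmless

    def missing(self):
        # Gaps can only be logged or alarmed on this side, never reported to the source.
        if self.total is None:
            return []
        return [s for s in range(self.total) if s not in self.chunks]

    def data(self):
        if self.total is None or self.missing():
            return None
        return b"".join(self.chunks[s] for s in range(self.total))
```
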

Data Diodes > Unidirectional Gateways

More modern advice, such as the US NIST 800-82 Guide to Industrial Control Systems (ICS) Security, points out that data diode technology has evolved. The modern version of the data diode is the Unidirectional Gateway, which NIST defines as:

“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.”

In short, Unidirectional Gateways contain one-way hardware like data diodes, coupled with software that transparently gathers industrial data, sends it through the one-way hardware and publishes the data to identical servers in external IT networks. Unidirectional Gateway software routinely makes copies of process historians, OPC-DA servers, relational databases and many other industrial data sources on enterprise networks, through truly unidirectional hardware. Enterprise users and applications use the replica servers and data sources normally and bi-directionally on IT networks. Unidirectional Gateways provide the security strength of data diode hardware, with the convenience of normal client/server interactions with (copies of) industrial data sources.

Unidirectional Vs Data Diode

| | Data Diode | Unidirectional Gateway |
|---|---|---|
| One-way hardware | Yes | Yes |
| Focus | Send data into classified military & government networks | Send data out of reliability-critical industrial networks |
| Top priority | Protect the data | Protect safe, reliable and efficient physical operations |
| File & Syslog replication | Rarely | Yes |
| Industrial server replications - historians, OPC, MQTT | No | Yes |
| Industrial form factors - e.g. DIN Rail | No | Yes |

Today, Unidirectional Gateways are used routinely to protect industrial networks. In fact, they are a key tool in the emerging body of knowledge that is network engineering, which is part of the cybersecurity engineering strategy announced by the US Department of Energy. Unidirectional Gateways serve as robust protection for industrial control networks in power generation, rail systems, refining and many other industries.
