A data diode is a network security device that allows data to flow in only one direction. True data diodes are completely hardware-based, which makes them difficult to bypass or tamper with. Such data diodes provide robust protection from information leaking or attacks propagating in the “opposite” direction of the diode. Unlike software-based security solutions, the hardware function of a true data diode cannot be bypassed by malware or other malicious software.
A classic complaint about data diodes is their lack of support for modern communications systems and protocols, especially in the OT security / industrial control system domain. Since data diodes are unable to participate in TCP/IP client/server conversations, data diode systems are constrained to connectionless protocols such as broadcast Ethernet and broadcast UDP/IP systems. This makes integration into conventional networks very difficult.
More modern advice, such as the US NIST 800-82 Guide to Industrial Control Systems (ICS) Security, points out that data diode technology has evolved. The modern version of the data diode is the Unidirectional Gateway, which NIST defines as:
“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.”
Is short, Unidirectional Gateways contain one-way hardware like data diodes, coupled with software that transparently gathers industrial data, sends it through the one-way hardware and publishes the data to identical servers in external IT networks. Unidirectional Gateway software routinely makes copies of process historians, OPC-DA servers, relational databases and many other industrial data sources on enterprise networks, through truly unidirectional hardware. Enterprise users and applications use the replica servers and data sources normally and bi-directionally on IT networks. Unidirectional Gateways provide the security strength of data diode hardware, with the convenience of normal client/server interactions with (copies of) industrial data sources.
| Data Diode | Unidirectional Gateway | |
|---|---|---|
|
One-way hardware |
Yes |
Yes |
|
Focus |
Send data into classified military & government networks |
Send data out of reliability-critical industrial networks |
|
Top priority |
Protect the data |
Protect safe, reliable and efficient physical operations |
|
File & Syslog replication |
Rarely |
Yes |
|
Industrial server replications - historians, OPC, MQTT |
No |
Yes |
|
Industrial form factors - eg: DIN Rail |
No |
Yes |
Today, Unidirectional Gateways are used routinely to protect industrial networks. In fact, Unidirectional Gateways are today a key tool in the emerging body of knowledge that is network engineering, which is part of the cybersecurity engineering strategy announced by the US Department of Energy. Today’s Unidirectional Gateways are used routinely as robust protection for industrial control networks in power generation, rail systems, refining and many other industries.
And if at any time you would like an update on the latest Unidirectional Gateway developments, please use the form below to request a free consultation with one of Waterfall’s unidirectional technologies experts:
We explore how to select the appropriate unidirectional architecture, including reversible unidirectional gateways, unidirectional gateways with bypass and inbound/outbound architectures and industrial cloud.
Atlantic Data Security and Waterfall Security Solutions announce a strategic partnership to strengthen industrial cybersecurity in many industries. This collaboration provides ADS customers with secure and consolidated IT/OT integration technology that safeguards against both current and future cyber threats.
This is the OT security revolution. In the first decade of the OT / ICS security discipline, practitioners took inspiration from IT security, because that’s all we had. Back then, the question was “how much like IT security can we make our OT / industrial security program?” Today, the world is asking different questions.
OT security in Japan is strengthened by a new partnership between Terilogy and Waterfall Security Solutions, making Waterfall’s Unidirectional Security Gateways more readily available to Japanese customers.
Choosing between Unidirectional Gateways and firewalls depends on factors such as risk, architecture, and data exchange patterns. We explore how to select the appropriate tool in an expanding market of segmentation options.
Download here Waterfall’s latest whitepaper: NERC CIP V5 Standards And Unidirectional Network Protection
English
Français
Español
עברית
Deutsch
日本語
한국어
中文
اَلْعَرَبِيَّةُ
