Data Diode and Unidirectional Gateways

Waterfall team

A data diode is a network security device that allows data to flow in only one direction. True data diodes are completely hardware-based, which makes them difficult to bypass or tamper with. Such data diodes provide robust protection from information leaking or attacks propagating in the “opposite” direction of the diode. Unlike software-based security solutions, the hardware function of a true data diode cannot be bypassed by malware or other malicious software.

A classic complaint about data diodes is their lack of support for modern communications systems and protocols, especially in the OT security / industrial control system domain. Since data diodes are unable to participate in TCP/IP client/server conversations, data diode systems are constrained to connectionless protocols such as broadcast Ethernet and broadcast UDP/IP systems. This makes integration into conventional networks very difficult.

Data Diodes > Unidirectional Gateways
More modern advice, such as the US NIST 800-82 Guide to Industrial Control Systems (ICS) Security, points out that data diode technology has evolved. The modern version of the data diode is the Unidirectional Gateway, which NIST defines as:

“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.”

In short, Unidirectional Gateways contain one-way hardware like data diodes, coupled with software that transparently gathers industrial data, sends it through the one-way hardware and publishes the data to identical servers in external IT networks. Unidirectional Gateway software routinely makes copies of process historians, OPC-DA servers, relational databases and many other industrial data sources on enterprise networks, through truly unidirectional hardware. Enterprise users and applications use the replica servers and data sources normally and bi-directionally on IT networks. Unidirectional Gateways provide the security strength of data diode hardware, with the convenience of normal client/server interactions with (copies of) industrial data sources.

UNIDIRECTIONAL VS DATA DIODE

|                                                      | Data Diode                                                | Unidirectional Gateway                                      |
|------------------------------------------------------|-----------------------------------------------------------|-------------------------------------------------------------|
| One-way hardware                                     | Yes                                                       | Yes                                                         |
| Focus                                                | Send data into classified military & government networks  | Send data out of reliability-critical industrial networks   |
| Top priority                                         | Protect the data                                          | Protect safe, reliable and efficient physical operations    |
| File & Syslog replication                            | Rarely                                                    | Yes                                                         |
| Industrial server replications – historians, OPC, MQTT | No                                                      | Yes                                                         |
| Industrial form factors – e.g. DIN Rail              | No                                                        | Yes                                                         |

Today, Unidirectional Gateways are used routinely to protect industrial networks. They are a key tool in the emerging body of knowledge that is network engineering, which is part of the cybersecurity engineering strategy announced by the US Department of Energy, and they serve as robust protection for industrial control networks in power generation, rail systems, refining and many other industries.
