Segmentation 201: Unidirectional Gateways vs. Firewalls

Waterfall team

Waterfall team

Robert M. Lee at Davos 2023 pointed out that when IT security biases are applied to operational technologies (OT), a lot of money is spent with little return. Segmentation in OT is a prime example of this, where the misuse of firewall technologies often occurs. There is nothing inherently wrong with firewalls, but they may not always be the most effective solution. In many instances unidirectional technologies are the optimal solution. There are many benefits of utilizing Unidirectional Gateways vs. firewalls:

Feature UGW Firewall
No Routing Yes No
Protocol break completely removeunnecessary data Yes No
Unidirectional, using Physics Yes No
Rule-free cybersecurity Yes No
Guaranteed prevention of network ransomware and malware Yes No
Made for OT Yes No
Counters credential theft Yes No

Table 1: Unidirectional Gateways vs. Firewalls

Your Brakes?

Forget about ports and protocols for a moment. Imagine only data flows: sending and receiving information. Now imagine the wheels of your car. Will you be okay with sensors sending information to the cloud about braking patterns and brake-pad wear? You might object on grounds of confidentiality, but would you object on the grounds of safety? Looking at this another way, would you be okay with the brakes being controlled, enabled or disabled by the cloud? All software – from clouds to firewalls – have inevitable defects. None of us wants known defects and vulnerabilities or the possibility of a zero-day attack hanging over us while driving a car.

When it comes to safety, we generally demand deterministic protection: no matter how sophisticated the external attacks, your brakes should never activate or fail to activate at the appropriate moment while driving due to a problem in the cloud, or a cyber attack from the cloud or through a firewall. The most reliable – deterministic – way to enable cloud-based monitoring without cloud-based controls is to physically prevent any data at all, no matter how benign that data seems, from flowing from the cloud back to your brakes.

Unidirectional technologies in cybersecurity are based on hardware. They can send data but not receive. As such two main factors will make them an optimal solution over firewalls:

  • If the network is safety or reliability critical, then unidirectional technologies may be a good solution, because firewalls can be confused or defeated, and unidirectional gateways cannot – unidirectional protection is based on physics, not software.
  • The second parameter is data flows. Many devices or computers send tons of data but may not need to be updated regularly. When asymmetric data flows are at work, then unidirectional technologies may be a better fit than a firewall.

Gateways vs. Firewalls talks about Safety-critical systems like rail networks and passenger trains
Safety-critical systems

Cloud vs. Gateways vs. Firewalls

Cloud computing has become pervasive in enterprise networks and industrial cloud computing is becoming increasingly pervasive in manufacturing and even critical infrastructures. When devices or control systems send information to the cloud autonomously to report their state, these systems most often do not require immediate action. They often send terabytes of data for predictive maintenance purposes. The information is analyzed promptly but may not produce conclusions for months, and when those conclusions are produced, they generally need to be acted upon within the following few weeks. In this case, is a firewall the right choice? Inspecting each packet? Using AI? Hoping nothing nasty comes back inside the encrypted connection to the cloud, through the Internet?

The right solution in this case is to send the data physically unidirectionally by replicating the data, creating a “data twin.” These twins are important from both functionality and security perspectives. For example, in the upcoming S4x23, Ryan Dsouza will provide IEC62443 current standards to address the use of cloud.

Similar use cases appear throughout in critical infrastructures. Trains need to send status information to passenger cell phone apps, but rail switching systems can not afford to be compromised because of firewalled connectivity with the Internet. Refineries need to send information to Security Operation Centers automatically, but again cannot afford compromise from a central or out-sourced, Internet-based SOC. In any case where the risk of external attack is high and the information flow is asymmetric, unidirectional gateways are the preferred option – the technology is mature enough so that information can be sent easily, transparently, and regardless of the protocol, provided that flow is mostly unidirectional.

Conclusion

When choosing an unidirectional gateways vs. firewalls as an OT segmentation solution, consider:

  • Is the network segment critical?
  • Is the information flow asymmetric out of this segment?

If the answer is yes to both, then unidirectional technologies are most often a better choice than firewalls.

All that said, there is always the follow-up question: even if data flows are asymmetric, I still need to send some data in. It turns out that today’s unidirectional architectures do resolve these issues – I will discuss them in a follow-up blog. The right segmentation choice reduces operational expenses and improves cybersecurity.

For more details, see Waterfall’s guide: Unidirectional Gateways vs. Firewalls.

Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox