Under the hood of HERA are two instances of Waterfall’s flagship Unidirectional Security Gateways technology. One Unidirectional Gateway is oriented from the protected OT network out to the Internet-exposed IT network or to the Internet directly. That gateway’s hardware is physically able to send information in only one direction – the gateway sends HERA screen images out to the remote user across the Internet. Nothing can get back.

The second gateway under the hood of HERA is a variation of the standard Unidirectional Gateway. This gateway does two things. First, this second gateway sends HERA encrypted keystrokes and mouse movements (KMM) back into the OT network through the unidirectional hardware – nothing can get back out through that hardware. Second, the inbound hardware has gate array logic built in, and this logic scans the unidirectional communications and allows only the very simple encrypted HERA KMM information to pass – all other attempts at communication are rejected. Finally, on the OT network, that gateway’s receiving CPU runs virtual machine (VM) software, creating a brand new VM for each remote user session.

To recap, under the hood of the HERA gateway is:

• An inbound Unidirectional Gateway, which contains:
  
  
  • An Internet-exposed CPU interacting with the remote user / laptop,
    
    
  • One-way hardware that permits only encrypted KMM data to pass, and
    
    
  • A CPU on the OT network receiving the encrypted KMM data, decrypting that data and sending keystrokes and mouse movements to the remote users’ session VMs,
    
    
• An outbound Unidirectional Gateway, which contains:
  
  
  • A CPU on the OT network receiving screen images from the HERA VMs,
    
    
  • One-way hardware,
    
    
  • A CPU on the IT/Internet sending copies of HERA’s session VM screens across the Internet to remote users.
    
    

The whole solution fits in 2u of rack space.