Since the 1980s, data diodes have been working diligently and discreetly behind the scenes around the world to help keep critical infrastructure and operations safe. Data diodes, also known as unidirectional network gateways, are network appliances that allow data to travel in only one direction, in order to guarantee information security and to protect critical digital systems from inbound cyberattacks.
Despite their significant role in the cybersecurity chain, these devices are not widely known. That is beginning to change, however, due to factors including the growing interconnectedness of operational and IT networks, evolving attacks targeted at critical infrastructure and, more recently, governments mandating their use to protect particular industry sectors.
Data diodes were traditionally found in high security military, space agency and government domains but are now becoming widely adopted in sectors such as oil and gas, power generation, distribution and renewables, water supply and treatment, aircraft (between flight control units and in-flight entertainment systems), airports, manufacturing, engineering systems and cloud connectivity for industrial IoT applications.
Adopting data diodes as part of your cybersecurity posture makes sense as the devices require little or no configuration, maintenance or support while establishing immediate network segregation.
Unlike firewalls, data diodes are physical hardware devices that enforce a one-way flow of data at the physical layer. In the simplest designs the one-way element contains no software, programmable logic or field-programmable gate arrays (FPGAs): it is only a physical path along which a signal can travel in one direction. In some cases, such as the Advenica DD1000A, the network traffic is converted to light, and that stream of light is visible through a display window on the front panel.
Because of this design, the signal (light in an optical diode, current in an electrical one) can physically travel in only one direction, so an attack that tries to send data back through the diode in the reverse direction is not merely blocked but physically impossible. Note the limit of that guarantee: the diode enforces direction, not content. Whatever is sent in the permitted direction still arrives, so the software that receives and parses it on the far side must treat every byte as untrusted input. A firewall, on the other hand, is a software solution. Humans have programmed that software, with the inherent risk of bugs, some of which may manifest as security vulnerabilities.
There are numerous examples of firewall products that have been compromised by exploiting such vulnerabilities. Moreover, a firewall can be complex to manage and configure, which leads to mistakes such as the wrong ports being opened, giving attackers a way in.
In 2013 the French Network and Information Security Agency (ANSSI) published its guidance on industrial control system cybersecurity, which states that it is forbidden to connect a class 3 network, such as a railway switching system, to a lower-class network or a corporate network through a firewall; only unidirectional technology is permitted for such an interconnection.
The most important property of a data diode is that information can only pass through it in one direction. In earlier times, critical infrastructure and networks were less exposed to unauthorized access because they were air-gapped, that is, physically isolated. With the advent of the internet and the growing interconnection of networks to satisfy business and management information needs, this advantage has been lost.
Adopting certified data diodes that meet military standards means that network segmentation can be quickly re-established. One clear use case is the boundary between a production/operational network and the corporate IT network. Management still needs to receive information from the production network, and with a data diode in place that information flows out while no back channel for cyber exploitation exists.
As already discussed, data diodes are common in a range of industrial sectors, and emerging legislation around the world is now driving wider adoption.
On June 30th 2020, new EU guidelines on cybersecurity for banks came into force. As a result, it is now clearer how financial services organisations are to manage internal and external risks linked to IT and security. Network segmentation, which data diodes can enforce physically, is one of the measures that mitigates those risks.
The new guidelines from the European Banking Authority (EBA) are the European standard for managing ICT and security risk. They describe how banks, fund managers and payment service providers operating within the EU are to manage internal and external risks linked to IT and security. The goal is to reduce the likelihood of attacks, data leaks, disruptions and intrusions affecting critical systems.
Among other things, the guidelines set out which security measures must be developed and implemented to mitigate the IT and security risks that financial institutions face. It is important to understand that the guidelines carry legal weight: the institutions covered are obliged to comply, or to justify any deviation from them.
The guidelines address the management of internal and external risks within IT and information security, as well as operational risk management, in financial institutions, meaning payment service providers, credit institutions and securities companies.
The guidelines are detailed, but a central requirement concerns classification: financial institutions must carry out a risk assessment and classify business functions, supporting processes and information assets according to how critical they are. Another vital requirement concerns information security measures: the guidelines state that security measures must be developed and implemented to mitigate the IT and security risks that financial institutions face.
An excellent method for mitigating security risks and protecting critical information and critical systems is network segmentation through a combination of physical and logical separation. Physical separation means that security zones are defined and placed on separate physical hardware.
Logical separation means that different zones or classes of network traffic share the same hardware or the same network cable. Because the separation is then enforced by configuration rather than by physical construction, it is harder to verify by inspection, which gives lower confidence in the strength of the separation mechanism than physical separation provides.
Most data diode deployments use nothing more than the one-way property of the device. We recommend simple unidirectional pass-through diodes for most customer applications, but sometimes specify more sophisticated models that add protocol filtering, limited handling of message exchanges that expect a reply, and customer-specific services needed to achieve the required business outcome.
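As an added illustration (not code from the original page or from any vendor's product), the following Python sketch shows the discipline a pass-through diode imposes on the software at each end of the link: the sender frames each message with a sequence number and a checksum, and the receiver validates every datagram, counts sequence gaps and ignores replays, because there is no return path over which it could ask for a retransmission. The frame layout, the six-message sample and the loss and corruption pattern are constructed for this example.

```python
import struct
import zlib
from dataclasses import dataclass, field

# Constructed wire format for this illustration (not a vendor format):
# magic | sequence number | payload length | payload | CRC-32 over everything before it
MAGIC = b"DD"
HEADER = struct.Struct("!2sIH")   # magic, seq, length
TRAILER = struct.Struct("!I")     # CRC-32
MAX_PAYLOAD = 1400                # fits one UDP datagram without IP fragmentation


def frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram for the sending side of the diode."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for a single frame")
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


@dataclass
class Receiver:
    """Receiving side: it can never ask the sender to repeat anything."""
    expected_seq: int = 0
    lost: int = 0        # frames that never arrived intact (counted from sequence gaps)
    rejected: int = 0    # frames that arrived but failed validation
    accepted: list = field(default_factory=list)

    def receive(self, datagram: bytes) -> bool:
        # The diode guarantees direction, not content: validate before trusting anything.
        if len(datagram) < HEADER.size + TRAILER.size:
            self.rejected += 1
            return False
        body, trailer = datagram[:-TRAILER.size], datagram[-TRAILER.size:]
        if zlib.crc32(body) != TRAILER.unpack(trailer)[0]:
            self.rejected += 1
            return False
        magic, seq, length = HEADER.unpack_from(body)
        if magic != MAGIC or length != len(body) - HEADER.size:
            self.rejected += 1
            return False
        if seq < self.expected_seq:
            # Duplicate or replay of an older frame: ignore it, do not process it twice.
            self.rejected += 1
            return False
        if seq > self.expected_seq:
            # Gap: frames were lost on the link (or rejected earlier). There is no
            # back channel for a retransmission request, so the loss is only recorded.
            self.lost += seq - self.expected_seq
        self.accepted.append((seq, body[HEADER.size:]))
        self.expected_seq = seq + 1
        return True


def simulate() -> Receiver:
    """Push six frames across a lossy, corrupting one-way link (constructed sample)."""
    frames = [frame(i, f"reading {i}".encode()) for i in range(6)]
    del frames[2]                  # frame 2 is dropped on the link
    bad = bytearray(frames[3])     # frame 4 (index 3 after the deletion) is damaged
    bad[HEADER.size] ^= 0xFF       # flip bits in its first payload byte
    frames[3] = bytes(bad)
    rx = Receiver()
    for datagram in frames:
        rx.receive(datagram)
    return rx


if __name__ == "__main__":
    rx = simulate()
    print("accepted:", [s for s, _ in rx.accepted], "lost:", rx.lost, "rejected:", rx.rejected)
```

In the simulation the receiver accepts frames 0, 1, 3 and 5, records two lost frames (the dropped frame 2 and the corrupted frame 4, which shows up as a gap once frame 5 arrives) and one rejected datagram. The CRC only detects accidental corruption; if the sending host could be impersonated on the network feeding the diode, replace it with an HMAC under a key shared by the two endpoints, since the diode itself does not authenticate who is transmitting.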
DDE Technology has considerable experience advising customers on cybersecurity software and hardware solutions for industrial, IoT and ICT systems across a range of industries including power generation and transmission, water supply and treatment, aviation, casino resorts, defense, oil and gas and banking and finance. Contact us to learn more about our cybersecurity solutions and industry experience.