Unidirectional network


A unidirectional network (also referred to as a unidirectional gateway or data diode) is a network appliance or device that allows data to travel in only one direction. Data diodes are most commonly found in high-security environments such as defense, where they connect two or more networks of differing security classifications. With the rise of industrial IoT and digitization, the technology is now also found at the industrial control level, in facilities such as nuclear and other power plants and in safety-critical systems such as railway networks. [1]


After years of development, data diodes have evolved from a plain network appliance that allows raw data to travel in only one direction, used to guarantee information security or to protect critical digital systems such as industrial control systems from inbound cyber attacks, [2] [3] into combinations of hardware and software running on proxy computers in the source and destination networks. The hardware enforces physical unidirectionality; the software replicates databases and emulates protocol servers so that applications on each side can keep using their normal bidirectional protocols. Data diodes are now capable of transferring multiple protocols and data types simultaneously, and they include a broader range of cybersecurity features such as secure boot, certificate management, data integrity checks, forward error correction (FEC) and TLS-secured communication between the endpoints and the proxies (TLS itself cannot cross the one-way link, since its handshake needs both directions). A distinctive characteristic is that data is transferred deterministically (to predetermined destinations) through a protocol "break": the sending proxy terminates the application protocol, pushes the payload through the diode, and the receiving proxy re-originates it, so no session state and no acknowledgments ever cross the link in the reverse direction.
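The protocol break and forward error correction described above, as an added example (this is not code from the page or from any vendor): a sending proxy chunks a payload, hashes each chunk and adds one XOR parity chunk per group, and a receiving proxy repairs a single lost or corrupted chunk per group. The datagram layout, the stream id 7, the 64-byte chunk size and the sensor-log sample are assumptions made for the example. The point it shows is that the receiver has no way to request a retransmission, so every recovery mechanism has to be decided by the sender in advance.

```python
import hashlib
import struct

# Datagram layout pushed through the diode (constructed for this example, not a vendor format):
#   magic(4) | stream_id(4) | seq(4) | total_chunks(4) | total_len(4) | kind(1) | sha256(32) | payload(CHUNK)
HDR = struct.Struct("!4sIIIIB32s")
MAGIC = b"DIOD"
KIND_DATA, KIND_PARITY = 0, 1
CHUNK = 64          # fixed payload size so XOR parity lines up byte for byte
GROUP = 4           # one parity datagram per GROUP data chunks: repairs one loss per group


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(stream_id: int, data: bytes) -> list:
    """Sending proxy: chunk, hash and group the payload, appending one XOR parity chunk per group."""
    chunks = [data[i:i + CHUNK].ljust(CHUNK, b"\0") for i in range(0, len(data), CHUNK)]
    total = len(chunks)
    datagrams = []
    for g in range(0, total, GROUP):
        parity = b"\0" * CHUNK
        for i, c in enumerate(chunks[g:g + GROUP]):
            datagrams.append(HDR.pack(MAGIC, stream_id, g + i, total, len(data), KIND_DATA,
                                      hashlib.sha256(c).digest()) + c)
            parity = _xor(parity, c)
        # the seq of a parity datagram names the group it protects (the group's first data seq)
        datagrams.append(HDR.pack(MAGIC, stream_id, g, total, len(data), KIND_PARITY,
                                  hashlib.sha256(parity).digest()) + parity)
    return datagrams


class Receiver:
    """Receiving proxy: it can drop bad datagrams and repair single losses, but can never ask for a resend."""

    def __init__(self):
        self.streams = {}

    def accept(self, datagram: bytes) -> bool:
        if len(datagram) != HDR.size + CHUNK:
            return False
        magic, sid, seq, total, length, kind, digest = HDR.unpack_from(datagram)
        payload = datagram[HDR.size:]
        if magic != MAGIC or hashlib.sha256(payload).digest() != digest:
            return False                     # corrupted in transit: drop it, there is no NACK path
        st = self.streams.setdefault(sid, {"total": total, "length": length, "data": {}, "parity": {}})
        st["data" if kind == KIND_DATA else "parity"][seq] = payload
        return True

    def reassemble(self, sid: int):
        """Return the payload, repairing one missing chunk per group from parity; None if unrecoverable."""
        st = self.streams.get(sid)
        if st is None:
            return None
        for g in range(0, st["total"], GROUP):
            members = range(g, min(g + GROUP, st["total"]))
            missing = [i for i in members if i not in st["data"]]
            if len(missing) == 1 and g in st["parity"]:
                repaired = st["parity"][g]
                for i in members:
                    if i != missing[0]:
                        repaired = _xor(repaired, st["data"][i])
                st["data"][missing[0]] = repaired
            elif missing:
                return None                  # two losses in one group exceed what one parity chunk can fix
        return b"".join(st["data"][i] for i in range(st["total"]))[:st["length"]]


def transfer(data: bytes, lost=(), corrupt=()):
    """Simulate the one-way link: datagrams at indices in `lost` vanish, those in `corrupt` get a flipped byte."""
    rx = Receiver()
    for idx, dg in enumerate(encode(7, data)):
        if idx in lost:
            continue
        if idx in corrupt:
            dg = dg[:-1] + bytes([dg[-1] ^ 0xFF])
        rx.accept(dg)
    return rx.reassemble(7)


# Constructed sample: 266 bytes -> 5 data chunks in two groups (4 + 1), 7 datagrams in all.
SAMPLE = b"".join(f"sensor,{i:03d},temp={20 + i % 7}\n".encode() for i in range(14))

if __name__ == "__main__":
    print(transfer(SAMPLE, lost={1}) == SAMPLE)        # one loss per group is repaired
    print(transfer(SAMPLE, lost={0, 1}))               # None: two losses in one group
```

Two losses in one group return None; a real deployment pairs the parity with periodic resends of the whole stream, because the sender never learns what arrived.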

Data diodes are commonly found in high-security military and government environments, and are now becoming widespread in sectors such as oil and gas, water and wastewater, aviation (between flight control units and in-flight entertainment systems), manufacturing, and cloud connectivity for industrial IoT. [4] New regulations [5] have increased demand, and with increased capacity, major technology vendors have lowered the cost of the core technology.

History

The first data diodes were developed by governmental organizations in the 1980s and 1990s. Because these organizations work with confidential information, securing their networks is of the highest priority. Their primary solution was the air gap, but as the volume of data to be transferred increased and continuous, real-time data streams became more important, they had to look for an automated solution.[citation needed]

As organizations sought more standardization, an increasing number looked for a solution that was a better fit for their activities. Commercial solutions from established vendors succeeded on the strength of their security level and long-term support.[citation needed]

In the United States, utilities and oil and gas companies have used data diodes for several years, and regulators have encouraged their use to protect equipment and processes in safety instrumented systems (SISs). The Nuclear Regulatory Commission (NRC) now mandates the use of data diodes, and many sectors beyond electrical and nuclear also use them effectively. [1]

In Europe, regulators and operators of several safety-critical systems started recommending and implementing regulations on the use of unidirectional gateways. [6]

In 2013 the working group on Industrial Control System Cybersecurity, directed by the French Network and Information Security Agency (ANSSI), stated that it is forbidden to use firewalls to connect any class 3 network, such as a railway switching system, to a lower-class network or a corporate network; only unidirectional technology is permitted. [5]

Unidirectional gateway in a cabinet

Applications

Usage

Unidirectional network devices are typically used to guarantee information security or to protect critical digital systems, such as industrial control systems, from cyber attacks. While use of these devices is common in high-security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also used to enforce one-way communication outbound from critical digital systems to untrusted networks connected to the Internet.

The physical nature of a unidirectional network allows data to pass from one side of the connection to the other and never the other way around. The flow can run from the "low side" (untrusted network) to the "high side" (trusted network), or vice versa. In the first case, data on the high-side network is kept confidential while its users retain access to data from the low side. [12] This is attractive when sensitive data is stored on a network that needs connectivity with the Internet: the high side can receive Internet data from the low side, but nothing on the high side is reachable by an Internet-based intruder. In the second case, a safety-critical physical system can be made available for online monitoring while remaining insulated from any Internet-based attack that might seek to cause physical damage. In both cases the connection stays unidirectional even if both the low and the high network are compromised, because the guarantee is physical rather than a matter of configuration. What the diode does not guarantee is the content of what it carries: malicious input can still travel in the permitted direction, so the receiving side must still validate what it accepts.

There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.

One-way flow to less secure systems

This model involves systems that must be secured against remote or external attacks from public networks while publishing information to those networks. For example, an election management system used with electronic voting must make election results available to the public while remaining immune to attack. [13]

This model is applicable to a variety of critical infrastructure protection problems, where protection of the data in a network is less important than reliable control and correct operation of the network. For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that the flow of information be from the secure control system to the public, and not vice versa.

One-way flow to more secure systems

The majority of unidirectional network applications in this category are in defense and among defense contractors. These organizations have traditionally applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network holding classified data and a network with an Internet connection.

In the Bell–LaPadula security model, users of a computer system can only create data at or above their own security level (the "no write-down" or *-property). This applies in contexts where there is a hierarchy of information classifications. If users at each security level share a machine dedicated to that level, and if the machines are connected by data diodes that carry data only upward, the Bell–LaPadula constraints can be rigidly enforced. [14]
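As an added example (not from the page or from either model's original authors): a small topology checker that applies the two deployment models described above to a network diagram. A diode is one directed edge; a firewall is two, since it filters traffic but cannot physically prevent flow in either direction. The node levels, the topologies and the link kinds are constructed assumptions for the example. The check is reachability rather than a per-link rule, because a diode only helps if no other path, including a second diode pointing the other way, exists.

```python
from collections import deque

# Levels are ordinal labels: higher = more sensitive (confidentiality) or more protected (integrity).
# Link kinds: "diode" is a one-way edge enforced in hardware; "firewall" is modelled as two edges.


def _edges(nodes, links):
    edges = {n: set() for n in nodes}
    for src, dst, kind in links:
        if kind not in ("diode", "firewall"):
            raise ValueError(f"unknown link kind {kind!r}")
        edges[src].add(dst)
        if kind == "firewall":           # filtered, but physically bidirectional
            edges[dst].add(src)
    return edges


def _reachable(edges, start):
    """All nodes reachable from `start` over any number of links (excluding start itself)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def check_topology(nodes, links, mode="confidentiality"):
    """Return a list of policy violations; an empty list means the topology satisfies the model.

    confidentiality: the classical model; no path may lead from a higher level to a lower one
                     (the Bell-LaPadula no-write-down / *-property applied to whole networks).
    integrity:       the alternative model; no path may lead from a lower (less trusted) level
                     into a higher (protected) one, so attacks cannot reach the protected system.
    """
    if mode not in ("confidentiality", "integrity"):
        raise ValueError(mode)
    edges = _edges(nodes, links)
    findings = []
    for start in nodes:
        for target in sorted(_reachable(edges, start)):
            if mode == "confidentiality" and nodes[target] < nodes[start]:
                findings.append(f"write-down: {start} (L{nodes[start]}) can reach {target} (L{nodes[target]})")
            elif mode == "integrity" and nodes[target] > nodes[start]:
                findings.append(f"attack path: {start} (L{nodes[start]}) can reach {target} (L{nodes[target]})")
    return findings


# Classical model: a classified LAN may import from the Internet-connected LAN, never export to it.
CLASSIFIED = {"internet_lan": 0, "secret_lan": 2}
GOOD_CLASSIFIED = [("internet_lan", "secret_lan", "diode")]
# A second diode added "for acknowledgements" silently turns the pair into a bidirectional link.
BAD_CLASSIFIED = GOOD_CLASSIFIED + [("secret_lan", "internet_lan", "diode")]

# Alternative model: the plant control network publishes to IT; the DMZ sits on the untrusted side.
PLANT = {"ot": 2, "dmz": 0, "it": 0}
GOOD_PLANT = [("ot", "dmz", "diode"), ("dmz", "it", "firewall")]
BAD_PLANT = [("ot", "dmz", "firewall"), ("dmz", "it", "firewall")]   # a firewall in place of the diode

if __name__ == "__main__":
    for name, nodes, links, mode in [("classified/ok", CLASSIFIED, GOOD_CLASSIFIED, "confidentiality"),
                                     ("classified/bad", CLASSIFIED, BAD_CLASSIFIED, "confidentiality"),
                                     ("plant/ok", PLANT, GOOD_PLANT, "integrity"),
                                     ("plant/bad", PLANT, BAD_PLANT, "integrity")]:
        print(name, check_topology(nodes, links, mode) or "policy holds")
```

The two modes differ only in which direction of level change is forbidden, which is the whole difference between the classical and the alternative model: the hardware is the same, the trust ordering is reversed.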

Benefits

Traditionally, when the IT network provides DMZ server access to an authorized user, the data is exposed to intrusions from the IT network. With a unidirectional gateway separating the critical side (an OT network holding sensitive data) from the open side (the IT network, with business and Internet connectivity), organizations can have both: the connectivity they need and assurance that nothing can come back in. This holds even if the IT network is compromised, because the traffic-flow control is physical in nature. [15]


Variations

The simplest form of a unidirectional network is a modified fiber-optic link, with the transceiver for one direction removed or disconnected and any link-failure protection mechanism (which would otherwise shut the link down when it sees no return signal) disabled. Some commercial products rely on this basic design but add software that gives applications an interface for passing data across the link.[citation needed]

All-optical data diodes can support very high channel capacities and are among the simplest designs. In 2019, Controlled Interfaces demonstrated its (now patented) one-way optical fiber link using 100G commercial off-the-shelf transceivers in a pair of Arista network switch platforms; no specialized driver software is required.

Other, more sophisticated commercial offerings enable simultaneous one-way transfer of multiple protocols that normally require bidirectional links.[citation needed] The German companies INFODAS and GENUA have developed software-based ("logical") data diodes that rely on a microkernel operating system to enforce unidirectional data transfer. Their software architecture lets them offer higher throughput than conventional hardware-based data diodes,[citation needed] but the one-way guarantee then rests on the correctness and evaluation of the microkernel and its configuration rather than on physics.

ST Engineering has developed its own Secure e-Application Gateway, consisting of multiple data diodes and other software components, to enable real-time bidirectional HTTP(S) web-service transactions over the Internet while protecting the secured networks from both malicious injection and data leakage. [16]

In 2018, Siemens Mobility released an industrial-grade unidirectional gateway in which the data diode, the Data Capture Unit, uses electromagnetic induction and a new chip design to achieve a safety assessment by the German Federal Railway Authority (EBA), guaranteeing secure connectivity of new and existing safety-critical systems up to Safety Integrity Level (SIL) 4 [17] to enable secure IoT and provide data analytics and other cloud-hosted digital services. [18]

In 2022, Fend Incorporated released a data diode that can act as a Modbus gateway with full optical isolation. It is aimed at industrial markets and critical infrastructure, bridging legacy technology and newer IT systems. The diode also functions as a Modbus converter, connecting serial RTU systems on one side to Ethernet TCP systems on the other.[citation needed]

The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Network Pump. [19] It is in many ways similar to the Australian Defence Science and Technology Organisation's (DSTO) Starlight work, [10] [11] except that it allows a limited backchannel from the high side to the low side for the transmission of acknowledgments. This lets more protocols be used across the link, but if both the high and the low side are compromised, the timing of those acknowledgments can be artificially delayed to form a covert channel from high to low. [20]
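The acknowledgement timing channel described above, as an added example simulated in Python (this is not NRL's code and not an attack on any real product): malware on the high side encodes bits in how long it waits before acknowledging each message, and a colluding low-side process decodes them from the ack gaps. The smoothing pump is a simplified model of the mitigation, an assumption made for this example rather than the Pump's published algorithm; the delay values and the exfiltrated payload are constructed. Time is simulated, so nothing sleeps.

```python
import random

BASE = 0.005                       # honest high-side service time per message (seconds, simulated)
SHORT, LONG = 0.010, 0.060         # extra delay a compromised high side adds to signal bit 0 / bit 1
THRESHOLD = BASE + (SHORT + LONG) / 2


def to_bits(msg: bytes):
    return [(byte >> i) & 1 for byte in msg for i in range(7, -1, -1)]


def from_bits(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def compromised_high_side(bits):
    """Per-message ack delays chosen by malware on the high side to leak `bits` to the low side."""
    return [BASE + (LONG if b else SHORT) for b in bits]


def passthrough_pump(high_delays, rng):
    """A naive backchannel: each ack reaches the low side exactly when the high side produced it."""
    return list(high_delays)


def smoothing_pump(high_delays, rng, window=8):
    """Simplified model of the Pump's defence (an assumption for this example, not NRL's exact algorithm):
    messages are buffered and the low side is acked at a time drawn from the moving average of recent
    high-side service times plus random noise, so one ack's timing no longer depends on one message."""
    acked, history = [], []
    for d in high_delays:
        history = (history + [d])[-window:]
        avg = sum(history) / len(history)
        acked.append(avg + rng.uniform(0.0, avg))
    return acked


def low_side_decode(ack_delays):
    """Colluding low-side receiver: a long ack gap is read as 1, a short one as 0."""
    return from_bits([1 if d > THRESHOLD else 0 for d in ack_delays])


def leak(message: bytes, pump, seed=1):
    """Run one exfiltration attempt through `pump` and return what the low side recovers."""
    rng = random.Random(seed)
    observed = pump(compromised_high_side(to_bits(message)), rng)
    return low_side_decode(observed)


SECRET = b"key=4f2a"   # constructed payload the high-side malware tries to exfiltrate

if __name__ == "__main__":
    print("passthrough:", leak(SECRET, passthrough_pump))   # recovers the secret exactly
    print("smoothing:  ", leak(SECRET, smoothing_pump))     # garbled: the timing no longer tracks single bits
```

The smoothed schedule does not reduce the channel to zero capacity (a patient sender can still shift the moving average), which is why the NRL authors treat the Pump as a bounded covert channel rather than an eliminated one; what it does remove is the one-ack-per-bit signalling that makes the naive backchannel a high-bandwidth leak.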

Different implementations also carry differing levels of third-party certification and accreditation. A cross-domain guard intended for military use may have, or require, extensive third-party certification and accreditation. [21] A data diode intended for industrial use may need none at all, depending on the application. [22]


References

  1. "Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies" (PDF). United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency. September 2016. Retrieved 15 April 2023.
  2. Scott, Austin (30 June 2015). "Tactical Data Diodes in Industrial Automation and Control Systems". SANS Institute. Retrieved 15 April 2023.
  3. National Institute of Standards and Technology. "Guide to Industrial Control Systems (ICS) Security" (PDF).
  4. "IoT Security".
  5. "ANSSI - Cybersecurity for Industrial Control Systems" (PDF).
  6. "German VDMA Industrie 4.0 Security Guidelines recommends the use of data diodes to protect critical network segments" (PDF).
  7. "Protecting Oil and Gas Pipelines from Cyberattack Using Fend Data Diodes" (PDF). fend.tech.
  8. "Safely Opening the Door to the Cloud for Critical Manufacturing Facilities" (PDF). fend.tech.
  9. "Real-time Monitoring".
  10. Australian Government Information Management Office (2003). Securing systems with Starlight. Department of Finance and Administration. Viewed 14 April 2011; archived 6 April 2011 at the Wayback Machine.
  11. Wordsworth, C. (1998). Media Release: Minister Awards Pioneer In Computer Security. Viewed 14 April 2011; archived 27 March 2011 at the Wayback Machine.
  12. Slay, J. & Turnbull, B. (2004). "The Uses and Limitations of Unidirectional Network Bridges in a Secure Electronic Commerce Environment". Paper presented at the INC 2004 Conference, Plymouth, UK, 6–9 July 2004.
  13. Jones, Douglas W. & Bowersox, Tom C. (2006). "Secure Data Export and Auditing Using Data Diodes". Proceedings of the 2006 USENIX/ACCURATE Electronic Voting Technology Workshop, Vancouver, 1 August 2006.
  14. Nilsen, Curt A. (30 December 1997). Method for Transferring Data from an Unsecured Computer to a Secured Computer. U.S. Patent 5,703,562.
  15. "Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies" (PDF). United States Department of Homeland Security.
  16. "ST Engineering Data Diode in Industries" (PDF).
  17. "New Siemens data diode now available: secure monitoring of your networks - Rail stories - Global". Siemens. Retrieved 15 April 2023.
  18. "InnoTrans 2018 highlights".
  19. "Archived copy" (PDF). Archived from the original (PDF) on 11 November 2020. Retrieved 11 February 2015.
  20. Kang, M. H., Moskowitz, I. S. & Chincheck, S. (2005). "The Pump: A Decade of Covert Fun".
  21. "Cross-Domain Solutions". Lockheed Martin. Archived from the original on 7 March 2019. Retrieved 6 March 2019.
  22. "Data Diodes". MicroArx. Retrieved 6 March 2019.