Technology is evolving at such an enormous pace in this era that it often becomes challenging to balance the innovation with security, especially within Operational Technology (OT) environments. In managing risk for such organizations, we face the dual challenge of ensuring that selected security controls do not hinder the adoption of advanced and innovative technological solutions necessary for competitive business relevance.
Simultaneously, it's crucial to ensure that these innovative solutions do not inadvertently compromise OT operations in previously unforeseen ways, potentially impacting the health, safety, and environment (HSE) posture of the organization. Furthermore, in navigating this balance between innovation and security, we must ensure that cybersecurity measures are cost-effective and that investments in this area do not disproportionately consume budgets meant for enhancing productivity and innovation.
This delicate equilibrium demands a strategic approach where emerging challenges are addressed without losing sight of the core objectives of cybersecurity within OT operations.
In this article, we'll discuss a powerful cybersecurity control—the Data Diode—that aligns well with the fundamental cybersecurity objectives in most typical OT environments and allows us to remain both innovative and secure simultaneously, with a high degree of confidence and without significantly impacting the budget.
A Data Diode and its Guarantees
A Data Diode—also known as a unidirectional gateway—deterministic one-way boundary device, or unidirectional network, is a network appliance or device designed to allow data to travel strictly in one direction. This capability is enforced through hardware limitations, distinguishing it from other network security devices like firewalls. Unlike firewalls, data diodes are incapable of being reprogrammed to allow bidirectional data flow due to these inherent hardware constraints.
By definition, a data diode establishes firm network segmentation, delineating one network side as the 'sending' side and the other as the 'receiving' side. This one-way data flow ensures the Confidentiality of the receiving side’s data, as the sending side cannot access or retrieve it. Simultaneously, it guarantees the integrity and availability of the sending side’s data, as the receiving side is incapable of interfering with or manipulating it.
These hardware-based guarantees, rooted in physical principles, are what make the data diode a highly promising solution in cybersecurity.
Securing the OT-IT Interface: A Time-Tested Approach for Future Challenges
Predicting the technological landscape's future trajectory is always challenging. However, a retrospective look over the past decades reveals a consistent theme: while technology and its application have evolved dramatically, the core concerns of cybersecurity have remained remarkably stable.
Dating back to 1977, NIST, the U.S. National Institute of Standards and Technology (then the National Bureau of Standards) defined computer security in its Special Publication 500-19 as, “The protection of system data and resources from accidental and deliberate threats to confidentiality, integrity, and availability”.
Fast forward to the end of 2023, and these principles, encapsulated in the "Confidentiality, Integrity, and Availability" (CIA) triad, remain central in leading IT cybersecurity standards like ISO 27001:2022, NIST Cybersecurity Framework 1.1 and 2.0 (draft), and NIST SP 800-37 Rev. 2 (Risk Management Framework). Typically, the emphasis in IT environments leans towards confidentiality, while Integrity and Availability following it in order.
The operational technology (OT) sphere, while distinct, shares these cybersecurity concerns, albeit with a different priority order. As we deal with physical processes here rather than just data and information, and those processes tend to crucial to everyday life, the paramount importance is to be placed on safety, reliability, efficiency and adherence to "Health, Safety, and Environment" (HSE) standards.
Despite significant technological advancements—from manual to analog, then digital, and now towards data/AI-driven and cloud-oriented solutions—these core OT concerns remain unchanged. As these process have become dependent on digital systems, the CIA triad becomes relevant to fulfill the same safety and reliability requirements. However, order of priority within CIA pillars is often different compared to the IT sphere. As argued in ISA-62443-1-1-2007 for example, Availability and Integrity are often prioritized over the Confidentiality.
OT systems typically possess relatively raw and less confidential, yet invaluable data that, when analyzed, can unveil operational inefficiencies and significantly boost uptime through meaningful predictive and condition-based maintenance strategies. This necessitates a secure method to transfer OT data beyond its traditional confines for analysis and optimization, without compromising the system's integrity. This is among the compelling reasons for IT/OT Convergence activities.
Herein lies the strategic role of data diodes. They provide a secure conduit for transferring critical, yet less confidential, OT data to IT systems, or between varying security level zones within the OT environment.
By employing data diodes like this, we achieve risk avoidance with respect to Integrity and Availability of OT data, the most secure treatment of any security risk. Data diodes give us a confidence that is derived from the laws of physics—that our operations are protected from external manipulations by means of digital connectivity.
Yet this security risk avoidance does not cost the organization most of the benefits of IT/OT Integration. They still can harness the OT data and employ technologies like big data analytics to see, analyze and understand their physical operations and enhance their business’s competitiveness.
An implementation of data diode may be as simple as described in the Australian Defense Science and Technology Organization’s 1999 Technical Report (DSTO TR-0785) titled, “An Implementation of an Optical Data Diode." This report, released to public, uses commercial off-the-shelf ethernet switches and fiber optic transceivers having separate transmit and receive lines. In addition, it assumes availability of host computers on both sides to handle data. This simple arrangement requires two assurances to achieve physical guarantees required from the data diode:
- No fiber optic from transmit port of receiving side to receive port on sending side of data diode (that is—fiber optic is used only in transmit direction)
- Sending transmitter being only capable to transmit the optical signals, not capable to receive
If we can verify fulfillment of these two requirements, we have all the hardware setup giving us guarantees we need from the data diode. However, data diode does not have to be such a home-grown solution. Depending on available resources and requirements, dedicated data diode devices may be deployed where needed. As of this writing, Common Criteria EAL 7+ certified (highest CC assurance level) solutions as well as 62443-4-2 SL3 compliant data diodes are available in the market.
In addition to hardware, well established market players offer software solutions that handle certificate management, data integrity, forward error correction (FEC), secure communication via TLS among other features.
Protocol Break and Rebuilding
Most of today’s network applications work on top of protocols like TCP and others, that rely on receiving side sending some replies or acknowledgements (ACKs) back to the sender, even when the data payload is desired to be transferred strictly in one direction. Due to physically enforced one way traffic limitation, data diodes result in breaking all these protocols, as even the traffic like ACKs can’t reach back.
In one way, it is an advantage in that it denies a large proportion of attacks that takes place through the protocol’s meta data. In the other way, it brings challenges, as we have to strive for alternative ways to get what these protocols offer us, like a reliable transfer of data in case of TCP. Protocols like UDP allow for “pushing” unidirectional data without acknowledgement from receiver but they lack the capabilities for error detection and data replication in case of errors.
To build back the desired level of reliability even in the absence of TCP, we have “Forward Error Correction” techniques available where the sender encodes the message in a redundant way, most often by using an error correction code (ECC). The redundancy allows the receiver not only to detect errors that may occur anywhere in the message, but often to correct a certain degree of errors.
As mentioned, techniques are also available to enable secure communication via TLS. Utilizing such techniques typically requires using dedicated proxies on both ends of the data diode. The sending side proxy collects data from its network using any of the desired protocols, prepares it to be pushed over one way link and passes it to the data diode.
The receiving side proxy rebuilds data received from data diode and presents it to the network as desired using the established bidirectional protocols. The software running on these proxies can make the data diode completely invisible to the applications running on either side of the boundary.
By their very nature, data diodes cannot protect confidentiality of OT data. However, this concern can usually be addressed well, as the OT systems, situated on-premises, or at the edge in cloud configurations, aren't usually connected to the public internet directly.
Whether the architecture being deployed resembles the Purdue Model, ISA 62443 Zone and Conduit model or the IIoT Consortium Reference Architecture (IIRA), the OT systems are typically hidden behind the enterprise systems that lie between the OT and the outside world.
Assuming the enterprise systems, residing on-premises or in the cloud, adequately protect data confidentiality—often a given, considering the generally higher confidentiality of enterprise data compared to raw OT data—the confidentiality of OT data is well addressed by the enterprise.
Another limitation is that the data diodes inhibit remotely controlling the OT operations. For most of the critical operations, this is usually not a big concern, as the physical nature of the operations often requires presence of staff on premises who can perform the manual interventions required to control the operations without the need for a completely remote control.
However, should such a remote control be required, alternate strategy would be required to circumvent this limitation of data diode. This could be addition of a data diode for traffic in-bound towards OT, with significantly stricter controls in-place. Such a connection may also be utilized for delivering patches and updates to OT side when needed.
There could even be two data diodes in series with a DMZ in-between for this OT bound traffic. Such a DMZ would play the role similar to the access control vestibules used in physical security. Depending on the need, this reverse path may often be kept disabled as a carefully crafted policy to reduce the attack surface, while the OT to IT traffic may keep moving in real-time without any such hurdles.
It also needs to be kept in mind that, like all the technical security controls, data diodes cannot guarantee security in the absence of a holistic cybersecurity program. If physical security allows attacker to physically reach the OT equipment, or the policies or their enforcement is loose enough to allow an employee to establish side channels deliberately or unknowingly, even the strong controls like air gaps or data diode cannot prevent the attacks.
Furthermore, attacks utilizing vectors other than digital connectivity are completely beyond the scope of data diodes. A comprehensive risk management approach is always the only way forward, in which the data diode may enjoy a well-respected position as a layer of defense, for present and the future.
Compliance with Standards and Regulations
Data didoes / unidirectional gateways receive a well-respected treatment in OT cybersecurity standards and regulations, especially those related to critical infrastructure. Under System Requirement SR5.1 (Network segmentation) of ISA 62443-3-3-2013 for example, achieving Security Level SL4 requires Logical and physical isolation of critical networks.
This physical requirement cannot be achieved with the firewalls and DMZs, while data diodes enable achieving this highest security level without compromising organization’s productivity. NIST SP 800-82r3 also mentions them under OT-Specific Recommendations for Network Architecture.
US Nuclear Regulatory Commission’s RG 5.71 requires licensees to allow only one-way data flow from the highest security level systems to lower security level systems and implementing this one-way control in hardware. Similar regulatory and compliance requirements can be seen in most of the standards and regulations dealing with OT systems in critical infrastructure.
Opportunities for manufacturers, system integrators and asset owners
While data diodes offer unparalleled security and facilitate the innovative use of data, their adoption is not as widespread as other security solutions such as firewalls. This presents a unique opportunity for OT asset owners, who can leverage the strengths of data diodes to reduce their Operating Expenditure (OPEX), enhance security, and safely enjoy most of the benefits of IT/OT Integration.
Furthermore, for manufacturers and system integrators, there is a significant market potential in creating data diode solutions that are not only easy to deploy but also cost-effective in terms of Capital Expenditure (CAPEX). These solutions can cater to a broad range of end-users, making advanced security accessible and manageable for a diverse array of organizations.
In the face of an ever-changing cybersecurity threat landscape, data diodes stand out as reliable solutions to protect the OT perimeter and zone boundaries against future uncertainties. They robustly uphold the fundamental security objectives at a low operational cost while they don’t inhibit the organizations from effectively utilizing the OT data for enhancing the business competitiveness.
This makes data diodes a crucial consideration for cybersecurity risk management for organizations running OT operations, even if it is not mandated by compliance requirements. Simultaneously, it is crucial for manufacturers and system integrators to focus on reducing both the cost and complexity of data diode installations.
Such efforts are vital for their wider adoption, ensuring they are feasible and beneficial for organizations of all sizes in their cybersecurity risk management strategies.