Deployment of a Data Diode for ICS Cyber Defense
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Introduction
ICS Cyber Defense - Industrial Control Systems (ICS), controlling utility operations, manufacturing and high-risk chemical and nuclear processes are now integrated with Industrial Internet of Things (IIoT) devices. This extended architecture enhances the productivity and process control capability, but also increases the cyber-attack surface and the risk of outages and damages.
To assure an adequate level of cyber security, the ICS architecture must be holistically protected with effective measures to prevent both internally and externally generated attack and supply chain related attacks.
ICS cyber security experts know well that all software-based defense appliances such as Firewalls, Demilitarized Zone (DMZ), White-listing, Intrusion detection systems (IDS), etc., can be compromised by attackers who are activated by hostile countries and crime organizations. Therefore, to protect critical facilities, one may consider the use of unidirectional data transfer appliance known as Data diode, which is capable of improved cyber defense.
The solution described below is not aimed as an alternative to industry regulations and standards such as NERC-CIP, NIST-80-92, NIST Framework 1.1 and the ISA-IEC 62443, but rather enhances the cyber-defense for ICS.
Prior to considering this option, the reader must understand the operating principles of the data diode and evaluate “if and where” it can be deployed. This paper explains the basic principles and does not promote any specific product or vendor.
Introduction to Data Diodes
The data diode is a hardware based cyber security appliance. Although the complete data diode uses computers and software, it has a unidirectional section, which allows the data flow only in a single direction. In the heart of the data diode appliance is a single fiber link, which is connected on one side to an optical transmitter and on the other side to an optical receiver. Consequently, the data may flow from the transmitter side to the other side, where the optical receiver resides. The illustration below shows the principal architecture of the data diode, interconnecting between the IT and the ICS Zones.
Where the Data Diode fits
Obviously, you may deploy the data diode among zones, where you expect single direction data flow, and the data diode is configured to operate with specific ICS and other protocols (Modbus, OPC, Syslog, etc.) such as defined by the organization. For example, if your ICS must deliver real time reports to the IT group on the production rate, availability of raw material, operating hours of machinery, information on faulty conditions, etc., these processes do not require data flow from the IT zone to the ICS zone. On rare occasions, perhaps less than 1% of the time, when you may need to send new a production recipe from the IT to the ICS zone, it is possible to deploy a reversible diode which allows changing the data flow direction.
However, under no circumstances may data flow in both direction at the same time. While that rotation option makes the data diode slightly less perfect, the fact it is stays in the reverse mode just for a fraction of the time, makes it significantly more secure than using a bidirectional software-based security appliance.
Is the diode communication reliable?
This is a valid question, in light of the fact that TCP based communication is always bi-directional. The data diode appliance is built with reliable components and its design must include built in arrangements that monitor the data traffic using digital error monitoring measures. If, due to any failure occasion, such as faulty optical device, damaged fiber link, faulty computer or power outage, the transferred data is not accurate, the computer network on the IT side must be alerted on that situation. Upon such incident, the operator must dispatch a service person who shall repair the appliance or replace it with a spare unit. During the down time, the data will not be sent from the ICS to the IT zone, and upon restarting the normal operation, the service process shall resolve that gap either through manual or automatic data transfer.
Is the ICS safe during a cyber-attack?
Obviously, the data diode does not protect the ICS operation against internally generated or a supply chain-initiated attack, which may be initiated by a serviceman connecting his infected computer or a USB device directly to the ICS network. Furthermore, the data diode is not protecting the IT operation, and for that purpose other defense measures must be deployed.
However, if the IT zone is under cyber-attack, such as encryption or erasing the entire database, the ICS zone will remain completely safe, secure and continue operating because the attack was blocked by the data diode. After completion of the recovery and restarting the normal IT network operation, the next step will be copying the entire database (manually or automatically) to the IT network and restoring the cyber secured data flow from the ICS to the IT zone.
Can a diode operate in a bidirectional mode?
The simple answer to this question is obviously “No”. However, if that requirement becomes a mandatory request, it can be implemented by using a pair of data diodes, communicating with two separate IT networks, which are isolated each from other. Similarly, to the normal process described above, one data diode will export the data from the ICS network to the corporate IT network and the other data diode will be configured operating in an opposite direction and allow the importing of data from another IT zone to the ICS. See figure below for a simplified illustration of that architecture. Each of the two diodes will be configured to operate with specific protocols, such as defined by the ICS and each of the two IT architectures.
Summary of Conclusions
ICS Cyber Defense - Cyber security managers should be prepared for deploying modern and well-adapted cyber defense measures, that will ensure the operating safety, reliability and business continuity for the organization. Use of a data diode creates a very strong cyber defense for the industrial operation. Furthermore, because the data diode has a simple and stable computerized process, it does not require frequent updates such as required for Firewalls. Managers must allocate the needed budget and resources for technology updates and cyber defense training for employees to be always one step ahead of the cyber attackers.
Daniel Ehrenreich, BSc. is a consultant and lecturer acting at Secure Communications and Control Experts, periodically teaches in colleges and present at industry conferences topics on integration of cyber defense with ICS; Daniel has over 29 years of engineering experience with ICS/OT for: Electricity, water, oil and gas and power plants as part of his activities at Tadiran Electronics, Motorola Solutions, Siemens and Waterfall Security.
Follow Us
Deployment of a Data Diode for ICS Cyber Defense
