Implementation of data diodes can boost cybersecurity architecture at critical infrastructure installations


As large industrial companies continue to face cybersecurity challenges across their distributed, decentralized governance structures and large operational technology (OT) environments, there is a growing number of situations in which data diodes can be deployed to enforce one-way data flow. These hardware devices physically and electrically separate the source and destination networks, allowing closed, one-way data transfer between them. This preserves network integrity for industrial network monitoring without exposing internal networks to growing external risks.

Adoption of data diodes is being driven by an increasing number of cyber-attacks on oil and gas and manufacturing environments amid the COVID-19 pandemic. Furthermore, the rise of digital transformation across industrial verticals is also leading to increased reliance on data diode technology to bolster the cybersecurity stance in these infrastructures. However, associated high costs and budget constraints among businesses impede the growth of the data diode market. 

In one of its insights, First Analysis wrote that it did not foresee a major inflection point for data diode demand in the near term, but did predict an eventual tipping point where cost reductions, expanded protocol support, and creative solutions to management challenges aggregate to substantially eliminate the tradeoffs for a much broader range of applications and make data diodes a compelling choice.

Industrial Cyber contacted experts in the data diodes space to provide our readers with their views on the benefits of deploying data diodes/unidirectional gateways across the critical infrastructure sector. The shift has been necessitated by the current threat landscape battered by rising ransomware attacks, hardware vulnerabilities, supply chain breaches, and a delicate geopolitical scenario.

“Unidirectional Security Gateways are one of the few proven methods to prevent cyber incidents from propagating into protected network segments, and IF protected networks are compromised, they act as a fail-safe to prevent malicious actors from communicating from inside the network to their command-and-control servers (C&C),” Sal Morlando, senior director of products at OPSWAT, told Industrial Cyber. 

Sal Morlando is the Senior Director of Products at OPSWAT

With the escalating threats against critical infrastructure organizations, unidirectional security gateways are thus a critical component to improve the security posture of the organizations and ensure that their most sensitive assets and networks remain operational, Morlando said. “Unidirectional gateways also enable organizations to continue normal operations by allowing real-time access to operational data without compromising security. They can also help organizations cope with the increasing compliance requirements that followed major security incidents against critical infrastructure, including regulations such as NERC CIP, NRC 5.71, CFATS, and others,” he added.

Andrew Ginter, VP Industrial Security at Waterfall Security Solutions

“Data diodes are a government/military technology for protecting confidentiality. They are hardware-intensive with limited software support and are not widely used in industrial settings,” Andrew Ginter, vice president for industrial security at Waterfall Security Solutions, told Industrial Cyber. “The NIST 800-82 standard defines unidirectional gateways as hardware that is able to send information in only one direction – similar to data diode hardware – with software that replicates servers and emulates devices,” he added.
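The arrangement Ginter describes, one-way hardware plus software that replicates a server on the far side, is simulated below. This is an added illustration, not code from the article or from any vendor's product; the link model, JSON frame layout, tag names and values are all constructed for the example. It shows the defining constraint of the design: the receiving replica can never ask for a retransmission, so the transmitter repeats frames and the replica must detect and log any gap it cannot fill, while anything offered in the IT-to-OT direction is simply dropped.

```python
import json
from dataclasses import dataclass, field

@dataclass
class OneWayLink:
    """Stand-in for the diode hardware: frames flow OT -> IT only."""
    forward: list = field(default_factory=list)
    blocked_reverse: int = 0
    def send_ot_to_it(self, frame: bytes) -> None:
        self.forward.append(frame)
    def send_it_to_ot(self, frame: bytes) -> None:
        self.blocked_reverse += 1  # no return path exists; the frame is dropped

class Transmitter:
    """OT side: emits numbered frames, each repeated since no resend can be requested."""
    def __init__(self, link: OneWayLink, repeat: int = 2):
        self.link, self.repeat, self.seq = link, repeat, 0
    def publish(self, tag: str, value: float) -> None:
        frame = json.dumps({"seq": self.seq, "tag": tag, "value": value}).encode()
        for _ in range(self.repeat):
            self.link.send_ot_to_it(frame)
        self.seq += 1

class Replica:
    """IT-side replica server: rebuilds tag state, drops duplicates, logs gaps."""
    def __init__(self):
        self.state, self.next_seq, self.gaps = {}, 0, []
    def ingest(self, frame: bytes) -> None:
        msg = json.loads(frame)
        if msg["seq"] < self.next_seq:
            return  # repeat of a frame already applied
        if msg["seq"] > self.next_seq:
            self.gaps.append((self.next_seq, msg["seq"] - 1))  # loss cannot be recovered
        self.state[msg["tag"]] = msg["value"]
        self.next_seq = msg["seq"] + 1

def run_demo(drop_indexes=()) -> tuple:
    """Constructed scenario: three tag updates cross the link, an IT-side write
    attempt is discarded, and drop_indexes simulates frames lost on the link."""
    link, replica = OneWayLink(), Replica()
    tx = Transmitter(link)
    for tag, value in [("pump1.flow", 12.5), ("pump1.pressure", 3.1), ("tank2.level", 71.0)]:
        tx.publish(tag, value)
    link.send_it_to_ot(b'{"write": "pump1.setpoint"}')  # never reaches the OT side
    for i, frame in enumerate(link.forward):
        if i not in drop_indexes:
            replica.ingest(frame)
    return replica.state, replica.gaps, link.blocked_reverse
```

Dropping one copy of a frame (`run_demo(drop_indexes={2})`) costs nothing, while losing both copies (`run_demo(drop_indexes={2, 3})`) leaves a logged gap in the replica that an operator has to notice, since the link itself can never report it back.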

Unidirectional gateways are used routinely in industrial settings to prevent cyber-sabotage of industrial infrastructures, according to Ginter. “Wider use of the technology would make the world a safer place – literally. When used as recommended, the gateways prevent Internet-based and IT-based threat actors from reaching through firewalls and compromising safety systems, protection systems, and industrial control systems,” he added.

E. Christian Hager, vice president of business development at Fend Incorporated, has seen a big push toward affordable one-way communication (data) diodes since the Colonial Pipeline breach. He has also seen a significant interest uptick in one-way communication diode technology from across verticals, where the diodes push data one-way via built-in LTE connections.

E. Christian Hager, VP of business development at Fend Incorporated

“A broader adoption of data diodes in the cybersecurity fabric of critical infrastructure could certainly reduce the threat vectors and force many attackers to seek easier targets,” Hager told Industrial Cyber. “This is naturally assuming that every critical infrastructure operator performs an OT network assessment to determine what assets are on their network, where the remote access points are, and what other vulnerabilities they might be exposed to.”

“That said, the network segmentation of OT & IT networks or the hardening of OT networks is essential to prohibit penetration of & lateral movement within an organization,” according to Hager. “Data diodes provide that physical security through physical optical isolation to ensure the operational readiness of the nation’s critical infrastructure as a whole. They can also help prevent the worst-case scenario, and provide for the security, safety, and health of employees and the general public,” he added.

Asked whether the adoption of data diodes/unidirectional gateways by asset owners and operators in the critical infrastructure sector increased in the last couple of months, Morlando said that OPSWAT is seeing an increase in interest in its solution, “and the interest is coming from several critical infrastructure verticals such as electrical power transmission and distribution, water & wastewater treatment facilities, and manufacturing facilities, as well as from more traditional IT environments such as data centers that want to deploy our security gateways to isolate and protect their data centers.”

“It was reported that security attacks increased 31% from 2020 to 2021; the double-digit year-over-year increase in cyberattacks has played a role in the increased demand we’re seeing for cybersecurity solutions with low recurring operational costs,” OPSWAT’s Morlando said. Organizations are also looking for solutions that are highly reliable and cannot cause disruption to ICS operations. More recently, tensions in Ukraine have caused an increase in cyberattacks, particularly against critical infrastructure, which is furthering interest in unidirectional gateways, he added.

“One might imagine that the warnings by various governments about the potential of critical infrastructure attacks coupled with the invasion of Ukraine would lead to increased deployment of unidirectional gateways, but we have seen little of this,” Ginter said. “What we have seen is a higher than usual increase in unidirectional deployments starting about 15-18 months ago. I attribute the increase to increased awareness of ransomware threats,” he highlighted.

“The number of ransomware incidents with physical consequences doubled in 2020 over the previous year, doubled again in 2021, and is on track to double again this year,” according to Waterfall’s Ginter. “Yes, Ukraine is a factor in industrial security decision-making and so is the Colonial Pipeline incident, but the main driver seems to be these ransomware outages,” he added.

“We see a strong growth trend toward physically securing critical infrastructure in the past six months, a trend that we see as reactionary,” Hager said. “The recommendations by DHS-CISA to mitigate cyber threats with one-way communication (data) diodes as stated in multiple industry advisories and the ‘Shields Up‘ warning have driven awareness for one-way communication diodes as a whole, especially toward the more affordable offerings,” he added.

Hager also indicated that there is a new acceptance in industry and other organizations to allow raw operational data (Modbus or BACnet streams from critical assets, PLCs, or sensors, for example) to go directly to the cloud, so that analytics providers using APIs can generate reports and maintenance schedules based on real-time data and alerts.

Asked how feasible it is for asset owners and operators in the critical infrastructure sector to quickly re-calibrate cyber defenses using data diodes/unidirectional gateways, and how long it takes them to assess the difference these hardware devices make, OPSWAT’s Morlando said that “unidirectional gateways are considered a best practice to secure the network boundary between OT and IT assets, forming a security perimeter around critical OT assets.”

“While highly secure, traditional optical-based data diodes are notoriously challenging to set up, and they oftentimes have reliability issues,” according to Morlando. “Unidirectional Security Gateways are the modern evolution of data diodes, maintaining security advantages while affording reliable operations and straightforward configurations,” he added. 

“The replication of OT data to the IT network enables secure monitoring of the OT infrastructure, as well as transfer files such as software updates from the IT network to the OT domain – helping to secure the supply chain and reduce threats introduced using portable media,” Morlando said. 

“It also ensures greater business and operational integrity compared to other solutions on the market, making it easier for critical infrastructure organizations to quickly re-calibrate their cyber defenses,” according to Morlando. “With this, the benefits of deploying unidirectional security gateways can be realized more quickly than data diodes between the easy installation and configuration and immediate reduction in operational overhead and compliance reporting associated with firewalls and data diodes,” he added.

Ginter said installing the products is really quite painless. “Assessing results for really effective cybersecurity is always a little tricky though: how do you measure lack of intrusions? What is easier to observe post-installation is that the cybersecurity process for industrial operations becomes less emergency-driven and more deliberate,” he added.

With unidirectional gateway hardware blocking all online attacks from IT and Internet networks, there is no need to be searching for the latest indicators of compromise the second they are available, Ginter highlighted. With these devices, “there is less need to be intensely scrutinizing every tiny deviation in the behavior of industrial networks and systems from our NOCs and SOCs – because the most pressing attacks are simply off the table,” he added. 

With unidirectional gateways installed, engineering cybersecurity programs can focus on those measured and deliberate remediations that may still be needed to address those residual risks that remain, Ginter added.

Some of the data diodes are primarily ‘plug & play’ devices, “allowing the operator’s technical teams to quickly install these units themselves and become protected ‘instantly,’” according to Hager. “Data diodes not only protect nefarious code from being installed/ activated in the OT network, but they also prevent the unauthorized exfiltration of data from the network as the data diode only communicates with a designated IP address.”

“The crucial difference between the data diode, a truly one-way communication device, and the ‘typical’ OT network security (including SCADA systems) is the remote access which, as we know, is very convenient but not always secure and often a critical vulnerability,” Hager observed. “Once an organization believes it only needs to let actionable operational data & alerts out and no control commands in, the data diode is a logical next step. There are many touch points in these networks where technicians are on-site during the day or on-call within minutes, negating the need to remotely manipulate settings,” he added.

Gauging if any new use cases will emerge for data diodes/unidirectional gateways that would equip critical infrastructure operators to better deal with the rising threat level, Morlando said that unidirectional security gateways will enhance supply chain security through vulnerability detection and country of origin validation, and solution providers can offer a high-security file transfer platform supporting the transferring of software updates and other critical files into the OT domain. 

“We can expect to see unidirectional gateways used to further segment the OT network as a way to stop the propagation of threats and security transfer OT networks, as well as securely transfer OT data from remote assets to cloud-based resources such as data historians,” Morlando added.

Ginter said that the most important use case is unchanged – monitoring industrial operations without risk by using a single unidirectional gateway that is oriented from the industrial network out to the world.

“The real new use I’m seeing is unidirectional gateways protecting the protection equipment,” Ginter said. “Transmission system operators in the power grid need to monitor and control their high voltage substations remotely, but generally, only monitor their protective relays. We are seeing transmission systems organize their protective relays into small, separate networks in each substation and deploy a unidirectional gateway between the relay and the main substation networks,” he added.

Addressing the intensifying cybersecurity threat, “unidirectional gateways are a powerful tool to defeat any attack coming from the Internet, be it today’s nation-state attacks, or today’s ransomware groups with yesterday’s nation-state attacks,” Ginter added.

“While there is movement in the segmentation of OT from the IT or enterprise networks, it is imperative that going forward, the critical infrastructure operations are not impacted in ways that Colonial, CNA, Nordex, Deutsche Windtechnik, John Deere, AGCO, the Great Ethiopian Renaissance Dam, Oldsmar, and others have been,” Hager said. 

Flagging that security in energy and grid operations has always been an issue, Hager said that “as we shift increasingly to renewables, with smaller, more numerous remote sites, the SCADA systems are coming under attack. This is evident in wind turbines, solar installations, and hydroelectric facilities. This is where lower-cost data diodes that can serve remote locations can play a positive role in protecting such installations with no negative impact to the business case,” he added.

“Health care facilities and medical device manufacturers continue to be well behind other critical infrastructure sectors, especially with the constant introduction of new IoT devices aimed at making the patient’s care easier,” he added.

Hager also advocated the protection and hardening of the legal industry’s (law firms, court systems, large insurers that support them, etc) databases, and securing research facilities, whose proprietary databases need to be protected. “Key information or files that need to be shared can be exfiltrated from secure enclaves via data diodes to shared secure servers, rather than granting remote access to the protected network and unfiltered client information,” he concluded.
