Critical infrastructure company Garland Technology said its Data Diode TAPs (test access points) allow raw data to travel in only one direction, to help improve network integrity and reduce air gaps. Data Diode TAPs can be used as a traffic enforcer, guaranteeing information security and the protection of critical digital systems, such as industrial control systems, from inbound cyber attacks.
The unidirectional, or one-way, data flow of a data diode is designed to secure OT (operational technology) networks from external threats: it eliminates inbound data flow and outside threats to OT network segments while still providing the out-of-band data flow needed for monitoring. The devices deliver network integrity for industrial network monitoring without exposing the network to additional risk from remote attacks, DDoS attacks, malware or ransomware originating on external networks.
The purpose-built Data Diode TAP hardware sits inline on a network segment between two appliances, such as a network switch and a firewall, that carry the critical link. The Data Diode TAP sends a unidirectional copy of that traffic to the out-of-band monitoring destination, while the link between the two appliances is unaffected. There is no physical connection between the Data Diode monitoring ports and the network ports, eliminating any possible intrusion from the monitoring destination.
The hardware devices enforce one-way data flow from a network segment to a monitoring destination with physical hardware separation, guaranteeing protection of critical digital systems, such as industrial control systems (ICS), from inbound cyber threats.
Because these Data Diode TAPs physically cannot send traffic back onto the network, they provide “no injection” TAP visibility for 10/100/1000M networks: no Ethernet packet can physically be sent from the monitoring side to the live network TAP ports or SPAN ports. The TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.
The devices also create unidirectional monitoring solutions that capture every bit, byte, and packet, while ensuring that the copied packets don’t go back in and disrupt the industrial network, in a package that is purpose-built and unhackable.
Data Diode TAPs deliver a more secure option for network visibility than SPAN ports on a network switch, which engineers often connect directly to intrusion detection systems (IDS) or, across segment boundaries, to monitoring tools. Not only can SPAN ports drop packets, hiding security vulnerabilities, but a SPAN port is bidirectional, which allows traffic to flow back into the network and leaves the switch susceptible to hacking.
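The one-way property described above is enforced in the TAP hardware, but the monitoring host on the receiving end should still be configured and checked so that it has nothing to transmit toward the diode. The following is an added example, not Garland Technology's code: a POSIX shell script for a Linux monitoring host that strips the capture NIC of any reason to talk (no IP address, no ARP, no IPv6 autoconfiguration), keeps it in promiscuous mode so every copied frame is retained, and then watches the kernel's transmitted-frame counter to confirm the leg stays silent. It assumes Linux sysfs counters under /sys/class/net (overridable through SYSFS_NET), the iproute2 ip and sysctl tools, and an interface name supplied by the caller in CAPTURE_IF; all of these are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example, not Garland Technology code: verify on a Linux monitoring host
# that the capture NIC attached to a Data Diode TAP monitor port is receive-only.
# Assumed: Linux sysfs counters under $SYSFS_NET (default /sys/class/net) and
# the iproute2 "ip" and "sysctl" tools; the interface name is supplied by the caller.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Read the kernel's count of frames this interface has transmitted.
tx_packets() {
    cat "$SYSFS_NET/$1/statistics/tx_packets"
}

# Give the host nothing to say on the capture leg: no IP address, no ARP,
# no IPv6 autoconfiguration, and promiscuous mode so every copied frame is kept.
harden_capture_iface() {
    ip addr flush dev "$1"
    ip link set dev "$1" arp off promisc on up
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1" >/dev/null
}

# Compare two counter readings: 0 if nothing left the interface, 1 otherwise.
tx_unchanged() {
    [ "$2" -eq "$1" ]
}

# Watch the counter for $2 seconds. A moving tx_packets means something on
# the host is pushing frames toward the diode's monitor port, which should
# never happen on a one-way leg.
check_no_transmit() {
    before=$(tx_packets "$1")
    sleep "$2"
    after=$(tx_packets "$1")
    if tx_unchanged "$before" "$after"; then
        echo "OK: $1 transmitted nothing in $2 s"
        return 0
    fi
    echo "WARN: $1 transmitted $((after - before)) frame(s); monitor leg is not one-way" >&2
    return 1
}

# Usage: only runs when CAPTURE_IF is set, e.g. CAPTURE_IF=eth1 sh diode_check.sh
# (diode_check.sh is a hypothetical filename for this script).
if [ -n "${CAPTURE_IF:-}" ]; then
    harden_capture_iface "$CAPTURE_IF"
    check_no_transmit "$CAPTURE_IF" 10
fi
```

Run it as root with CAPTURE_IF set to the interface cabled to the diode's monitor port; a non-zero exit, with the WARN line, means the host sent frames on a leg that should only ever receive. This is a host-side sanity check that complements the hardware separation; it does not replace it, and the hardening step should be re-applied by whatever network configuration tool owns the interface so it survives reboots.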
“Data Diode TAPs are designed to provide OT/IT security monitoring solutions ‘every bit, byte, and packet,’ to ensure the network is properly analyzed and protected without introducing additional vulnerabilities from incoming traffic in the process,” wrote Jerry Dillard, Garland’s CTO and co-founder, in a company blog post. “Thereby, enabling modern ICS security strategies to incorporate them alongside their network TAP and packet broker visibility fabrics.”
Purpose-built for industrial, manufacturing, utility and military environments, data diodes are found in high-security settings, where they serve as connections between two or more networks of differing security classifications. The technology is used at the industrial control level at facilities such as nuclear power plants and power generation sites, and in safety-critical systems like railway networks.
A network TAP creates an exact copy of both sides of the traffic flow, continuously, without dropping packets, delaying, or altering the data. TAPs are either passive or “failsafe,” meaning traffic continues to flow between the network devices if power is lost or a monitoring tool is removed, so the TAP is not a single point of failure.