Data diodes are expected to reach tipping point for OT, IoT applications


Converging trends and challenges across cybersecurity, critical infrastructure, and industrial assets are expected to accelerate demand for the hardware-enforced isolation provided by data diodes, according to a recent report. The escalating threat landscape creates more situations in which these one-way network hardware devices will be the optimal cybersecurity solution.

The decision on whether to use data diodes is typically driven by weighing the value of precluding either inbound or outbound data flow against the inefficiencies, limitations, and costs inherent in using data diodes, Howard Smith, managing director at First Analysis, wrote in the company’s ‘First Analysis Quarterly Insights.’

Smith said that he does not foresee a major inflection point for data diode demand in the near term. But, “we do foresee an eventual tipping point where cost reductions, expanded protocol support and creative solutions to management challenges aggregate to substantially eliminate the tradeoffs for a much broader range of applications in OT and the Internet of Things,” he added.

Headquartered in Chicago, First Analysis says its research is underpinned by an integrative process that combines investment research on thousands of companies with relationships among thousands of executives, investors, and other stakeholders.

OT (Operational Technology) covers the hardware and software that is used to monitor and control physical processes, devices, and infrastructure across a large range of asset-intensive sectors, performing various tasks ranging from monitoring critical infrastructure to controlling robots on the shop floor. OT environments are deployed across the industrial sector, including surface transportation, manufacturing, oil and gas, electrical generation and distribution, and utilities.  

Cybersecurity threats are further compounded by the fact that most traditional cybersecurity solutions were created for, and are primarily used in, environments whose computing devices use a small set of standard, well-known communication protocols and operating systems, the First Analysis report said. In reality, the world of industrial and infrastructure connections encompasses a far more diverse range of protocols and operating systems, many of which traditional cybersecurity solutions do not adequately address.

“Given these trends and challenges, we believe there is a growing number of situations where data diodes, perhaps integrated with or combined in innovative ways with traditional software-based firewalls as well as non-diode hardware-based firewalls, will be optimal cybersecurity solutions,” Smith wrote.

Initially used in the 1980s, data diodes were mainly deployed in military and government sectors to protect weapon systems and sensitive information, according to the First Analysis report. Since 2000, their use has expanded to some regulated critical infrastructure and has been mandated in the U.S. by the Nuclear Regulatory Commission to protect parts of the nuclear ecosystem. Over the past few years, the adoption of data diodes has expanded into more critical infrastructure as well as some general commercial applications, it added.

For organizations whose paramount concern is making sure malicious parties don’t penetrate internal systems via network connections, data diodes can preclude any data from entering while still allowing data to exit, the report said. Deployed this way, the device protects the network and assets on the transmitting side of the connection from a cyberattack: there is simply no network path for malware to enter.

“So even if assets on the protected side have vulnerabilities – unknown or known but difficult to patch – the outside world has no means to exploit the vulnerabilities remotely,” according to Smith. As a result, users of data diodes do not have to worry about their cybersecurity vendors finding exploits and updating systems to look for and block malware, he added.

Smith also highlights the opposite deployment, with the protected network on the receiving side of the diode, which can be used to prevent attackers from extracting internal data even if they manage to get malware into the network through the permitted inbound flow. “While the computers and servers on the protected side of the data diode are vulnerable to cyberattack, the risk is limited to slowing or shutting down the operation – there is no risk of leaking classified information through the network connection,” he wrote in the report.

Data diodes come with their fair share of trade-offs, which Smith says are ‘diminishing’. Historically, data diodes have been much more expensive than software, rules-based firewalls. Costs have been coming down in recent years, but the cost per unit of throughput is still high relative to less-secure solutions. Data passing through a diode arrives in some protocol. Protocols include transmission control protocol/internet protocol (TCP/IP), file transfer protocol (FTP), other widely adopted protocols, and thousands of proprietary protocols used in the operational infrastructure.

Unlike software firewalls, which can pass data through without change, data diodes must completely deconstruct the data on the transmitter side, carry it across the one-way link (typically as a series of light pulses over fiber), and then accurately reconstruct it on the receiver side, either in the same protocol or a different one. The reason is that most network protocols are two-way: a TCP handshake, an FTP command exchange, or a protocol acknowledgment all require return traffic, and the diode physically cannot carry it. So a proxy on the transmitting side must terminate the original session, push the payload across the link without expecting any reply, and a proxy on the receiving side must re-originate the session toward its destination.

For instance, in the case of OT applications, the protected transmitter side may support numerous proprietary protocols while the open network receiver side reconstructs the data in TCP/IP packets easily digested by common internet devices. Preserving the integrity of video images, emails, and other forms of information through these conversions is complex, since the receiver has no way to ask for a lost or corrupted fragment to be resent.
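To make the protocol-break concrete, the following Python simulation is an added example (not code from the First Analysis report or from any diode vendor). It models the two proxies around a one-way link: the sending side has already terminated the two-way session and emits self-describing frames, each repeated a few times as a crude forward error correction because no acknowledgment can ever come back; the receiving side validates every frame, keeps the first good copy of each sequence number, and reports gaps it cannot fill. The frame layout, the repetition count and the `one_way_channel` loss model are assumptions of the example, and the sample payload is constructed inline.

```python
import struct
import zlib

# Constructed framing for the one-way link (an assumption of this example, not a
# standard or any vendor's format): fixed header + payload + CRC32 over both.
HDR = struct.Struct("!IIH")   # sequence number, total frames, payload length
CRC = struct.Struct("!I")     # CRC32 of header + payload


def build_frame(seq: int, total: int, payload: bytes) -> bytes:
    body = HDR.pack(seq, total, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))


def parse_frame(raw: bytes):
    """Return (seq, total, payload), or None if the frame fails its integrity checks."""
    if len(raw) < HDR.size + CRC.size:
        return None
    body, (crc,) = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])
    if zlib.crc32(body) != crc:
        return None
    seq, total, length = HDR.unpack_from(body)
    payload = body[HDR.size:]
    if len(payload) != length:
        return None
    return seq, total, payload


def sender_frames(data: bytes, chunk: int = 64, repeat: int = 3) -> list:
    """Protected (transmitting) side. The two-way protocol (FTP, TCP, a PLC
    protocol) has already been terminated here; only self-describing frames
    cross the link. No ACK can ever return, so each frame is emitted `repeat`
    times as a simple repetition code."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(chunks)
    frames = []
    for _ in range(repeat):
        for seq, c in enumerate(chunks):
            frames.append(build_frame(seq, total, c))
    return frames


def one_way_channel(frames: list, drop=frozenset(), corrupt=frozenset()) -> list:
    """Model of the diode link: frames only move from sender to receiver, and the
    sender learns nothing about the drops or bit flips (frame indices chosen by
    the caller to make the simulation deterministic)."""
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])   # flip the bits of the last byte
        out.append(f)
    return out


def receiver_reassemble(frames: list):
    """Open (receiving) side. Validates each frame, keeps the first good copy of
    each sequence number and reports gaps; there is no way to request a resend.
    Returns (data, []) on success or (None, missing_sequence_numbers) on failure."""
    got, total = {}, None
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue                      # corrupted copy: discard silently
        seq, tot, payload = parsed
        if total is None:
            total = tot
        if tot != total or seq >= total:
            continue                      # inconsistent frame: discard
        got.setdefault(seq, payload)      # first good copy wins
    if total is None:
        return None, []
    missing = [i for i in range(total) if i not in got]
    if missing:
        return None, missing
    return b"".join(got[i] for i in range(total)), []


if __name__ == "__main__":
    sample = bytes(range(256)) * 2                      # constructed 512-byte payload
    sent = sender_frames(sample, chunk=64, repeat=3)    # 8 chunks x 3 copies = 24 frames
    data, missing = receiver_reassemble(one_way_channel(sent, drop={0, 1}, corrupt={2}))
    print("recovered" if data == sample else f"unrecoverable gaps at {missing}")
```

The point the simulation makes is the one the report describes in prose: integrity across the link has to be engineered entirely on the receiving side, with redundancy paid for up front, because the feedback a normal firewall path relies on (TCP retransmission, an application-level "resend") does not exist. Losing all copies of a single fragment leaves the receiver with a documented gap and nothing it can do about it except raise an alarm.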

Smith also noted that most current cybersecurity solutions and networked devices can be administered, updated, patched, and configured remotely. But when data diodes are used to protect a network from malicious attack by precluding inbound data flows, the transmitting side of the data diode and the devices behind it cannot be reached remotely at all. This means technicians must be physically on-site, or at least on the protected side of the network, to investigate and correct issues.

“We think gradually increasing demand for data diodes will naturally diminish the first two limitations by enabling economies of scale that reduce production costs and enabling investment to support more protocols,” according to Smith. “Reducing management challenges may be more daunting. The industry realizes this and is coming up with clever solutions. Many of these involve allowing very limited two-way communication for special pre-programmed data types or during limited, highly monitored time periods,” he added.
