Industrial networks often contain highly sensitive or classified information. Everything from personal employee information to proprietary product formulations—and even vital financial accounts—are stored on business networks. It’s clear why many major companies treat network security very seriously—at least on the surface.
Unfortunately, despite attempts to increase infrastructure security, data breaches and leaks happen all the time. When was the last time you heard of a major corporation accidentally releasing identifying details of its customers or classified business emails? It probably hasn’t been long since you’ve seen a story like this make headlines.
Most businesses never seem to have a problem until one day, out of the blue, they have a huge problem. By then, it’s too late. The data breach has already happened.
Security issues are further compounded by the widespread adoption of IoT in industrial settings. Now, business networks have dozens or even hundreds of extra data endpoints added to their networks, along with innumerable users who have access to those IoT devices.
There are not only brand new access points, but there is more information than ever before flowing through each connection on the network. It’s a large increase in both hardware and data at the same time.
The crux of the problem? Industrial IoT network security training tends to lag behind rapid technology development. When a company adopts an IoT program, it often fails to compensate for the increased difficulty of maintaining a secure network until after a problem occurs.
Companies sincerely believe they make cybersecurity a top priority, but they seldom see how new technology can compromise that security.
There are several effective steps that companies can take to strengthen the security of their networks and ensure the integrity of their data. Installing data diodes to manage transfers between networks is one such step.
What are data diodes, and why do firewalls not measure up?
A data diode is a device that acts as a checkpoint for all data passing between two separate networks. It is a unidirectional gateway, meaning that it only allows data to flow from one network to the other. Any attempts to pass data in the reverse direction are shut down by the data diode checkpoint.
Data diodes use one-way fiber optic connections to accomplish this task. The receiver is not capable of transmitting data, and the transmitter is not capable of receiving data. Each can pass data in only the intended direction.
Because data diodes are hardware units, they can’t be corrupted by malicious code that could change their functionality. This is a primary way that they differ from the more traditionally used firewalls that manage the flow of information between networks using software to detect unauthorized data transfers.
Unlike firewalls, data diodes do not require complicated configuration settings, maintenance, and monitoring for bugs or unintended back doors. Once data diodes are installed, you won’t need to update or reconfigure them
Also unlike firewalls, data diodes don’t introduce network latencies that could disrupt real-time applications. After a simple installation process, data diodes act as an efficient, relatively invulnerable safety valve that manages the flow of information from one network to another.
How do data diodes boost industrial IoT security?
Networks that hold sensitive data are frequently isolated from other networks. This separation reduces the risk of unintended access, data leaks, and malicious attacks.
However, sometimes it is necessary to send information between two separate, isolated networks. This creates potential security problems for the entire system.
A network presents a collection of permitted access points. For a network to be secure, all of those access points must be trustworthy, and any unintended access must be shut down. When you connect two networks, it doubles the chance of compromised security. In cases where data is highly sensitive or classified, this risk is unacceptable.
Even transporting data between two high-security networks can be tricky. Without a data diode as a checkpoint, someone could always use the open connection to reach the network of origin and view, copy, or even corrupt data that they shouldn’t be able to access.
This is where the primary functionality of a data diode comes in handy.
Data diodes prevent data breaches and leaks.
When you add a data diode in between two networks, you ensure that information is transported in one direction only. If you needed to connect your higher-security network to a lower-security network to send a few files, you could do that without worrying that a malicious actor from the lower-security network was using that open connection to gain entry to your higher-security side. The files would be sent from the network of origin to the receiving network, with no data transmission happening in the other direction.
Data diodes are also useful for transferring data from lower-security networks to higher-security networks. In these cases, it’s not as vitally important to protect the data contained within the lower-security network of origin. However, you do need to ensure that no data leaks from the higher-security side while the transfer is in process.
Data leaks can be intentional or unintentional. It isn’t always a disgruntled employee sending sensitive or internal information to the media. Often, data leaks happen unintentionally and without anyone being aware the leak happened until the repercussions appear.
Mistakenly entering the wrong destination address is still a form of data leakage, as is the access of data by malware installed via the connection from a lower-security network. Both cases happen frequently and are usually missed by all but the most vigilant security specialists. So, even if you implicitly trust all of your network operators, it still isn’t safe to initiate data transfers between networks without taking adequate precautions.
Installing a data diode is a good precaution to take regardless of the direction of data transfer between networks, because it prevents the leakage of important data. In cases where communication is required in both directions, installing two data diodes would still provide protection from unauthorized data transfers because data diodes only allow for specifically configured messages to be sent. They will block all other traffic and prevent misconfigured messages from making it to the destination network.
What about industrial sabotage?
Stolen or compromised data is not the only danger when an IoT network is involved. A company may have numerous devices and sensors that detect maintenance issues and monitor or control critical operations.
A water processing plant, for instance, has sensors that measure the levels of chemicals and contaminants in the water supply. Depending on the information from these sensors, the appropriate response can be carried out by other automated systems: changing the levels of certain chemicals, diverting contaminated supplies for extra filtration, or approving water for distribution.
An industrial saboteur could easily tamper with any number of these sensors or automated devices to ruin the water supply and cause immeasurable damage to the water supply and to public health if contaminated water is used by consumers.
The implications are sobering. Factories could have their power lines disrupted or their construction plans altered. Hospitals might experience service disruptions or have critical patient information corrupted.
Government and military networks are particularly at risk, which is one reason that they form the primary market for data diodes and other unidirectional solutions.
What are some other useful applications of data diodes in industrial IoT networks?
If your company uses multiple sensors, you will need to send the data from those sensors to another location on the network. Consider installing a data diode on each connection so that information can be sent from the sensor to the rest of the network, but not from the network to the sensor. This eliminates the ability for the sensor’s software to be manipulated by threats within the network.
Additionally, if your network utilizes an intrusion detection system, a data diode could enable that system to view traffic to monitor for intrusions without permitting any other data from being affected. Similarly, error log monitoring systems may sometimes be able to take actions on the systems they are monitoring. If you’d like to prevent that from happening, a data diode would be a simple solution.
Why don’t more enterprises use data diodes?
Data diodes have a reputation for being too expensive and limiting for all but specialty, ultra-secure users such as the military and government.
Some industrial network operators steer clear of hardware security solutions such as data diodes because they think they need a two-way communication system. The idea of installing two separate gateways that flow in opposite directions seems complicated or cumbersome to people inexperienced with the technology. Or the network may have so many data flows and protocols that the idea of narrowing down into a single gateway is incomprehensible.
However, data diodes can be scaled to work with any number of data flows and protocols with proper setup. And multiple diodes are not necessarily prohibitively expensive, even for large, complex networks.
Data diodes are simple to install and do not require configuration by highly certified technicians. When no maintenance and monitoring requirements are factored in, the up-front cost for data diodes pays for itself over time when compared to the extensive maintenance needed for traditional software firewalls.
Since hardware gateways provide superior protection over software solutions, the return on investment is much higher for data diodes if they prevent even one critical data breach or malicious attack.
