Unidirectional network

A unidirectional network (also referred to as a unidirectional gateway or data diode) is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as defense, where they serve as connections between two or more networks of differing security classifications. Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation and safety critical systems like railway networks.

After years of development, data diodes have evolved from being only a network appliance or device allowing raw data to travel only in one direction, used in guaranteeing information security or protection of critical digital systems, such as industrial control systems, from inbound cyber attacks, to combinations of hardware and software running in proxy computers in the source and destination networks. The hardware enforces physical unidirectionality, and the software replicates databases and emulates protocol servers to handle bi-directional communication. Data Diodes are now capable of transferring multiple protocols and data types simultaneously. It contains a broader range of cybersecurity features like secure boot, certificate management, data integrity, forward error correction (FEC), secure communication via TLS, among others. A unique characteristic is that data is transferred deterministically (to predetermined locations) with a protocol "break" that allows the data to be transferred through the data diode.

Data diodes are commonly found in high security military and government environments, and are now becoming widely spread in sectors like oil & gas, water/wastewater, airplanes (between flight control units and in-flight entertainment systems), manufacturing and cloud connectivity for industrial IoT. New regulations have increased demand and with increased capacity, major technology vendors have lowered the cost of the core technology.

History

The first data diodes were developed by governmental organizations in the eighties and nineties. Because these organizations work with confidential information, making sure their network is secure is of the highest priority. Primary solutions used by these organizations were air gaps. But, as the amount of transferable data increased, and a continuous and real-time data stream became more important, these organizations had to look for an automated solution.

In the search for more standardization, an increasing number of organizations started to look for a solution that was a better fit for their activities. Commercial solutions created by stable organizations succeeded given the level of security and long-term support.

In the United States, utilities and oil and gas companies have used data diodes for several years, and regulators have encouraged their use to protect equipment and processes in safety instrumented systems (SISs). The Nuclear Regulatory Commission (NRC) now mandates the use of data diodes and many other sectors, in addition to electrical and nuclear, also use data diodes effectively.

In Europe, regulators and operators of several safety-critical systems started recommending and implementing regulations on the use of unidirectional gateways.

In 2013 the working, Industrial Control System Cybersecurity, directed by the French Network and Information Security Agency ( ANSSI) stated that is forbidden to use firewalls to connect any class 3 network, such as railway switching systems, to a lower class network or corporate network, only unidirectional technology is permitted.

Applications

*Real time monitoring of safety-critical networks
*Secure OT – IT bridge
*Secure cloud connectivity of critical OT networks
*Database replication
* Data mining
* Trusted back-end and hybrid cloud hosted solutions (private / public)
*Secure data exchange for data marketplaces
*Secure credential/ certificate provisioning
*Secure cross-data base sharing
*Secure printing from a less secure network to a high secure network (reducing print costs)
*Transferring application and operating system updates from a less secure network to a high secure network
*Time synchronization in highly secure networks
* File transfer
* Streaming video
*Sending/receiving alerts or alarms from open to critical/confidential networks
*Sending/receiving emails from open to critical/confidential networks
* GovernmentAustralian Government Information Management Office 2003, Securing systems with Starlight, Department of Finance and Administration, viewed 14 April 2011


* Commercial companiesWordsworth, C 1998, Media Release: Minister Awards Pioneer In Computer Security, viewed 14 April 2011

Use

Unidirectional network devices are typically used to guarantee information security or protection of critical digital systems, such as Industrial control systems, from cyber attacks. While use of these devices is common in high security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks connected to the Internet.

The physical nature of unidirectional networks only allows data to pass from one side of a network connection to another, and not the other way around. This can be from the "low side" or untrusted network, to the "high side" or trusted network, or vice versa. In the first case, data in the high side network is kept confidential and users retain access to data from the low side. Slay, J & Turnbull, B 2004, 'The Uses and Limitations of Unidirectional Network Bridges in a Secure Electronic Commerce Environment', paper presented at the INC 2004 Conference, Plymouth, UK, 6–9 July 2004 Such functionality can be attractive if sensitive data is stored on a network which requires connectivity with the Internet: the high side can receive Internet data from the low side, but no data on the high side are accessible to Internet-based intrusion. In the second case, a safety-critical physical system can be made accessible for online monitoring, yet be insulated from all Internet-based attacks that might seek to cause physical damage. In both cases, the connection remains unidirectional even if both the low and the high network are compromised, as the security guarantees are physical in nature.

There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.

One-way flow to less secure systems

Involves systems that must be secured against remote/external attacks from public networks while publishing information to such networks. For example, an election management system used with electronic voting must make election results available to the public while at the same time it must be immune to attack.

This model is applicable to a variety of critical infrastructure protection problems, where protection of the data in a network is less important than reliable control and correct operation of the network. For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that the flow of information be from the secure control system to the public, and not vice versa.

One-way flow to more secure systems

The majority of unidirectional network applications in this category are in defense, and defense contractors. These organizations traditionally have applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network with classified data, and a network with an Internet connection.

In the Bell-LaPadula security model, users of a computer system can only create data at or above their own security level. This applies in contexts where there is a hierarchy of information classifications. If users at each security level share a machine dedicated to that level, and if the machines are connected by data diodes, the Bell-Lapadula constraints can be rigidly enforced.

Benefits

Traditionally, when the IT network provides DMZ server access for an authorized user, the data is vulnerable to intrusions from the IT network. However, with a unidirectional gateways separating a critical side or OT network with sensitive data from an open side with business and Internet connectivity, normally IT network, organizations can achieve the best of both worlds, enabling the connectivity required and assuring security. This holds true even if the IT network is compromised, because the traffic flow control is physical in nature.

*No reported cases of data diodes being bypassed or exploited to enable two-way traffic.
*Lower long-term operating cost (OPEX) cost as there are no rules to maintain. Although there will be software updates to be installed. Often these devices need to be maintained by the vendors.
*The unidirectional software layer cannot be configured to allow two-way traffic due to the physical disconnection of the RX or TX line.

Weaknesses

*As of June 2015, unidirectional gateways were not yet commonly used or well understood.
*Unidirectional gateways are unable to route the majority of network traffic and break most protocols.
*Cost; data diodes were originally expensive, although lower cost solutions are now available.
*Specific use cases that require a two-way data flow can be difficult to achieve.

Variations

The simplest form of a unidirectional network is a modified, fiber-optic network link, with send and receive transceivers removed or disconnected for one direction, and any link failure protection mechanisms disabled. Some commercial products rely on this basic design, but add other software functionality that provides applications with an interface which helps them pass data across the link.

All-optical data diodes can support very high channel capacities and are among the simplest. In 2019, Controlled Interfaces demonstrated its (now patented) one-way optical fiber link using 100G Commercial Off The Shelf transceivers in a pair of Arista network switch platforms. No specialized driver software is required.

Other more sophisticated commercial offerings enable simultaneous one-way data transfer of multiple protocols that usually require bidirectional links. The German companies INFODAS and GENUA have developed software based ("logical") data diodes that use a Microkernel Operating system to ensure unidirectional data transfer. Due to the software architecture these solutions offer higher speed than conventional hardware based data diodes.

ST Engineering, have developed its own Secure e-Application Gateway, consisting of multiple data diodes and other software components, to enable real-time bi-directional HTTP(S) web services transactions over the internet while protecting the secured networks from both malicious injects and data leakage.

In 2018, Siemens Mobility released an industrial grade unidirectional gateway solution in which the data diode, Data Capture Unit, uses electromagnetic induction and new chip design to achieve an EBA safety assessment, guaranteeing secure connectivity of new and existing safety critical systems up to Safety integrity level (SIL) 4 to enable secure IoT and provide data analytics and other cloud hosted digital services.

The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Network Pump. This is in many ways similar to DSTO's work, except that it allows a limited backchannel going from the high side to the low side for the transmission of acknowledgments. This technology allows more protocols to be used over the network, but introduces a potential covert channel if both the high- and low-side are compromised through artificially delaying the timing of the acknowledgment.Myong, HK, Moskowitz, IS & Chincheck, S 2005
'The Pump: A Decade of Covert Fun'
/ref>

Different implementations also have differing levels of third party certification and accreditation. A cross domain guard intended for use in a military context may have or require extensive third party certification and accreditation. A data diode intended for industrial use, however, may not have or require third party certification and accreditation at all, depending on the application.

Notable vendors

Fox-IT
- NL
* BAE Systems - US/UK
* Siemens - Germany
* ST Engineering - Singapore

OWL CyberDefense - US

Fend Incorporated
- US

Waterfall Security
- Israel

Forcepoint
- US

See also

* Bell-LaPadula model for security
* Network tap
*Intrusion detection system

References

External links

SANS Institute Paper on Tactical Data Diodes in Industrial Automation andControl Systems.Guide to Industrial Control Systems (ICS) Security
United States Department of Commerce - National Institute of Standards and technology on data diode use on Industrial Control Systems.
Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
United States Department of Homeland - Security Industrial Control Systems Cyber Emergency Response Team on data diode use.

{{DEFAULTSORT:Unidirectional Network
Networking hardware
Computer network security