Tight security is essential in industrial environments, and various network products can raise the security level. One of these is a data diode, a device that passes network traffic in one direction only. At E&A, Kees-Jan Hermans of Fox-IT explains the advantages of such a diode.
By: Dimitri Reijerman
Network security seems a complex matter, but Hermans gives a simple example of a situation where it is essential that the information supplied is reliable: “Networks are designed to function bi-directionally. In many cases this is desirable, but sometimes it is not necessary. Consider, for example, a security camera pointed at the vault door of a bank. This camera only needs to send images in one direction. One problem, however, is that modern security cameras are also susceptible to hacking these days. A data diode communicates in an 'old-fashioned' way: it sends all traffic in one direction only, and that is guaranteed. So the security camera can spit out its images, but it cannot receive any data. This makes it 'unhackable'.”
Transforming a network-connected camera into an impregnable fortress has further advantages, says the Fox-IT specialist: “With a data diode you are more certain about the integrity of the camera's images. This way you can be sure that no one is standing in front of the safe with a cutting torch while staying out of the picture by first hacking the camera.”
The logic that implements the data diode fits on a fairly small piece of PCB, but the security company has improved the diode further. Compared to previous generations it has become smaller. The device has also passed a vibration test, necessary for industrial environments, and the diode can handle 10 Gigabit networks. But there is more to increase security further, says Hermans: “We have also made the device fully redundant. Power can be supplied redundantly, but the data can also be made redundant. This gives you a greater guarantee that if something breaks, there will still be data throughput.”
Protecting state secrets
The origin of Fox-IT's data diode lies in demand from governments: “We are the go-to guys for protecting state secrets. That is what the device was originally designed for. There are different classification levels within the government. Secret networks are of course not allowed to communicate with the outside. Until recently this was accomplished by transferring data via CD-ROMs, but a data diode solves this, because you can send data from a lower-classified network to a higher-classified network, but not the other way around.”
But demand from industry is now also growing rapidly, says Hermans: “What we see is that PLCs are important in industrial settings. One-way traffic is very important for these types of devices, for example for sending status information. But they run on software. That is why we see a great business case for industrial environments, and we now also have a version for industrial environments. So you can place it next to a pump. And depending on how much you trust your network architecture, you can install one or more network diodes.”
Root exploits
He continues: “You can also do this with a firewall, but the government regulations themselves do not allow that. They are seen as insufficiently reliable. About every two years a remote root exploit comes out for Linux, Unix or BSD. This essentially means that the reliability of that OS over the past two years can be thrown in the trash, because you could have got around that firewall if you had known about that exploit. Governments not only protect themselves against script kiddies; they also want to be able to defend themselves against state actors.”
To also guarantee the integrity of the hardware used, the data diode is subjected to a strict inspection regime: “You have a whole process for that, supply chain management,” says Hermans. “That entire process is submitted for evaluation to an independent third party. We opted for a Common Criteria evaluation. It has seven levels of hardness and, based on the process we submit, we have been awarded an EAL – evaluation assurance level – of 7, the highest value. This makes it highly unlikely that it has been tampered with. This process is very intensive, and that is why our data diode is not cheap.”