Air-Gapped Networks and Data Diodes

An air gap is the ultimate cybersecurity measure: a physical separation between a secure network and any other computer or network.

The purpose of an air gap is to eliminate any possibility that a threat actor can attack the protected system via an external connection – whether they are in Russia or sitting in the parking lot trying to get in through an open Wi-Fi connection. Since an air gapped network has no external connections, a would-be attacker needs to gain physical access to carry out an attack. Air gaps are common security features in high-uptime environments, especially in the critical infrastructure sector, where a cyber attack can disrupt or halt operations – interrupting production (think electricity, gas, water, telecommunications, food supply, banking, etc.) or leading to physical damage, environmental harm, or even loss of life.

Creating an air gapped network is fairly straightforward. A network of computers, servers, IoT devices, industrial controls, etc. is connected using standard networking equipment, without any external network connections, so data can move within the network but absolutely no external access exists (input or output). The challenge is maintaining business operations with an air gap in place.

Air gaps: benefits and drawbacks

The key benefit of an air gap is the robust cybersecurity posture it creates – only allowing people who have physical access to use it. That means before an attacker could install malware or ransomware, or steal data from an air gapped system, they would likely need to get past multiple layers of gates, guards, and other physical defenses first. It also means that authorized users outside of the air gapped network will need to pass through those same security measures every time they need to access or share data generated inside the secure network (e.g. electricity generated, duty cycles of equipment, errors, alarms, billing information, etc.).

The expense and inconvenience of maintaining an onsite physical presence to access operational data can lead organizations to abandon the idea of air-gapping their systems despite the superior cybersecurity posture an air gap provides. And with smart devices and the cloud becoming fundamental elements of critical infrastructure operations, maintaining an air gap gets harder as data-hungry cloud analytics want access to plant information.

Data diodes: air gaps that work 

Air gaps are stellar at preventing remote cyber attacks but by themselves lack a way of easily communicating with the outside world. Data diodes solve that problem. They are the ideal solution for maintaining air-gapped security against outside attacks while enabling external communications for remote monitoring, cloud analytics, preventative maintenance, digital twins, production tracking and a whole host of other applications.

A data diode is a cybersecurity device that allows data to travel in one direction only, using hardware components that are physically incapable of transferring data, or allowing access, in the “wrong” direction. Data diodes provide a much higher level of assurance than firewalls, which are inherently bidirectional and, as software-based solutions, are subject to a wide array of exploits and vulnerabilities. Data diodes easily facilitate data transfer out of a secure facility while absolutely guaranteeing that nothing (hackers, malware, viruses, ransomware, etc.) can get through the data diode into the secure facility.
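Because the hardware path is one-way, the sending side can never receive an acknowledgement or a retransmission request, so loss and corruption have to be handled by redundancy on the way out and by verification on the receiving side. The Python below is an added example of that idea, not Owl's code or protocol; the frame layout, the function names `make_frames` and `receive`, and the sample record are assumptions made for illustration.

```python
from __future__ import annotations
import struct
import zlib

HEADER = struct.Struct("!IIH")   # seq, total frames, payload length (hypothetical layout)
TRAILER = struct.Struct("!I")    # CRC32 over header + payload

# Constructed sample: a telemetry record leaving the protected network.
SAMPLE = b"turbine=7;rpm=3600;alarm=0;ts=2021-01-01T12:00:00Z"


def make_frames(data: bytes, chunk: int = 16, copies: int = 2) -> list[bytes]:
    """Sender side: no ACK can ever come back, so each frame is sent `copies` times."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    frames = []
    for seq, part in enumerate(chunks):
        body = HEADER.pack(seq, len(chunks), len(part)) + part
        frame = body + TRAILER.pack(zlib.crc32(body))
        frames.extend([frame] * copies)
    return frames


def receive(frames: list[bytes]) -> tuple[bytes | None, list[int]]:
    """Receiver side: verify, de-duplicate and report gaps; it cannot request a resend."""
    parts: dict[int, bytes] = {}
    total = None
    for frame in frames:
        if len(frame) < HEADER.size + TRAILER.size:
            continue                                  # truncated frame: drop
        body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
        if zlib.crc32(body) != crc:
            continue                                  # corrupted in transit: drop
        seq, count, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length or seq >= count:
            continue                                  # inconsistent header: drop
        total = count
        parts.setdefault(seq, payload)                # duplicate copies are ignored
    if total is None:
        return None, []
    missing = [s for s in range(total) if s not in parts]
    if missing:
        return None, missing                          # alarm locally; sender never learns of it
    return b"".join(parts[s] for s in range(total)), []
```

Losing one copy of a frame is absorbed by the redundancy; losing every copy leaves a gap that only the receiving side can see, which is why monitoring for missing sequence numbers belongs on that side.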

A critical infrastructure facility, for example, might be air gapped to prevent threat actors from gaining access to operational technology such as a turbine or manufacturing system. But while it serves the purpose of defending the facility and equipment operating in it, an air gap without a data diode makes it impossible for remote personnel to monitor device status or assess facility performance. Many critical infrastructure operators use Owl data diodes to transfer facility data out to IT networks or the cloud, or a NOC or a SOC, while maintaining a defensive air gap against external threats.

In other cases, an organization might need to air gap systems against outbound traffic while permitting inbound traffic. For example, a major U.S. bank uses Owl data diodes to send transaction records and other information into its secure data vault, while maintaining an air gap against exfiltration of sensitive financial data.

Is it still an air gap if you can send data across it?

Data diodes are one-way only data valves and possess an air gap within each device with no physical or electrical connection – only light via a fiber optic cable crosses the air gap.

Organizations are now recognizing the need for stronger cybersecurity, and are recognizing that data diodes in combination with strict air gaps or network segmentation provide the security benefits of an air gap, while also supporting data access needed for business continuity and operations.

Owl Cyber Defense data diodes have delivered this capability for more than 20 years and remain the most secure, most reliable solution available today.

Dan Crum
