Industries that once kept their IT and OT (operational technology) networks siloed are feeling the growing pains of a connected, digital world. Present-day OT environments rely increasingly on SCADA networks, HMIs (Human-Machine Interfaces), SIEM platforms, alarm and event systems, and analytics software.
This digitization has its benefits: increased reliability and availability, which in turn raise the quality and quantity of production, whether the product is clean drinking water, electricity, or resources like oil and gas. However, operators are routinely told that no connection is truly 100% secure, so how do you lower the risk of unauthorized access without completely closing off your operations?
The problem lies in traditional cybersecurity methods, which require constant upkeep and specialized staff to deliver the protection intended, often along with downtime for updates and reconfiguration. Unfortunately, this means that in many cases firewalls and other security systems go unpatched in organizations that provide critical services or run production for profit, because downtime is something end-users try to avoid at all costs.
Government agencies and regulators such as the U.S. Department of Homeland Security (DHS), NIST, and the U.S. Department of Commerce have recognized this significant security risk and have responded with recommended guidelines and best practices to help mitigate cyber threats. One of the more helpful pieces is the white paper entitled “Seven Steps to Effectively Defend Industrial Control Systems”, in which DHS, in conjunction with the FBI and the NSA, lays out concrete objectives that operators can act on and that, according to the paper, could prevent up to 98% of cyberattacks. One of the prominent methods featured in these steps is a technology known as the data diode.
A data diode is a hardware device that physically enforces a one-way flow of data. As one-way transfer systems, data diodes give IT and OT security professionals a way to separate (effectively “air-gap”) designated networks or network segments. Because the return path does not physically exist, an attacker on the receiving side has no channel back into the protected network, and there is no rule set to misconfigure; at the same time the device still permits a highly controlled, deterministic one-way transfer of data out of (or into) the network. The practical caveat is that a one-way link cannot carry protocols that need a return path, such as TCP: data is normally handed to a proxy on the sending side, pushed across in a connectionless form, and reassembled by a matching proxy on the receiving side, which must detect any loss on its own because it cannot ask for a retransmission.
Data diodes can be used to…
- defend the perimeter of your network
- prevent lateral movement of attackers or malware from a compromised segment into the protected one
- pass critical files like updates and patches into a siloed network
- enable remote command and control, using two separate, highly restricted one-way paths
When we think about cybersecurity, we tend to think software first. However, software has its limitations. For example, have you ever looked at your firewall manufacturer’s website to see how many patches and updates they have released? How long did it take your security team to properly configure it? Are you even sure it’s properly configured? Are the access control lists kept up to date? Are there any unnecessary open ports? The complex, configuration-based management of software tools leaves a lot of potential attack vectors for the determined attacker. In contrast, hardware-based tools are enforced by the laws of physics, which are some of the only laws hackers cannot break.
Last, but certainly not least, to stay a step ahead of intruders it is good practice to combine hardware and software solutions in defending your network. One common deployment sends network and application data one way, through a diode, to a SIEM platform. With that combination in place, end-users get real-time analysis of security alerts from the SIEM while exposing virtually no attack surface on the monitored network.
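The one-way SIEM feed above, and the no-return-path property described earlier, are easiest to understand from the receiving side: nothing can be acknowledged or re-requested, so the sending proxy must stamp each datagram with a sequence number and an integrity check, and the receiving proxy must count gaps and discard corrupted frames itself. The following is an added example written for this page; it is not code from the article or from any diode vendor. The frame layout (magic, 64-bit sequence number, length, SHA-256 trailer), the `simulate_diode` fault injector standing in for the physical link, and the syslog lines are all constructed for illustration.

```python
"""One-way (data-diode style) log transfer: sender framing, receiver loss detection.

Added example, not from the original article. Assumption: the diode forwards raw
UDP-style datagrams in one direction only, so the receiver can never request a
retransmission and must account for missing or corrupted frames on its own.
"""
import hashlib
import struct

MAGIC = b"DIO1"                      # hypothetical frame marker
HDR = struct.Struct("!4sQH")         # magic, sequence number, payload length
DIGEST_LEN = hashlib.sha256().digest_size

# Constructed sample syslog lines (not real logs) from the OT side.
SAMPLE_LOGS = [
    b"<134>Jan 10 09:12:01 plc-01 login: operator logged in from 10.10.5.20",
    b"<134>Jan 10 09:12:07 hmi-02 alarm: tank level high (setpoint 85%)",
    b"<131>Jan 10 09:12:09 hist-01 sshd: failed password for root from 10.10.5.99",
    b"<134>Jan 10 09:12:15 plc-01 write: coil 40012 set by 10.10.5.20",
    b"<134>Jan 10 09:12:20 hmi-02 alarm: tank level normal",
]


def frame(seq: int, payload: bytes) -> bytes:
    """Sending proxy: header + payload + SHA-256 over both.

    The digest lets the receiver drop corrupted datagrams; the sequence number
    lets it notice ones that never arrived. Neither can be negotiated, because
    no byte ever travels back across the diode.
    """
    header = HDR.pack(MAGIC, seq, len(payload))
    return header + payload + hashlib.sha256(header + payload).digest()


def unframe(datagram: bytes):
    """Receiving proxy: return (seq, payload), or None if malformed/corrupted."""
    if len(datagram) < HDR.size + DIGEST_LEN:
        return None
    header = datagram[:HDR.size]
    magic, seq, length = HDR.unpack(header)
    if magic != MAGIC:
        return None
    body_end = HDR.size + length
    if len(datagram) != body_end + DIGEST_LEN:
        return None
    payload = datagram[HDR.size:body_end]
    if hashlib.sha256(header + payload).digest() != datagram[body_end:]:
        return None
    return seq, payload


class Receiver:
    """Low-side collector feeding a SIEM. It keeps every frame it can verify and
    reports gaps; reordering is tolerated because frames are indexed by seq."""

    def __init__(self):
        self.seen = {}        # seq -> decoded line
        self.corrupt = 0      # frames that failed the integrity check

    def accept(self, datagram: bytes) -> bool:
        parsed = unframe(datagram)
        if parsed is None:
            self.corrupt += 1
            return False
        seq, payload = parsed
        self.seen.setdefault(seq, payload.decode("utf-8", errors="replace"))
        return True

    def report(self) -> dict:
        # A corrupted frame carries no trustworthy seq, so it is counted under
        # "corrupt" rather than "missing"; a trailing one never raises the high mark.
        high = max(self.seen) if self.seen else -1
        missing = [s for s in range(high + 1) if s not in self.seen]
        return {"delivered": len(self.seen), "missing": missing,
                "corrupt": self.corrupt,
                "lines": [self.seen[s] for s in sorted(self.seen)]}


def simulate_diode(datagrams, drop=(), corrupt=()):
    """Constructed stand-in for the physical link: one-way, may drop a datagram
    or flip a payload byte. Real loss comes from buffer overruns or link errors."""
    out = []
    for i, d in enumerate(datagrams):
        if i in drop:
            continue
        if i in corrupt:
            d = d[:HDR.size] + bytes([d[HDR.size] ^ 0xFF]) + d[HDR.size + 1:]
        out.append(d)
    return out


def run_demo() -> dict:
    """Send the sample lines across a link that loses frame 2 and corrupts frame 4."""
    datagrams = [frame(i, line) for i, line in enumerate(SAMPLE_LOGS)]
    rx = Receiver()
    for d in simulate_diode(datagrams, drop={2}, corrupt={4}):
        rx.accept(d)
    return rx.report()


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is the operational one: the receiving side can tell you that frame 2 never arrived and that one frame was unusable, but it cannot do anything about it, so real deployments either accept that loss rate, add forward error correction or send each frame more than once, and alert on gaps in the SIEM rather than relying on retransmission.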
If you’re looking to improve the security of your networks (and really, who isn’t?), start by creating a topology of your network architecture, if you don’t already have one. This will give you a clear picture of the connections to and from your devices and systems. Go through the list and investigate where a one-way connection could be leveraged. Do you have connections used exclusively for remote monitoring? Are there data streams used purely for external analytics? Are there update files coming in from a software vendor? Any of these is a good starting point for plugging potential holes in your network and reducing the time and effort it takes to monitor and defend it… and honestly, who couldn’t use a little extra time?