Data diodes only allow data to flow in one direction, effectively protecting sending devices from external attack.
Like harsh traffic cops, data diodes enforce a one-way path for data traveling through a network, ensuring that IoT devices behind the diodes are not compromised by malicious incoming traffic.
Simple yet elegant solutions, data diodes provide hardware-based security for Internet of Things (IoT) environments. These environments have become more vulnerable as the volume of connected devices grows and networks extend to larger and more remote geographies. For any administrator of an IoT infrastructure, security is the number one concern today, and for good reason.
“IoT devices now account for 32.72% of observed infected devices,” Nokia noted in its “2020 Threat Intelligence Report,” which records malware activity on networks based on data collected by the company’s security software. “Compared to 2019, the share held by IoT devices in the overall device breakdown has increased by 100%, from a previous share of 16.17%.” The threat to IoT endpoints is so serious that Nokia concluded, “Cybercriminals are focusing their efforts on IoT and mobile devices.”
“The increasing digitization of critical infrastructure with an increasing number of IoT devices is raising the bar for network security,” Andrés Guilarte, global product manager, connectivity and IoT at Siemens Mobility, wrote in response to emailed questions from IoT World Today.
How Data Diodes Protect Networks
A diode is “a device, such as a two-element electron tube or semiconductor, through which current can freely pass in only one direction,” according to Dictionary.com.
Data diodes apply this technology to the network infrastructure to allow data to flow in one direction and prevent data from traveling in the other direction. And while they have grown in sophistication and capabilities since their introduction several decades ago, data diodes are still essentially single-purpose devices that provide relatively simple service.
Data diodes work in a similar way to other hardware-based network flow controllers. For example, a similar effect was achieved by altering cable connections, such as removing pins from an RS-232 connector to prevent data flow in one direction. That’s a brute force solution, to be sure, and one that lacks diode capabilities like protocol awareness that can be critical to network operations.
There are also network gateways that can limit or eliminate certain data flows through a network, but they tend to have similar complexities, hardware requirements, and upgrade issues as firewall technologies. “One of the benefits of diodes is that they don’t need to be patched,” said Johan Vermij, IoT research analyst at 451 Research, “so they’re better suited than firewalls for sites that are far away.”
“It’s a one-way transfer based on the physics of the hardware,” said Brian Romansky, director of innovation at diode maker Owl Cyber Defense. “You can’t secretly or accidentally have a port open that you forgot about.”
According to Romansky, data diodes date back to the Cold War era. “The data diode concept grew out of work that was actually a Department of Defense program and actually dates back to a time when the US and Russia signed a nuclear decommissioning agreement,” he noted. The two parties needed to share data to ensure compliance with the pact. “How do I share data with my least trusted enemy from my most secret data set? And how do I make that connection work without it being a very manual and tedious process? And so the data diode was invented as a way to do that.”
Given its defense and intelligence pedigree, it’s no surprise that data diodes appear in a recommendation from the Department of Homeland Security. “If one-way communication can accomplish a task, use optical separation (“data diode”),” the department suggests in its “Seven strategies to defend ICS” publication.
Where data diodes fit in a security scenario
A successful IoT security strategy will likely require a multi-layered approach that uses hardware and software security products. A typical IoT environment comprises smart and not-so-smart devices for collecting and analyzing data. Smart devices may have more inherent vulnerabilities, but they also have the computing power to run sophisticated security software. Less intelligent end devices rarely have the processing power to do more than their assigned tasks.
Encryption and firewalls are standard fare in IoT security scenarios, but they can also fail in certain areas, leaving potentially vulnerable gaps. The more data traffic that is encrypted, the better, but encrypting and decrypting data can introduce network latency and cause problems for systems that need to respond in real time to data from sensors and other endpoint equipment.
Firewalls, a staple of IT network security, also feature prominently in the discussion. Firewalls can effectively prevent incursions and control the flow and direction of data movement on the network. The downside of firewalls is that they require dedicated servers and need to be managed and monitored, patched and updated frequently. That can become an onerous task for complex networks that require multiple firewalls to run simultaneously.
“Given ever-increasing connectivity and the rapid increase in cyber attacks, firewalls are no longer the only cyber security option,” said Siemens’ Guilarte.
A burgeoning field of IoT security technology involves the use of hardware-based security devices. Sometimes called hardware secure modules, or HSMs, this category includes security-specific devices, such as data diodes, as well as endpoint devices that have been enhanced with chips that provide security features.
Key facts about data diodes
While data diodes have found their way into a variety of environments and operations, their most cited implementation is to isolate reporting from data collection. “The most common use case that we see historically has actually been data historian replication,” Romansky said. “You can get reports and information from that system and ensure that threats don’t get in.”
Today, however, diodes are used in many more ways to improve IoT security. Some of the critical applications that diodes can help protect include the following:
- Backup and disaster recovery repositories
- Replication of databases and other application data
- Traffic flowing to/from remote sensing and other facilities
One concern potential implementers might have is the ability of receiving devices to recognize that data has been received.
“One-way data transmission is basically blind transmission if the sending network can’t verify receipt of data from the other network,” 451’s Vermij noted. Without that, sending systems can’t confirm that their data was received. “That could result in a retransmission that would consume additional bandwidth,” Vermij added.
But modern data diodes are much smarter than the simple one-way switches they once were. With a built-in understanding of certain communication protocols, diodes can provide the necessary acknowledgment without exposing the data.
“Every time you try to establish a TCP session, you need an acknowledgment to come back, it’s session-based,” Romansky said. He pointed out that Owl’s diodes have built-in proxy servers to address the acknowledgment problem. “When you make a connection to a data diode, you are actually connecting to an application that is running on the diode and you are connecting to an application that we have developed that knows the protocol that it is trying to send outside.”
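The two points above, the "blind transmission" concern and the proxy-based answer to it, can be modelled in a few dozen lines. The following is an added illustration written for this article, not Owl's or any vendor's code: a send-side proxy terminates the application's session and acknowledges locally, a one-way link carries numbered, checksummed frames with no return path, and a receive-side proxy verifies, de-duplicates and reassembles them. Because the receiving side cannot request a retransmission, the send side repeats each frame and the receive side reports sequence gaps instead. The class names, frame format, repeat count and loss model are all assumptions made for the example.

```python
"""Toy model of a protocol-aware data diode.

Constructed for illustration: the frame format, the fixed repeat count and the
index-based loss model are assumptions, not a vendor's protocol.
"""
import hashlib
import json
from collections import deque


class OneWayLink:
    """Unidirectional channel. Frames enter via push() on the protected (sending)
    side and leave via pop() on the receiving side. Nothing here lets the
    receiving side put data on the channel; that is the diode property."""

    def __init__(self, drop_frame_indices=()):
        self._queue = deque()
        self._drop = set(drop_frame_indices)  # simulated physical loss, by arrival index
        self._count = 0

    def push(self, frame: str) -> None:
        idx, self._count = self._count, self._count + 1
        if idx not in self._drop:
            self._queue.append(frame)

    def pop(self):
        return self._queue.popleft() if self._queue else None


def _digest(frame: dict) -> str:
    # Integrity tag over the canonical JSON form (truncated SHA-256, fine for a demo).
    return hashlib.sha256(json.dumps(frame, sort_keys=True).encode()).hexdigest()[:16]


class SendSideProxy:
    """Terminates the sender's session. Every submitted message is acknowledged
    immediately (the ACK never crosses the diode), then chunked into numbered,
    checksummed frames, each sent REPEAT times to tolerate single-copy loss."""

    REPEAT = 2   # assumption: fixed redundancy instead of retransmission
    CHUNK = 16   # assumption: small chunk size so the demo produces several frames

    def __init__(self, link: OneWayLink):
        self._link = link
        self._seq = 0

    def submit(self, payload: bytes) -> dict:
        chunks = [payload[i:i + self.CHUNK] for i in range(0, len(payload), self.CHUNK)] or [b""]
        first = self._seq
        for chunk in chunks:
            frame = {"seq": self._seq, "first": first, "total": len(chunks), "data": chunk.hex()}
            frame["sum"] = _digest(frame)
            for _ in range(self.REPEAT):
                self._link.push(json.dumps(frame))
            self._seq += 1
        # Local acknowledgment: the sender's protocol is satisfied without a return path.
        return {"ack": True, "seqs": list(range(first, self._seq))}


class ReceiveSideProxy:
    """Holds only a read callable, so it has no handle that could send anything back."""

    def __init__(self, read):
        self._read = read
        self._frames = {}
        self.corrupt = 0

    def drain(self) -> None:
        while (raw := self._read()) is not None:
            frame = json.loads(raw)
            expected = frame.pop("sum", None)
            if _digest(frame) != expected:
                self.corrupt += 1          # damaged frame: discard, cannot ask for a resend
                continue
            self._frames.setdefault(frame["seq"], frame)  # repeated copies are harmless

    def reassemble(self) -> list:
        by_first = {}
        for f in self._frames.values():
            by_first.setdefault(f["first"], []).append(f)
        results = []
        for first in sorted(by_first):
            frames = sorted(by_first[first], key=lambda f: f["seq"])
            have = {f["seq"] for f in frames}
            missing = [s for s in range(first, first + frames[0]["total"]) if s not in have]
            data = None if missing else b"".join(bytes.fromhex(f["data"]) for f in frames)
            results.append({"first": first, "complete": not missing, "missing": missing, "data": data})
        return results

    def missing_seqs(self) -> list:
        # Gaps in the sequence space are the receiver's only evidence of loss.
        return [s for s in range(max(self._frames, default=-1) + 1) if s not in self._frames]


def demo():
    # Constructed sample telemetry (not real device output).
    readings = [b"pump-7 temp=41.2C", b"pump-7 flow=13.7 m3/h rpm=1450"]
    # Drop arrival index 1 (one copy of seq 0) and indices 4 and 5 (both copies of seq 2).
    link = OneWayLink(drop_frame_indices={1, 4, 5})
    tx = SendSideProxy(link)
    acks = [tx.submit(r) for r in readings]
    rx = ReceiveSideProxy(link.pop)
    rx.drain()
    return acks, rx.reassemble(), rx.missing_seqs()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the demo the sender receives an acknowledgment for both messages even though the second one never fully arrives; the receive side, which has no way to say so, records the missing sequence number instead. That asymmetry is exactly the trade-off Vermij and Romansky describe: the diode preserves isolation, and the proxy layer is what makes the sender's protocol work despite it.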
Another consideration could be how data diodes will function in the context of existing security systems, primarily how security systems will be able to monitor devices behind the data diodes. Proper placement of the data diodes will ensure that security applications get what they need. “You can pass that monitoring data through the diode and deliver it if you have a SOC or a NOC where you collect analytics,” Romansky said.
Siemens’ Guilarte noted that a data diode is not likely to interfere with existing security systems, but may even improve them. “It is not vulnerable to software changes or mismanagement,” Guilarte wrote, “it is secure by default, and no misconfiguration or software vulnerability can make it insecure.”
Data Diode Buyer’s Checklist
Data diodes typically cost a few thousand dollars, with the price increasing as more sophisticated features are added. That’s in line with the cost of a firewall, but the lifespan of a diode far exceeds other network products.
“Some have been running for 20 years without maintenance,” Vermij noted.
Guilarte noted that this reliability could be a deal breaker for some IoT environments. “As data diodes are used in highly secure/sensitive systems, long life cycle support is a must to match the long life cycles of such systems,” Guilarte wrote.
Some other features to consider when purchasing data diodes include performance capabilities and protocol support, both of which will be dictated by current and planned network architectures.
Security ratings can also be a factor. Many diodes are rated using the EAL1 to EAL7 Evaluation Assurance Level scale. EAL7 is the highest rating and indicates that the product has undergone formal design verification and has been tested. Other standards may also come into play. According to Guilarte, the “independent security evaluation of the development, manufacture and support by internationally recognized standards such as IEC 62443” should also be considered.
The future of hardware-based IoT security
As effective as data diodes are, they may be challenged by a growing number of wide-range IoT networks supporting thousands or hundreds of thousands of endpoints. With that scale and complexity of the network, effective security will need to be more localized.
“Network security is becoming impossible, so we have to push security to the limit, to the device itself,” Vermij said. “The full air gap is not really practical anymore.”
Data diode manufacturers understand that traditional diode operations may not be enough and are moving their technologies to chip-sized platforms that can be directly incorporated into end devices. “Once you have the ability to perform this type of inspection on a field programmable gate array, you will now dramatically reduce the size, weight, power and cost of a packet handling solution. So now you can start thinking about where else I can put this.”