Data diodes allow data to flow in one direction, effectively protecting sending devices from an external attack.
Like strict traffic cops, data diodes enforce a one-way path for data crossing a network boundary, ensuring that the IoT devices on the protected (sending) side of the diode cannot be reached, let alone compromised, by malicious incoming traffic.
Simple yet elegant solutions, data diodes provide device-based security for Internet of Things (IoT) environments. These environments have become more vulnerable as the volume of connected devices increases, and networks extend to wider and more distant geographies. For any administrator of an IoT infrastructure, security is a major concern today – for good reason.
“IoT devices now account for 32.72% of infected devices monitored,” Nokia noted in the “Threat Intelligence Report 2020,” which chronicles malware activity on networks based on data collected by the company’s security software. “Compared to 2019, the share occupied by IoT devices in the total device breakdown has increased by 100%, from a previous share of 16.17%.” The threat to IoT endpoints is so severe that Nokia concluded, “Cybercriminals are focusing their efforts on IoT and mobile devices.”
“The growing digitalisation of critical infrastructure with an increasing number of IoT devices is raising the bar for network security,” wrote Andres Guilarte, global product, connectivity and IoT manager for Siemens Mobility in response to email questions from IoT World Today.
How data diodes protect networks
A diode is “a device, such as a two-element electronic tube or a semiconductor, through which current can flow freely in only one direction,” according to Dictionary.com.
Data diodes apply this principle to network infrastructure: data is allowed to flow in one direction, and anything traveling the other way is stopped dead in its tracks. While they have grown in sophistication and capability since their introduction a few decades ago, data diodes are still essentially single-purpose devices that provide a relatively straightforward service.
Data diodes work similarly to other hardware-based network flow controls. A comparable effect has long been achieved by modifying cable connections, for example by removing the receive pin from an RS-232 connector so the serial link can physically carry data in only one direction. This is a crude solution, to be sure, and one that lacks diode capabilities such as protocol awareness, which can be critical to network operations.
Network gateways can also restrict or eliminate certain data transmissions, but they tend to bring the same complexity, hardware requirements and patching burden as firewalls. “One of the benefits of diodes is that you do not need to patch them,” said Johan Vermij, IoT research analyst at 451 Research, “so they are more suitable than firewalls for remote locations.”
“It is a one-way transfer based on hardware physics,” said Brian Romansky, chief innovation officer for diode maker Owl Cyber Defense. “You cannot secretly or accidentally open a backward port you forgot about.”
According to Romansky, data diodes date back to the Cold War era. “The concept of the data diode came from a job that was actually a Department of Defense program and actually relates to a time when the US and Russia had signed a nuclear dismantling agreement,” he noted. Both sides had to share data to ensure compliance with the pact. “How can I share data with my most incredible enemy from my most secret data set? And how do I make that connection work without being a very manual, tedious process? And so the data diode was invented as a way to do that.”
Given their origins in defense and intelligence, it is not surprising that data diodes appear among the recommendations of the Department of Homeland Security. “If one-way communication can accomplish a task, use optical partitioning (‘data diode’),” the department suggests in its publication “Seven Strategies to Protect ICS.”
Where data diodes fit into a security scenario
A successful IoT security strategy is likely to require a multi-layered approach using software and hardware security products. A typical IoT environment involves smart and not-so-smart devices for collecting and analyzing data. Smart devices may have more inherent vulnerabilities, but they also have the computing power to execute sophisticated security software. Less intelligent endpoint devices rarely have the processing power to do anything other than their assigned tasks.
Encryption and firewalls are standard fare in IoT security scenarios, but each can fall short in certain areas, leaving potentially exploitable gaps. The more data traffic that is encrypted the better, but encryption and decryption add latency, which can cause problems for systems that must respond in real time to data from sensors and other devices.
Firewalls, a key element of IT network security, also figure prominently in the discussion. Firewalls can effectively prevent intrusions and control the flow and direction of data movement in the network. Their disadvantage is that they require dedicated hardware, must be managed and monitored, and often need patching and updating. This can be a daunting task for complex networks that require multiple firewalls to operate simultaneously.
“Given the ever-increasing connectivity and rapidly increasing cyber attacks, firewalls are no longer the only online security option,” noted Siemens’ Guilarte.
A growing area of IoT security technology is hardware-based security. This category includes purpose-built security appliances such as data diodes, as well as endpoint devices that have been upgraded with chips providing security functions, such as hardware security modules (HSMs).
The main facts about data diodes
While data diodes have found their way into a variety of environments and operations, their most frequently cited application is to isolate reporting from data collection. “The most common use case we see is, historically, actually replicating data historians,” Romansky said. “You can get reports and information from that system guaranteeing that no threat can enter.”
Today, however, diodes are used in many other ways to increase IoT security. Some of the critical applications that diodes can help protect include the following:
- Disaster backup and recovery repositories
- Database replication and other application data copies
- Traffic to or from remote sensors and other devices
One concern that potential implementers may have is how receiving devices can acknowledge that data has been received.
“One-way data transmission is essentially a blind transmission if the sending network cannot verify receipt of data from the other network,” noted 451 Research’s Vermij. Without such verification, sending systems cannot confirm that their data has arrived. “This could result in retransmissions, which would use extra bandwidth,” Vermij added.
But modern data diodes are much smarter than the simple one-way links they once were. With built-in understanding of communication protocols, diodes can supply the acknowledgments a session-based protocol expects without opening a return path through the diode.
“Every time you try to create a TCP session, you need an acknowledgment to come back. It’s session based,” Romansky said. He noted that Owl diodes have integrated proxy servers to address the acknowledgment problem. “When you make a connection to a data diode, you are actually connecting to an application running on the diode, and you are connecting to an application we have developed that is aware of the protocol you are trying to send out.”
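The proxy arrangement Romansky describes, and the blind-transmission problem Vermij raises, are easier to see in code. The following is a small added model written for this article in Python; it is illustrative only and is not Owl’s code or any vendor’s. The sending-side proxy answers the local session itself, then pushes checksummed, sequence-numbered frames across a channel object that has no method for sending anything back. Because nothing can be requested again, the sender repeats each frame and the receiver deduplicates, discards corrupted copies and reports the gaps it cannot fill. The framing format, the repetition count, the loss pattern and the byte strings are all constructed for the example.

```python
"""Toy model of a protocol-aware data-diode proxy pair (illustrative only).

The sending-side proxy terminates the session-based protocol locally, so the
application gets its acknowledgements, then pushes framed data across a
strictly one-way channel.  The receiving side can never ask for a
retransmission, so the sender repeats every frame and the receiver
deduplicates, verifies a checksum and reports gaps it cannot fill.
"""
import struct
import zlib

# Constructed wire format for the example: seq | crc32(payload) | length | payload
HEADER = struct.Struct("!IIH")


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one frame. The CRC lets the receiver drop corrupted copies
    without needing a reverse channel to ask for a resend."""
    return HEADER.pack(seq, zlib.crc32(payload) & 0xFFFFFFFF, len(payload)) + payload


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupted."""
    if len(frame) < HEADER.size:
        return None
    seq, crc, length = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length or zlib.crc32(payload) & 0xFFFFFFFF != crc:
        return None
    return seq, payload


class OneWayChannel:
    """The 'hardware' half of the model: frames go in one side and come out
    the other.  There is deliberately no method for the receiver to put
    anything back, which is the property a physical diode enforces."""

    def __init__(self, drop_indices=frozenset()):
        self._queue = []
        self._count = 0
        self._drop = set(drop_indices)  # constructed loss pattern, by transmit index

    def transmit(self, frame: bytes) -> None:
        if self._count not in self._drop:
            self._queue.append(frame)
        self._count += 1

    def drain(self):
        out, self._queue = self._queue, []
        return out


class SendProxy:
    """Terminates the application session on the protected side and forwards blindly."""

    def __init__(self, channel: OneWayChannel, redundancy: int = 2):
        self.channel = channel
        self.redundancy = redundancy
        self.next_seq = 0

    def submit(self, payload: bytes) -> int:
        """Called when the local application sends data.  The returned seq is
        the local acknowledgement the sender sees; no ack ever crosses the diode."""
        seq = self.next_seq
        self.next_seq += 1
        frame = encode_frame(seq, payload)
        for _ in range(self.redundancy):  # repetition replaces retransmission
            self.channel.transmit(frame)
        return seq


class ReceiveProxy:
    """Reassembles in order, drops duplicates, and reports unrecoverable gaps."""

    def __init__(self):
        self.received = {}

    def ingest(self, frames) -> None:
        for raw in frames:
            decoded = decode_frame(raw)
            if decoded is None:
                continue  # corrupted copy; another copy may still arrive
            seq, payload = decoded
            self.received.setdefault(seq, payload)  # first good copy wins

    def deliver(self, expected_count: int):
        """Return (ordered payloads, missing seqs).  Missing ones can only be
        logged to monitoring; they can never be requested back across the diode."""
        missing = [s for s in range(expected_count) if s not in self.received]
        ordered = [self.received[s] for s in range(expected_count) if s in self.received]
        return ordered, missing


def run_transfer(messages, drop_indices=frozenset(), redundancy=2):
    """Push messages through the model and return what the receiving side got."""
    channel = OneWayChannel(drop_indices)
    tx = SendProxy(channel, redundancy)
    for m in messages:
        tx.submit(m)
    rx = ReceiveProxy()
    rx.ingest(channel.drain())
    return rx.deliver(len(messages))


if __name__ == "__main__":
    # Constructed sample: three messages, lose one copy each of seq 0 and seq 1.
    print(run_transfer([b"temp=21.4", b"temp=21.6", b"temp=21.9"], drop_indices={0, 3}))
    # Lose both copies of seq 1: a gap is reported, never a resend request.
    print(run_transfer([b"temp=21.4", b"temp=21.6", b"temp=21.9"], drop_indices={2, 3}))
```

With a loss pattern that hits only one copy of a frame, everything is delivered; losing both copies produces a reported gap rather than a retransmission request, which is exactly the trade-off Vermij describes and the reason real diode proxies rely on redundancy or forward error correction rather than TCP-style acks.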
Another consideration is how data diodes will work alongside existing security systems, first and foremost how those systems will be able to monitor the devices behind the diode. Proper placement of data diodes ensures that security applications still get what they need. “You can pass that monitoring data through the diode and deliver it, if you have a SOC or a NOC, where you are collecting analytics,” Romansky said.
Siemens’ Guilarte noted that a data diode is unlikely to interfere with existing security systems and may even make them better. “It is not vulnerable to software changes or mismanagement,” Guilarte wrote.
Data diode buyer’s checklist
Data diodes typically cost several thousand dollars, with the price rising as more sophisticated features are added. This is in line with the cost of a firewall, but the useful life of a diode exceeds that of other network products.
“Some have been operating for 20 years without maintenance,” Vermij noted.
Guilarte noted that this longevity may be decisive for some IoT environments. “Given that diodes are used in very secure / sensitive systems, long life cycle support is a must in order to match the long life cycles of such systems,” he wrote.
Other features to weigh when purchasing data diodes include throughput and protocol support, both of which will be dictated by current and planned network architectures.
Security evaluations can also be a factor. Many diodes are certified under the Common Criteria evaluation assurance levels, EAL1 to EAL7. EAL7 is the highest level and means that the product’s design has been formally verified and tested. Other standards may also come into play. “Independent security assessment of development, production and support according to internationally recognized standards such as IEC 62443” should also be considered, according to Guilarte.
The future of hardware-based IoT security
As effective as data diodes are, they face a challenge from the growing number of large IoT networks that support thousands or hundreds of thousands of endpoints. At that scale and complexity, effective security will need to be more localized.
“Network security is becoming impossible, so we need to bring security to the edge, to the device itself,” Vermij said. “Full air gapping is no longer practical.”
Data diode manufacturers realize that traditional diode deployments may not be enough and are moving their technologies onto chip-sized platforms that can be built directly into new devices. “Once you have the ability to do this type of inspection on a field-programmable gate array, you dramatically reduce the size, weight, power and cost of a packet-handling solution. Now you can start thinking about where else you can deploy that.”