Is It Time To Consider Data Diodes to Protect Your Plants?
Bayshore is pleased to announce the launch of its latest purpose-built OT security appliance, SCADAwall, an industrial airgap bridge. Like SCADAfuse and OTaccess, SCADAwall is designed to be easy for OT engineers and operators to set up and use, without requiring corporate IT resources, or the constant care and feeding of re-purposed IT security tools.
SCADAwall uses the basic design idea of a data diode. A diode is an electrical component that allows electric current to pass in only one direction, “forward,” and blocks anything returning from the “reverse” direction. The diode acts as a sort of electronic version of a check valve.
Similarly, data diodes (also sometimes called “unidirectional security gateways”) have been deployed as purpose-built hardware devices where the trusted domain could transmit data but not receive it, and the untrusted domain could receive data but not transmit it. This was achieved by physical modification of standard network interfaces, and a mix of special software adapters which overcame the typical requirements for “normal” network connections before applications would work. They accepted incoming connections, broke them apart into a format which could be moved without any kind of handshake from the other side (that’s the “unidirectional” part), and then reassembled the data back into something more conventional on the other side.
This basic model is fine, but it’s relatively slow and inefficient. The hardware diodes rely on retransmission to ensure that the full content of a connection is delivered, and the overall bandwidth is fairly low – between 10 and 100 megabits per second in most cases. Much of that bandwidth can be consumed via that retransmission overhead, so the real throughput is even lower. The customer therefore pays twice – first, the base cost is high, and second, the value equation per throughput is weak.
Improving the Value Equation
SCADAwall takes the good parts of this unidirectional isolation – no networking between the two sides, separate CPUs to handle each domain – and adds two major architectural advantages while improving the value equation tremendously.
The first advantage is Guaranteed Delivery. This means that SCADAwall knows internally when a message has been delivered correctly from the trusted side to the untrusted side. It does this because the trusted side is able to read a value computed by the untrusted side and placed in memory. When the trusted side confirms that the value it expects is present, it knows the delivery was successful, and no further transmission is required.
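As an added illustration (not Bayshore's code and not the SCADAwall implementation), the following toy model contrasts the blind-retransmit delivery of a classic diode described above with the confirm-by-memory-read scheme just described. The one-way bus, the constructed drop schedule, and the use of a SHA-256 digest as the "value computed by the untrusted side" are all assumptions made for the simulation.

```python
import hashlib

def digest(data: bytes) -> str:
    # Value the untrusted side computes over what it received (assumed: SHA-256)
    return hashlib.sha256(data).hexdigest()

class OneWayBus:
    """Simulated one-way link: the trusted side can only push frames and the
    untrusted side can only pull them. `drops` is a constructed schedule of
    which pushes are lost (True = lost), to make the run deterministic."""
    def __init__(self, drops=()):
        self.drops = list(drops)
        self.queue = []
        self.frames_sent = 0
    def push(self, frame: bytes) -> None:
        lost = self.drops[self.frames_sent] if self.frames_sent < len(self.drops) else False
        self.frames_sent += 1
        if not lost:
            self.queue.append(frame)
    def pull(self):
        return self.queue.pop(0) if self.queue else None

def untrusted_receive(bus: OneWayBus, ack_cell: dict):
    """Untrusted side: drain the link, keep the last frame, and write the digest of
    what it holds into a memory cell that the trusted side is allowed to read.
    No packet ever travels back toward the trusted side."""
    got = None
    while (frame := bus.pull()) is not None:
        got = frame
    if got is not None:
        ack_cell["digest"] = digest(got)
    return got

def blind_repeat_send(bus: OneWayBus, message: bytes, repeats: int) -> int:
    """Classic diode: no feedback at all, so the sender pushes `repeats` copies
    regardless of whether the first one arrived. Returns frames spent on the link."""
    for _ in range(repeats):
        bus.push(message)
    untrusted_receive(bus, {})
    return bus.frames_sent

def confirmed_send(bus: OneWayBus, message: bytes, ack_cell: dict, max_tries: int = 5):
    """Confirm-by-memory-read: push once, let the other CPU compute its value,
    and resend only while the value read back differs from the expected digest.
    Returns the attempt number that succeeded, or None if every try was lost."""
    expected = digest(message)
    for attempt in range(1, max_tries + 1):
        bus.push(message)
        untrusted_receive(bus, ack_cell)  # the untrusted CPU does its part
        if ack_cell.get("digest") == expected:
            return attempt
    return None
```

With a lossless link the confirmed scheme spends one frame per message, while the blind scheme always spends `repeats` frames; with the first frame lost, the confirmed scheme stops after its second frame.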
The second advantage is that we don’t use partially disabled network interfaces on either side of SCADAwall. Each interface looks and acts like a normal TCP/IP interface as far as the originating and receiving applications and network locations are concerned. This makes integrating different connection types much easier, and while we’re proud of the capabilities included at launch, we have big plans to keep expanding that list. Our internal bus between the two halves of SCADAwall is capable of raw throughput of 40 gigabits per second. This means that we could, for example, equip our two component systems with 10-gigabit optical interfaces and still only be using 25% of the bandwidth potential of the solution. At launch, however, we’ll “only” support Ethernet versions of 50 megabit, 100 megabit, and 1 gigabit throughput. If you start with a smaller one, you can upgrade to a faster one as needed via nothing more than a license change.
Widening the Accessibility
SCADAwall is designed to make real physical separation of trusted devices a realistic segmentation strategy for midsize and smaller ICS network operators. SCADAwall, based upon the basic data diode design idea, is also a budget-friendly solution with a strong set of capabilities and performance now within reach of companies of all sizes.
In essence, SCADAwall lets you isolate your most important devices from the rest of the network, ensuring that even if your main plant environment were compromised by malware or intruders, they would not be able to gain access to – and manipulate – those critical production assets.
At the same time, those same assets remain able to communicate back to the rest of your plant environment at full speed, including databases and historians; SCADA tools; and real-time streaming protocols such as MQTT-SN or syslog. In every case, however, the critical goal is to ensure that nothing from the untrusted side can make any kind of connection back into the trusted side. No network connections for applications, no pings, no reconnaissance or probing of any sort is permitted.
The specific list of unidirectional features we support at launch includes:
- OPC DA replication, for 50,000 points or more and multiple simultaneous servers;
- OPC AE replication;
- Modbus server replication, for multiple simultaneous servers;
- File transfers, using Windows SMB (or CIFS) or FTP;
- Database record replication via exported records into files on the trusted side, and ingestion into another DB instance on the untrusted side; and
- Unidirectional streaming UDP and TCP sockets, for any applications that can use them, such as syslog, MQTT-SN, or TFTP.
“Commercial Off-the-Shelf” Systems
Bayshore uses Dell 1U servers for the underlying systems of SCADAwall. Our view is that Dell’s worldwide support network, high-quality engineering, and overall system stability make these platforms suitable for SCADAwall deployments. SCADAwall uses cryptographic hardware keys to control access to the administrative interface and supplies the system with a native Windows-based management console application. Use of the OPC DA replication also requires the use of Bayshore OPC services on flanking Windows servers.