Opinion Cybersecurity has many supremely annoying aspects. It soaks up talent, time, and money like the English men’s football squad, and like that benighted institution, the results never seem to change.
Now, an idea is making its way out of the murky worlds of government, industrial, and high-security networks into commercial awareness – unidirectional gateways, better known as data diodes. You’ve probably guessed what these do. They’re network appliances that pass data in one direction only, and they do it in hardware. Unlike a firewall, which blocks traffic only if its software is correctly configured, the laws of physics prevent data going the wrong way through a data diode. Think of it as a one-way air gap.
Data diodes have been around since the mid ’80s, and were invented by people with highly classified networks who nevertheless needed to pass selected information out to networks with a lower security rating. Data diodes provided a connection allowing that but completely eliminating any pathway through which an attacker who’d compromised the less secure network could touch the good stuff.
Physically, data diodes are if anything simpler than ordinary gateways. Somewhere within any normal network connection, there’s a physical circuit that transmits data and another that receives it. Remove the receiving circuit, and there’s your diode. You can do this with optical fibers, wired networks, or even wireless – your local on-air radio station and your broadcast receiver make a perfectly effective data diode. In networks, though, the problems with data diodes are software, specifically data transmission protocols.
The whole of the internet is designed to detect and correct errors in data transmission. Packets are sent with extra information that the receiver can use to check for data integrity, and if there’s been corruption or other problems, the receiver sends back a request for retransmission. Other signals help manage efficient data flow. Transmitters need these signals to operate properly, and data diodes block them. A data diode that was only hardware would be completely incompatible with modern systems.
The answer is to have software in the data diode that creates the reverse traffic each protocol needs, so that to the sending side it looks as much like a normal network as possible. It can also add extra information to the outgoing data so that software on the other side of the diode can detect and correct errors before sending the data onward. These techniques have evolved over the years, so that a modern diode supports a wide range of protocols.
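The two halves of that arrangement, as an added simulation that is not code from the original article or from any diode vendor: a sender-side proxy that answers the client itself (no acknowledgement can ever come back), adds sequence numbers and a checksum to each frame and sends every frame several times as crude forward redundancy, and a receiver-side proxy that rejects corrupt frames, ignores duplicates and reports the sequence numbers it never saw, because it has no way to ask for them again. The link's loss and corruption pattern, the frame format and the telemetry sample are all constructed for this example.

```python
import struct
import zlib

# Frame header: sequence number, total frame count, CRC-32 of the chunk.
FRAME_HDR = struct.Struct("!HHI")


class OneWayLink:
    """Simulated diode. Frames enter at transmit() and leave at drain().
    There is deliberately no call by which the receiving side can signal
    anything back: no ACK, no NACK, no flow control. Loss and corruption
    are deterministic so the run is repeatable (constructed behaviour, not
    a model of any real product)."""

    def __init__(self, drop_every=4, corrupt_every=7):
        self.drop_every, self.corrupt_every = drop_every, corrupt_every
        self._sent = 0
        self._queue = []

    def transmit(self, frame: bytes) -> None:
        i, self._sent = self._sent, self._sent + 1
        if i % self.drop_every == 2:
            return  # frame lost in transit
        if i % self.corrupt_every == 3:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # last byte flipped
        self._queue.append(frame)

    def drain(self) -> list:
        out, self._queue = self._queue, []
        return out


def build_frames(payload: bytes, chunk_size: int) -> list:
    """Split the payload into numbered, checksummed frames."""
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    total = len(chunks)
    return [FRAME_HDR.pack(seq, total, zlib.crc32(c)) + c for seq, c in enumerate(chunks)]


class SendProxy:
    """Source-side half of the diode. It terminates the client's protocol
    locally: send() reports success at once, because no acknowledgement
    can ever arrive from the far side. Each frame is sent `repeats` times,
    the simplest form of forward redundancy."""

    def __init__(self, link: OneWayLink, repeats: int, chunk_size: int = 4):
        self.link, self.repeats, self.chunk_size = link, repeats, chunk_size

    def send(self, payload: bytes) -> bool:
        for frame in build_frames(payload, self.chunk_size):
            for _ in range(self.repeats):
                self.link.transmit(frame)
        return True  # the local "ack" the client is waiting for


class ReceiveProxy:
    """Destination-side half. Verifies each frame's CRC, discards corrupt
    frames and duplicates, and reports which sequence numbers never
    arrived, since it cannot ask for a retransmission."""

    def __init__(self):
        self.frames = {}
        self.total = None
        self.rejected = 0

    def accept(self, raw: bytes) -> bool:
        if len(raw) < FRAME_HDR.size:
            self.rejected += 1  # truncated frame
            return False
        seq, total, crc = FRAME_HDR.unpack_from(raw)
        chunk = raw[FRAME_HDR.size:]
        if zlib.crc32(chunk) != crc:
            self.rejected += 1  # corrupted in transit
            return False
        self.total = total
        self.frames.setdefault(seq, chunk)  # repeats are harmless duplicates
        return True

    def reassemble(self):
        """Return (payload, []) when complete, or (None, missing_seqs)."""
        if self.total is None:
            return None, []  # nothing usable arrived at all
        missing = [s for s in range(self.total) if s not in self.frames]
        if missing:
            return None, missing
        return b"".join(self.frames[s] for s in range(self.total)), []


def transfer(payload: bytes, repeats: int):
    """Push one message across the simulated diode and reassemble it."""
    link, rx = OneWayLink(), ReceiveProxy()
    SendProxy(link, repeats).send(payload)
    for raw in link.drain():
        rx.accept(raw)
    return rx.reassemble()


if __name__ == "__main__":
    msg = b"pressure=41.7bar;pump=on"  # constructed telemetry sample
    print(transfer(msg, repeats=1))  # frames 2 and 3 are lost for good
    print(transfer(msg, repeats=3))  # every chunk survives at least once
```

With a single copy of each frame the receiver can only report the gap; with three copies every chunk gets through, which is the trade a real diode makes too: bandwidth spent on redundancy in place of the retransmission requests it cannot carry.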
An alternative that may seem paradoxical is to route incoming data to the more secure network through another data diode – and what’s the point in making a system that goes just one way if you just punch another hole going the other? But a data filter on the secure side of that return path can present a very narrow window for attacks. It’s as if your local radio station has a telephone number for taking requests. You’re not going to be able to use that to take over the transmitter and urge the downtrodden masses to rise up and crush the oppressors, only to plead for Pink Floyd.
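What "a very narrow window" looks like in code, as an added example that is not from the article: a filter for the return path that accepts exactly one request shape, a verb and a small bounded integer, and forwards a message rebuilt from the parsed value rather than the bytes that arrived, so nothing the sender controls ever reaches the secure side verbatim. The request grammar, the allowed range and the sample lines are all constructed for the example; a real deployment would define its own equally small grammar.

```python
import re

# Hypothetical request-line grammar for the return path: one verb, one
# bounded integer, newline, nothing else. Constructed for this example.
MAX_LINE = 16
REQUEST = re.compile(rb"req:(\d{1,4})\n")
ALLOWED_IDS = range(1, 1000)  # the only things the secure side will be asked for


def filter_request(raw: bytes):
    """Return the canonical request the secure side will see, or None.
    The input is never forwarded as-is: the only thing that crosses is an
    integer that has already been range-checked and re-encoded."""
    if len(raw) > MAX_LINE:
        return None  # oversized: rejected before it is even parsed
    m = REQUEST.fullmatch(raw)
    if m is None:
        return None  # any extra byte, other verb or encoding trick fails
    req_id = int(m.group(1))
    if req_id not in ALLOWED_IDS:
        return None
    return b"req:%d\n" % req_id  # rebuilt from the parsed value, not copied


def filter_stream(lines):
    """Apply the filter to a batch; return (forwarded, dropped_count) so the
    drop count can be fed to monitoring on the secure side."""
    forwarded, dropped = [], 0
    for raw in lines:
        out = filter_request(raw)
        if out is None:
            dropped += 1
        else:
            forwarded.append(out)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample of what might arrive on the request line.
    sample = [b"req:42\n", b"req:0007\n", b"req:42;shutdown\n", b"GET / HTTP/1.1\n"]
    print(filter_stream(sample))  # ([b'req:42\n', b'req:7\n'], 2)
```

Note that `req:0007` is forwarded as `req:7`: re-encoding strips even harmless variation, so the secure side only ever parses messages the filter itself produced.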
Data diodes will always need to be incorporated with intelligence and finesse. There are compromises and limitations, but also benefits. Lifetime maintenance costs can be low. Set up a traditional firewall and fail to patch it, and it will be a potential security vulnerability that will only grow over time. A data diode will just keep working. Or at worst, fail in a way that’s immediately obvious and inherently safe.
One particular incident illustrates why data diodes are so in vogue with industry sectors where significant physical infrastructure needs to be integrated with IT systems. In 2008, a massive explosion disabled a gas pipeline in Turkey in what subsequently turned out to be the most destructive cyberattack then or now. Intruders had got into the pipeline’s network systems through a vulnerability in the surveillance camera system, subsequently disabling the cameras and the pipeline’s sensor systems.
They then commanded the pumps to over-pressure the pipeline until it split open and exploded. No alarms were triggered during this because the sensors were offline. Routing the security cameras through data diodes would have eliminated them as an attack vector, while keeping the sensors on the secure side of a diode-isolated network segment would have stopped them being disabled.
If you don’t happen to run a pipeline or highly classified networks, data diodes still have potentially significant applications. Take database replication, where an attacker who manages to compromise one network for the purposes of ransomware, say, won’t be able to attack the copy behind a data diode. It’s no miracle cure, of course, as very few commercial systems can be neatly isolated from data input, control, and requests, but it is a design option that can significantly reduce a system’s attack surface. Logging, alerts, and telemetry can be made more secure and more reliable too.
In the energy, manufacturing, and other industries with significant or critical physical systems, the single biggest cybersecurity decision is how to interconnect IT and OT – the operations technology that keeps the lights on or violently explodes. These days, the IT side means the massively interconnected, highly proficient, and highly exposed off-the-shelf software and hardware that everyone else uses. Data diodes play a big and increasingly important part in partitioning the truly critical from more vulnerable environments.
Your critical systems may not be handling gigawatts of power or stopping aircraft from falling out of the sky, but it’s no sin to behave as if they do.