The internet of things and Industry 4.0 networks require reliable, safe, and secure data links. But today any network is exposed to cyberattacks, even when it is protected by traditional security measures. A data diode, a combined hardware and software device, addresses this by permitting only data uploads to the outside world and, for security reasons, blocking any data from flowing back in.
The cyber-diode extends the capabilities of traditional network security solutions. How important safe and secure networks are is shown by a study on cyberattacks conducted by the Bundesamt für Sicherheit in der Informationstechnik (BSI or, in English, the German Federal Office for Information Security). According to the study, around 117 million new malware variants, including Trojans such as TrickBot and ransomware, appeared between June 2019 and May 2020, and both the variety and the intensity of the malware continue to rise. The security requirements in the interconnected industry and in critical infrastructures are very high: industrial equipment interfaces must be fully protected so that an attack cannot affect them, and the data transmitted must remain confidential and tamper-proof.
Genua’s Steve Schoner
“But even with existing security solutions, there is still a remaining risk,” Steve Schoner, strategic product marketing manager of Genua GmbH, told EE Times Europe. “With the cyber-diode, we are closing this gap.” Genua GmbH, founded in 1992, is a business unit of Bundesdruckerei (German Federal Printing Office). It has extensive experience with private entities handling classified information and specializes in protecting networks and digital communications.
Because security in industrial networks is poor while IT and OT become ever more interconnected, many companies forgo the advantages of connecting their factories to the outside world via the internet. Networking enables efficient, cost-effective, and flexible manufacturing down to lot size 1, and it makes it possible to monitor and optimize machines and systems (e.g., for predictive maintenance and analytics). Once connected to the internet, however, Industry 4.0 networks become targets for sabotage and espionage by cybercriminals.
“Because existing solutions for cybersecurity are either proprietary or very expensive, we developed our industrial cyber-diode, which ensures secure, reliable, manufacturer- and platform-independent communication,” Schoner explained. “It is the only data diode worldwide based on a certified confidential product.” For secure data transfer in industrial environments, the cyber-diode supports OPC UA (OPC Unified Architecture), an open standard for exchanging machine data. It can also transmit data to client applications over an IPsec VPN. When IPsec is enabled, the diode’s internal firewall ensures that external clients can communicate with the diode only over the encrypted tunnel, which allows data to be delivered securely to any desired cloud service or other external location.
Cyber-diode in detail
The cyber-diode hardware uses an I/O memory management unit (IOMMU) to separate its compartments. The black compartment (left) in the functional block diagram is the transmitter, which in this case is an OPC UA client. In the center, the patented One-Way-Task implements the one-way data transfer. The red compartment (right) is the VPN-capable side, which sends the VPN-protected data via the network interface (NIC) to the external target system. The additional Update Compartment (top) allows new functions or upgrades to be integrated; for security reasons these cannot be delivered over the network, so updates can only be loaded at the device itself, and the basic configuration cannot be altered through the network settings. The hardware fits space-saving DIN rails or a 19-inch rack housing and supports UEFI and Secure Boot. The cyber-diode can be extended with mobile (LTE) and WLAN connectivity, the company said.
Block diagram of a cyber-diode (Image source: Genua)
The core of the software is a minimalist hardened microkernel together with a hardened OpenBSD operating system. Both have a small code base, which minimizes the entry points and attack vectors available to an attacker. “Such an architecture is extremely difficult to attack,” said Schoner. Even vulnerabilities in the operating system have no effect on the patented One-Way functionality, the company says. Only software supplied by Genua can run on the cyber-diodes. “It is cost-effective and available as a lifetime license that includes the hardware and the entire software for one system,” Schoner said. A hotline service or a complete system management service is also available. The number of cyber-diodes needed in a network depends on the user’s risk requirements and the network structure.
Improving security functions
Cyber-diodes enable secure data transfer in Industry 4.0 networks
Compared with traditional cybersecurity methods such as air gaps, firewalls, and optical fiber diodes, cyber-diodes offer several advantages, Schoner claimed. An air gap separates, for example, IT from OT networks and prevents any automated data exchange, which ensures security. But in an Industry 4.0 environment, data has to be exchanged between the networks anyway. In that case the transfer is usually done with a USB stick or other removable media, which is inefficient and error-prone, and the media themselves may carry malware.
The alternative is a firewall, which can be configured to pass data in only one direction. This could work, but it is complex because nearly all firewalls carry more than one set of rules. Rule sets can be changed by accident or become obsolete over the years, which makes attaching new network segments difficult or at least demands considerable expertise, and the one-way function could end up deactivated without anyone noticing.
Cyber-diodes exclude these risks. Fiber diodes, the third traditional option, block data in the reverse direction but need a separate channel to learn whether a transfer succeeded. To make transfers more reliable, the cyber-diode confirms a successful transfer by sending back just one bit. That acknowledgement is itself a return path, however narrow, so the practical guarantee is not “nothing flows back” but “at most one bit per transfer flows back”; keeping it that small is what limits the information that can pass in the reverse direction. Finally, cyber-diodes can be integrated easily into existing industrial networks.
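The following simulation, added here as an illustration and not Genua’s code, models the two behaviours the comparison above describes: a sender on the inner (“black”) side pushes framed records through a one-way path to the outer (“red”) side, and the only thing the path lets back is a single boolean per frame. With that one-bit acknowledgement a corrupted frame is retransmitted; with the return path switched off, as in a plain fiber diode, the sender never learns that a record was lost. The records, the framing format (sequence number plus SHA-256 digest) and the corruption pattern are all constructed for the example.

```python
"""One-way transfer with a one-bit acknowledgement (constructed simulation)."""
import hashlib
import json
from collections import deque


def frame(seq: int, payload: bytes) -> bytes:
    """Wrap a record with a sequence number and a SHA-256 digest over both."""
    body = {"seq": seq, "data": payload.hex()}
    body["sha256"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return json.dumps(body, sort_keys=True).encode()


def verify(raw: bytes):
    """Return (seq, payload) if the frame parses and its digest matches, else None."""
    try:
        body = json.loads(raw)
        digest = body.pop("sha256")
        expect = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != expect:
            return None
        return body["seq"], bytes.fromhex(body["data"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


class OneWayPath:
    """Forward direction carries frames; the reverse direction carries one bit."""

    def __init__(self, corrupt_once=(), ack_channel=True):
        self._forward = deque()
        self._corrupt_once = set(corrupt_once)  # seqs damaged on their first attempt
        self._ack_channel = ack_channel          # False models a fiber diode
        self._ack = None

    def send(self, seq: int, raw: bytes) -> None:
        # seq is passed only so the simulation can corrupt deterministically
        if seq in self._corrupt_once:
            self._corrupt_once.discard(seq)
            i = len(raw) // 2
            raw = raw[:i] + bytes([raw[i] ^ 0x01]) + raw[i + 1:]
        self._forward.append(raw)

    def receive(self) -> bytes:
        return self._forward.popleft()

    def ack(self, bit) -> None:
        """The receiver may send back exactly one bit; anything else is rejected."""
        if type(bit) is not bool:
            raise TypeError("return path carries a single bit")
        if self._ack_channel:  # with no return path the bit simply goes nowhere
            self._ack = bit

    def read_ack(self):
        """Sender side: True/False, or None when there is no return path."""
        bit, self._ack = self._ack, None
        return bit


class Receiver:
    """Outer side: accept intact, in-order (or later) frames, drop the rest."""

    def __init__(self, path: OneWayPath):
        self.path = path
        self.expected = 0
        self.records = []

    def handle_frame(self) -> bool:
        parsed = verify(self.path.receive())
        ok = parsed is not None and parsed[0] >= self.expected  # replays rejected
        if ok:
            self.records.append(parsed[1])
            self.expected = parsed[0] + 1
        self.path.ack(ok)
        return ok


def transfer(records, corrupt_once=(), ack_channel=True, max_retries=3):
    """Push records through the path; return (received records, retransmissions)."""
    path = OneWayPath(corrupt_once, ack_channel)
    rx = Receiver(path)
    retransmissions = 0
    for seq, payload in enumerate(records):
        raw = frame(seq, payload)
        for _ in range(max_retries + 1):
            path.send(seq, raw)
            rx.handle_frame()
            if path.read_ack() is not False:
                break  # ACK received, or no return path at all (fiber-diode case)
            retransmissions += 1
    return rx.records, retransmissions


if __name__ == "__main__":
    recs = [b"temp=21.5", b"pressure=3.1", b"rpm=1480"]
    print(transfer(recs, corrupt_once={1}))                     # all three, 1 retry
    print(transfer(recs, corrupt_once={1}, ack_channel=False))  # record 1 silently lost
```

The point to take from the model is the `ack()` guard: the reverse direction is typed as a boolean, so the outer side can say “good” or “bad” about a frame but cannot push bytes back, while the sender still gets enough feedback to retry.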
This article was originally published on our sister site, EE Times Europe.