By Colin Dunn, P.E., PMP, CEM, LEED AP, M.SAME, and Tapan Patel, P.E.
Each year, more equipment is brought online for real-time monitoring to help prioritize investment and make more optimal use of personnel time. The economic and efficiency gains can be significant, but the connectivity that makes this operational awareness possible has also opened these systems up to the risk of cyberattack. A new class of technology aims to combine the security of an air gap with the connectivity needed to efficiently manage both modern and legacy operational technology (OT) systems.
A recent project led by Fend Incorporated and the U.S. Army Engineer Research & Development Center’s Construction Engineering Research Laboratory (CERL), through the Environmental Security Technology Certification Program (ESTCP), studied the utilization of data diodes as a secure, practical, and low-cost way to get data out of facility-related control systems and other equipment assets and into the hands of operators. The research evaluated whether this new class of U.S.-made hardware can provide enhanced operational intelligence and security.
With an easier and more secure way to obtain performance data, managers using data diodes have the opportunity to improve energy efficiency, productivity, and system resilience.
PHYSICAL ENFORCEMENT
Data diodes enable a physically enforced, one-way information stream from OT networks and equipment by using light to transmit data from one side to the other, physically isolating vulnerable equipment from lower-security external networks. The technology has advanced significantly in terms of usability, capability, and cost since its early deployments at nuclear power plants and across the intelligence community. Protection that once required a $100,000 purchase (plus custom installation) can now be obtained for less than 1/20 the cost and installed by on-site personnel.
In September 2021, the Department of Homeland Security’s Critical Infrastructure Security Agency issued recommendations for the use of one-way communication diodes to protect control system boundaries. Previously, operators looking to get data out of facility-related control systems and other industrial systems had to borrow technologies and policies from the IT world, including firewalls and software-based systems, that are not always well suited to protecting OT equipment.
Bad actors are always finding new exploits that allow them to bypass or defeat these systems. While intrusion detection systems can help network administrators clean up after an attack and restore data systems with relative ease, in an industrial setting, when parts can take months to obtain, there may be no practical backup copy available.
Traditional air gaps, where equipment is left disconnected from external systems, greatly increase security, but they sacrifice real-time information. Relying on air gaps limits potential technological advancements. Data collection from air-gapped systems can also be expensive. For example, performance data for an energy savings performance contract on an air-gapped system is often collected by physically retrieving hard drives. This process can cost thousands of dollars in travel and labor and result in stale data that may be six months old.
STUDYING SECURITY
The ESTCP evaluation project sought to determine the ability of data diodes to provide increased security for OT systems while increasing the accessibility of performance data to asset managers across the Department of Defense. Overall, the work centered on two key questions: can data diodes send useful and accurate OT information across the device; and can an outside attacker send data upstream or disable the device?
Researchers also sought results on several specific performance objectives: complete isolation of protected equipment; uninterrupted equipment operation; interoperability with various equipment types and protocols; ease of installation; data transmission to the desired network location; and cost performance.
Evaluating Performance. The bulk of testing related to equipment and protocol compatibility was done at CERL’s facility in Champaign, Ill. The first step was to determine whether data diodes could extract data from several common equipment types using industry-standard communication protocols, such as Modbus, BACnet, LonTalk, and FTP. The CERL team used its Control System Test Lab for compatibility testing, which allowed for connections to sensors, controllers, switches, and servers.
Long-term testing was performed by connecting diode hardware to an administrative building on site. Before connection, staff performed an initial Assured Compliance Assessment Solution scan on the diode. Data then was collected over time and analyzed to determine the reliability of the data diode and data stream accuracy. The diodes were used to extract data from a facility-related control system and send it to another location for later retrieval and analysis.
Results showed that the data diodes were able to successfully transmit data under a variety of conditions. Several protocols were transmitted or converted on board, including BACnet (IP and serial), Modbus (TCP and serial), LON-IP, FTP, and FTPS. The devices continued to send accurate data during long-term tests.
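Checking data stream accuracy on a one-way link has a software side: nothing can travel back across a diode, so the destination cannot acknowledge a record or ask for a resend, and each record has to be verifiable on its own. The following is an added example, not code from the ESTCP project or from any diode vendor; the frame layout, function names, and sample readings are hypothetical and constructed for illustration.

```python
import struct
import zlib

# Hypothetical frame (an assumption): 4-byte sequence, 2-byte length, payload, CRC32.
HEADER = struct.Struct(">IH")
TRAILER = struct.Struct(">I")


def encode_frame(seq, payload):
    """Protected side: wrap one reading so the far side can verify it unaided."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def decode_frame(frame):
    """Destination side: return (seq, payload), or None if the frame is damaged."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    body, crc = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])[0]
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None


def audit_stream(frames):
    """Audit received frames with no return channel: no ACKs, no resend requests."""
    report = {"ok": 0, "corrupt": 0, "duplicate": 0, "missing": []}
    expected = None
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            report["corrupt"] += 1
            continue
        seq = decoded[0]
        if expected is not None and seq < expected:
            report["duplicate"] += 1
            continue
        if expected is not None and seq > expected:
            report["missing"].extend(range(expected, seq))
        report["ok"] += 1
        expected = seq + 1
    return report

# Constructed sample: five readings; frame 2 is lost, frame 3 is damaged in transit.
SAMPLE = [encode_frame(i, b"AHU-1 supply_temp=%d" % (55 + i)) for i in range(5)]
DAMAGED = SAMPLE[3][:8] + b"\x00" + SAMPLE[3][9:]
RECEIVED = [SAMPLE[0], SAMPLE[1], DAMAGED, SAMPLE[4], SAMPLE[4]]
```

A damaged frame is counted as corrupt and its sequence number also appears under missing, since that reading never arrived in usable form; `audit_stream(RECEIVED)` reports three good frames, one corrupt, one duplicate, and readings 2 and 3 missing.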
Cybersecurity Testing. In addition to the initial Assured Compliance Assessment Solution scans, the project team subjected the data diode hardware to cybersecurity performance tests by teams from the U.S. Army and U.S. Navy. CERL worked with the Army’s Threat System Management Office and the Naval Facilities Engineering & Expeditionary Warfare Center’s Control Systems Test Bed to conduct penetration and operational survivability testing. Testing involved confirming that data could be sent only one way; attempting to disrupt, reroute, or manipulate data; and determining whether the device could be disabled or re-engineered.
Data diodes were able to block outside attempts to send data upstream and withstand attacks intended to disrupt device operation. The devices also passed other tests, including RF emission detection, physical attacks, file manipulation, and unauthorized access.
IMPROVING PERFORMANCE
The results of this demonstration show that designers, system administrators, and facility operators can deploy data diodes and enable the secure data acquisition needed to improve operation performance. Additional applications across the defense community’s equipment portfolio could make use of streams of real-time equipment telemetry data. These one-way devices can even open the door to federally approved, cloud-based tools that make use of predictive analytics and machine learning.
By providing access to information that was previously locked behind an air gap and improving security over legacy solutions, these next generation data diodes can enable greater operational efficiency and resilience.
Colin Dunn, P.E., PMP, CEM, LEED AP, M.SAME, is CEO and Founder, Fend Incorporated; cdunn@fend.tech.
Tapan Patel, P.E., is Mechanical Engineer, Construction Engineering Research Laboratory – U.S. Army Engineer Research & Development Center; tapan.c.patel@usace.army.mil.
[This article first published in the September-October 2022 issue of The Military Engineer.]