OT Network Segmentation and Fortification: the Data Diode
Incorporating devices that fortify perimeter access and proper network segmentation is one of the basic countermeasures that should be considered within a defense-in-depth strategy.
Why is network fortification so important?
The lack of devices that allow secure access to the OT network, failure to configure them correctly, deploying them with default configurations, and/or the lack of network segmentation policies make the equipment, processes, and systems located in the operations environment more vulnerable to both external and internal threats.
The most appropriate segmentation and fortification solutions should be adopted taking into account the network architecture of each plant and the criticality of its processes. In any case, given the particularities of OT environments, increasing the security of industrial networks requires first auditing their status: inventorying the devices that connect to them, identifying the means through which they are accessible, and analyzing their degree of segmentation.
One of the most widely used tools for network fortification is the data diode. It is a hardware device (there is no firmware, unlike a firewall) that separates and protects two networks by enforcing a unidirectional flow of information: data from one network reaches the other, but not vice versa. It is highly recommended for truly critical environments in which infrastructures must be given an almost impregnable level of security.
Among the alternatives to consider is the FOX IT data diode. It consists of hardware that ensures unidirectionality in the transit of information (through fiber optic transceivers) and two servers (called proxies). The proxies run specific applications to transmit unidirectionally the information handled in critical infrastructures and industrial environments over protocols such as Modbus or OPC, or stored in industrial databases such as OSIsoft PI or Wonderware Historian.

The key to this data diode is that it can interpret bidirectional protocols (typically TCP, which requires a three-way handshake), “break” them into unidirectional flows (between the proxies and the diode hardware), and then present them again as bidirectional on the uncompromised network.
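The proxy-based design described above, as an added illustration that is not Fox IT's code: a hypothetical sending proxy frames historian-style records for the one-way link and a hypothetical receiving proxy reconstructs them. Because no acknowledgement can cross the diode, each frame carries a sequence number, the batch size and a digest, and is sent twice; the sample records and the lossy-link simulator are constructed for the example.

```python
import hashlib
import json
import struct
HDR_FMT = ">IIH"                    # sequence number, records in batch, payload length
HDR_LEN = struct.calcsize(HDR_FMT)  # 10 bytes; a 32-byte SHA-256 digest follows it

# Constructed sample: values the sending proxy read on the protected side.
SAMPLE_RECORDS = [
    {"tag": "FT101.PV", "value": 12.5, "ts": "2024-01-01T00:00:00Z"},
    {"tag": "PT202.PV", "value": 3.1, "ts": "2024-01-01T00:00:01Z"},
]

def frame_records(records, repeat=2):
    # Sending proxy: since no ACK can come back, each frame carries seq,
    # batch size and a digest, and is transmitted `repeat` times.
    frames = []
    for seq, rec in enumerate(records):
        payload = json.dumps(rec, sort_keys=True).encode()
        digest = hashlib.sha256(payload).digest()  # integrity, not authentication
        hdr = struct.pack(HDR_FMT, seq, len(records), len(payload))
        frames.extend([hdr + digest + payload] * repeat)
    return frames

def simulate_one_way_link(frames, drop=(), corrupt=()):
    # Constructed stand-in for the fibre link: frames may be lost or damaged.
    out = []
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])  # flip the last payload byte
        out.append(f)
    return out

def reassemble(frames):
    # Receiving proxy: verify, de-duplicate and report gaps; it can detect
    # loss but never request a retransmit, because nothing crosses back.
    received, corrupt, total = {}, 0, 0
    for f in frames:
        if len(f) < HDR_LEN + 32:
            corrupt += 1  # truncated frame
            continue
        seq, total, n = struct.unpack(HDR_FMT, f[:HDR_LEN])
        digest, payload = f[HDR_LEN:HDR_LEN + 32], f[HDR_LEN + 32:HDR_LEN + 32 + n]
        if len(payload) != n or hashlib.sha256(payload).digest() != digest:
            corrupt += 1  # damaged frame; the duplicate copy may still arrive
            continue
        received.setdefault(seq, json.loads(payload))
    missing = [s for s in range(total) if s not in received]
    return [received[s] for s in sorted(received)], missing, corrupt
```

The receiver's `missing` list is the operational signal: with a diode, loss is surfaced for monitoring on the receiving side rather than repaired by a retransmit request.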
For more precise and complete information on how this data diode operates, FoxIT has organized the webinar ‘Seamless integration of Active Directory with the Fox DataDiode!’ for March 29. You can access the form from the following link.