
OT Networks: Segmentation and Protection through Data Diode.

Data diode technology is now also being applied in OT network environments to protect the availability of control systems.

Data diodes emerged in the 1980s and 1990s, mainly in the defence and banking sectors, as a mechanism for protecting networks and systems that handled confidential information. Today the same technology is also applied in OT network environments, where the goal is to ensure the availability of control systems.

The emergence of advanced persistent threats (APTs) targeting industrial environments has made this type of solution increasingly widespread in OT. Control or operations (OT) networks and the networks that carry transactional systems (IT) are now commonly interconnected: both sides need to share information, often in real time, and that information, together with some process monitoring and control applications, is often required to be accessible from outside the plant. This calls for segmentation devices such as the data diode, which allow the integration to take place while physically enforcing that data flows in one direction only: monitoring data can be published from the OT network to IT, but no traffic, and therefore no command or exploit, can travel back into the control network over that path. Anything that genuinely needs inbound traffic into OT, such as remote control or engineering access, cannot pass through the diode and has to be handled by a separate, tightly controlled channel.

OT Networks and data diode

A data diode consists of hardware that physically enforces one-way transit (typically a fibre-optic link in which the sending side has only a transmitter and the receiving side only a receiver) and two servers, called proxies, one on each side. The proxies run application-specific connectors that replicate, one way, the information handled in critical infrastructures and industrial environments: protocols such as Modbus or OPC, or data held in historians such as OSIsoft PI or Wonderware Historian.

Each proxy communicates bidirectionally with its own network (the OT network on one side, the IT network on the other); between the two proxies, across the diode, communication is strictly unidirectional. This is the key to the data diode: the send-side proxy terminates bidirectional protocols (typically TCP, whose three-way handshake and acknowledgements cannot cross a one-way link), "breaks" them and converts the data into a one-way stream between the proxies and the diode hardware, and the receive-side proxy then re-originates ordinary bidirectional connections towards its consumers on the destination network. Because no acknowledgement or retransmission request can ever come back, the proxies have to compensate on their own, for example by adding sequence numbers and integrity checks to each frame and sending redundant copies, so that the receiving side can at least detect what it has lost.
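As an added example (not the page's own code and not any vendor's product format), the following Python sketch models the proxy pair described above: the send-side proxy frames each record with a sequence number and a SHA-256 digest and emits every frame twice, the constructed one-way channel may drop or corrupt frames, and the receive-side proxy validates, de-duplicates and records gaps while having no way to send anything back. The frame layout, the redundancy factor and the sample tag values are assumptions made for the illustration; a real deployment would poll the OT historian or PLC over TCP on the send side and serve the delivered records over TCP on the IT side.

```python
import hashlib
import json
import struct

# Frame layout on the one-way link (an assumption for this example, not a vendor format):
#   magic(4) | seq(4, big-endian) | length(2) | payload | sha256(payload)(32)
MAGIC = b"DIOD"
HDR = struct.Struct("!4sIH")
DIGEST_LEN = 32


def frame(seq: int, payload: bytes) -> bytes:
    """Send-side proxy: wrap a record so the receiver can detect corruption and gaps.
    There is no return path, so integrity and ordering information must travel with the data."""
    return HDR.pack(MAGIC, seq, len(payload)) + payload + hashlib.sha256(payload).digest()


def parse_frame(data: bytes):
    """Receive-side proxy: validate one frame; raises ValueError on anything malformed."""
    if len(data) < HDR.size + DIGEST_LEN:
        raise ValueError("short frame")
    magic, seq, length = HDR.unpack_from(data)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = data[HDR.size:HDR.size + length]
    digest = data[HDR.size + length:HDR.size + length + DIGEST_LEN]
    if len(payload) != length or hashlib.sha256(payload).digest() != digest:
        raise ValueError("integrity check failed")
    return seq, payload


def send_side(records, redundancy=2):
    """Send-side proxy. In a real deployment it would poll the OT side over ordinary
    bidirectional TCP (Modbus, OPC, a historian API); here the records are handed in directly.
    Because the receiver can never request a retransmission, each frame is emitted
    `redundancy` times (2 is an assumed value for the example)."""
    out = []
    for seq, rec in enumerate(records):
        f = frame(seq, json.dumps(rec, sort_keys=True).encode())
        out.extend([f] * redundancy)
    return out


class ReceiveProxy:
    """Receive-side proxy. accept() consumes frames arriving through the diode and returns a
    status string; it deliberately has no path to send anything back toward the OT side.
    `records` is what this proxy would then serve to IT consumers over TCP."""

    def __init__(self):
        self.expected = 0
        self.records = []
        self.gaps = []       # (first_missing_seq, last_missing_seq) ranges
        self.corrupt = 0

    def accept(self, data: bytes) -> str:
        try:
            seq, payload = parse_frame(data)
        except ValueError:
            self.corrupt += 1
            return "corrupt"
        if seq < self.expected:
            return "duplicate"                              # redundant copy, already delivered
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))     # lost, and cannot be NACKed
        self.expected = seq + 1
        self.records.append(json.loads(payload))
        return "delivered"


def one_way_transfer(frames, drop=frozenset(), corrupt=frozenset()):
    """Constructed one-way channel: frames cross in order, the ones whose index is in `drop`
    are lost, the ones in `corrupt` get their first payload byte flipped, and nothing ever
    flows back. Returns the receive proxy after all frames were offered."""
    rx = ReceiveProxy()
    for i, f in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:HDR.size] + bytes([f[HDR.size] ^ 0xFF]) + f[HDR.size + 1:]
        rx.accept(f)
    return rx


if __name__ == "__main__":
    # Constructed sample: two historian tag values polled on the OT side.
    sample = [{"tag": "FT-101", "value": 12.5}, {"tag": "PT-102", "value": 3.1}]
    rx = one_way_transfer(send_side(sample), drop={0, 1})
    print("delivered:", rx.records, "gaps:", rx.gaps)
```

The point to take from running it with frames dropped is that the receiving proxy can only ever report a gap; with both copies of a frame lost there is no mechanism, by design, for it to ask the OT side for the data again, which is exactly the property that keeps the control network unreachable from the IT side.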

For more information, contact us.