How to Protect Network Integrity with Unidirectional Data Diode TAPs

Today’s critical infrastructure makes up the fundamental building blocks of the connected world we live in: the essential communication we enjoy through WiFi, the internet and telephones, and the resources we may take for granted, like energy, water, manufacturing, and transportation systems. Even national security bodies, such as the Department of Defense (DoD) and various Federal agencies, rely on similar operational technology (OT) environments. This critical infrastructure provides constant and reliable resources for our society and must be protected at all costs.

OT is the New Frontier for Cybersecurity Threats

Gartner’s OT Security Best Practices states, “By 2021, 25% of asset-centric enterprises will adopt a hybrid model to secure operational technology (OT) environments with traditional security deployed alongside specialist OT security technology, up from 10% in 2018.”

In other words, the convergence of modern OT and IT environments, undertaken to improve operational efficiency, performance, and quality of service, brings with it growing security threats. Pushing organisations across the industrial spectrum to re-evaluate their network visibility to address these threats is a significant first step.

This vulnerability was illustrated by the Oldsmar, Florida, water systems attack, where a hacker accessed the facility’s control system and triggered an increase in the amount of lye in the water to dangerous levels, driving home the reality that traditional firewalls and virtual private network (VPN) access sometimes expose systems to outside intrusion.

How to Block Access from Reaching these Critical Systems

ICS environments face challenges in protecting critical network segments from incoming threats through the infrastructure designed to protect them. Most OT and IT network environments send out-of-band Ethernet packet copies to security monitoring tools to analyse and respond to threats. For this analysis, many visibility architectures or fabrics flow this out-of-band traffic from the separate facilities to a centralised or enterprise network. These IT solutions and integrated systems connect the network to the internet, indirectly exposing this once-siloed infrastructure to outside vulnerabilities and threats.

Diagram 1:  A bird’s eye view of malicious activity transmitted between different facilities or segments, exposing the network through bidirectional traffic.

A one-way data transfer between segments or facilities may be required to address these challenges. In addition to modern OT/IT security tools, such as firewalls, intrusion detection systems (IDS) and security information and event management (SIEM), one piece of hardware quickly becomes a staple of ICS critical infrastructure: data diode TAPs.

Unidirectional or one-way data flow in data diode TAPs is designed to secure OT networks from external threats, eliminating inbound data flow and, ultimately, outside threats to OT network segments while providing the needed out-of-band data flow to monitor.

Data Diode TAP technology is a more secure option for network visibility than SPAN ports on a network switch, which engineers will often connect directly to intrusion detection systems (IDS) or, between segment facilities, to monitoring tools. SPAN ports can drop packets, hiding security vulnerabilities, and SPAN traffic is bidirectional, which opens a backflow path into the network and makes the switch susceptible to hacking.

Diagram 2: Illustrates how unidirectional traffic helps ensure monitoring traffic being transmitted from different facility segments remains secure.

Data diode TAPs are commonly found in high-security environments, such as federal defence and Industrial IoT, connecting two or more networks of differing security classifications. This technology can now be found at the industrial control level for facilities like nuclear power plants, power generation and safety critical systems like railway networks.

How do Data Diode TAPs work?

Data diode TAPs are purpose-built network hardware devices allowing raw data to travel only in one direction. Data diode TAPs can be used as traffic enforcers, guaranteeing information security or protecting critical digital systems, such as industrial control systems, from inbound cyber attacks.

A network TAP creates an exact copy of both sides of the traffic flow, continuously (24/7/365), and does not drop packets, introduce delay, or alter the data. TAPs are either passive or “failsafe,” meaning traffic continues to flow between network devices if power is lost or a monitoring tool is removed. This ensures the TAP is not a single point of failure.

Diagram 3: Illustrates how a data diode TAP is placed in a network segment, securing the traffic from the destination.

Data Diode TAPs sit in a network segment between two appliances, like a network switch and a firewall, that support the critical link. The Data Diode TAP sends a unidirectional copy of that traffic to the out-of-band monitoring destination. The link between the two appliances is unaffected. There is no physical connection between the Data Diode monitoring ports and the network ports, eliminating any possible intrusion from the destination.

These specifically designed TAPs physically do not send traffic back onto the network, providing “no injection” tap visibility for 10/100/1000M networks. This hardware-based one-way data transfer ensures no Ethernet packets can physically be sent to the live Network TAP ports or SPAN ports.
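The diode enforces one-way flow in hardware, but the monitoring side still deserves a routine check: a sensor NIC cabled to a TAP monitor port should only ever receive, and it should not be losing frames the TAP delivered. The script below is an added example, not code from the original article or from Garland Technology. It compares two `/proc/net/dev` snapshots from a Linux sensor host and reports any capture interface that transmitted frames (a host misconfiguration that would become real backflow if that link were ever a bidirectional SPAN port, as the SPAN comparison above describes) or that dropped received frames (a visibility gap). The interface names `mon0`/`mon1` and both snapshots are constructed for the example.

```python
"""Sanity-check capture interfaces behind data diode TAP monitor ports.

Added example. Reads two Linux /proc/net/dev snapshots and flags capture
interfaces that transmitted anything or dropped received frames.
"""
from typing import Dict, List

# Constructed sample snapshots from a hypothetical sensor host with two
# capture NICs (mon0, mon1) cabled to diode TAP monitor ports, taken a
# few seconds apart. eth0 is the host's management interface.
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000      80    0    0    0     0          0         0    12000      80    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0       100   900000    8000    0    0    0     0       0          0
  mon0: 80000000  600000    0    0    0     0          0        50        0       0    0    0    0     0       0          0
  mon1: 90000000  650000    0    0    0     0          0        50        0       0    0    0    0     0       0          0
"""
SNAPSHOT_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   13000      90    0    0    0     0          0         0    13000      90    0    0    0     0       0          0
  eth0: 5100000   41000    0    0    0     0          0       100   950000    8400    0    0    0     0       0          0
  mon0: 81000000  610000    0    0    0     0          0        50        0       0    0    0    0     0       0          0
  mon1: 91000000  660000    0  250    0     0          0        50     4200      30    0    0    0     0       0          0
"""

# Column order of /proc/net/dev: eight receive counters, then eight transmit counters.
FIELDS = [
    "rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame",
    "rx_compressed", "rx_multicast",
    "tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo", "tx_colls",
    "tx_carrier", "tx_compressed",
]


def parse_proc_net_dev(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter_name: value}} for one /proc/net/dev dump."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines()[2:]:  # first two lines are column headers
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        values = [int(v) for v in rest.split()]
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected field count on {name.strip()}")
        stats[name.strip()] = dict(zip(FIELDS, values))
    return stats


def check_capture_interfaces(before: str, after: str,
                             capture_ifaces: List[str]) -> List[str]:
    """Compare two snapshots and return human-readable findings for each
    capture interface; an empty list means the interface looks healthy."""
    b, a = parse_proc_net_dev(before), parse_proc_net_dev(after)
    findings: List[str] = []
    for iface in capture_ifaces:
        if iface not in a or iface not in b:
            findings.append(f"{iface}: interface missing from snapshot")
            continue
        delta = {k: a[iface][k] - b[iface][k] for k in FIELDS}
        # A live TAP monitor port should always be delivering frames.
        if delta["rx_packets"] <= 0:
            findings.append(f"{iface}: no frames received; check TAP monitor port and cabling")
        # A capture-only NIC must never source traffic (no IP, no ARP, no DHCP).
        if delta["tx_packets"] > 0:
            findings.append(f"{iface}: host transmitted {delta['tx_packets']} frames "
                            "on a capture-only interface")
        # The TAP does not drop; drops here mean the sensor itself lost frames.
        lost = delta["rx_drop"] + delta["rx_fifo"]
        if lost > 0:
            findings.append(f"{iface}: sensor dropped {lost} received frames; visibility gap")
    return findings


if __name__ == "__main__":
    for finding in check_capture_interfaces(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, ["mon0", "mon1"]):
        print(finding)
```

On a real sensor, replace the two constants with the contents of `/proc/net/dev` read a few seconds apart; `mon0` comes back clean, while `mon1` is reported twice, once for the 30 frames the host sent and once for the 250 frames the NIC dropped.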

Did you know that Data Diode TAPs:

The ultimate goal for Data Diode TAPs is to feed OT/IT security monitoring solutions “every bit, byte, and packet” to ensure the network is adequately analysed and protected without introducing additional vulnerabilities from incoming traffic in the process. That is why modern ICS security strategies incorporate them alongside their network TAP and packet broker visibility fabrics.

Are you looking to add Data Diode TAP visibility but unsure where to start? Join us for a brief network Design-IT consultation or demo. No obligation – it’s what we love to do.

Written By Jerry Dillard

Jerry Dillard, CTO and Co-founder of Garland Technology, leverages over two decades in design and engineering to ensure maximum performance within today’s network environments. Dillard, the inventor of the Bypass TAP, continues to innovate network visibility solutions worldwide.
