Data security in the IIoT is only going one way
The topic of security is never far from the headlines. For the Industrial IoT (IIoT), where operational technology (OT) meets information technology (IT), the need for security is even more apparent. With many high-profile security breaches to cite and no doubt many more that go undisclosed, securing the boundary between the OT/IT domains is always under scrutiny.
Before the internet arrived, the default solution to maintaining security was to implement an air gap. This was a physical disconnect between systems with differing security requirements. Now, many feel the need to share data using connectivity across domains makes the air gap approach obsolete. In the industrial control domain, things often need to happen at near-real-time. This makes implementation of any security measures that increase latency even more challenging.
The OSI model is often used in discussions about security. At the top sits Layer 7, the Application Layer. It is common for attackers to gain access to a network at this point through web pages or other user-facing connections. At the bottom sits Layer 1, the Physical Layer (PHY), which takes care of converting data into electrical, optical or radio frequency (RF) signals that can be physically transferred over a connection. With more effort being put into securing the higher OSI levels using software, attention is turning toward the PHY and hardware-based security.
OSI model
The Open Systems Interconnection (OSI) model shows that all data flows through the physical layer. Adding a data diode at the physical layer can provide increased protection from cyberattack.
Security at the physical layer
Both the hunter and the prey are aware how vulnerable the PHY layer of the stack has been in the past. Many successful hacks we hear and read about start with someone putting an unsecured USB driver (or similar) into a trusted terminal. This effectively bypasses a large part of the software-based defenses in the upper layers of the OSI model. Of course, the threat doesn’t have to be physically present to launch an attack at the PHY layer.
Any successful cyberattack may need to move between layers, but ultimately all network access happens at the physical layer, specifically the optical, wired or wireless network connection itself. It is still difficult to add deep packet inspection to detect threats at the PHY; it normally happens in Layers 2 through 7. This puts a lot of responsibility for maintaining security on technologies such as firewalls, which reside in the top part of the OSI model.
For systems that absolutely need security at the PHY layer but where an air gap is not viable, the options are few. One technology, the data diode, was developed to secure systems before the advent of the internet and has been consigned to the history books by some. But even Amazon Web Services (AWS) recommends using a unidirectional gateway or data diode in its blog post: “Ten security golden rules for Industrial IoT solutions.”
The name perfectly describes its function, allowing data to flow in only one direction. In an age where data is inherently two-way, can the data diode still stack up?
Data diodes and unidirectional gateways
Functionally, a data diode is relatively simple. It allows information to flow in one direction, outbound, while blocking any return or inbound communications. In a world that operates on two-way protocols, the drawbacks of this approach are obvious. From a security point of view, the benefits are equally clear.
Because of its one-way nature, a network connection through a data diode is unable to receive acknowledgements, so anything sent is done purely on faith. Clearly, a strong need exists for robust encryption if there is any chance of an unfriendly actor sitting on the other end of that connection.
In applications that require the most extreme security, the use of a data diode is still sometimes mandated. They can also be useful in an IT environment for database mirroring or backing up information. In today’s artificial intelligence-driven and data-hungry world, the value of using a data diode to send information to the cloud for further analysis seems apparent and an area where the data diode may still have value.
Modern data diodes are now sometimes referred to as unidirectional gateways, which is perhaps more resonant with modern network topologies. The NIST (National Institute of Standards and Technology) Special Publication 800-82: “Guide to Industrial Control Systems (ICS) Security” refers to unidirectional gateways (and data diodes) as hardware-enforced devices that are increasingly deployed at the boundary between ICS and IT networks.
In these systems, software is often used to emulate protocol servers and devices. This provides the handshaking needed by most protocols to function correctly. If the device receiving the request doesn’t acknowledge it in the right way, the link is broken. Proxys are used to emulate that handshaking and keep the link alive.
This is a topic explored in the paper “Global Information Assurance Certification,” which describes how a simple, low-cost data diode can be implemented using off-the-shelf network components. The example starts by first creating a functional bidirectional network connection and then physically disconnecting one side of the connection. The author addresses the problem of emulating the protocol handshaking necessary to keep the connection alive with no return path, but stresses the solution presented cannot be treated as secure.
Another example, “Design for a TCP/IP transparent FPGA-based network diode,” takes this concept a stage further by showing how a data diode could potentially be implemented using an FPGA. It also addresses the need to maintain the semblance of a two-way communications channel.
Real-world examples of data diodes
Many of the data diodes or unidirectional gateways available today use FPGAs. It is testament to how the configurable hardware of an FPGA fabric can be closely coupled to a software element to overcome the obvious drawbacks of using a one-way network connection.
Most of the examples of data diodes available today are approved for use in highly secure applications, which remains the primary market. These mostly rack-based units sit alongside severs and pass all the information intended to flow in one direction. Each manufacturer has its own approach to emulating or implementing a two-way control path that runs alongside the data path while maintaining isolation.
Optical interconnect is often favored in these devices, as it is inherently isolated. However, until optical media converters can be made smaller, lighter and low-cost enough to fit inside small endpoints, they are unlikely to find their way to the edge of the IIoT.
One alternative is wired connectivity, and this may be where FPGA technology plays its part. A main feature of modern data diodes seems to be separating the data path from the control path when using networking protocols like Transmission Control Protocol/Internet Protocol (TCP/IP) and User Datagram Protocol (UDP). The combination of hardware and software functions needed to do this would be well accommodated in an FPGA with one or more embedded processors, or even using multiple soft cores.
Beam me up, Data?
Another possible approach to securing the physical layer might be to deconstruct, clean and reconstruct messages as they arrive at the PHY. This would be analogous to Star Trek’s transporter. Each time a crew member is beamed to or from the ship, they are effectively deconstructed, analyzed and then reconstructed in the new location. While that may never be a real option for mass transport, it could be applied to packetized data.
Dedicated hardware could be used to extract data from packets and discard anything that may compromise the secure system. Just the data would be repacketized and allowed access. This approach would be agnostic towards the physical layer, making it applicable to wireless interfaces, too.
Other areas of research include the development of unidirectional wireless protocols for wireless sensor networks. This approach can be effective against attacks like Man in the Middle, as there is no way for the attacker to fool the host. A unidirectional wireless interface could potentially be implemented through a proprietary protocol using one of the many wireless microcontrollers that support proprietary sub-GHz and 2.4 GHz wireless communications.
Further thoughts on data diodes
A noticeable amount of R&D is directed at implementing unidirectional gateway functionality, particularly in FPGAs. Some evidence also indicates this could be scaled down to fit inside resource-constrained smart endpoints, such as sensors and actuators. If that happens, perhaps the technology will soon find its way into microcontrollers and other SoCs.
There also seems to be an indication that a move away from TCP/IP and toward UDP is favored in data diodes and unidirectional gateways. It seems it can simplify the need for a two-way control path that remains isolated from the unidirectional data path when using a data diode approach to network security. For this reason, any solutions that do appear may use UDP instead of TCP/IP.
With an increasing number of ultra-low power wireless microcontrollers able to support proprietary protocols, perhaps the simplest solution would be to use a two-channel approach at the edge of the IIoT. This might take the form of a home-grown unidirectional protocol to send wireless sensor data and a standard protocol (such as Bluetooth) for the control channel.
While the need for security is unlikely to diminish, the number of ways to implement secure communications is also vast. The trend toward generating actionable data for cloud-based analysis could increase the use of data diodes or their modern equivalent.