Unidirectional network


A unidirectional network is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as defense, where they serve as connections between two or more networks of differing security classifications. Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation and safety critical systems like railway networks.
After years of development the use of data diodes have increased creating two variations:
Data diodes are commonly found in high security military and government environments, and are now becoming widely spread in sectors like oil & gas, water/wastewater, airplanes, manufacturing and cloud connectivity for industrial IoT. New regulations have increased demand and with increased capacity, major technology vendors have lowered the cost of the core technology.

History

The first data diodes were developed by governmental organizations in the eighties and nineties. Because these organizations work with confidential information, making sure their network is secure is of the highest priority. Primary solutions used by these organizations were air gaps. But, as the amount of transferable data increased, and a continuous and real-time data stream became more important, these organizations had to look for an automated solution.
In the search for more standardization, an increasing number of organizations started to look for a solution that was a better fit for their activities. Commercial solutions created by a stable organizations succeeded given the level of security and long-term support.
In the United States, utilities and oil and gas companies have used data diodes for several years, and regulators have encouraged their use to protect equipment and processes in SISs. The Nuclear Regulatory Commission now mandates the use of data diodes and many other sectors, in addition to electrical and nuclear, also use data diodes effectively.
In Europe, regulators and operators of several safety-critical systems started recommending and implementing regulations on the use of unidirectional gateways.
In 2013 the working, Industrial Control System Cybersecurity, directed by the French Network and Information Security Agency stated that is forbidden to use firewalls to connect any class 3 network, such as railway switching systems, to a lower class network or corporate network, only unidirectional technology is permitted.

Applications

Unidirectional network devices are typically used to guarantee information security or protection of critical digital systems, such as Industrial control systems, from cyber attacks. While use of these devices is common in high security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks connected to the Internet.
The physical nature of unidirectional networks only allows data to pass from one side of a network connection to another, and not the other way around. This can be from the "low side" or untrusted network, to the "high side" or trusted network, or vice versa. In the first case, data in the high side network is kept confidential and users retain access to data from the low side. Such functionality can be attractive if sensitive data is stored on a network which requires connectivity with the Internet: the high side can receive Internet data from the low side, but no data on the high side are accessible to Internet-based intrusion. In the second case, a safety-critical physical system can be made accessible for online monitoring, yet be insulated from all Internet-based attacks that might seek to cause physical damage. In both cases, the connection remains unidirectional even if both the low and the high network are compromised, as the security guarantees are physical in nature.
There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.

One-way flow to less secure systems

Involves systems that must be secured against remote/external attacks from public networks while publishing information to such networks. For example, an election management system used with electronic voting must make election results available to the public while at the same time it must be immune to attack.
This model is applicable to a variety of critical infrastructure protection problems, where protection of the data in a network is less important than reliable control and correct operation of the network. For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that the flow of information be from the secure control system to the public, and not vice versa.

One-way flow to more secure systems

The majority of unidirectional network applications in this category are in defense, and defense contractors. These organizations traditionally have applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network with classified data, and a network with an Internet connection.
In the Bell-LaPadula security model, users of a computer system can only create data at or above their own security level. This applies in contexts where there is a hierarchy of information classifications. If users at each security level share a machine dedicated to that level, and if the machines are connected by data diodes, the Bell-Lapadula constraints can be rigidly enforced.

Benefits

Traditionally, when the IT network provides DMZ server access for an authorized user, the data is vulnerable to intrusions from the IT network. However, with a unidirectional gateways separating a critical side or OT network with sensitive data from an open side with business and Internet connectivity, normally IT network, organizations can achieve the best of both worlds, enabling the connectivity required and assuring security. This holds true even if the IT network is compromised, because the traffic flow control is physical in nature.
The simplest form of a unidirectional network is a modified, fiber-optic network link, with send and receive transceivers removed or disconnected for one direction, and any link failure protection mechanisms disabled. Some commercial products rely on this basic design, but add other software functionality that provides applications with an interface which helps them pass data across the link.
All-optical data diode links can present channel capacity greater than their driving electronics. In 2019, Controlled Interfaces demonstrated one-way optical link connectivity using optical fibers and 100G Commercial Off The Shelf transceivers.
Other more sophisticated commercial offerings enable simultaneous one-way data transfer of multiple protocols that usually require bidirectional links. The German companies INFODAS and GENUA have developed software based data diodes that use a Microkernel Operating system to ensure unidirectional data transfer. Due to the software architecture these solutions offer higher speed than conventional hardware based data diodes.
In 2018, Siemens Mobility released an industrial grade unidirectional gateway solution in which the data diode, Data Capture Unit, uses electromagnetic induction and new chip design to achieve an EBA safety assessment, guaranteeing secure connectivity of new and existing safety critical systems up to Safety integrity level 4 to enable secure IoT and provide data analytics and other cloud hosted digital services.
The US Naval Research Laboratory has developed its own unidirectional network called the Network Pump. This is in many ways similar to DSTO's work, except that it allows a limited backchannel going from the high side to the low side for the transmission of acknowledgments. This technology allows more protocols to be used over the network, but introduces a potential covert channel if both the high- and low-side are compromised through artificially delaying the timing of the acknowledgment.
Different implementations also have differing levels of third party certification and accreditation. A cross domain guard intended for use in a military context may have or require extensive third party certification and accreditation. A data diode intended for industrial use, however, may not have or require third party certification and accreditation at all, depending on the application.

Vendors