Data Diode Devices Secure Systems

Wednesday, January 25, 2012 @ 06:01 PM gHale

By Nicholas Sheble
“You can’t attack, if you can’t communicate” is how Andrew Ginter sees it.

This is the concept behind unidirectional gateways. There is a security perimeter around your asset, whatever it may be: a factory, a process, a data farm. Then there is the outside world of threat, crime, and destruction.

Unidirectional gateways allow one-way communication only over the void where firewalls exist and where firewalls can fail. “Firewalls are only software,” said Ginter, director of industrial security at Waterfall Security Solutions. “Stuxnet could not have spread over the data diodes operating in a unidirectional gateway.”

The only communication to the outside world (the business network, for example) is data moving in one direction and that direction is out of the protected area. Moreover, that is data only, no code, no logic, no compromising intelligence.
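As an added illustration (not code from the article or from Waterfall), the following Python models that property: the transmitter holds only an append reference to the link, the receiver holds only a pop reference, and the receiver's parser accepts a single fixed data shape, so anything that is not plain data in that shape is discarded. The class names, frame format and sample values are constructed for the example.

```python
# Added example: a model of a data-only, outbound-only replication link.
# Names, frame format and sample frames are constructed; not product code.
import re
from collections import deque
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# The receiver accepts exactly one frame shape: TAG,unix_seconds,number.
FRAME = re.compile(r"^([A-Z][A-Z0-9_]{0,31}),(\d{9,10}),(-?\d+(?:\.\d+)?)$")


@dataclass(frozen=True)
class Sample:
    tag: str
    ts: int
    value: float


class Transmitter:
    """Inside the protected perimeter; holds only a 'laser' (append)."""
    def __init__(self, laser: Callable[[str], None]):
        self._laser = laser

    def send(self, s: Sample) -> None:
        self._laser(f"{s.tag},{s.ts},{s.value}")


class Receiver:
    """On the business network; holds only a 'photodiode' (popleft).
    It has no reference that could carry anything back inside."""
    def __init__(self, photodiode: Callable[[], str]):
        self._photodiode = photodiode
        self.dropped: List[str] = []

    def drain(self) -> List[Sample]:
        out: List[Sample] = []
        while True:
            try:
                raw = self._photodiode()
            except IndexError:      # fibre is idle
                return out
            m = FRAME.fullmatch(raw)
            if m is None:           # not plain data in the agreed shape: drop
                self.dropped.append(raw)
                continue
            out.append(Sample(m.group(1), int(m.group(2)), float(m.group(3))))


def replicate(samples: Iterable[Sample], line_noise: Iterable[str] = ()
              ) -> Tuple[List[Sample], List[str]]:
    """Push samples across the one-way link; return (accepted, dropped)."""
    fibre: deque = deque()
    tx, rx = Transmitter(fibre.append), Receiver(fibre.popleft)
    for s in samples:
        tx.send(s)
    for junk in line_noise:         # constructed corruption on the wire
        fibre.append(junk)
    return rx.drain(), rx.dropped
```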

Ginter talked about that topic and more during a Tuesday webinar entitled “NERC Issues CAN-0024: Guidance for Unidirectional, Routable Communications,” with Mark Simon, senior consultant with Encari, a critical infrastructure protection consulting firm, and Joel Langill, chief technology officer at SCADAhacker.

NERC has issued CAN-0024, which provides guidance to NERC-CIP auditors as to when unidirectional communications equipment or “data diodes” must come into consideration to facilitate “routable communications.”

NERC is the North American Electric Reliability Corporation. Its mission is to ensure the reliability of the North American bulk power system. CIP stands for critical infrastructure protection.

CAN is Compliance Application Notice and CAN-0024 is “Routable Protocols and Data Diode Devices.”

An increasing number of NERC entities are deploying unidirectional communications equipment, because such equipment provides stronger security to protected cyber assets than firewalls can provide.

“Unidirectional communications enable sandboxing,” Ginter said.

Sandboxing means creating confined execution environments. A sandbox limits, or reduces, the level of access its applications have; in effect, it is a container. Therefore, the scope of potential damage a malicious entity inside it can cause is minimal.

The CAN-0024 guidance makes it clear that some deployments use routable protocols, and other deployments do not. In some cases, this distinction influences which cyber assets are technically Critical Cyber Assets.

For the best discussion of the security advantages of this technology, and for helpful visuals and graphics, click here for Ginter’s white paper.

Nicholas Sheble is an engineering writer and technical editor in Raleigh, NC.
