In a typical highly networked complex industrial process (see diagram) there are many potential access points for data retrieval, management and control.
Plant operators need detailed control of the operating process; plant supervisors need monitoring and override control; office and procurement staff need ordering and despatch information; Engineering needs detailed analysis and process prototyping; Corporate Management needs strategic and financial information; and so on.
Complex networks are typically put in place to allow all these entities to communicate with each other, and access-control systems, often based on passwords and islanded networks, are used to ensure that only those with the right access level are granted rights to change or monitor particular areas of activity.
But what about the rogue environment? Networks are prone to cyber attack, disaffected employees can bypass or disable firewall and password protection, and there is always simple operator error.
It is usually the case that more clients need status (what the process is doing, what the schedule is, what the latest management information is) than need to control the process or alter its information. This allows for the use of a one-way network component, a data diode, that provides a physical barrier to network traffic in the reverse direction.
The data diode has the characteristic that data can flow only one way, from one network to another. There is simply no physical return path to allow data to flow back from the receiving network. One practical consequence is that nothing can be acknowledged across the diode: the receiving side cannot request a retransmission, so any loss has to be detected on the receiving side and mitigated by the sender (for example by repeating or redundantly encoding the data).
In a process control environment protected in this way, this means that there is no way for someone using the office network, for example, to change the process network, yet they can still monitor it. This scenario obviously extends to cyber attacks. Even if the office network is compromised by a Trojan program, no changes can be made to the secured process. And of course this can be extended further, allowing, for example, lower-security networks to send data to a higher-security network such as corporate headquarters or financial systems, while no data can be sent back to the lower-level networks, preventing the theft or misappropriation of sensitive data.
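The following is an added example, not Somerdata's or AROW's own code, that simulates the principle just described: a sender emits self-describing datagrams across a link with no return path, the link silently loses some of them, and the receiver has to detect the gap itself because it cannot ask for a retransmission. The framing format (sequence number, total, length, CRC32) and the sample status message are assumptions of this example.

```python
# Added example (not Somerdata's or AROW's code): a simulated one-way transfer
# over a data diode. The framing format below is an assumption of this example.
import struct
import zlib

# Network-order header: sequence number, total frames, chunk length, CRC32 of chunk.
HEADER = struct.Struct("!IIHI")


def build_frames(payload, chunk_size=8):
    """Sender side: split payload into self-describing datagrams.

    Every frame carries the total count so the receiver can tell, on its own,
    whether anything is missing. It has no way to ask the sender.
    """
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [
        HEADER.pack(seq, len(chunks), len(chunk), zlib.crc32(chunk)) + chunk
        for seq, chunk in enumerate(chunks)
    ]


def with_redundancy(frames, copies=2):
    """Sender-side mitigation for loss: repeat each frame, since no NACK can come back."""
    return [frame for frame in frames for _ in range(copies)]


def one_way_link(frames, drop_indices=frozenset()):
    """The diode's forward path: in-order delivery, some frames silently lost.

    Nothing flows the other way, so the sender never learns about the loss.
    """
    return [frame for i, frame in enumerate(frames) if i not in drop_indices]


def receive(frames):
    """Receiver side: verify, de-duplicate, reassemble, and report gaps."""
    chunks, corrupt, total = {}, 0, None
    for frame in frames:
        if len(frame) < HEADER.size:
            corrupt += 1
            continue
        seq, frame_total, length, crc = HEADER.unpack_from(frame)
        chunk = frame[HEADER.size:HEADER.size + length]
        if len(chunk) != length or zlib.crc32(chunk) != crc:
            corrupt += 1          # damaged in transit: discard, cannot request again
            continue
        total = frame_total if total is None else total
        chunks.setdefault(seq, chunk)   # duplicates from redundancy are harmless
    missing = [] if total is None else [s for s in range(total) if s not in chunks]
    complete = total is not None and not missing
    data = b"".join(chunks[s] for s in range(total)) if complete else None
    return {"data": data, "missing": missing, "corrupt": corrupt, "complete": complete}


# Constructed sample status message (not real plant data).
STATUS = b"SCADA status: pump 3 running, pressure 4.2 bar"

if __name__ == "__main__":
    frames = build_frames(STATUS)
    print(receive(one_way_link(frames)))                        # complete
    print(receive(one_way_link(frames, {2})))                   # missing [2]
    print(receive(one_way_link(with_redundancy(frames), {4})))  # complete again
```

The point of the exercise is the asymmetry: the sender can only add redundancy up front, and the receiver can only log what never arrived. A real deployment puts a proxy on each side of the diode for exactly this reason, so that anything that needs acknowledgements (TCP sessions included) is terminated locally rather than carried end to end.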
Somerdata’s AROW Optical Wormhole Data Diode is an embodiment of this principle that simply sits between networks. It incorporates fast Gigabit Ethernet connectivity using TCP/IP, UDP unicast and multicast protocols to fit seamlessly into an existing network (since acknowledgements cannot cross the diode, TCP sessions are necessarily terminated on each side of it rather than carried end to end). The diode can be dual redundant, with automatic failover protection providing maximum data integrity in the event of physical or routing failure, and has separate network monitoring ports for maximum performance and network integrity.
Developed for maximum-security networks, AROW has been designed to the most stringent standards to ensure that data flow can only be one way.
Operating system independence is provided by open-source scripting control software, so that network administrators and network quality-assurance auditors can inspect and verify exactly what data is being transmitted.
The diagram above relies on software and levelled access control, with all of the administration needed to constantly update and revise who has access to what.
So let’s island the networks and connect AROW data diodes to see how this admin burden can be reduced and security improved.
The majority of the information required is for monitoring different aspects of the process, from billing and purchasing to quality and performance measurement. Additionally, the normal administrative tasks of personnel, email and internet communications need to be maintained.
If we insert three diodes into this group of networks, we can see that all of those functions can still be achieved, but only the Industrial network can actually change or control the process.
If we insert two more diodes, we can also prevent Corporate and external-level data from being accessed by the lower levels, while still allowing Corporate to access the information it needs.
There is now no need for administrative network configuration to block control access: the levels outside the diodes simply cannot gain control of the protected networks. Only information that the protected network chooses to share is available to the other networks.
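Whether a proposed islanding actually achieves this is a reachability question, and it is worth checking mechanically whenever a link is added. The following is an added example, not Somerdata's code, that models networks as nodes and links as directed edges (a diode contributes one edge, an ordinary routed or firewalled link contributes two) and reports any forbidden flow the topology still permits, as well as any diode that a two-way link quietly bypasses. The topology and policy are constructed for illustration; they are not the page's diagram.

```python
# Added example (not Somerdata's code): checks a proposed zoning against the
# rule that nothing outside the diodes can reach the protected network.
from collections import deque

# Constructed illustrative topology (an assumption, not the page's diagram).
# Each entry is (from, to, kind): a "diode" carries data one way only; a
# "twoway" link is an ordinary routed or firewalled connection.
LINKS = [
    ("Industrial", "Engineering", "diode"),
    ("Industrial", "Office", "diode"),
    ("Engineering", "Office", "twoway"),
    ("Office", "Corporate", "diode"),
]

# Flows that must be impossible: (source, destination).
POLICY = [
    ("Office", "Industrial"),
    ("Engineering", "Industrial"),
    ("Corporate", "Industrial"),
    ("Corporate", "Office"),
    ("Corporate", "Engineering"),
]


def build_graph(links):
    """Directed adjacency: an edge means traffic can be originated along it."""
    graph = {}
    for src, dst, kind in links:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
        if kind == "twoway":
            graph[dst].add(src)
        elif kind != "diode":
            raise ValueError("unknown link kind: %r" % kind)
    return graph


def reachable(graph, start):
    """All networks that `start` can send traffic to, directly or via hops."""
    seen, queue = set(), deque(graph.get(start, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def violations(links, policy):
    """Forbidden flows that the topology actually permits."""
    graph = build_graph(links)
    return [(src, dst) for src, dst in policy if dst in reachable(graph, src)]


def bypassed_diodes(links):
    """Diodes whose receiving side can still reach the sending side some other way."""
    graph = build_graph(links)
    return [(src, dst) for src, dst, kind in links
            if kind == "diode" and src in reachable(graph, dst)]


if __name__ == "__main__":
    print("violations:", violations(LINKS, POLICY))
    print("bypassed:", bypassed_diodes(LINKS))
    # A "temporary" two-way support link reopens a path into the process network.
    risky = LINKS + [("Office", "Industrial", "twoway")]
    print("violations:", violations(risky, POLICY))
    print("bypassed:", bypassed_diodes(risky))
```

The second run is the case that matters in practice: one two-way "support" link into the protected zone not only violates the policy directly but also makes the existing diodes on the same boundary pointless, because traffic can now loop around them. Running this kind of check against the real link inventory before every change keeps the admin burden where the text puts it, on the physical topology rather than on per-user permissions.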
Somerdata High Reliability Data Diodes provide a non-intrusive, low-maintenance additional security option to protect your valuable process from accidental and malicious misuse.