Unidirectional network

Network device that permits data flow in only one direction

(Image: Unidirectional gateway in a cabinet)

A unidirectional network (also referred to as a unidirectional gateway or data diode) is a network appliance or device that allows data to travel in only one direction. Data diodes can be found most commonly in high security environments, such as defense, where they serve as connections between two or more networks of differing security classifications. Given the rise of industrial IoT and digitization, this technology can now be found at the industrial control level for such facilities as nuclear power plants, power generation and safety critical systems like railway networks.

After years of development, data diodes have evolved from being only a network appliance or device allowing raw data to travel only in one direction, used in guaranteeing information security or protection of critical digital systems, such as industrial control systems, from inbound cyber attacks, to combinations of hardware and software running in proxy computers in the source and destination networks. The hardware enforces physical unidirectionality, and the software replicates databases and emulates protocol servers to handle bi-directional communication. Data diodes are now capable of transferring multiple protocols and data types simultaneously. They also contain a broader range of cybersecurity features, such as secure boot, certificate management, data integrity, forward error correction (FEC) and secure communication via TLS, among others. A unique characteristic is that data is transferred deterministically (to predetermined locations) with a protocol "break" that allows the data to be transferred through the data diode.

Data diodes are commonly found in high security military and government environments, and are now becoming widespread in sectors like oil & gas, water/wastewater, airplanes (between flight control units and in-flight entertainment systems), manufacturing and cloud connectivity for industrial IoT. New regulations have increased demand and, with increased capacity, major technology vendors have lowered the cost of the core technology.

History

The first data diodes were developed by governmental organizations in the eighties and nineties. Because these organizations work with confidential information, making sure their network is secure is of the highest priority. The primary solution used by these organizations was air gaps. But as the amount of transferable data increased, and a continuous and real-time data stream became more important, these organizations had to look for an automated solution.

In the search for more standardization, an increasing number of organizations started to look for a solution that was a better fit for their activities. Commercial solutions created by stable organizations succeeded given the level of security and long-term support.

In the United States, utilities and oil and gas companies have used data diodes for several years, and regulators have encouraged their use to protect equipment and processes in safety instrumented systems (SISs). The Nuclear Regulatory Commission (NRC) now mandates the use of data diodes, and many other sectors, in addition to electrical and nuclear, also use data diodes effectively.

In Europe, regulators and operators of several safety-critical systems started recommending and implementing regulations on the use of unidirectional gateways. In 2013 the working group Industrial Control System Cybersecurity, directed by the French Network and Information Security Agency (ANSSI), stated that it is forbidden to use firewalls to connect any class 3 network, such as railway switching systems, to a lower class network or corporate network; only unidirectional technology is permitted.

Applications

- Real time monitoring of safety-critical networks
- Secure OT – IT bridge
- Secure cloud connectivity of critical OT networks
- Database replication
- Data mining
- Trusted back-end and hybrid cloud hosted solutions (private / public)
- Secure data exchange for data marketplaces
- Secure credential / certificate provisioning
- Secure cross-database sharing
- Secure printing from a less secure network to a high secure network (reducing print costs)
- Transferring application and operating system updates from a less secure network to a high secure network
- Time synchronization in highly secure networks
- File transfer
- Streaming video
- Sending/receiving alerts or alarms from open to critical/confidential networks
- Sending/receiving emails from open to critical/confidential networks
- Government
- Commercial companies

Usage

Unidirectional network devices are typically used to guarantee information security or protection of critical digital systems, such as industrial control systems, from cyber attacks. While use of these devices is common in high security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks connected to the Internet.

The physical nature of unidirectional networks only allows data to pass from one side of a network connection to another, and not the other way around. This can be from the "low side" or untrusted network, to the "high side" or trusted network, or vice versa. In the first case, data in the high side network is kept confidential and users retain access to data from the low side. Such functionality can be attractive if sensitive data is stored on a network which requires connectivity with the Internet: the high side can receive Internet data from the low side, but no data on the high side are accessible to Internet-based intrusion. In the second case, a safety-critical physical system can be made accessible for online monitoring, yet be insulated from all Internet-based attacks that might seek to cause physical damage. In both cases, the connection remains unidirectional even if both the low and the high network are compromised, as the security guarantees are physical in nature.

There are two general models for using unidirectional network connections. In the classical model, the purpose of the data diode is to prevent export of classified data from a secure machine while allowing import of data from an insecure machine. In the alternative model, the diode is used to allow export of data from a protected machine while preventing attacks on that machine. These are described in more detail below.

One-way flow to less secure systems

This model involves systems that must be secured against remote/external attacks from public networks while publishing information to such networks. For example, an election management system used with electronic voting must make election results available to the public while at the same time it must be immune to attack.

This model is applicable to a variety of critical infrastructure protection problems, where protection of the data in a network is less important than reliable control and correct operation of the network. For example, the public living downstream from a dam needs up-to-date information on the outflow, and the same information is a critical input to the control system for the floodgates. In such a situation, it is critical that the flow of information be from the secure control system to the public, and not vice versa.

One-way flow to more secure systems

The majority of unidirectional network applications in this category are in defense, and defense contractors. These organizations traditionally have applied air gaps to keep classified data physically separate from any Internet connection. With the introduction of unidirectional networks in some of these environments, a degree of connectivity can safely exist between a network with classified data and a network with an Internet connection.

In the Bell–LaPadula security model, users of a computer system can only create data at or above their own security level. This applies in contexts where there is a hierarchy of information classifications. If users at each security level share a machine dedicated to that level, and if the machines are connected by data diodes, the Bell–LaPadula constraints can be rigidly enforced.

Benefits

Traditionally, when the IT network provides DMZ server access for an authorized user, the data is vulnerable to intrusions from the IT network. However, with a unidirectional gateway separating a critical side or OT network with sensitive data from an open side with business and Internet connectivity, normally the IT network, organizations can achieve the best of both worlds, enabling the connectivity required and assuring security. This holds true even if the IT network is compromised, because the traffic flow control is physical in nature.

- No reported cases of data diodes being bypassed or exploited to enable two-way traffic.
- Lower long-term operating cost (OPEX), as there are no rules to maintain, although there will be software updates to be installed. Often these devices need to be maintained by the vendors.
- The unidirectional software layer cannot be configured to allow two-way traffic due to the physical disconnection of the RX or TX line.

Weaknesses

- As of June 2015, unidirectional gateways were not yet commonly used or well understood.
- Unidirectional gateways are unable to route the majority of network traffic and break most protocols.
- Cost: data diodes were originally expensive, although lower cost solutions are now available.
- Specific use cases that require a two-way data flow can be difficult to achieve.

Variations

The simplest form of a unidirectional network is a modified fiber-optic network link, with send and receive transceivers removed or disconnected for one direction, and any link failure protection mechanisms disabled. Some commercial products rely on this basic design, but add other software functionality that provides applications with an interface which helps them pass data across the link.

All-optical data diodes can support very high channel capacities and are among the simplest. In 2019, Controlled Interfaces demonstrated its (now patented) one-way optical fiber link using 100G commercial off-the-shelf transceivers in a pair of Arista network switch platforms. No specialized driver software is required.

Other more sophisticated commercial offerings enable simultaneous one-way data transfer of multiple protocols that usually require bidirectional links. The German companies INFODAS and GENUA have developed software based ("logical") data diodes that use a microkernel operating system to ensure unidirectional data transfer. Due to the software architecture these solutions offer higher speed than conventional hardware based data diodes.

ST Engineering has developed its own Secure e-Application Gateway, consisting of multiple data diodes and other software components, to enable real-time bi-directional HTTP(S) web services transactions over the internet while protecting the secured networks from both malicious injects and data leakage.

In 2018, Siemens Mobility released an industrial grade unidirectional gateway solution in which the data diode, the Data Capture Unit, uses electromagnetic induction and a new chip design to achieve an EBA safety assessment, guaranteeing secure connectivity of new and existing safety critical systems up to Safety integrity level (SIL) 4 to enable secure IoT and provide data analytics and other cloud hosted digital services.

In 2022, Fend Incorporated released a data diode capable of acting as a Modbus gateway with full optical isolation. This diode is targeted at industrial markets and critical infrastructure, serving to bridge outdated technology with newer IT systems. The diode also functions as a Modbus converter, with the ability to connect to serial RTU systems on one side and Ethernet TCP systems on the other.

The US Naval Research Laboratory (NRL) has developed its own unidirectional network called the Network Pump. This is in many ways similar to DSTO's work, except that it allows a limited backchannel going from the high side to the low side for the transmission of acknowledgments. This technology allows more protocols to be used over the network, but introduces a potential covert channel if both the high and low side are compromised, through artificially delaying the timing of the acknowledgment.

Different implementations also have differing levels of third party certification and accreditation. A cross domain guard intended for use in a military context may have or require extensive third party certification and accreditation. A data diode intended for industrial use, however, may not have or require third party certification and accreditation at all, depending on the application.

Notable vendors

- BAE Systems - US/UK
- Fend Incorporated - US
- Siemens - Germany
- ST Engineering - Singapore
- Technolution - Netherlands

See also

- Bell–LaPadula model
- Network tap
- Intrusion detection system

External links

- Patton Blog: Employing Simplex Data Circuits for Ultra-High-Security Networking
- SANS Institute paper on Tactical Data Diodes in Industrial Automation and Control Systems
- Guide to Industrial Control Systems (ICS) Security: United States Department of Commerce - National Institute of Standards and Technology on data diode use on industrial control systems
- Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies: United States Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team on data diode use
