Did you know DataDiodes offer a vital layer of protection and enhanced usability that goes beyond traditional air gapping and firewalls? This is especially crucial in industries like manufacturing, power generation, and other OT environments, which are central to your business functions and revenue generation. Despite their importance, organizations often struggle with limited visibility into these critical assets. To address this challenge, leveraging tools like Splunk can be highly effective. Splunk provides robust capabilities for securely analyzing large volumes of data and detecting anomalous behavior through detailed logging. By utilizing Splunk's tools, you can enhance your ability to protect your operational environment, safeguard your workforce, and ensure your revenue streams remain secure. Johan Splinter, Senior Software Engineer at Fox Crypto, goes into more depth on this topic.
How OT networks can securely transmit data
The key challenge for OT networks is to securely transmit data from their systems to SIEM systems without introducing vulnerabilities. A DataDiode can solve that challenge. DataDiodes play a crucial role in securing the OT market against cyberattacks by adding an extra layer of protection beyond traditional air gapping or firewalls. This layer enables raw data to be transmitted safely and converted into actionable intelligence for effective 24/7 threat detection and response.
Johan Splinter explains: "A DataDiode goes one step further than air gapping. If you have a network that is fully air gapped, it is secure until you have physical access." This means that while an air-gapped network is already well protected against external threats, extracting SIEM data from it requires physical access. This adds a time delay and, when removable storage media are used, introduces an infection risk. With a DataDiode in place, data can only flow in one direction, from the OT environment to the IT environment, for example to a SIEM solution such as Splunk. A DataDiode is also convenient to use, as Splunk data can be analyzed in real time.
Johan clarifies: "What we usually do is direct a DataDiode from an untrusted network to a trusted network. For example, you have an OT network receiving software updates from a less secure network. By using a DataDiode in the reverse direction (with data flowing from the trusted to the untrusted network), you enable data to leave the network without someone being able to come from the other side to take over your network. This prevents hackers from accessing sensitive OT systems, like assembly robots, which can only be operated physically if someone is present within the OT network."
Key data types transferred via DataDiodes
The specific types of data typically transferred from OT systems to IT networks using a DataDiode include various forms of monitoring and sensor data. Fox Crypto offers replicators developed in collaboration with partners to support specific OT protocols like OPC and PI. Johan notes that while the Splunk replicator is a more general solution, initially developed for customers wanting to transfer data from a less trusted network to a trusted one, it can also be used in reverse. "We have seen a use case to utilize Splunk replicators in the opposite direction. So, if you have an OT system with a DataDiode, you can effectively use this Splunk replicator to get your Splunk data from a system that you want to monitor remotely. The types of data Splunk handles include all IT streaming and historical data, such as failed login attempts, live application logs, network feeds, system metrics, or other SIEM data."
Benefits of using a DataDiode in OT environments
There are several benefits to using a DataDiode in OT environments, such as secure real-time threat monitoring. The DataDiode allows continuous data flows to SIEM systems for immediate threat analysis and response. The DataDiode also protects the integrity of the OT network, ensuring that critical systems remain unaffected, available and operational.
When considering the biggest advantages of using a DataDiode in terms of compliance and operational integrity in an OT environment, Johan highlights several key benefits: "It depends on who you ask, but from the contacts I have, I know that there are oscilloscopes running on Windows. For example, an oscilloscope running on Windows XP, while technically working very reliably for over two decades, would be inherently insecure and shouldn’t be connected to a regular network. When accessing data from such an insecure system, you must ensure the system is not network-connected to mitigate potential security risks.
With a DataDiode in place, it doesn't matter if your system is insecure. If you connect a poorly secured computer to the internet through a DataDiode, you don't need to worry about someone accessing those insecure systems via the internet. This greatly reduces the need to constantly monitor and secure the OT network. Without DataDiodes, I would definitely not use such a setup. DataDiodes provide a way to use a system that is inherently insecure remotely, without compromising the security of your network. Essentially, DataDiodes offer peace of mind and enhance security by isolating vulnerable systems from potential external threats."
Implementing DataDiodes in OT environments
When discussing the challenges faced during the implementation of DataDiodes in OT environments, Johan explains: "One challenge we encountered with the specific application of Splunk was how to transport a non-public format over a DataDiode. We quickly resolved this by consulting with Splunk, who advised us to use HEC (HTTP Event Collector). This configuration enables the data to be sent over an open protocol like HTTP, allowing us to transmit the data without needing to interpret or understand its content. For continuous access to data, like Splunk data, a DataDiode ensures that critical security information is consistently available while minimizing risk."
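As an added illustration of the HEC approach described above (this is not Fox Crypto's replicator code or Splunk's own implementation), the Python below sketches the two halves of a one-way forwarder: the OT side wraps raw log lines in the HEC JSON event envelope and frames each one with a sequence number and a SHA-256 digest, because a diode returns no acknowledgement and the receiver must detect loss and corruption on its own; the IT side unframes the stream and builds the body it would POST to the HEC collector endpoint. The host names, log lines and frame layout are constructed assumptions.

```python
import hashlib
import json

# Constructed sample OT log lines (not taken from the original page).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z plc-01 login failed user=operator src=10.0.0.5",
    "2024-05-01T10:00:03Z plc-01 setpoint changed tag=pump1 value=42",
    "2024-05-01T10:00:07Z hist-01 opc read ok node=ns=2;s=Temp",
]

def build_hec_event(line, host, sourcetype, ts):
    """Wrap a raw log line in Splunk HEC's JSON event envelope."""
    return {"time": ts, "host": host, "source": "diode-replicator",
            "sourcetype": sourcetype, "event": line}

def frame(seq, hec_event):
    """OT side: prefix the JSON payload with a sequence number and digest.
    No ACK can cross the diode, so integrity and ordering travel with the data."""
    payload = json.dumps(hec_event, separators=(",", ":")).encode()
    digest = hashlib.sha256(payload).hexdigest()
    return f"{seq}|{digest}|".encode() + payload

def unframe(raw):
    """IT side: verify the digest and recover (seq, event); reject tampering."""
    seq_b, digest_b, payload = raw.split(b"|", 2)  # payload may contain '|'
    if hashlib.sha256(payload).hexdigest() != digest_b.decode():
        raise ValueError("integrity check failed")
    return int(seq_b), json.loads(payload)

def receive(frames):
    """Consume frames in arrival order; return events plus any missing seqs."""
    events, gaps, expected = [], [], 0
    for raw in frames:
        seq, ev = unframe(raw)
        if seq > expected:           # frames lost on the one-way link
            gaps.extend(range(expected, seq))
        events.append(ev)
        expected = seq + 1
    return events, gaps

def hec_batch_body(events):
    """HEC accepts several JSON objects concatenated in one POST body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events)

if __name__ == "__main__":
    frames = [frame(i, build_hec_event(l, "plc-01", "ot:syslog", 1714557600 + i))
              for i, l in enumerate(SAMPLE_LOGS)]
    events, gaps = receive([frames[0], frames[2]])   # simulate losing frame 1
    print(f"events={len(events)} gaps={gaps}")
    print(hec_batch_body(events))
```

On the IT side the batch body would be sent with an `Authorization: Splunk <token>` header to the collector's event endpoint; the gap list is what the receiver should alert on, since the OT side will never learn of the loss.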
NIS2 compliance rules
Regulations like NIS2 impose monitoring requirements, highlighting the need to secure OT environments that are connected to the outside world. Johan says: "There are concrete compliance rules that require SIEM data to be sent out and monitored, falling under hygiene measures. Regulatory measures involve both preventing unauthorized data from entering and ensuring proper monitoring. If you are okay with less frequent updates and extra manual labor, you might use a network setup where data is burned to a CD or DVD once a day and manually transferred. If you need real-time monitoring, a DataDiode is very effective.
Some OT companies may lack specific expertise in cybersecurity, which is why cyberattacks in this market are not unheard of. Companies often delay investing in cybersecurity until an attack makes the need clear. A DataDiode is an investment that, once made, allows you to focus less on network security while still maintaining continuous monitoring and production continuity. This approach minimizes the ongoing effort needed to address vulnerabilities and ensures consistent data monitoring and security."