Laboratory infrastructure: one-way data connections using data diodes
For many applications, it is useful or necessary to access systems and plants in protected network areas. Data from machines, systems and sensors is required for monitoring and predictive maintenance. Further scenarios are the extraction of logging data and backups, the transfer of sensor data and status messages, the replication of servers (e.g. a Historian), the extraction of video/audio streams or screen displays, and information about the system status (e.g. patch version). A data diode is ideal for precisely these use cases. It allows data to be transferred in exactly one direction, i.e. from one network area to another, without the possibility of reverse data flow or access. This prevents unauthorized access to the protected network area and the equipment and sensors within it.
There are basically two types of data diodes: physical and logical. With a physical data diode, transmission in only one direction is enforced by the physical medium itself. This is realized, for example, with an optical waveguide that has a light-emitting diode on one side and a light sensor on the other; transmitting information in the opposite direction is therefore physically impossible. However, this physical guarantee comes with two problems. First, successful delivery of the data to the receiver cannot be confirmed, because the sender never receives any feedback. Second, protocols that require a mandatory confirmation from the other party, either to establish the connection or to exchange data, cannot be used. This is where logical data diodes come in. Although a bidirectional data connection exists at the physical level, software logic ensures that data can only be transmitted in one direction. The advantage is that the logic permits a minimal return channel (1 bit) for acknowledging receipt of the data, so protocols that require confirmation from the other side can also be used.
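To make the difference between the two diode types concrete, here is an added simulation (not code from the page or from Fraunhofer IOSB-AST) in which a physical diode is modelled as fire-and-forget, while a logical diode allows exactly one bit back per frame and uses it to detect a lost frame and retransmit; the loss pattern and frame contents are constructed sample values.

```python
"""Simulation of physical vs logical data diode delivery semantics (hypothetical model)."""


class OneWayLink:
    """Forward-only link. loss_pattern is a constructed list of booleans:
    True means the frame at that position is lost in transit."""

    def __init__(self, loss_pattern):
        self._loss = iter(loss_pattern)
        self.delivered = []  # what actually arrives at the protected side's receiver

    def send(self, frame: bytes) -> None:
        if not next(self._loss, False):
            self.delivered.append(frame)


def physical_diode_transfer(frames, loss_pattern):
    """Physical diode: the sender pushes frames and has no way of learning about losses."""
    link = OneWayLink(loss_pattern)
    for frame in frames:
        link.send(frame)
    return link.delivered


class LogicalDiode:
    """Logical diode: full forward path, but the return path is restricted to one bit."""

    def __init__(self, loss_pattern):
        self.link = OneWayLink(loss_pattern)
        self.reverse_log = []  # every value that ever crossed the return channel

    def reverse(self, value):
        # The return channel is policy-enforced: only a single bit (ACK/NAK) may pass.
        if value not in (0, 1):
            raise ValueError("return channel carries exactly one bit")
        self.reverse_log.append(value)
        return value

    def transfer(self, frames, max_attempts=4):
        for frame in frames:
            for _ in range(max_attempts):
                before = len(self.link.delivered)
                self.link.send(frame)
                # Receiver raises the ACK bit only if the frame actually arrived.
                if self.reverse(1 if len(self.link.delivered) > before else 0):
                    break
            else:
                raise RuntimeError(f"frame {frame!r} undeliverable after {max_attempts} attempts")
        return self.link.delivered
```

With the same loss pattern, the physical diode silently drops the second frame, whereas the logical diode sees the NAK bit, retransmits, and delivers all three.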
With its technical training courses, the Fraunhofer IOSB-AST cybersecurity learning laboratory offers the opportunity to learn in detail about the different types of data diodes using real application scenarios in a laboratory environment, and to understand how they work as well as their advantages and disadvantages. In addition, we advise companies from the energy and water supply sectors on the use of data diodes and analyze their suitability and implementation options on the basis of concrete, individual use cases.