September 2022 issue

Laboratory infrastructure: one-way data connections using data diodes

© Fraunhofer | Data diode

For many applications, it is useful or necessary to access systems and plants in protected network areas. Data from machines, systems and sensors is required for monitoring and predictive maintenance. Further scenarios are the extraction of logging data and backups, the transfer of sensor data and status messages, the replication of servers (e.g. Historian), the extraction of video/audio streaming or screen displays as well as information about the system status (e.g. patch version). A data diode is ideal for precisely these use cases. It allows data to be transferred in exactly one direction, i.e. from one network area to another, without the possibility of reverse data flow or access. This prevents unauthorized access to the protected network area with its equipment and sensors.

There are basically two different types of data diodes: physical and logical. With the physical data diode, data transmission in only one direction is ensured by a physical medium. This is realized, for example, by means of an optical waveguide with a light-emitting diode on one side and a light sensor on the other. Transmission of information in the opposite direction is thus physically impossible. However, this physical security comes with two problems. First, the successful transmission of data to the receiver cannot be guaranteed. Second, it is not possible to use protocols for data transmission that require confirmation from the other party for the connection to be established or for communication to take place. This is where logical data diodes come in. Although a bidirectional data connection exists at the physical level, suitable software logic ensures that data can only be transmitted in one direction. The advantage is that a minimal return channel (1 bit) is enabled in the logic for acknowledgement of receipt of the data. This means that protocols that require confirmation from the other side can also be used.
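The trade-off described above, as an added example that is not Fraunhofer's code: over a physical diode the sender can only number, checksum and repeat its frames so that the receiver can detect loss, while the one-bit return channel of a logical diode lets the sender retry until a frame is confirmed. The frame layout, the function names and the `link` callable are assumptions made for this example.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")   # sequence number, payload length (constructed format)

def frame(seq, payload):
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def parse(datagram):
    """Return (seq, payload), or None when the frame is truncated or damaged."""
    if len(datagram) < HEADER.size + 4:
        return None
    body = datagram[:-4]
    if zlib.crc32(body) != struct.unpack("!I", datagram[-4:])[0]:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

def send_physical(messages, copies=2):
    """Physical diode: no feedback, so each frame is sent blindly `copies` times."""
    return [frame(seq, m) for seq, m in enumerate(messages) for _ in range(copies)]

def receive(datagrams):
    """Receiver: drop damaged frames and duplicates, report gaps in the sequence."""
    got = {}
    for datagram in datagrams:
        parsed = parse(datagram)
        if parsed is not None:
            got.setdefault(parsed[0], parsed[1])
    # Only gaps below the highest sequence number seen are detectable;
    # loss at the tail of the stream is invisible without a return channel.
    missing = [s for s in range(max(got, default=-1) + 1) if s not in got]
    return got, missing

def send_logical(messages, link, max_tries=5):
    """Logical diode: `link` (hypothetical) returns one bit, frame intact or not."""
    attempts = 0
    for seq, m in enumerate(messages):
        for _ in range(max_tries):
            attempts += 1
            if link(frame(seq, m)):   # the 1-bit return channel
                break
        else:
            raise RuntimeError(f"frame {seq} never acknowledged")
    return attempts
```

With the physical diode the receiver can report a gap but cannot request the missing frame, so recovery depends on the sender's redundancy or on an out-of-band process.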

With its technical training courses, the Fraunhofer IOSB-AST cybersecurity learning laboratory offers the opportunity to learn in detail about the different types of data diodes using real application scenarios in a laboratory environment and to understand how they work as well as their advantages and disadvantages. In addition, we advise companies from the energy and water supply sectors on the use of data diodes and analyze their suitability and implementation options on the basis of concrete and individual use cases.

Research: Resilient power grids for the energy transition (RESI

© Fraunhofer | RESIST graphic

The BMBF-funded project RESIST, led by Fraunhofer EMI, started in 2021 as a collaboration between the Fraunhofer Institutes EMI, ISE, IEE, IEG and IOSB-AST. Focusing on the resilience of our power grids, the project partners are researching methods to assess the vulnerability and resilience of power grids. The power supply in Germany in particular is currently still a strongly hierarchical (top-down) and massively regulated system. A few vital transmission networks ensure reliable and stable power supply at the regional and local level. If an outage occurs, many people and businesses are affected. Against this background, how do you plan and operate a resilient power supply for the future? The answer to this question requires a high degree of system competence that coherently links technological, economic and regulatory issues.

The overall goal of RESIST is to increase the resilience of the power supply. To this end, resilience is to be integrated and made measurable in all phases of the upcoming energy transition and presented in real time, and options for action to optimize system resilience across critical phases are to be identified.

As a result, RESIST is developing two planning and management tools as well as technical enhancements for core components to increase power system resilience. The resilience monitor enables real-time resilient operations management and can minimize technical and financial damage by forecasting damage scenarios. The strategic planning tool allows the implementation of a resilient-by-design approach to the long-term transformation of the power grid.

Identified failure and disruption scenarios of the power grids form the basis for the work in the project and, because of possible attacks on the power grid, also lead to a strong focus on IT security. Fraunhofer IOSB-AST is investigating the digital substation in detail as a critical part of current and future power grids. For highly networked and digitized systems, one speaks of the need for cyber resilience as the next step in IT security. For this purpose, decentralized methods for resilience and security assessment are being researched in combination with AI-based methods for detecting IT attacks.

Blog post: Testing a new AI-based generation of security systems.

© Fraunhofer | Blog post

Also in this issue, we would like to draw your attention to our latest blog post on "Testing a new AI-based generation of safety systems".

"The AICAS project conducts research on the problem of detecting and handling security incidents in industrial plants - a problem of high economic and social relevance. Due to the constantly changing environment and the development of new attack technologies, currently available solutions show only limited effectiveness. The innovation of the project is to overcome these limitations through AI-based solutions."

Read more in our recent blog post:

Introduction of the staff of the cyber security learning lab for energy and water supply.

© Fraunhofer | M.Sc. Adam Bartusiak

In this section we would like to introduce you to our colleagues. Today we will introduce you to Adam Bartusiak, our research fellow. Adam has been working at the Learning Laboratory for Cybersecurity (LLCS) for Energy and Water Utilities since the very beginning. In this interview, he explains what makes his job as a research associate at LLCS particularly exciting.

What exactly do you do at the learning lab as a research associate?

Currently, one of my main tasks is to conduct security assessments and penetration tests as part of various collaborative projects with our industry partner. This topic area provides a basis for my doctoral thesis, which I am currently working on. Furthermore, together with my team colleagues, I am responsible for the creation and implementation of technical trainings in the area of IT security. As part of this task, I have designed and implemented several attack scenarios for our training environment.

What do you think makes the learning lab so unique?

On the one hand, it's the structure of our labs at the Ilmenau and Görlitz sites: they integrate a real company structure as well as processes and technology from the energy sector. This infrastructure enables us to investigate current security issues in a practical way using state-of-the-art research approaches and tools. Another more significant feature of the learning lab is the development and active use of mobile training platforms, allowing the diverse aspects of IT security to be experienced first-hand in hands-on exercises using OT components and processes familiar to the training participants.

Where do you see the biggest challenges for energy and water utilities in the context of cybersecurity today?

I think one of the biggest challenges is integrating new security solution approaches into the entrenched, sometimes inflexible and sometimes outdated OT infrastructures. As an example, I would like to mention the implementation of intrusion detection systems (IDS), which is mandatory for operators of critical infrastructures under the IT Security Act 2.0. This requirement, which is very positive in itself, requires a lot of expertise and appropriate personnel to plan and operate such systems. Both factors are often not fundamentally present in the CRITIS organization.

You have been part of the cybersecurity learning lab team since the very beginning. How have you been able to develop and what personal strengths do you bring to the learning lab?

Working in the learning lab has allowed me to shift my perspective from the IT world to the OT world and better understand the specific cybersecurity challenges there. By working with colleagues from Ilmenau, I was able to gain technical insights into energy-related processes and learn about the technology used in the field. Based on this, I was able to further expand my expertise in the design and execution of security assessments and penetration tests and transfer them to the context of energy and water supply. Basically, my very structured and detail-oriented way of working proved to be an advantage. Likewise, I think I am very capable of facing difficult or changing circumstances with the necessary perseverance, flexibility and concentrated focus.

Describe the LLCS for Energy and Water Supply at Fraunhofer IOSB-AST in three words.

Innovative, flexible, practice-oriented.

Next training dates

You can find the current training dates here: