In the final part of our three-part series on data diodes, we will investigate the possibility of creating your own data diode from readily available parts and open source software solutions.
Originally designed by government organizations to protect top secret information, data diodes are still most commonly used in applications requiring the highest level of security such as state secret protection, banking or battlefield up-links. In recent years we have seen an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure due to the simple and virtually impenetrable nature of these devices.
Strength in simplicity
The strength of a Data Diode is in its simplicity. At the core of all data diodes is a simple duplex fiber optic connection (fiber optic connections often have dedicated send and receive fiber strands) with either the send or the receive fiber disconnected. Severing one of the physical fiber connections makes it impossible to send data in one direction.
How to roll your own data diode
If you were to crack open a typical data diode you would see it is simply made up of two mini-PCs with a fiber optic link running between them. There are dozens of patents around variants of data diodes and data diode software. For example there is a patent for a data diode that only uses a single computer to handle both ends of the connection (which seems less secure to me). A fiber link between two computers is far too simple a concept to patent, so you won't end up in court creating a data diode in this configuration. Now let's step through the process of creating our own data diode.
Step 1 - Purchase two computers
It is important to find a small form factor computer with a PCI-Express slot for the fiber optic PCI-Express card, since each of our two machines will act as a (reverse) proxy server on its side of the link. For most industrial applications I would purchase a couple of fan-less industrial PCs with solid state hard drives that can be stored in a locked computer panel box or server room. For the purposes of our proof of concept I will purchase two low cost PCs:
- Slim barebones PC with a PCI-Express card slot
- Solid state hard disk drive
- 2 GB of memory
- i5 processor
- These PCs should come with an integrated Ethernet card, through which we will plug in our network connection.
2 x - Barebones PC with PCI-Express card slot - $600.00 each
Step 2 - Purchase two fiber optic PCI-Express cards
If you don't have experience with fiber optic networks you need to be aware of the many standards and modes that are available. It is critical that you select fiber optic cards and a patch cable that are all compatible. I have selected multi-mode "Fiber-to-the-desk" PCI-Express cards with ST connectors, which make it very easy to disconnect one of the fiber links.
2 x - Gigabit Ethernet Multi-Mode ST Fiber Card 1000Mbps PCI-Express - $200.00 each
Step 3 - Purchase a fiber optic patch cable
I have found a suitable multi-mode fiber patch cord with male connectors on each end:
3m Multi-Mode 62.5/125 Duplex Fiber Patch Cable ST - ST - $12.00
Step 4 - Install a Secure Operating System on the PCs
I prefer to use OpenBSD because it is free, open source, ultra-secure out of the box, and I have friends here in Calgary who are OpenBSD gurus.
Step 5 - Configure your Reverse Proxy
Depending on the data you want to replicate, you can configure an open source reverse proxy such as nginx (engine x) and use your database's web services to replicate the data.
Step 6 - Disconnect one of the fiber optic ST connectors
Once you have your two proxy servers configured and communicating with each other you can simply disconnect one of the two fiber ST connectors. You will likely need to spend time properly configuring your reverse proxy servers to relay the information correctly, and you will need to write some scripts in your database to perform the continuous data replication.
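One consequence of Step 6 that the replication scripts have to live with: once the return strand is pulled, nothing the receiving proxy sends (TCP ACKs, retransmission requests) can reach the sending proxy, so the receiving side must detect dropped, corrupted or replayed records on its own. The following is an added example, not code from the original post: a constructed frame format (the `DD1` marker and header layout are my own) that the sending proxy would push as UDP datagrams across the fiber hop, and a receiver that tracks sequence gaps instead of asking for retransmission.

```python
import hashlib
import socket
import struct

MAGIC = b"DD1"                        # constructed marker, not a standard
HEADER = struct.Struct("!3sQI32s")    # magic, sequence, payload length, SHA-256

def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame one replicated record. The digest covers the sequence number
    as well as the payload, so a corrupted or re-sequenced frame is rejected."""
    digest = hashlib.sha256(seq.to_bytes(8, "big") + payload).digest()
    return HEADER.pack(MAGIC, seq, len(payload), digest) + payload

def decode_frame(frame: bytes):
    """Return (seq, payload), or None if any integrity check fails."""
    if len(frame) < HEADER.size:
        return None
    magic, seq, length, digest = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if magic != MAGIC or len(payload) != length:
        return None
    if hashlib.sha256(seq.to_bytes(8, "big") + payload).digest() != digest:
        return None
    return seq, payload

def send_records(records, host, port):
    """Sending-side proxy: UDP, because no ACK can ever come back over the diode."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq, record in enumerate(records):
        sock.sendto(encode_frame(seq, record), (host, port))
    sock.close()

class OneWayReceiver:
    """Receiving-side proxy state. Gaps cannot be repaired by asking the
    sender; they are recorded so an operator or a periodic full resync
    from the low side can close them."""
    def __init__(self):
        self.expected = 0
        self.accepted = []   # payloads in arrival order
        self.gaps = []       # (first_missing_seq, last_missing_seq)
        self.rejected = 0    # corrupted, malformed, duplicate or replayed

    def feed(self, frame: bytes):
        decoded = decode_frame(frame)
        if decoded is None or decoded[0] < self.expected:
            self.rejected += 1          # bad digest, or old/replayed sequence
            return
        seq, payload = decoded
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))
        self.accepted.append(payload)
        self.expected = seq + 1
```

Feed each datagram received on the high-side UDP socket to `OneWayReceiver.feed()`; a non-empty `gaps` list is the signal that the diode dropped something and the database needs a resync.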
For a total cost of $1612 and some tender loving coding, you too can have your own home-brew Data Diode.
Data Diodes represent a simple yet virtually impenetrable way of segmenting a network. They have been used for years to secure classified information by government organizations and are an excellent complement to firewalls in a typical control system's defense in depth strategy. Adding a data diode to your network doesn't have to cost tens of thousands of dollars either. You can reap the benefits of a unidirectional data diode for a few thousand dollars and some technical elbow grease.
About the Author
Austin Scott is CEO of Synergist SCADA Inc and heads up a talented team that offers a consummate blend of controls expertise, industry know-how, and advanced software development skills. "Synergist SCADA Inc. is focused on maximizing the effectiveness of our customers’ SCADA investment. We provide control systems design, upgrade strategies, HMI / SCADA / PLC programming, security audits, and field services." Austin Scott is currently authoring a book on pragmatic ICS Security practices that is due out this summer.