
PROTECTING OT NETWORKS

Data diodes vs firewalls

ENABLING INDUSTRIAL IoT AND DIGITALIZATION: FIREWALLS OR DATA DIODES?

Whether it be the transportation, manufacturing, energy or healthcare sector: The growing digitalization of critical infrastructure with an increasing number of IoT devices is raising the bar for network security. For many years, one of the most common components in the first line of defense of OT and IT networks were software firewalls. But as times change, security requirements change too. Considering the ever-increasing connectivity and rapidly increasing cyberattacks, firewalls are no longer the only go-to cybersecurity option. Today, the development and use of data diodes is setting a new benchmark in network security technology, aiming to mitigate the increasing cybersecurity risk that critical infrastructures are facing in the digital age. But what are the differences between firewalls and data diodes like the Siemens CoreShield Data Capture Unit, and what potential use cases exist?

siemens.de/industrialsecurity
White Paper | Data Capture Unit (DCU) | 10.2020

Contents

Digitalization needs networks – and networks need security
Firewalls: Protected by software
Data diodes: Protected by hardware and physical separation
Data diode application 1: Monitoring a networked asset
Data diode application 2: Monitoring network traffic
DCU application: Unidirectional gateway
Security: Firewalls vs. data diode/DCU
Official recommendations
Conclusion


Digitalization needs networks – and networks need security

Digitalization offers great opportunities for more efficient, reliable, and flexible processes in almost all industries and sectors of the economy: High-precision processes, devices, and user data are now enabling continuous process optimization as well as new business opportunities. Therefore, additional connectivity to the Internet, sensors as well as wired and wireless networks are being used to collect, analyze, and leverage data on premise and in the cloud. Data-driven applications for industrial IoT are diverse but often focus on productivity, ranging from remote monitoring to supporting service technicians in the field and management in administration.

In order to use relevant data, it must be transmitted – whether it be within the company (on-premise) or off-site (cloud, mobile devices). Vertical networking – from the operational OT network with the connected assets and devices to the open office IT network – is now a prerequisite. With vertical networking, the risk increases that IT threats will cause problems within the OT network. In addition, with the increase in networking and data exchange on the operational level, connected assets, plants, and infrastructures are becoming more vulnerable and are attracting the interest of potential cyber attackers with malicious motivations.

Today, the increasing number and sophistication of cyberattacks and threats towards OT systems signal that we cannot keep using the same network security toolkit we have been using the past 20 years. In 2010, the malicious computer worm Stuxnet caused significant damage to Iran’s nuclear facilities. The malware Industroyer is believed to have been used for a cyberattack on a 200-MW Ukrainian transmission substation. In 2017, the ransomware NotPetya started targeting IT systems in Ukrainian companies first, then it spread wormlike around the globe, attacking OT systems and causing serious damage. In the same year, the malware Triton targeted industrial control systems in the Middle East. In fact, the “X-Force Threat Intelligence Index 2020” from IBM states that attacks on OT in companies were up by 2,000% between 2018 and 2019.

But whether it be viruses, malware, hacker attacks or industrial espionage: To protect operations, processes, assets, and even lives, the resilience of the first line of defense of OT networks needs to be improved.


Firewalls: Protected by software

A firewall separates two networks or systems and permits a restricted bi-directional data flow between them. According to pre-defined rules, firewalls determine which data is allowed to flow to the OT and IT networks. All firewalls are software-based and can be installed directly on the host device like a computer. A dedicated hardware firewall is still software-based but the software runs on a separate, external physical device, designed to be the carrier of the firewall software and positioned between the OT and IT network.

There are several types of firewall technologies:

Basic firewall: To decide whether a data packet should be delivered or not, packet filtering uses integrated packet filters that are based on a static set of rules. Filtering packets statically, however, limits the inspection to the packet headers, with information only about source IP and source port as well as destination IP and destination port. This leaves the door open for attackers to infiltrate the system by using a packet with a permitted header and malicious content.

Circuit-level gateway: It checks the transmission control protocol (TCP) handshake to verify if a packet is legitimate and allowed to pass. Like a packet-filtering firewall, it does not check the packet itself. As it is not made for content filtering, a circuit-level gateway can let malicious packets pass that are smart enough to provide the right TCP handshake.

Stateful packet inspection (SPI): It combines both above-mentioned technologies, packet-filtering technology and TCP handshake verification. This firewall type controls the state of active connections, monitors incoming and outgoing packets over a specified amount of time, and uses several criteria for forwarding or rejecting data packets. It tracks the entire session, checks packet headers, and needs fewer open ports. On the downside, the comprehensive analysis can cause performance issues and, like the basic firewalls, it does not check the packet content. The direct exchange of IP packets between the connected networks also enables attacks on protocol stacks in the participating computers.

Proxy firewall: Serving as an intermediary, a proxy firewall or application firewall checks packets at the application level, thus averting direct contact between the OT network to be protected and other IT networks. It also ensures user anonymity: To protect the OT network, a proxy firewall hides the identification and geolocation of the original request source and forwards the request as its own. To ensure overall encryption, a complex configuration needs to be performed, which leaves open the potential for misconfigurations and maintenance. Firewalls of this type are complex to maintain and not compatible with all network protocols.

Next-generation firewalls: They do not just combine packet filtering, SPI technology, and TCP handshake verification; they also use deep packet inspection (DPI) technology. Thanks to DPI, they inspect the header as well as the content of the data packets to detect protocol violations, viruses, spam, and other unwanted content, and they block or re-route packets that fall into these categories. But like the SPI technology, the implementation of DPI with TLS sessions is complex, resource intensive, and could be mismanaged.


Data diodes: Protected by hardware and physical separation

In contrast to firewalls, data diodes use a different approach to separate two networks: They are hardware-based devices made for unidirectional communication. Data flows exclusively in a single pre-defined direction: from the secured critical network to the less secure open network, with no possibility of a reverse data flow. This allows for complete protection and isolation of networks and overcomes vulnerabilities that can be associated with firewalls because its design makes it invulnerable to mismanagement by any user or IT system.

In a simplified architecture, Figure 1 shows the application of data diodes for collecting and securing data from OT networks. The Siemens CoreShield Data Capture Unit is used as an example of how data diode technology is being applied to enable secure data transfer to enterprise networks or the Internet for cloud-based applications and services without compromising the security of critical networks.

In this reference architecture, we can observe a complete end-to-end solution with three layers, the OT and IT network as local networks and the Internet/cloud. In this case, the data diode defines a clear network segregation between the OT and IT network, guaranteeing no operational disruptions and enabling the development of a strong on-premise edge environment because any attempt to send data to the OT network will effectively be impossible.

The edge layer, often located in the company’s IT network, enables great flexibility when deploying data analytics applications with fast response times and data storage. This can be complemented with another layer by providing a controlled remote connection to a cloud platform. This enhances the functionality of edge applications because it aggregates data from several locations and enables mobile working and centralized rollouts of security patches and system updates over-the-air. With recent developments in data diode technology, the security of critical systems never needs to be compromised in the context of digitalization; data diodes like the Siemens CoreShield Data Capture Unit completely mitigate the risk of a remote attack or operational disruption.

Even though data diodes are a proven technology, their high cost and the engineering effort for deployment created a barrier that prevented widespread use of this technology – until developments like the Siemens CoreShield Data Capture Unit managed to reduce the size, deployment complexity, and most importantly the cost, the latter by a factor of 10. This was achieved by means of an electromagnetic induction design that has been patented, fully developed, and manufactured by Siemens in Germany.

[Figure 1 diagram. Cloud layer: Vendor VPN – Worldwide, Deploy Security Patches, Edge App Device Management, Product R&D, Rollout Applications and Updates. IT Network layer (Rail Operator): Edge PC with App Storage, Diagnostics and Connection, Local Data Storage, Edge Apps, Cloud Connector. OT Network layer: Data Collector PC – DCU, Real-time Data Collection, TVD / IXL / OCS – DCU; label “0% Risk of Customer Operation Disruption”.]
Figure 1: Secure access to OT data with the Siemens CoreShield Data Capture Unit (DCU)


These advances in data diode technology enable the Siemens CoreShield Data Capture Unit to be viable both technically and commercially – and this as the world’s first data diode with a safety assessment that enables the secure and safe connection of signaling equipment up to Safety Integrity Level 4 (SIL 4). The Siemens CoreShield Data Capture Unit is also the world’s first data diode in the industry to achieve Security Level 3 (SL 3) according to IEC 62443-4-2. Advantages of data diodes include that they need no maintenance and have a mean time between failures (MTBF) of 16 to 50 years, making them a key element in modern security concepts and industrial IoT applications.

The Siemens CoreShield Data Capture Unit has no IP address of its own: It has an integrated safe Ethernet TAP (terminal access point) that is designed to provide access to data flowing across a network and to collect it with no interaction and independently of the protocol using electromagnetic induction. The TAP cannot be detected by third parties, and it is completely undetectable in the OT network.

The integrated TAP consists of a total of eight RJ-45 sockets in four independent pairs that can be used for protocol-independent recording of data traffic on up to four 100 Mbit/s Ethernet connections in full-duplex mode. Each pair is considered a capture port. The capture ports, which are the only interface to the OT network, are physically separated (galvanically isolated) from the PHYs. The physical separation ensures the unidirectionality of the communication and protection from remote access to or cyberattacks on the OT network.

The Siemens CoreShield Data Capture Unit ensures that there is no write access possibility to the customer’s Ethernet interface in the OT network because the transmission direction of the Ethernet transceivers used on the Siemens CoreShield Data Capture Unit is not connected to the capture ports.

[Figure 2 diagram: 4 x Ethernet Tap between Critical Network and Open Network; 8x Ethernet PHY on the open side, each with Rx/Tx pairs, with only the receive direction coupled to the tapped Rx/Tx lines.]

Figure 2: Siemens CoreShield Data Capture Unit security hardware


Data diode application 1: Monitoring a networked asset

The Siemens CoreShield Data Capture Unit enables the secure monitoring of the network traffic of a single device without increasing the attack surface (Figure 3): The integrated TAP of the Siemens CoreShield Data Capture Unit is used to securely export monitored network traffic. The captured network traffic is transmitted or stored in pcapng format with a timestamp, sequence numbers, and a signature.

Benefits:

• No data is allowed to pass into the critical network.
• Passive TAP via direct wire connection enables easy integration in existing network installations.
• Captures any bit stream, independent of protocol, over any network segment.
• Captured data can be filtered by protocol, source/target IP and port, and data content.
• Network operation is uninterrupted, even if the Siemens CoreShield Data Capture Unit is offline or has failed.

[Figure 3 diagram. Critical Network: OT servers and a monitored device; a network tap on the monitored device’s link feeds the DCU. DCU with optional local data storage; the DCU will optionally filter output by protocol, IP address, port or data content. Open Network: remote monitoring and/or data storage application. Use case quote: “I want to securely monitor network traffic to / from a critical network component.”]

Figure 3: Siemens CoreShield Data Capture Unit monitoring a networked asset


Data diode application 2: Monitoring network traffic

If network traffic seen on one switch port (or entire VLAN) needs to be securely monitored without increasing the attack surface, the Siemens CoreShield Data Capture Unit can be used to securely export monitored network streams (Figure 4). The captured network streams are transmitted (via ETH 0) or stored (via high-speed USB) in a pcapng frame with sequence numbers and a timestamp.

Benefits:

• No data is allowed to pass into the critical network.
• Secure and continuous monitoring of critical networks, independent of protocol.
• Captured data can be filtered by protocol, source/target IP and port, and data content.
• Network operation is uninterrupted, even if the Siemens CoreShield Data Capture Unit is offline or has failed.

[Figure 4 diagram. Critical Network: OT servers on a switch; a mirror port on the switch feeds a network tap and the DCU. DCU with optional local data storage; the DCU will optionally filter output by protocol, IP address, port or data content. Open Network: remote monitoring and/or data storage application. Use case quote: “I want to securely monitor network traffic in my critical infrastructure without introducing any risk or harm.”]

Figure 4: Siemens CoreShield Data Capture Unit: Traffic monitoring using port mirroring


Siemens CoreShield Data Capture Unit application: Unidirectional gateway

The Siemens CoreShield Data Capture Unit can also be used in conjunction with CoreShield One-Way Gateway software to securely establish a one-way transfer of data from critical to open networks that is impenetrable to any software or cyberattack (see Figure 5). Building this unidirectional gateway solution and secure IT/OT bridge with the Siemens CoreShield Data Capture Unit entails the following:

1. The one-way gateway (OWG) sender used as the first component of the CoreShield One-Way Gateway software collects data in the critical or operational network, prepares it, and sends it to the Siemens CoreShield Data Capture Unit. (PC 1)

2. The Siemens CoreShield Data Capture Unit works as a full duplex communication link, isolating both the OT and IT network physically with electromagnetic induction: Data is only allowed to pass from critical to open network – not the other way around. (DCU)

3. The one-way gateway (OWG) receiver used as the second component of the CoreShield One-Way Gateway software receives data from the Siemens CoreShield Data Capture Unit and prepares it to be sent directly to the cloud or enterprise IT network. (PC 2)

4. The cloud or IT – the less-secure remote or on-site destination networks – are focused on application hosting, storage, and other functions.
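The captured-stream format on the two monitoring pages (sequence numbers, timestamp, signature) and the OWG sender/receiver chain above share one consequence of unidirectionality: the receiver has no reverse channel, so it cannot request a retransmission and must establish integrity and detect loss from what arrives. The following is an added example, not Siemens code; it assumes an HMAC as a stand-in for the signature, a fixed 64-byte payload, and one XOR parity frame per four data frames as a minimal forward error correction (FEC) scheme.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo of the one-way stream idea (OWG sender -> DCU -> OWG receiver).
# The receiver has no back-channel, so every frame carries a sequence number,
# timestamp and keyed hash (an HMAC stands in for the white paper's signature),
# and each group of K data frames is followed by an XOR parity frame (minimal FEC).
HMAC_KEY = b"constructed-demo-key"  # assumption: pre-shared out of band
K = 4                                # data frames per parity group
PAYLOAD_LEN = 64                     # fixed size keeps XOR parity simple
HDR = struct.Struct(">IQB")          # seq (u32), timestamp_ns (u64), kind (u8)
KIND_DATA, KIND_PARITY = 0, 1
TAG_LEN = hashlib.sha256().digest_size

def _mac(body: bytes) -> bytes:
    return hmac.new(HMAC_KEY, body, hashlib.sha256).digest()

def _xor(blocks: list[bytes]) -> bytes:
    out = bytearray(PAYLOAD_LEN)
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)

def _frame(seq: int, kind: int, payload: bytes, ts_ns: int) -> bytes:
    body = HDR.pack(seq, ts_ns, kind) + payload
    return body + _mac(body)

def sender_encode(records: list[bytes], ts_ns: int = 0) -> list[bytes]:
    """Sender side: number the records and append one parity frame per K of them.
    Records are NUL-padded to PAYLOAD_LEN; the list is padded with empty records
    so that the last group is complete (demo simplification)."""
    ts = ts_ns or time.time_ns()
    records = records + [b""] * (-len(records) % K)
    frames, seq = [], 0
    for i in range(0, len(records), K):
        group = [r.ljust(PAYLOAD_LEN, b"\0") for r in records[i:i + K]]
        for payload in group:
            frames.append(_frame(seq, KIND_DATA, payload, ts)); seq += 1
        frames.append(_frame(seq, KIND_PARITY, _xor(group), ts)); seq += 1
    return frames

def receiver_decode(frames: list[bytes]) -> dict:
    """Receiver side: drop forged/corrupt frames, count gaps, repair one loss per group."""
    groups: dict[int, dict[int, bytes]] = {}
    stats = {"tampered": 0, "lost": 0, "recovered": 0, "unrecoverable": 0}
    highest = -1
    for f in frames:
        body, tag = f[:-TAG_LEN], f[-TAG_LEN:]
        if len(body) != HDR.size + PAYLOAD_LEN or not hmac.compare_digest(tag, _mac(body)):
            stats["tampered"] += 1   # integrity check failed: drop it, never "repair" it
            continue
        seq, _ts, _kind = HDR.unpack(body[:HDR.size])
        if seq > highest + 1:
            stats["lost"] += seq - highest - 1   # numbering gap = frames lost in transit
        highest = max(highest, seq)
        # seq layout: positions 0..K-1 of each group are data, position K is parity
        groups.setdefault(seq // (K + 1), {})[seq % (K + 1)] = body[HDR.size:]
    records = []
    for g in sorted(groups):
        slots = groups[g]
        missing = [p for p in range(K) if p not in slots]
        if len(missing) == 1 and K in slots:   # exactly one loss and parity present
            slots[missing[0]] = _xor([slots[p] for p in range(K + 1) if p != missing[0]])
            stats["recovered"] += 1
        elif missing:
            stats["unrecoverable"] += len(missing)
        records.extend(slots[p].rstrip(b"\0") if p in slots else None for p in range(K))
    return {"records": records, "stats": stats}
```

A tampered frame fails the integrity check and is then also seen as a gap, so the parity frame is what lets the receiver recover it without any reverse traffic; two losses in one group are reported as unrecoverable rather than silently dropped.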

[Figure 5 diagram, layers from bottom to top: 0 Assets – Critical equipment or systems; 1 OWG software Sender (Operational Network, OT) – Data collection and sender to DCU; 2 DCU hardware – Data diode security – physical isolation, with Client Proxy on the critical network side and Server Proxy on the open network side; 3 OWG software Receiver (Open Network, IT) – Receives and pushes data to...; 4 Cloud or IT (MindSphere) – Direct secure connection.]

Figure 5: Solution concept architecture


Security: Firewalls vs. data diodes

Firewalls allow a bi-directional data flow and therefore potential interference from the open network to the operational or critical one. Firewalls are also just as good as their configuration, maintenance, and rule management. They can become a risk factor due to poor configuration, which is likely because their configuration is complex and requires continuous adjustment to keep up with the unremitting changes to the network. Filtering rules for smart machines with high functional variability, for example, should be checked and modified regularly because software-enhanced security firewalls are vulnerable to back doors, viruses, DDOS attacks, and hacker attacks. There are many examples in the past of successful firewall breaches and bypasses. Insecure protocols and commonly allowed ports also create the potential for malicious applications. Nevertheless, even though significant improvements have been made to software security testing, no development techniques or testing tools to date offer a guarantee of vulnerability-free firewalls. That is why the use of data diodes is becoming part of the standard network security toolkit, to raise the security level of specific critical systems with little or no tolerance for cybersecurity risk or as a complement to existing firewalls to protect on-premise OT networks and edge environments.

Maintenance is also a key differentiator when comparing both technologies. Firewalls demand time, effort, and expense for patch management, constant rule maintenance, monitoring, and audits to ensure optimal security. Data diodes, on the other hand, do not require any maintenance or audits to ensure their security function throughout their lifecycle.

A data diode like the Siemens CoreShield Data Capture Unit (DCU) does not require rule management because its security function is achieved only via hardware. Therefore, it is not vulnerable to software changes or mismanagement: It is secure by default, and no misconfiguration or software vulnerability can make it insecure. Without a physical connection between the critical and open networks, the DCU offers no opportunity for back doors being left open, unintentionally or otherwise. Also, unlike software, data diode hardware security cannot be hacked. The integrity of the tapped data is always guaranteed with encryption via TLS signing, forward error correction (FEC), and Siemens secure long-life (S2L2) Linux OS.

Firewall Disadvantages | DCU Solution
Complex rule management | Completely passive hardware device
Impede productivity (users employ “back door”) | Physical disconnect from critical to open network
Software can & has been hacked | HW cannot be hacked
Most attacks occur via commonly allowed ports | Hashed bit streams, TLS signing, Secure Linux OS, PCAP file
Patches, monitoring & audits needed | No patches, maintenance or audits

Figure 6: Siemens CoreShield Data Capture Unit (DCU): more secure than firewalls


Official recommendations

Data diodes like the Siemens CoreShield Data Capture Unit are recommended by the world’s major security agencies in their guidelines, best practices, and recommendations.

• France: The National Network and Information Security Agency (ANSSI) recommends the implementation of data diodes and unidirectional gateways in critical networks in the “Cybersecurity for Industrial Control Systems Guideline.” [1] When connecting any Class 3 network (OT) like railway switching systems to a lower-class network or corporate network (IT), only unidirectional gateways are permitted.

• United Kingdom: The Department for Transport (DFT) recommends the implementation of data diodes and unidirectional gateways in signaling systems in the “Rail Cyber Security Guidance to Industry.” [2]

• Germany: The German association of machinery and plant engineering (VDMA) recommends data diodes to protect critical network segments in the “Industrie 4.0 Security Guidelines.” [3] And the Federal Ministry for Economic Affairs and Energy (BMWi) recommends the same to protect and isolate the transition zones between critical networks (OT) and IT networks in the guideline “IT Security in Industrie 4.0.” [4]

• Singapore: The Singapore Cybersecurity Agency (CSA) [5] recommends the use of data diodes and unidirectional gateways in their instructions for the 11 Critical Information Infrastructure (CII) sectors to raise their levels of network security. In addition, the Infocomm Media Development Authority (IMDA) recommends data diodes at the edge of cyber-physical systems in facilities like nuclear power plants, electric power generation/distribution, oil and gas production, water/wastewater, and manufacturing in the “Annex Technology Roadmap – Cybersecurity.” [6]

• United States of America: The Department of Homeland Security (DHS) includes data diodes and unidirectional gateways in the guideline “Improving industrial control system cybersecurity with Defense-in-Depth strategies.” [7] The Department of Energy (DOE) recommends data diodes to protect critical network segments in the guideline “Protecting drinking water utilities from cyber threats.” [8] The Nuclear Regulatory Commission (NRC) [9] recommends and mandates the use of data diodes in the national regulatory guide “Cybersecurity programs for nuclear facilities.” [10] And the National Institute of Standards and Technology (NIST) includes data diodes and unidirectional gateways in its “Guide to Industrial Control Systems (ICS) Security” [11] as an integral part of network boundary protection.


Conclusion

Both firewalls and data diodes can and should be used to secure OT networks or critical parts of OT networks. They can mitigate the increasing cybersecurity risk as data diodes complement existing network architectures and prevent online hacks and mismanagement risks because of their hardware-based physical security approach. Also, because data diodes do not need maintenance, updates or adjustments, they save a great deal of time, effort, costs, and resources. However, not all data diodes are the same.

The Siemens CoreShield Data Capture Unit (DCU) offers a one-of-a-kind data diode solution with a small footprint, no maintenance, and high cost efficiency, enabling the deployment of this technology even in small networks. The DCU not only provides wide-ranging protection for critical systems from cyber threats but also secure and real-time data from OT networks to enable industrial IoT. New and legacy systems can also be easily protected and connected when needed to existing network topologies. The Siemens CoreShield Data Capture Unit is suitable in any industrial context, from automotive, manufacturing, and healthcare to energy, transportation, and many more.

[1] https://www.ssi.gouv.fr/uploads/2014/01/industrial_security_WG_Classification_Method.pdf
[2] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/732888/rail-cyber-security-guidance-to-industry.pdf
[3] https://www.vdmashop.de/refs/Leitf_I40_Security_En_LR_neu.pdf
[4] https://www.plattform-i40.de/PI40/Redaktion/EN/Downloads/Publikation/guideline-it-security-i40-action-fields.pdf?__blob=publicationFile&v=3
[5] https://www.csa.gov.sg/news/press-releases/press-statement-on-the-government-lifting-the-pause-on-new-ict-systems
[6] https://www2.imda.gov.sg/-/media/Imda/Files/Industry-Development/Infrastructure/Technology/Technology-Roadmap/Annexes-A-3-Cyber-Security_Full-Report.pdf
[7] https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
[8] https://www.osti.gov/pages/servlets/purl/1372266
[9] https://www.nrc.gov/docs/ML1703/ML17031A020.pdf
[10] https://www.nrc.gov/docs/ML0903/ML090340159.pdf
[11] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
