Siemens Mobility Whitepaper - Data Diodes Vs Firewalls
Data diodes vs firewalls
ENABLING INDUSTRIAL IoT AND DIGITALIZATION: FIREWALLS OR DATA DIODES?
siemens.de/industrialsecurity
White Paper | Data Capture Unit (DCU) | 10.2020
A firewall separates two networks or systems and permits a restricted bi-directional data flow between them. According to pre-defined rules, firewalls determine which data is allowed to flow to the OT and IT networks. All firewalls are software-based and can be installed directly on the host device, like a computer. A dedicated hardware firewall is still software-based, but the software runs on a separate, external physical device that is designed to be the carrier of the firewall software and positioned between the OT and IT network.

There are several types of firewall technologies:

Basic firewall: To decide whether a data packet should be delivered or not, packet filtering uses integrated packet filters that are based on a static set of rules. Filtering packets statically, however, limits the inspection to the packet headers, with information only about source IP and source port as well as destination IP and destination port. This leaves the door open for attackers to infiltrate the system by using a packet with a permitted header and malicious content.

Circuit-level gateway: It checks the transmission control protocol (TCP) handshake to verify if a packet is legitimate and allowed to pass. Like a packet-filtering firewall, it does not check the packet itself. As it is not made for content filtering, a circuit-level gateway can let malicious packets pass that are smart enough to provide the right TCP handshake.

Stateful packet inspection (SPI): It combines both above-mentioned technologies, packet-filtering technology and TCP handshake verification. This firewall type controls the state of active connections, monitors incoming and outgoing packets over a specified amount of time, and uses several criteria for forwarding or rejecting data packets. It tracks the entire session, checks packet headers, and needs fewer open ports. On the downside, the comprehensive analysis can cause performance issues, and like the basic firewall, it does not check the packet content. The direct exchange of IP packets between the connected networks also enables attacks on the protocol stacks of the participating computers.

Proxy firewall: Serving as an intermediary, a proxy firewall or application firewall checks packets at the application level, thus averting direct contact between the OT network to be protected and other IT networks. It also ensures user anonymity: To protect the OT network, a proxy firewall hides the identification and geolocation of the original request source and forwards the request as its own. To ensure overall encryption, a complex configuration needs to be performed, which leaves the potential for misconfiguration and adds maintenance effort. Firewalls of this type are complex to maintain and not compatible with all network protocols.

Next-generation firewalls: They do not just combine packet filtering, SPI technology, and TCP handshake verification; they also use deep packet inspection (DPI) technology. Thanks to DPI, they inspect the header as well as the content of the data packets to detect protocol violations, viruses, spam, and other unwanted content, and they block or re-route packets that fall into these categories. But like the SPI technology, the implementation of DPI with TLS sessions is complex, resource intensive, and could be mismanaged.
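The inspection depths described above, as an added illustration that is not from the Siemens white paper: a header-only packet filter, a stateful firewall with simplified handshake tracking, and a DPI stage that validates Modbus/TCP framing and admits only read function codes (the next-generation firewall is taken here as SPI plus DPI, as the paper summarizes it). The addresses, rule set, and packets are constructed sample values.

```python
# Added example (not from the Siemens white paper): the inspection depths the paper
# contrasts, applied to constructed Modbus/TCP packets. IPs and rules are made up.
import ipaddress
from dataclasses import dataclass
@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # simplified TCP flags: "SYN", "ACK" or "PSH" (data)
    payload: bytes = b""

ALLOW_RULES = [("10.1.0.0/16", "10.2.0.10", 502)]   # IT subnet -> OT Modbus/TCP server

def basic_filter(pkt: Packet) -> bool:
    """Basic firewall: decides on source/destination IP and port only."""
    return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net) and
               pkt.dst == dst and pkt.dport == port for net, dst, port in ALLOW_RULES)

class StatefulFirewall:
    """SPI: header rules plus simplified (client-side) TCP handshake tracking."""
    def __init__(self):
        self.sessions = {}
    def check(self, pkt: Packet) -> bool:
        if not basic_filter(pkt):
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.sessions.get(key, "NEW")
        if state == "NEW" and pkt.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return True
        if state == "SYN_SENT" and pkt.flags == "ACK":
            self.sessions[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED"   # payload passes only inside a tracked session

READ_ONLY_FUNCTIONS = {1, 2, 3, 4}      # Modbus read coils/inputs/registers
def dpi_modbus(pkt: Packet) -> bool:
    """DPI: validates the MBAP header and allows only read function codes."""
    p = pkt.payload
    if len(p) < 8:
        return False
    protocol_id = int.from_bytes(p[2:4], "big")
    length = int.from_bytes(p[4:6], "big")
    if protocol_id != 0 or length != len(p) - 6:
        return False                      # protocol violation
    return p[7] in READ_ONLY_FUNCTIONS    # function code follows the unit id

def ngfw_check(fw: StatefulFirewall, pkt: Packet) -> bool:  # NGFW: SPI plus DPI
    return fw.check(pkt) and (pkt.flags != "PSH" or dpi_modbus(pkt))

def modbus_frame(function: int, data: bytes) -> bytes:  # 7-byte MBAP header + PDU
    pdu = bytes([1, function]) + data     # unit id 1, then function code and data
    return b"\x00\x01\x00\x00" + len(pdu).to_bytes(2, "big") + pdu
```

The same write request passes the header-only filter and the stateful firewall once a handshake has been seen; only the DPI stage rejects it, which is the gap the paper attributes to basic and SPI firewalls.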
Data diodes: Protected by hardware and physical separation

In contrast to firewalls, data diodes use a different approach to separate two networks: They are hardware-based devices made for unidirectional communication. Data flows exclusively in a single pre-defined direction: from the secured critical network to the less secure open network, with no possibility of a reverse data flow. This allows for complete protection and isolation of networks and overcomes vulnerabilities that can be associated with firewalls, because its design makes it invulnerable to mismanagement by any user or IT system.

In a simplified architecture, Figure 1 shows the application of data diodes for collecting and securing data from OT networks. The Siemens CoreShield Data Capture Unit is used as an example of how data diode technology is being applied to enable secure data transfer to enterprise networks or the Internet for cloud-based applications and services without compromising the security of critical networks.

In this reference architecture, we can observe a complete end-to-end solution with three layers: the OT and IT network as local networks, and the Internet/cloud. In this case, the data diode defines a clear network segregation between the OT and IT network, guaranteeing no operational disruptions and enabling the development of a strong on-premise edge environment, because any attempt to send data to the OT network will effectively be impossible.

The edge layer, often located in the company’s IT network, enables great flexibility when deploying data analytics applications with fast response times and data storage. This can be complemented with another layer by providing a controlled remote connection to a cloud platform. This enhances the functionality of edge applications because it aggregates data from several locations and enables mobile working and centralized rollouts of security patches and system updates over-the-air. With recent developments in data diode technology, the security of critical systems never needs to be compromised in the context of digitalization; data diodes like the Siemens CoreShield Data Capture Unit completely mitigate the risk of a remote attack or operational disruption.

Even though data diodes are a proven technology, their high cost and the engineering effort for deployment created a barrier that prevented widespread use of this technology – until developments like the Siemens CoreShield Data Capture Unit managed to reduce the size, deployment complexity, and most importantly the cost, the latter by a factor of 10. This was achieved by means of an electromagnetic induction design that has been patented, fully developed, and manufactured by Siemens in Germany.
Figure 1: Secure access to OT data with the Siemens CoreShield Data Capture Unit (DCU). [Diagram with three layers: OT network (TVD, IXL, OCS and a Data Collector PC feeding the DCU for real-time data collection; labelled "0% risk of operation disruption"), IT network (Edge PC with app storage, local data storage, diagnostics and connection, rail operator edge apps, customer data), and cloud (Cloud Connector, Edge App Device Management, Vendor VPN, Product R&D, worldwide rollout of applications, updates, and security patches).]
These advances in data diode technology enable the Siemens CoreShield Data Capture Unit to be viable both technically and commercially – and this as the world’s first data diode with a safety assessment that enables the secure and safe connection of signaling equipment up to Safety Integrity Level 4 (SIL 4). The Siemens CoreShield Data Capture Unit is also the world’s first data diode in the industry to achieve Security Level 3 (SL 3) according to IEC 62443-4-2. Advantages of data diodes include that they need no maintenance and have a mean time between failures (MTBF) of 16 to 50 years, making them a key element in modern security concepts and industrial IoT applications.

The Siemens CoreShield Data Capture Unit has no IP address of its own: It has an integrated safe Ethernet TAP (terminal access point) that is designed to provide access to data flowing across a network and to collect it with no interaction and independently of the protocol, using electromagnetic induction. The TAP cannot be detected by third parties, and it is completely undetectable in the OT network.

The integrated TAP consists of a total of eight RJ-45 sockets in four independent pairs that can be used for protocol-independent recording of data traffic on up to four 100 Mbit/s Ethernet connections in full-duplex mode. Each pair is considered a capture port. The capture ports, which are the only interface to the OT network, are physically separated (galvanically isolated) from the PHYs. The physical separation ensures the unidirectionality of the communication and protection from remote access to or cyberattacks on the OT network.

The Siemens CoreShield Data Capture Unit ensures that there is no write access possibility to the customer’s Ethernet interface in the OT network, because the transmission direction of the Ethernet transceivers used on the Siemens CoreShield Data Capture Unit is not connected to the capture ports.
[Figure: 4 x Ethernet TAP between the critical network (8x Ethernet, Rx/Tx pairs) and the open network (PHY, Rx/Tx).]
[Figure: Traffic monitoring with a network tap; labels: network tap, OT server, monitored device.]
Figure 4: Siemens CoreShield Data Capture Unit: Traffic monitoring using port mirroring. [Diagram: OT servers connected via a mirror port and network tap to the DCU, with optional local data storage; the DCU will optionally filter output by protocol, IP address, port or data content before passing it to a remote monitoring and/or data storage application.]
[Figure: One-way gateway (OWG) data path. (1) OWG software sender in the operational network (OT): data collection and sender to DCU. (2) DCU hardware: data diode security, physical isolation, with a client proxy on the critical network side and a server proxy on the open network side. (3) OWG software receiver in the open network (IT): receives and pushes data to... (4) Direct secure connection to the cloud (MindSphere) or IT.]
Firewalls allow a bi-directional data flow and therefore potential interference from the open network to the operational or critical one. Firewalls are also just as good as their configuration, maintenance, and rule management. They can become a risk factor due to poor configuration, which is likely because their configuration is complex and requires continuous adjustment to keep up with the unremitting changes to the network. Filtering rules for smart machines with high functional variability, for example, should be checked and modified regularly, because software-enhanced security firewalls are vulnerable to back doors, viruses, DDoS attacks, and hacker attacks. There are many examples in the past of successful firewall breaches and bypasses. Insecure protocols and commonly allowed ports also create the potential for malicious applications. Nevertheless, even though significant improvements have been made to software security testing, no development techniques or testing tools to date offer a guarantee of vulnerability-free firewalls. That is why the use of data diodes is becoming part of the standard network security toolkit, to raise the security level of specific critical systems with little or no tolerance for cybersecurity risk, or as a complement to existing firewalls to protect on-premise OT networks and edge environments.

Maintenance is also a key differentiator when comparing both technologies. Firewalls demand time, effort, and expense for patch management, constant maintenance, monitoring, and audits to ensure optimal security. Data diodes, on the other hand, do not require any maintenance or audits to ensure their security function throughout their lifecycle.

A data diode like the Siemens CoreShield Data Capture Unit (DCU) does not require rule management because its security function is achieved only via hardware. Therefore, it is not vulnerable to software changes or mismanagement: It is secure by default, and no misconfiguration or software vulnerability can make it insecure. Without a physical connection between the critical and open networks, the DCU offers no opportunity for back doors being left open, unintentionally or otherwise. Also, unlike software, data diode hardware security cannot be hacked. The integrity of the tapped data is always guaranteed with encryption via TLS signing, forward error correction (FEC), and the Siemens secure long-life (S2L2) Linux OS.

Figure 6: Siemens CoreShield Data Capture Unit (DCU): more secure than firewalls
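Why the one-way path needs the forward error correction (FEC) mentioned above, as an added illustration that is not Siemens code: a receiver behind a data diode has no return path on which to request a retransmission, so the sender adds one XOR parity block per group of data blocks and a SHA-256 digest that the receiver checks. The block size, group size, and (group, index, data) framing are constructed assumptions, not the DCU's actual protocol.

```python
# Added example (not Siemens code): a one-way link has no return path, so the
# receiver can never ask for a retransmission. The sender therefore adds one XOR
# parity block per group of K data blocks plus a SHA-256 digest of the message.
# BLOCK, K and the (group, index, data) framing are constructed assumptions.
import hashlib
from typing import Optional

BLOCK = 8   # payload bytes per block (small on purpose for the demonstration)
K = 4       # data blocks per parity group

def xor_blocks(blocks):
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def send(message: bytes):
    """Sender side: frames pushed through the diode, in order. Each frame is
    (group, index, data); index K marks the group's parity block."""
    payload = hashlib.sha256(message).digest() + len(message).to_bytes(4, "big") + message
    blocks = [payload[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(payload), BLOCK)]
    frames = []
    for g in range(0, len(blocks), K):
        group = blocks[g:g + K]
        group += [bytes(BLOCK)] * (K - len(group))      # pad the last group
        for idx, data in enumerate(group):
            frames.append((g // K, idx, data))
        frames.append((g // K, K, xor_blocks(group)))   # parity = XOR of the K blocks
    return frames

def receive(frames) -> Optional[bytes]:
    """Receiver side: rebuilds one lost block per group from the parity block;
    returns None when loss is unrecoverable or the digest does not match."""
    groups = {}
    for g, idx, data in frames:
        groups.setdefault(g, {})[idx] = data
    if not groups:
        return None
    payload = b""
    for g in range(max(groups) + 1):
        got = groups.get(g, {})
        missing = [i for i in range(K) if i not in got]
        if len(missing) == 1 and K in got:              # XOR of the rest restores it
            got[missing[0]] = xor_blocks([got[i] for i in range(K + 1) if i != missing[0]])
        elif missing:
            return None                                  # two losses: no way to recover
        payload += b"".join(got[i] for i in range(K))
    digest, n = payload[:32], int.from_bytes(payload[32:36], "big")
    message = payload[36:36 + n]
    return message if hashlib.sha256(message).digest() == digest else None
```

Dropping any single frame from a group still yields the original message; dropping two from the same group, or altering a byte in transit, is reported as a failure rather than silently delivered, since nothing can be requested again.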
Official recommendations

Data diodes like the Siemens CoreShield Data Capture Unit are recommended by the world’s major security agencies in their guidelines, best practices, and recommendations.

• France: The National Network and Information Security Agency (ANSSI) recommends the implementation of data diodes and unidirectional gateways in critical networks in the “Cybersecurity for Industrial Control Systems Guideline.” [1] When connecting any Class 3 network (OT) like railway switching systems to a lower-class network or corporate network (IT), only unidirectional gateways are permitted.

• United Kingdom: The Department for Transport (DFT) recommends the implementation of data diodes and unidirectional gateways in signaling systems in the “Rail Cyber Security Guidance to Industry.” [2]

• Germany: The German association of machinery and plant engineering (VDMA) recommends data diodes to protect critical network segments in the “Industrie 4.0 Security Guidelines.” [3] And the Federal Ministry for Economic Affairs and Energy (BMWi) recommends the same to protect and isolate the transition zones between critical networks (OT) and IT networks in the guideline “IT Security in Industrie 4.0.” [4]

• Singapore: The Singapore Cybersecurity Agency (CSA) [5] recommends the use of data diodes and unidirectional gateways in their instructions for the 11 Critical Information Infrastructure (CII) sectors to raise their levels of network security. In addition, the Infocomm Media Development Authority (IMDA) recommends data diodes at the edge of cyber-physical systems in facilities like nuclear power plants, electric power generation/distribution, oil and gas production, water/wastewater, and manufacturing in the “Annex Technology Roadmap – Cybersecurity.” [6]

• United States of America: The Department of Homeland Security (DHS) includes data diodes and unidirectional gateways in the guideline “Improving industrial control system cybersecurity with Defense-in-Depth strategies.” [7] The Department of Energy (DOE) recommends data diodes to protect critical network segments in the guideline “Protecting drinking water utilities from cyber threats.” [8] The Nuclear Regulatory Commission (NRC) [9] recommends and mandates the use of data diodes in the national regulatory guide “Cybersecurity programs for nuclear facilities.” [10] And the National Institute of Standards and Technology (NIST) includes data diodes and unidirectional gateways in its “Guide to Industrial Control Systems (ICS) Security” [11] as an integral part of network boundary protection.
Conclusion

Both firewalls and data diodes can and should be used to secure OT networks or critical parts of OT networks. They can mitigate the increasing cybersecurity risk, as data diodes complement existing network architectures and prevent online hacks and mismanagement risks because of their hardware-based physical security approach. Also, since data diodes do not need maintenance, updates or adjustments, they save a great deal of time, effort, costs, and resources. However, not all data diodes are the same.

The Siemens CoreShield Data Capture Unit (DCU) offers a one-of-a-kind data diode solution with a small footprint, no maintenance, and high cost efficiency, enabling the deployment of this technology even in small networks. The DCU not only provides wide-ranging protection for critical systems from cyber threats but also secure, real-time data from OT networks to enable industrial IoT. New and legacy systems can also be easily protected and connected when needed to existing network topologies. The Siemens CoreShield Data Capture Unit is suitable in any industrial context, from automotive, manufacturing, and healthcare to energy, transportation, and many more.
References

[1] https://www.ssi.gouv.fr/uploads/2014/01/industrial_security_WG_Classification_Method.pdf
[2] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/732888/rail-cyber-security-guidance-to-industry.pdf
[3] https://www.vdmashop.de/refs/Leitf_I40_Security_En_LR_neu.pdf
[4] https://www.plattform-i40.de/PI40/Redaktion/EN/Downloads/Publikation/guideline-it-security-i40-action-fields.pdf?__blob=publicationFile&v=3
[5] https://www.csa.gov.sg/news/press-releases/press-statement-on-the-government-lifting-the-pause-on-new-ict-systems
[6] https://www2.imda.gov.sg/-/media/Imda/Files/Industry-Development/Infrastructure/Technology/Technology-Roadmap/Annexes-A-3-Cyber-Security_Full-Report.pdf
[7] https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
[8] https://www.osti.gov/pages/servlets/purl/1372266
[9] https://www.nrc.gov/docs/ML1703/ML17031A020.pdf
[10] https://www.nrc.gov/docs/ML0903/ML090340159.pdf
[11] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf