What are the industrial uses of diodes

An industrial data diode for particularly critical systems and processes

Whitepapers

For monitoring or process optimization, well-isolated production facilities would also have to be digitally networked. For particularly critical systems, however, a direct coupling is extremely problematic. Therefore, the security concerns often outweigh the automation advantages. The genua cyber diode is a highly secure and suitable technology for current automation requirements.

1. Old and new systems should be monitored and the processes optimized

Operators of machines and systems expect the highest possible productivity and availability. Process monitoring is therefore a very effective tool for plant efficiency. However, it requires online access to the systems. This increases the security risks considerably.

Machines and systems that send data via the Internet can in principle also be attacked in this way. If systems are to be digitally networked, they must therefore be protected against intrusive malware and unauthorized access. Systems that control critical infrastructures (KRITIS) or other systems, on whose fault-free function high material assets or even life depend, have particularly high security requirements. B. Turbines in power plants, chemical manufacturing plants or industrial robots in production lines.

Classic IT security solutions are usually not applicable to production environments (Operational Technology, OT). Many systems run on outdated operating systems. Security updates or subsequent hardening measures often cannot be implemented. In addition, the systems with life cycles of 30 and more years usually only have a low level of security. Therefore, inter alia the interest group for automation technology in the process industry (NAMUR) with the NAMUR Open Architecture (NOA) set the goal of making production data easily and securely usable for system and device monitoring (monitoring) and for optimization - and that also for existing systems (brownfield).

2. Effective cyber protection for well-isolated systems

One of the key questions of current automation strategies is how well isolated systems can be protected from unauthorized access. The NAMUR initiative proposes a secure one-way channel for the direct transfer of process data, in addition to the existing automation structures. The data can be transmitted on this second channel without any retroactive effects.

"It must be ensured that there is no unwanted and uncontrolled feedback from the second communication channel that would change the primary communication or the primary systems in any way," according to the NAMUR specification. A diode is supposed to ensure the security of the data transfer, which prevents unwanted and uncontrolled feedback.

To date, fiber optic diodes have been used to connect data to isolated systems. However, fiber optic diodes have disadvantages. Even with multiple transmissions, there is no guarantee that the sent data will be received correctly and completely. In addition, the data throughput is very low, as there is no information from the recipient about the possible bandwidth of the data connection. After all, the use of fiber optic diodes is often associated with high costs.

3. Safe, industrial-grade data diode with hardened protective functions

The cyber-diode data diode enables secure one-way data transfer by using several complementary security measures (defense in depth). The industry-standard security hardware is supplemented by hardened software (security appliance). With components that are kept simple and functionality that is as simple and easily verifiable as possible, cyber-diode offers the smallest possible attack surface.

Core component L4 microkernel

The L4 microkernel divides the hardware into different isolated areas: the black side (genuscreen black) for data extraction, the red side (genuscreen red) for data provision and the "One Way Task" for forwarding the data from black to red. The black and the red side of the diode are two virtualized separate devices with their own, specially hardened OpenBSD operating system. Both genuscreens are based on certified and approved products.

Hardened operating system

The minimalistic and hardened OpenBSD operating system of the genuscreen devices and the minimalistic microkernel are reduced to the bare minimum with just a few lines of code compared to the millions of lines of code of a standard operating system and thus offer the smallest possible attack surface.

Highly secure boot process

The system can only be booted using signed software with a code that cannot be changed (Secure Boot). The signature of the kernel and the software is checked during the boot process.

One-way data transfer

The "One Way Task" has only one task. Thanks to a secure communication mechanism of the microkernel, it transmits the data in only one direction to the red side.

Microkernel and genuscreen components based on BSI-approved products

The safe diode function is additionally protected by a firewall on the black and red side. The data transfer is encrypted using the VPN functions of the genuscreen technology. The components in cyber-diode meet the highest security requirements and are based on the core capabilities of sister products that are certified according to Common Criteria (CC) EAL 4+.

Hardened protective function

With its staggered security measures, the system design ensures that the protective functions can neither be switched off nor changed due to configuration errors (security by design). This prevents security gaps caused by third-party software or a modified operating system. This means that even complex cyber attacks do not find any points of attack.

State of the art

cyber-diode corresponds to the current level of development of security technology (state of the art) and is approved in the technically similar version as vs-diode by the BSI for use up to the high level of secrecy "SECRET".

4. A data diode with delivery guarantee

In contrast to fiber optic diodes, cyber-diode enables a delivery guarantee.

Confirmation bit

At the end of the data transfer, a status message is transmitted via a limited feedback channel. The receiver reports back to the sender whether all data has been received correctly and completely. This feedback only consists of a status bit (ok / not ok).

Delivery guarantee

The status bit confirms that the receiver or the red side of the diode has received the data (guaranteed delivery).

Maximum transmission speed

The delivery guarantee enables a maximum transmission speed or a technically maximum throughput. cyber-diode allows a transmission rate of up to 1 Gbit / s, for TCP up to 400 Mbit / s are possible.

Supported protocols

cyber-diode supports the OPC UA, FTP, SMTP, TCP, UDP and Syslog protocols.

Logging information

The syslog data for connection establishment and data flow can be used for evaluation by a higher-level monitoring system or by a SIEM system.

Central Management Station

Companies that are already using other genua components can manage them together with cyber-diode from one place.

5. Support of the Industry 4.0 protocol OPC UA

The data diode cyber-diode supports the Industry 4.0 protocol Unified Architecture (OPC UA) for data export. Since OPC UA requires bidirectional communication between client and server, an OPC UA client was implemented in the diode on the black side and an OPC UA server on the red side.

Open standard

OPC UA is an open standard for the exchange of machine data. He supports z. For example, secure, reliable, manufacturer and platform-independent communication in systems in the manufacturing and process industries.

Field level up to the cloud

OPC UA can be used for the data connection of sensors and actuators from the field level to the cloud, regardless of the previous restrictions of the classic automation pyramid.

VPN encrypted

With the VPN appliance genuscreen, cyber-diode supports the encrypted transmission of machine data via its own virtual private network (VPN) using Internet Protocol Security (IPSec). This protects all communication against unauthorized access. This also applies to internal communication, for example between different security zones in the network. In addition, nobody can eavesdrop on, modify or re-import the data traffic.

6. Commitment to current automation requirements

With cyber-diode as an industrial data diode, the communication restrictions of traditional automation structures are overcome. Machines, plants and IT systems in general can send data to the outside world via insecure networks without their integrity being endangered. Critical zone and domain transitions are protected without feedback. Cyber-diode is also suitable for one-way data transfers between different security zones within a production network.

This means that the current possibilities can be used that are offered by the industrial Internet of Things (IIoT), Industry 4.0 and diverse cloud applications from data analytics to digital twins.

Applications for monitoring and process optimization are no longer tied to proprietary protocols thanks to the OPC UA data transfer. They become easier and cheaper. According to the NAMUR initiative, the core process automation (Core Process Control, CPC) in the process industry can remain largely unaffected in order to make Industry 4.0 innovations available in old systems as well.

Image source: © 胜 张 - stock.adobe.com