
SDN-Enabled Virtual Data Diode

  • Conference paper in Computer Security (SECPRE 2018, CyberICPS 2018)

Abstract

The growing number of cyber-attacks targeting critical infrastructures, as well as the effort to ensure compliance with security standards (e.g. Common Criteria certifications), has pushed for Industrial Automation Control Systems to move away from the use of conventional firewalls in favor of hardware-enforced strict unidirectional gateways (data diodes). However, with the expected increase in the number of interconnected devices, the sole use of data diodes for network isolation may become financially impractical for some infrastructure operators.

This paper proposes an alternative that leverages Software Defined Networking (SDN) to virtualize the data diode. Besides presenting the proposed approach, it reviews existing data diode products and surveys several SDN-based strategies designed to emulate the same unidirectional functionality. The proposed solution was evaluated by means of a prototype built on top of a distributed SDN controller and designed for multi-tenant network environments. This prototype, developed with a focus on the performance and availability quality attributes, is able to deploy a virtual data diode in the millisecond range while keeping data plane latency to minimal values.



Acknowledgements

This work was partially funded by the ATENA H2020 Project (H2020-DS-2015-1 Project 700581) and Mobiwise P2020 SAICTPAC/0011/2015 Project.

Author information

Corresponding author: Tiago Cruz


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

de Freitas, M.B., Rosa, L., Cruz, T., Simões, P. (2019). SDN-Enabled Virtual Data Diode. In: Katsikas, S., et al. (eds.) Computer Security. SECPRE 2018, CyberICPS 2018. Lecture Notes in Computer Science, vol 11387. Springer, Cham. https://doi.org/10.1007/978-3-030-12786-2_7

  • DOI: https://doi.org/10.1007/978-3-030-12786-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12785-5

  • Online ISBN: 978-3-030-12786-2

  • eBook Packages: Computer Science (R0)
