Objective
Managers of facilities and equipment across the Department of Defense (DoD), energy infrastructure, water treatment, and other critical sectors need real-time control systems that interface with remote monitoring environments or the industrial internet of things. The connectivity that makes these advancements possible has traditionally opened the door to attackers who would steal data, inject ransomware, and modify or destroy equipment. The economic and mission benefits of real-time monitoring are great enough that operators continue to bring this equipment online with defenses borrowed from the information technology world that are not well-suited to operational technology environments: firewalls require patches and updates, protect only against known threats, and prepare the user for yesterday's war; software and intrusion-detection systems alert operators only after an attacker may have already caused irreparable harm to an industrial system.
The objective of this project was to demonstrate that Fend Incorporated’s low-cost, easy-to-install data diode provides the security of an air gap between high-security and low-security networks while increasing the accessibility and quantity of data to managers across DoD in order to enhance energy and water management and operational efficiency. To ensure the product can achieve this goal, the project focused on the following specific performance objectives:
- Complete isolation of protected equipment
- Uninterrupted equipment operation
- Interoperability with various equipment
- Ease of installation
- Data transmission to desired network location
- Cost performance
Technology Description
Fend’s next-generation data diode is a low-cost device that provides physically-enforced one-way data transfer while removing the need for extensive on-site configuration. On-board processors enable the data diode to communicate with protected equipment using common protocols and communicate this information to an on-site network or cloud service. Fend’s data diode would serve the unmet needs of critical infrastructure managers across DoD by quickly enabling secure access to equipment data.
To test the objectives listed above, the project team, including Fend and the United States Army Corps of Engineers Engineer Research and Development Center, Construction Engineering Research Lab, performed and oversaw tests that fell into two main categories: functional tests and cybersecurity tests. This evaluation involved sending data from a variety of controller types using several common industry protocols. Long-term tests required data collection from running building systems to test reliability and accuracy. Cybersecurity testing included reverse direction penetration tests.
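Because a data diode has no return path, the sending side can never learn that a frame was lost, so reliability has to be designed into the one-way stream itself. The model below is an added illustration of that design consequence, not Fend's firmware or the project's test harness: the protected (high) side numbers each reading and sends it twice, and the monitoring (low) side deduplicates repeats and records sequence gaps instead of requesting a resend. The meter readings and the dropped-frame sets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    seq: int          # monotonically increasing, assigned by the high side
    payload: bytes    # e.g. a serialized meter reading (constructed sample)

class HighSideSender:
    """Sits on the protected equipment side of the diode. With no return
    path it can never be told about loss, so every frame is numbered and
    transmitted `repeats` times (assumed redundancy scheme)."""
    def __init__(self, repeats: int = 2):
        self.seq = 0
        self.repeats = repeats

    def emit(self, payload: bytes) -> list:
        frames = [Frame(self.seq, payload)] * self.repeats
        self.seq += 1
        return frames

class LowSideReceiver:
    """Sits on the monitoring network. It discards duplicate copies and
    logs any sequence gap as a loss event; it has no way to ask for a resend."""
    def __init__(self):
        self.expected = 0
        self.readings = []
        self.gaps = []

    def ingest(self, f: Frame) -> None:
        if f.seq < self.expected:      # redundant copy of a frame already taken
            return
        if f.seq > self.expected:      # frames expected..f.seq-1 never arrived
            self.gaps.append((self.expected, f.seq - 1))
        self.readings.append(f.payload)
        self.expected = f.seq + 1

def one_way_transfer(readings, drop=frozenset()):
    """Push readings across the link. A frame whose (seq, copy_index) is in
    `drop` is lost in transit. Returns (delivered payloads, gap list)."""
    tx, rx = HighSideSender(), LowSideReceiver()
    for r in readings:
        for copy_index, f in enumerate(tx.emit(r)):
            if (f.seq, copy_index) not in drop:
                rx.ingest(f)
    return rx.readings, rx.gaps

if __name__ == "__main__":
    sample = [b"kWh=100", b"kWh=101", b"kWh=102"]   # constructed readings
    print(one_way_transfer(sample, drop={(1, 0), (1, 1)}))
```

Losing one copy of a frame costs nothing; losing both copies shows up on the low side as a recorded gap, which is the kind of reliability and accuracy evidence the long-term tests were collecting.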
Demonstration Results
The functional tests showed that the diode was able to successfully send files and streams of data in a variety of common protocols, enabling the collection of facility performance data in an efficient manner. Cybersecurity testing showed the data diode’s ability to block malicious data transmissions and withstand outside attacks. The following table summarizes results by objective:
These results show both the capabilities and limitations of the current state of this technology. Several common communication standards can be accommodated, but some projects may require additional equipment and effort to convert data into a supported format. Some data-intensive projects may exceed the transmission bandwidth of these devices. Data diode technology may not be appropriate for system designs requiring a two-way connection.
Collection of performance data under an energy savings performance contract is often done through physical retrieval of hard drives. This process can cost thousands of dollars in travel and labor and result in stale data that may be six months old. A continuous stream of data sent through a data diode could be obtained for less than the cost of one business trip.
When compared to other methods of data acquisition, these next-generation data diodes can be economically attractive on a cost basis alone. For technologies with substantial annual costs, attractive paybacks can be achieved by switching to a diode at any point in the incumbent technology lifecycle. In other cases, where no data acquisition technology is currently installed, the project team calculated breakeven use cases, which resulted in fairly short breakeven periods.
Implementation Issues
For applications where a one-way stream of information would satisfy the technical requirements of a facility management approach (e.g., equipment status monitoring), this class of industrial data diode can prove to be a secure, cost-effective option relative to manual data collection or data transfers using physical media. These devices have the potential to open the door to Federally-approved, cloud-based tools that make use of predictive analytics and machine learning. By providing access to information that was previously locked behind an air gap, this next generation of data diodes can enable facility staff to achieve greater operational efficiency and resilience.