
Cybersecurity of Water Infrastructure with Data Diodes

Digital tools have changed the water industry, making remote access to data and critical instruments a part of everyday work. Yet the convenience offered by remote access comes with an increased cybersecurity risk for control systems. The options for remote access and cybersecurity have gotten so complex and the threats so sophisticated that IT and OT teams struggle to keep up with the latest developments.

At Fend, we’ve been working with GZA, MCPlus and others to limit that risk and reduce technological complexity through the use of data diodes, which send data in only one direction and physically block hackers, but allow protected actionable data out for immediate analytics.

If you are like most organizations in the water industry, you probably fall into one of two categories:

  1. You live with air gaps: disconnected systems that offer protection through isolation, at the cost of real-time insight into system performance and the added expense of “sneakernet” data collection.
  2. You use firewalls and intrusion detection systems to protect connected equipment and OT systems, which require constant patching and updating to keep up with ever-evolving threats.  

A data diode combines the security of an air gap (no physical inbound pathway) with many of the benefits of connected equipment (remote monitoring and outbound data). 

What Is A Data Diode, And How Does It Support Water Security?


A typical internet connection goes in both directions: Your devices are in constant communication with your network nodes, sharing information back and forth. However, this also creates multiple points of access for nefarious actors.

An attack can be executed by accessing an enterprise network through publicly facing websites/domains or with equipment attached to radio towers, routers, and other nodes. Capably engineered attacks may not even register until it’s too late. Any time an inbound connection from the outside world can reach critical equipment, that equipment is at risk.

Alternatively, when you connect a data diode to a sensitive piece of infrastructure, it only communicates data out, using light, which prevents any inbound transmission. A data diode is like a gateway that only works in one direction, eliminating the possibility of inbound threats using physics, not software, to keep you safe.  

The Cybersecurity & Infrastructure Security Agency recently issued guidance on how water and wastewater systems can take action to protect against malicious cyber activity. One-way communication diodes were recommended for securely segmenting IT and OT networks.  

Fend data diodes can be used by the water industry to:

  • Send files from one domain to another using one-way FTP functions. 
    • Extraction from data loggers
    • Historian data backups 
    • Automated database replication
  • Monitor new and legacy equipment from anywhere.
  • Bridge OT and IT networks.
    • Transmit a stream of data points
    • Visualize time-series data
    • Receive alerts
  • Safely open the door to the cloud
    • Monitor industrial network traffic and send relevant data to the cloud

Diodes are ideal for protecting equipment that needs to be monitored remotely, but should only be accessed manually on-site.
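
Because a diode has no return path, the receiving side cannot acknowledge data or request a resend, so loss and corruption have to be detected from the stream itself. The sketch below is an added example, not Fend's code or protocol: the frame layout, function names and sample readings are assumptions constructed for illustration.

```python
import struct
import zlib

# Assumed frame layout (not a Fend format):
#   4-byte sequence number | 2-byte payload length | payload | 4-byte CRC32
HEADER = struct.Struct(">IH")
TRAILER = struct.Struct(">I")

def encode_frame(seq: int, payload: bytes) -> bytes:
    body = HEADER.pack(seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))

def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupt."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    body = frame[:-TRAILER.size]
    (crc,) = TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

class OneWayReceiver:
    """Receive-side bookkeeping; it never sends anything back to the source."""
    def __init__(self):
        self.expected = 0    # next sequence number we expect
        self.accepted = []   # (seq, payload) pairs that passed the CRC check
        self.missing = []    # sequence numbers skipped over (lost or rejected)
        self.rejected = 0    # frames that failed the integrity check

    def feed(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        if seq < self.expected:          # duplicate or late frame: ignore
            return
        self.missing.extend(range(self.expected, seq))  # record the gap
        self.accepted.append((seq, payload))
        self.expected = seq + 1

def run_demo() -> OneWayReceiver:
    # Constructed sample readings; tag names are hypothetical.
    readings = [b"tank1_level_ft=12.4", b"pump3_amps=41.0", b"cl2_mgL=1.1", b"flow_mgd=7.9"]
    frames = [encode_frame(i, r) for i, r in enumerate(readings)]
    frames[1] = frames[1][:-1] + bytes([frames[1][-1] ^ 0xFF])  # corrupted in transit
    rx = OneWayReceiver()
    for f in (frames[0], frames[1], frames[3]):  # frame 2 is lost entirely
        rx.feed(f)
    return rx
```

The gap list is what the enterprise-side historian would alarm on or backfill by other means, since nothing can be requested across the diode.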

Who Uses Fend's Data Diodes?

Fend data diodes have been deployed across a range of defense, industrial, energy, and water systems, including at a water utility in the Mid-Atlantic region supporting nearly 2 million customers, which relies on our diodes to pull real-time data from the operational SCADA historian to a duplicate SCADA historian on the enterprise side. The duplicate allows the utility to perform analysis and share data without giving up access to their control systems.

The Fend data diode has successfully withstood simulated remote attacks in penetration testing conducted by the US Army’s Threat Systems Management Office (TSMO), the US Navy’s Naval Facilities Engineering Command (NAVFAC), and the National Cyber Range. 

Ease Of Use

Since diodes are physical cybersecurity solutions that don’t rely on software for security, data diodes don’t need to be patched and once deployed can be left in place indefinitely. This reduces operational maintenance costs and downtime.

 

With Fend's data diodes and optional cloud service, operators can use automated analysis tools while keeping a human in the loop when it comes to systems control.

Fend diodes:

  • Can be easily configured on site. Configuration is a matter of connecting to the diode to set the communications channel and the protocol mode and to enter network-specific configuration details like IP addresses. Configuration can be done in under an hour.
  • Support a range of protocols. Each diode is compatible with a number of standard protocols and can perform some protocol conversions (such as serial to TCP) onboard.
  • Are designed for industry. Rugged design and small form factor allow Fend diodes to live alongside the equipment they protect. 
  • Are made in the USA. Fend products are designed and manufactured in the USA.

Diodes are perfect for sharing information with external groups, allowing you to safely create public dashboards, give contractors and maintenance personnel useful real-time data, or quickly and efficiently offer access to state and federal authorities, in compliance with industrial cybersecurity standards.

As the need for data grows, security will only become a more pressing issue. Data diodes offer water and wastewater systems a way to provide real-time actionable data, while greatly limiting risk.

Learn more at https://www.fend.tech/water-security or contact the team below.