SDN-enabled virtual data diode
Authors
Abstract
The growing number of cyber-attacks targeting critical infrastructures, as well as the effort to ensure compliance with security standards (e.g. Common Criteria certifications), has pushed for Industrial Automation Control Systems to move away from the use of conventional firewalls in favor of hardware-enforced strict unidirectional gateways (data diodes). However, with the expected increase in the number of interconnected devices, the sole use of data diodes for network isolation may become financially impractical for some infrastructure operators. This paper proposes an alternative, designed to leverage the benefits of Software Defined Networking (SDN) to virtualize the data diode. Besides presenting the proposed approach, a review of data diode products is also provided, along with an overview of multiple SDN-based strategies designed to emulate the same functionality. The proposed solution was evaluated by means of a prototype implementation built on top of a distributed SDN controller and designed for multi-tenant network environments. This prototype, which was developed with a focus on performance and availability quality attributes, is able to deploy a virtual data diode in the millisecond range while keeping the latency of the data plane to minimal values.
Keywords
Data Diode, Unidirectional gateways, Software Defined Networks, Industrial and Automation Control Systems.
Related Project
H2020 ATENA (Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures)
Conference
4th ESORICS Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS 2018), September 2018
PDF File
DOI
Cited by
Year 2020: 1 citation
D. Pliatsios, P. Sarigiannidis, T. Lagkas and A. G. Sarigiannidis, "A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics," in IEEE Communications Surveys & Tutorials. April 2020. DOI: 10.1109/COMST.2020.2987688
Year 2019: 1 citation
Aasen, Øyvind, "Using Bi-directional Data Diodes to Limit Propagation of Network Attacks", MSc Thesis, Norwegian University of Science and Technology, Faculty of Information Technology and Electrical Engineering - Department of Information Security and Communication Technology. July 2019. Available at: http://hdl.handle.net/11250/2617747