Similar to head gaskets in modern automobiles, IT and OT networks perform very different functions and often require complete separation. In this post, we’ll cover why IT and OT networks are often separate, why they sometimes need to connect, and how data diodes and data guards can act like head gaskets to protect network security for critical infrastructure and industries when they do.
“Looks like you’ve got a blown head gasket.” Words you never want to hear from your mechanic. Why? The head gasket in an internal combustion engine performs two critical functions. First, it allows oil to pass through specific channels and openings to critical engine components that need lubrication to prevent seizing. Second, it allows coolant to flow through a different set of channels to allow heat to be pulled off the engine block and radiated out to prevent overheating. One very thin gasket sits in the middle of the engine block, controlling the flow of two very important liquids. But the most important role of this gasket is ensuring that the oil and coolant passing through NEVER mix. When they mix, major problems occur.
IT and OT Networks Don't Mix (Usually)
OT networks were not created with security in mind. They are designed for basic machine-level instructions (open this valve, turn that pump off). While this makes sensor and actuator functions extremely efficient and responsive, it also opens the door to malicious activity if threat actors gain access. IT networks, on the other hand, run many critical security functions to ensure sensitive information stays safe (DLP, EDR, FWs, etc.). However, these tools often put a burden on the systems running them. Generally speaking, most organizations don’t want these two networks to intermingle: IT network users shouldn’t have the ability to adjust manufacturing controls, and OT sensor data really doesn’t belong on the IT side of the house.
There are some exceptions, however. Executives may need a dashboard accessible from their laptops that shows plant status and overall performance of OT devices at a high level. In addition, there may be a need to transfer patches and software updates to the OT network side. These are often downloaded from the Internet to the local IT network, copied onto a CD or USB device, and physically walked into the facility housing the equipment to be updated. Long live sneakernet!
Crossing the Boundary Safely with Data Diodes and Guards
How can critical infrastructure companies protect both network systems, yet remain efficient in reporting and patching? Enter the one-way diode. Data diodes act like head gaskets: they keep OT data and IT data in their own separate channels, without allowing intermingling, while remaining connected to both networks. Need to move historian data to the IT side for reporting purposes? No problem. Pushing patches and software updates to the OT side from an IT computer? Again, no problem. Diodes provide automated, unidirectional data flows and can move tons of data at light speed (how many photons are in a metric ton?). This is accomplished by utilizing only the transmit portion of a fiber connection and disabling the receive portion, so packets can physically travel in only one direction. For bi-directional flows, pairs of diodes can be deployed to provide two independent one-way data streams.
If additional inspection or transformation capabilities are required, data guards can be deployed alongside diodes to provide defense-grade protection at scale. For example, admins may not want the IP address of their water treatment equipment to be sent over to the IT network, but they do need water treatment statistics and reporting information sent across. Guards can manipulate the data by obfuscating or changing the equipment’s IP information as it crosses the IT/OT boundary.
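As an added illustration (not code from the original post or from any vendor product), here is a minimal content-guard policy of the kind described above: it forwards only an allowlisted set of water treatment fields to the IT side and replaces the equipment IP with a keyed pseudonym, so the dashboard can still group readings per device without learning the address. The record layout, field names, sample values and key are constructed assumptions.

```python
import hmac
import hashlib
import ipaddress
from typing import Optional

# Constructed sample: records an OT historian might emit for the water
# treatment dashboard. The equipment IP is the field the guard must not pass.
OT_RECORDS = [
    {"equipment_ip": "10.20.30.40", "site": "plant-1", "tag": "chlorine_ppm",
     "value": 1.8, "ts": "2024-05-01T12:00:00Z"},
    {"equipment_ip": "10.20.30.41", "site": "plant-1", "tag": "flow_m3h",
     "value": 120.5, "ts": "2024-05-01T12:00:00Z", "debug_cmd": "reboot"},
    {"site": "plant-1", "tag": "turbidity_ntu", "value": "not-a-number"},
]

# Fields the IT dashboard may receive, each with the type it must have.
ALLOWED = {"site": str, "tag": str, "value": (int, float), "ts": str}
# Hypothetical guard key; a real guard would keep this in protected storage.
PSEUDONYM_KEY = b"constructed-guard-key"

def pseudonymize_ip(ip) -> str:
    """Replace a real equipment IP with a stable, non-reversible token."""
    addr = str(ipaddress.ip_address(ip))  # ValueError if not actually an IP
    digest = hmac.new(PSEUDONYM_KEY, addr.encode(), hashlib.sha256).hexdigest()
    return "dev-" + digest[:12]

def guard_record(record: dict) -> Optional[dict]:
    """Return the sanitized record to forward, or None to drop it."""
    out = {}
    for key, val in record.items():
        if key == "equipment_ip":
            out["device"] = pseudonymize_ip(val)
        elif key in ALLOWED and isinstance(val, ALLOWED[key]):
            out[key] = val
        else:
            # Unknown field or wrong type: drop the whole record rather than
            # silently strip, since it may signal a malformed or tampered source.
            return None
    if not all(k in out for k in ("device", "tag", "value")):
        return None
    return out

def guard_stream(records):
    """Apply the policy to every record; returns (forwarded, dropped_count)."""
    forwarded = [g for g in (guard_record(r) for r in records) if g is not None]
    return forwarded, len(records) - len(forwarded)
```

Of the three constructed records, only the first crosses the boundary: the second carries a field outside the allowlist and the third has no device identifier and a non-numeric value.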
Connect the Unconnectable
Critical infrastructure companies are under heightened scrutiny and pressure to ensure their OT networks are protected from threat actors. Nation-state APT groups are constantly trying to gain access to both monitor and control devices at the machine level. Review the US Maritime Advisory 2024-002 for more details on what these actors are capable of and for recommendations on ways to mitigate and reduce risk. Network segmentation is a key element of protecting data and traffic flows. Data diodes and guards are purpose-built to handle the challenges of today’s IT/OT needs, allowing administrators to “connect the unconnectable.”
Daryl Crook
Senior Sales Engineer
Daryl Crook has worked on both the vendor and customer side, managing 65,000 endpoints in 180 countries, building managed storage offerings and focusing on providing the best solutions. Daryl has helped investigate insider risks for over 10 years and has spent the last few years focused on Cross Domain protection for Critical Infrastructure and Regulated Industries. Daryl loves to learn, whether it’s new technology or rebuilding an engine or transmission; he recently rewired his camping trailer to give him more off-grid time.