Harnessing the power of multi-scanning and data diodes

User convenience and uncompromising security at the same time? Impossible? Not when uniting multi-scanning with data diodes, writes Sertan Selcuk, VP of Sales, Middle East, Turkey, Africa, and Pakistan, at OPSWAT.

As the GCC invested in the infrastructure of tomorrow, it did so with confidence, adopting the latest and greatest advances on the technological stage to build enviable knowledge-based societies. While these success stories were being written, telecoms and critical utilities were not the targets of the average threat actor. And even when businesses connected themselves to the internet, anything critical was locked away, screened from the outside world in air-gapped safety bubbles.

Not so today. Where critical infrastructure — ICS, OT, SCADA — used to be managed by dedicated teams that had little, if any, crossover with IT, the region’s industrial organisations have now taken IIoT to heart and are merging OT and IT. What used to be isolated is now part of an expanding and increasingly complex ecosystem of data, machinery, remote endpoints, clouds, and more. So that leaves the industry with a problem. It must juggle a need for absolute security with the tempting efficiencies offered by cloud-connected technologies, all while remembering that the IT-OT merger offers a tempting menu of attack paths for adversaries as data flows in and out of the environment with unprecedented freedom.

In response to this emerging risk, I propose a solution in two parts. First is the data diode, which solves the challenge of moving files, patches and software updates from IT to OT. Diodes allow data to enter a secure network but not to leave it. A pair of dedicated servers — a receiver and a sender — deliver this security. There is no communication between them and fibre-optic cables guarantee unidirectional transmission, eliminating the possibility of covert communication from inside the critical environment.

Many Pluses

While diodes are very good at controlling access, functional security requires being able to examine data content to detect threats. Diodes guard the in-roads and out-roads, but we need other technology to determine the nature of data in both directions, as well as the trustworthiness of the storage media on which it resided before being introduced to the secure environment. Zero-trust multi-scanning is the second part of the solution, and it is very powerful when combined with data diodes. It brings simultaneous analysis through multiple AV engines, improving detection and reducing dwell times.

Diodes admit data to the critical network and do not let it leave, which is very useful when managing critical infrastructure. They allow updates and other legitimate files in, but multi-scanning agents check for nefarious content before these files pass through the diode. Any found to contain threats, or that do not fit the criteria defined by security policy, are not admitted.

When moving data from OT to IT, operators are less concerned about sensitive data leaving than they are about malicious content entering. Failure of critical infrastructure brings costs that go way beyond monetary impact, to health and safety. Effective management of such systems calls for only designated outbound data, such as log files, to be passed to less secure networks. Multi-scanning can check the file type of these files before they pass through the diode and leave the network, so by combining multi-scanning with data diodes, we also cover outbound traffic and prevent the spread of dangerous content from one network to another, while ensuring outbound files comply with security policy.
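The gate described in the two passages above (multi-engine verdicts, type check against policy, direction-aware allowlist) as an added illustration; this is not OPSWAT code. The policy sets, magic-byte table, engine names and sample transfers are all constructed assumptions, and engine verdicts are supplied as input because real AV engines cannot be bundled here.

```python
from dataclasses import dataclass

# Which content types may cross the diode in each direction (constructed policy;
# the article's examples: patches and updates inbound, log files outbound).
POLICY = {
    "IT_TO_OT": {"zip", "pdf"},
    "OT_TO_IT": {"log"},
}
MIN_ENGINES = 3  # fail closed if fewer engines actually reported a verdict
MAGIC = {"zip": b"PK\x03\x04", "exe": b"MZ", "pdf": b"%PDF-"}  # signatures (subset)


@dataclass
class Verdict:
    engine: str      # name of the scanning engine (constructed)
    malicious: bool  # True if that engine flagged the file


def detect_type(data: bytes) -> str:
    """Classify by content, not by the name the sender chose."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    # printable text (with line breaks) is treated as a log file
    return "log" if all(c.isprintable() or c in "\r\n\t" for c in text) else "unknown"


def gate(filename: str, data: bytes, direction: str, verdicts: list) -> tuple:
    """Return (admitted, reason). Any single failing check blocks the file."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    if actual != claimed:
        return False, f"type mismatch: named .{claimed} but content is {actual}"
    if actual not in POLICY.get(direction, set()):
        return False, f"{actual} not permitted for {direction}"
    if len(verdicts) < MIN_ENGINES:
        return False, f"only {len(verdicts)} engine verdicts, need {MIN_ENGINES}"
    flagged = [v.engine for v in verdicts if v.malicious]
    if flagged:
        return False, "flagged by " + ", ".join(flagged)
    return True, "admitted to diode"


# Constructed sample verdict sets from three engines
CLEAN = [Verdict("engine-a", False), Verdict("engine-b", False), Verdict("engine-c", False)]
ONE_HIT = [Verdict("engine-a", False), Verdict("engine-b", True), Verdict("engine-c", False)]
if __name__ == "__main__":
    print(gate("patch.zip", b"PK\x03\x04rest", "IT_TO_OT", CLEAN))
```

A file is blocked when any one engine flags it, when fewer engines than expected report back, or when its content does not match the type its name claims, so the diode only ever carries traffic the policy explicitly permits.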

Better together

The introduction of data through unscreened media like USB drives presents a risk to any network. Malicious code can be hidden in firmware, which is an effective method for avoiding detection. This is why many organisations — especially those that operate critical infrastructure — have banned thumb drives and other external media. One way to combat this risk is through multi-scanning. Instead of connecting external media directly, files can be scanned and the clean ones passed to the diode. Security teams can take the further step of disabling external media ports on secure systems to enforce this policy.

When combined, multi-scanning and data diodes become a potent force that provides unique options for securing critical networks. The regional threat landscape is heating up, with both the volume and sophistication of attacks on the rise. Diodes guarantee a predictable route for all content and make security policy easier to enforce, eliminating the possibility of employees skipping over policy, whether as a shortcut, by mistake, or for less innocent reasons. Meanwhile, with one path in and one out, multi-scanning mitigates potential threats.

The advent of IIoT is a gift not to be ignored by the region’s heavy industry. But to operate viably within Industry 4.0 parameters, where OT and IT merge, data flows between separate networks must be trusted. At the same time, traditional workarounds can lead to a loss in productivity that threatens to cancel out any gains made from IIoT.

Combining data diodes and multi-scanning would prevent the waste of so much time and effort on the part of users and systems administrators. They bring a new order of convenience, blended with uncompromising security — two things that normally are not found together. The result is a safe, efficient environment — in other words, the core mission of critical infrastructure organisations.