One-way / data diode / unidirectional technology is a powerful security control. It’s physics, rather than software so it can’t be hacked. It will only allow information to flow in one direction. When one-way is set up at a security perimeter it can allow communication out of an OT zone, e.g. historical data, reports, email notifications and screen shares, and still prevent any communication coming from the outside into the OT Zone via this pathway. If you have a one-way device as the sole communication path between your OT zone and your IT zone, there is no way a cyber attack from IT can reach OT directly from the IT zone.
Why is this powerful one-way security control not used almost everywhere on the OT security perimeter? The benefits are not viewed as being worth the limitations in most cases.
Remember the last time you had to drive 15 miles per hour (mph) through a school zone. One where you saw the police officer and actually went that slow. It was hard to drive at 15 mph or less even when you were focusing on it.
We know that we would dramatically reduce traffic fatalities if everyone drove at a maximum speed of 15 mph. Almost all people decide that the benefit of reduced driving time and ability to go farther are worth the increased risk of driving much faster than 15 mph. We have deployed seatbelts, airbags, and our driving skill to reduce the risk to a level individually we accept.
It’s the same with our OT security perimeters. Companies accept the added risk of allowing network traffic from IT into the OT zone even though they know it increases the likelihood of compromise. They put in advanced firewalls, perimeter monitoring and other controls to reduce, but not eliminate the added likelihood of compromise. The business cases and benefits of two-way communication between OT and other networks are increasing, and this means the locations where one-way makes sense will be reduced.
One-way still has a place in your OT strategy, see earlier article. If you only need to send data in one direction, why are you deploying a firewall and accepting this unnecessary increase in risk? Are all of the existing two-way communications worth the increased risk? Did you simply capture the existing communication and turn it into a firewall ruleset? Consider and answer these questions.
The OT one-way product market size will both increase in gross revenue and decrease in percentage of deployed OT perimeter security solutions. The reason: we are still in the early adopter phase of OT security.