A small piece of hardware makes connecting devices to the cloud secure, affordable and thus suitable for the mass market. That is a big step for the industrial internet of things, where the highest possible security is crucial if its potential is to be completely exploited. A new data diode from Siemens makes it impossible for hackers to control systems over the Internet, an important criterion for operators of critical infrastructure.
by Sandra Zistl
In these times of massive digitalization and interconnection, the requirements to be met by operators of critical infrastructure have changed dramatically. Never before has it been so easy to collect and analyze data on the condition of systems such as rail networks, power grids and production facilities, for example in order to reduce downtime. But the flip side is the growing danger of attacks by hackers, who could gain access to data and systems because parts of the infrastructure are connected to the Internet or even to cloud platforms, and could thereby cause critical disruptions to rail traffic.
A new piece of hardware from Siemens is now opening up a full range of new cybersecurity possibilities. “Before now, it was not possible in this form to connect critical infrastructure via a cloud platform and offer new digital services,” explained Martin Wimmer, IT security expert in the global research department Corporate Technology (CT). “Together with us, the Mobility Division developed a hardware device which makes this secure and economically feasible.”
The little silver box that offers this new dimension of security is a data diode (Data Capture Unit, or DCU for short), which is roughly the size of an external computer hard drive. It is less than spectacular-looking, but holds enormous potential. The DCU securely connects a closed network with a storage medium, server or cloud platform by way of a unidirectional data channel. “That is like a one-way data street,” Wimmer said. “The diode allows us to look at the data flow and logs all operations. Whether or not an unauthorized person can see the data flow is usually not relevant to security in the intended application areas.” Take signal boxes, for example. In this case, the ability of hackers to read the data and determine the system’s condition does not impact the security of gates and switches. Since the diode is based on a physical principle and the data can only flow in one way, it is not possible to access it from the internet. This makes it possible to connect systems to the cloud.
Data diodes are already being used in areas in which data confidentiality is essential, including government agencies and the military. “However, the functioning of these devices is much more complex, which also makes them considerably more expensive,” said Matthias Seifert, who oversaw the cooperation leading to the development of the data diode at Siemens Mobility. “Moreover, the way the providers of these systems prove that they are secure is also complex. By contrast, the security of the DCU is comprehensible and demonstrable to anyone.” The Federal Railway Authority has already approved the new DCU. Now when German customers order a signal box from Siemens, this hardware allowing for a secure connection to the Internet of things is already installed. Seifert added: “Our DCU is much less expensive than what has been available in the market before now.” That is an essential criterion for a mass market product. In a first pilot installation in Belgium, for example, the operator of a rail network is using the DCU to monitor its track circuits through a connection to the cloud.
“We relied on a physical principle,” Seifert explained. “You hang the diode on a line and watch the signals go by.” This is done by means of inductive coupling with the line, he explained. “It is a semiconductor electronic device that can only read, but not write,” he explained further. “When I clamp it to a cable, I can read the power flow and extract the ones and zeros, so to speak.” The diode sends the data unidirectionally and operates as an “Ethernet tap” – a device that is used to monitor data signals but cannot alter them – in the customer’s system. It does not have its own IP address and cannot be located by third parties. Because it is protected against shocks, vibrations, temperature changes and electromagnetic oscillations, it is also perfectly suited for use in harsh environments such as train cars and factories.
According to Seifert, the installation is also remarkably easy: “The DCU can be latched onto any data transfer unnoticed and connected with an external evaluation system consisting of one or more computers. If the DCU is removed or turned off, this cannot be detected by the monitored system. The customer’s system continues to work totally normally.” For this reason, he is confident enough to say that the DCU can potentially also be used as an Intrusion Detection System (IDS), meaning the effective and controlled scanning of networks for abnormal or malicious activities, and as a Juridical Recording System (JRS), meaning data recording for legal purposes. “Depending on how much I add on upstream and downstream at the application level,” Wimmer added, “the integrity and confidentiality of data recording can also be guaranteed.”
Traditionally, networks in security-critical sectors are protected by firewalls or even by so-called “air gaps,” meaning that they are completely isolated data islands. Both solutions have their shortcomings. Air gaps – of the kind that are used in power plant networks, for example – do not allow any transmission of live data out of the network. Therefore, the potential of the existing abundance of data cannot be exploited. And firewalls are prone to misconfigurations and back doors. In the case of machines with strong communication capabilities and functional variability, for example, the filter rules of a firewall must be frequently checked and adapted because new cyber threats are always emerging.
The DCU is an example of how a specific solution for Mobility turned out to be a universal cybersecurity application that is vitally important for Siemens in the strategic implementation of digitalization. “Thanks to the data diode, users can not only make their contribution to secure, smart mobility, but also advance the digitalization of energy and industrial production,” said Mobility CEO Michael Peter.