Building Your own Data Diode with Open Source Solutions

Introduction

In the final part of our three part series on data diodes:

Part 1 - Defending Industrial Control Systems with Data Diodes

Part 2 - Data Diodes and Security in the Real World

Part 3 - Building Your own Data Diode with Open Source Solutions

we will investigate the possibility of creating your own data diode from readily available parts and open source software solutions.

Originally designed by government organizations to protect top secret information, data diodes are still most commonly used in applications requiring the highest level of security, such as state secret protection, banking or battlefield uplinks. In recent years we have seen an increasing demand for data diodes in the world of industrial control and automation to protect critical infrastructure, due to the simple and virtually impenetrable nature of these devices.

Strength in simplicity

The strength of a Data Diode is in its simplicity. At the core of all data diodes is a simple duplex fiber optic connection (fiber optic connections often have a dedicated send and a dedicated receive fiber strand) with either the send or the receive fiber disconnected. Severing one of the physical fiber connections makes it physically impossible to send data in that direction.

Figure 1 – Fiber Optic Patch Cable link at the Heart of a Data Diode

How to roll your own data diode

If you were to crack open a typical data diode you would see it is simply made up of two mini-PCs with a fiber optic link running between them. There are dozens of patents around variants of data diodes and data diode software. For example, there is a patent for a data diode that only uses a single computer to handle both ends of the connection (which seems less secure to me). A fiber link between two computers is far too simple a concept to patent, so you won’t end up in court for creating a data diode in this configuration. Now let’s step through the process of creating our own data diode.

Step 1 – Purchase two computers

It is important to find a small form factor computer that supports a PCI-Express card, since each of our two (reverse) proxy servers will host one of the fiber optic PCI-Express cards. For most industrial applications I would purchase a couple of fan-less industrial PCs with solid state drives that can be stored in a locked computer panel box or server room. For the purposes of our proof of concept I will purchase two low cost PCs:

  • Slim barebones PC with a PCI-Express card slot
  • Solid state hard disk drive
  • 2 GB of memory
  • i5 processor
  • An integrated Ethernet card (standard on these PCs), which we will plug our network connection into

2 x – Barebones PC with PCI-Express card slot – $600.00 each

Figure 2 – Two Bare Bone Mini-PCs for our homemade data diode

Step 2 – Purchase two fiber optic PCI-Express cards

If you don’t have experience with fiber optic networks you need to be aware of the many standards and modes that are available. It is critical that you select fiber optic cards and a patch cable that are all compatible with each other. I have selected multi-mode “Fiber-to-the-desk” PCI-Express cards with ST connectors, which make it very easy to disconnect one of the fiber links.

2 x – Gigabit Ethernet Multi-Mode ST Fiber Card 1000Mbps PCI-Express – $200.00 each

Figure 3 – Two PCI Express Fiber Optic ST Cards for the Fiber Optic Link in our do-it-yourself Data Diode

Step 3 – Purchase a fiber optic patch cable

I have found a suitable multi-mode fiber patch cord with male connectors on each end:

3m Multi-Mode 62.5/125 Duplex Fiber Patch Cable ST – ST – $12.00

Figure 4 – The heart of our handcrafted unidirectional gateway is the ST Fiber Optic Patch cable

Step 4 – Install a Secure Operating System on the PCs

I prefer to use OpenBSD because it is free, open source, ultra-secure out of the box, and I have friends here in Calgary who are OpenBSD gurus.

Figure 5 – openBSD is a secure open source OS choice for our homegrown data diode

Step 5 – Configure your Reverse Proxy

Depending on the data you want to replicate, you can configure an open source reverse proxy such as nginx (engine x) and use your database’s web services to replicate the data.

Figure 6 – The open source reverse proxy for our hand crafted data diode is nginx (engine x)

Step 6 – Disconnect one of the fiber optic ST connectors

Once you have your two proxy servers configured and communicating with each other, you can simply disconnect one of the two fiber ST connectors. You will likely need to spend time properly configuring your reverse proxy servers to relay the information correctly, and you will need to write some scripts in your database to perform the continuous data replication.

Figure 7 – Our completed home brew data diode configuration
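One point to keep in mind when writing the replication scripts for Steps 5 and 6: once a fiber strand is pulled, nothing can flow back to the sender, so TCP (which needs acknowledgements) cannot complete a connection across the link. The relay therefore has to run over a connectionless transport such as UDP, with the sender transmitting blindly and the receiver detecting loss and corruption on its own. The Python sketch below is an added illustration of that shape; it is not code from the original article, from OpenBSD or from nginx. It frames a payload (for example an export pulled from the database’s web services) with sequence numbers, per-frame CRC-32 checks and a whole-payload SHA-256, and a receive-side reassembler that tolerates duplicates and reordering and reports gaps instead of requesting retransmission. The frame layout, port number and sample data are all constructed for this example.

```python
"""Sketch of a one-way UDP replication relay for a DIY data diode (added example)."""
import hashlib
import socket
import struct
import threading
import zlib

# Constructed frame layout for this example (not a standard diode protocol):
#   magic (4s) | transfer_id (I) | seq (I) | total (I) | payload CRC-32 (I) | payload
HEADER = struct.Struct("!4sIIII")
MAGIC = b"DIOD"
MAX_PAYLOAD = 1024  # keep well below the fiber link MTU in a real deployment


def encode_frames(transfer_id, data, chunk=MAX_PAYLOAD):
    """Split one payload into self-describing frames.

    Frame 0 carries the SHA-256 of the whole payload; frames 1..n carry the data.
    Every frame repeats transfer_id and the total count, so the receiver can
    detect gaps without any message flowing back across the link."""
    digest = hashlib.sha256(data).digest()
    body = [digest] + [data[i:i + chunk] for i in range(0, len(data), chunk)]
    frames = []
    for seq, payload in enumerate(body):
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        frames.append(HEADER.pack(MAGIC, transfer_id, seq, len(body), crc) + payload)
    return frames


class Reassembler:
    """Receive-side state for a link with no return path: duplicates and
    reordering are harmless (frames are keyed by seq), corrupt frames are
    dropped, and missing frames are reported because a NACK cannot be sent."""

    def __init__(self):
        self.parts = {}   # transfer_id -> {seq: payload}
        self.totals = {}  # transfer_id -> expected frame count

    def feed(self, frame):
        """Validate one received frame; return its transfer_id, or None if rejected."""
        if len(frame) < HEADER.size:
            return None
        magic, tid, seq, total, crc = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:]
        if magic != MAGIC or seq >= total or zlib.crc32(payload) & 0xFFFFFFFF != crc:
            return None
        self.totals[tid] = total
        self.parts.setdefault(tid, {})[seq] = payload
        return tid

    def missing(self, tid):
        """Sequence numbers not yet seen for this transfer (empty for an unknown transfer)."""
        seen = self.parts.get(tid, {})
        return [s for s in range(self.totals.get(tid, 0)) if s not in seen]

    def assemble(self, tid):
        """Return the verified payload, or None if frames are missing or the hash fails."""
        if tid not in self.totals or self.missing(tid):
            return None
        parts = self.parts[tid]
        data = b"".join(parts[s] for s in range(1, self.totals[tid]))
        return data if hashlib.sha256(data).digest() == parts[0] else None


def send_one_way(frames, dest, repeat=1):
    """Fire-and-forget UDP send; repeat > 1 trades bandwidth for loss tolerance,
    the only form of 'retransmission' available without a return path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(repeat):
            for frame in frames:
                s.sendto(frame, dest)


def loopback_demo(data, port=39999):
    """Send data to ourselves over UDP on the loopback interface and verify reassembly."""
    addr = ("127.0.0.1", port)  # constructed demo address, not a diode endpoint
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(addr)
    rx.settimeout(2.0)
    asm = Reassembler()

    def receiver():
        try:
            while 1 not in asm.totals or asm.missing(1):
                pkt, _ = rx.recvfrom(65535)
                asm.feed(pkt)
        except socket.timeout:
            pass  # a real receiver would log the transfer as incomplete here

    t = threading.Thread(target=receiver)
    t.start()
    send_one_way(encode_frames(1, data), addr, repeat=2)
    t.join()
    rx.close()
    return asm.assemble(1) == data


if __name__ == "__main__":
    # Constructed sample resembling a small export from a database web service.
    sample = b'{"tag":"FIC-101","value":42.5,"ts":"2013-05-01T12:00:00Z"}' * 100
    print("replicated intact:", loopback_demo(sample))
```

Two practical notes for a real link of this kind: the sending host never receives ARP replies either, so it needs a static ARP entry for the receiver’s address, and because no NACK can ever arrive, the only loss-recovery tools are redundancy (sending each frame more than once, as the `repeat` parameter does) and the receiver logging incomplete transfers so that an operator notices.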

Conclusion

For a total cost of $1612 and some tender loving coding, you too can have your own home-brew Data Diode.

Data Diodes represent a simple yet virtually impenetrable way of segmenting a network.  They have been used for years to secure classified information by government organizations and are an excellent complement to firewalls in a typical control system’s defense in depth strategy.  Adding a data diode to your network doesn’t have to cost tens of thousands of dollars either.  You can reap the benefits of a unidirectional data diode for a few thousand dollars and some technical elbow grease.

Previous articles:

Part 1 - Defending Industrial Control Systems with Data Diodes

Part 2 - Data Diodes and Security in the Real World

Part 3 - Building Your own Data Diode with Open Source Solutions

About the Author

Austin Scott is CEO of Synergist SCADA Inc and heads up a talented team that offers a consummate blend of controls expertise, industry know-how, and advanced software development skills. “Synergist SCADA Inc. is focused on maximizing the effectiveness of our customers’ SCADA investment. We provide control systems design, upgrade strategies, HMI / SCADA / PLC programming, security audits, and field services.” Austin Scott is currently authoring a book on pragmatic ICS Security practices that is due out this summer.

Further Reading:

nginx - an HTTP and reverse proxy server

OpenBSD: Free, Functional and Secure

ICS Firewall Article Community Feedback Round 2