Security Framework 9: Protecting Communications and Connectivity
9.2.6 UNIDIRECTIONAL GATEWAYS
The term unidirectional gateways is used by the IEC 62443-1 and NIST 800-82 standards¹ to refer to devices that can replicate servers and emulate devices via communications hardware that physically permits information to flow in only one direction.
Currently, unidirectional gateways are deployed most commonly at the IT / OT network interface in large industrial facilities and at the LAN / WAN interface in smaller facilities, such as remote substations and pumping stations. When they are deployed as the sole online connections to a trusted network segment, no online attack from any external segment can affect the operation of the trusted network segment.
Unidirectional gateways using optical isolation have a fiber-optic laser as a transmitter, but no receiving hardware. A receiving module contains a fiber-optic photocell as a receiver, but no transmitter. A short fiber-optic cable connects the two modules. Other unidirectional gateways use electrical isolation.
Unidirectional server replication software queries servers on a source network, filters the information and transmits it unidirectionally to a destination network. In the destination network, the replication technology inserts the data received from the unidirectional gateway into a replica server. Users and applications on the destination network query the replica for information. No query can be forwarded from the destination network to the source network.
Figure 9-5: Unidirectional Plant Historian Replication
Figure 9-5 illustrates a typical unidirectional gateway deployed at an IT / OT interface, replicating a plant historian server to a corporate database. The transmit (TX) agent queries the plant historian server for historical data points and pushes them to the corporate IT network across the unidirectional hardware. The receive (RX) agent uses the historical data to populate a replica historian server. External users and applications query the replica to access historical data. No attack from the corporate network or on the corporate historian server can affect the operation of a unidirectionally protected plant network.
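The TX-agent / RX-agent flow described above can be modelled in a few dozen lines. The following Python is an added illustration, not code from the IISF or from any gateway vendor; the historian tags, the tag allow-list, the frame format (sequence number + JSON + CRC32) and the byte-flip used to simulate a damaged frame are all constructed assumptions. It shows two properties that matter to a defender: the receive side has no transmit path at all (the `RxEnd` class simply has no `send` method), and, because nothing can be acknowledged back to the source, the RX agent has to detect damaged or lost frames on its own rather than asking for a retransmit.

```python
"""Toy model of unidirectional plant-historian replication (added example)."""
import json
import struct
import zlib
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: points held by the plant historian on the source (OT) network.
SOURCE_POINTS = [
    {"tag": "PUMP1.FLOW", "ts": 1, "value": 12.5},
    {"tag": "PUMP1.PRESS", "ts": 1, "value": 3.1},
    {"tag": "PLC1.SETPOINT", "ts": 1, "value": 50.0},  # engineering tag, filtered out
    {"tag": "PUMP1.FLOW", "ts": 2, "value": 12.7},
    {"tag": "PUMP1.PRESS", "ts": 2, "value": 3.0},
]
ALLOWED_TAGS = {"PUMP1.FLOW", "PUMP1.PRESS"}  # assumed replication policy


class Fibre:
    """One fibre-optic cable: frames appended by the TX end, drained by the RX end."""
    def __init__(self) -> None:
        self.frames: Deque[bytes] = deque()


class TxEnd:
    """Laser side: can only send. There is deliberately no receive() method."""
    def __init__(self, fibre: Fibre) -> None:
        self._fibre = fibre

    def send(self, frame: bytes) -> None:
        self._fibre.frames.append(frame)


class RxEnd:
    """Photocell side: can only receive. There is deliberately no send() method."""
    def __init__(self, fibre: Fibre) -> None:
        self._fibre = fibre

    def receive(self) -> Optional[bytes]:
        return self._fibre.frames.popleft() if self._fibre.frames else None


def encode_frame(seq: int, point: dict) -> bytes:
    """seq (4 bytes) + JSON payload + CRC32 (4 bytes). No ACK can ever come back,
    so the receiver relies on the CRC to reject damage and on seq to detect gaps."""
    body = struct.pack(">I", seq) + json.dumps(point, sort_keys=True).encode()
    return body + struct.pack(">I", zlib.crc32(body))


def decode_frame(frame: bytes) -> Optional[Tuple[int, dict]]:
    """Returns (seq, point) or None when the frame is too short or fails its CRC."""
    if len(frame) < 8:
        return None
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    return struct.unpack(">I", body[:4])[0], json.loads(body[4:])


def tx_agent(source_points: List[dict], allowed_tags: set, tx: TxEnd) -> int:
    """Queries the plant historian (here a list), filters by tag, pushes across the link."""
    seq = 0
    for point in source_points:
        if point["tag"] in allowed_tags:
            tx.send(encode_frame(seq, point))
            seq += 1
    return seq  # number of frames transmitted


def rx_agent(rx: RxEnd, replica: Dict[str, List[Tuple[int, float]]]) -> Tuple[int, list]:
    """Populates the replica historian; reports CRC drops and sequence gaps."""
    expected, dropped, gaps = 0, 0, []
    while True:
        frame = rx.receive()
        if frame is None:
            break
        decoded = decode_frame(frame)
        if decoded is None:
            dropped += 1          # damaged in flight; cannot ask for a resend
            continue
        seq, point = decoded
        if seq != expected:
            gaps.append((expected, seq))  # something between these was lost
        expected = seq + 1
        replica.setdefault(point["tag"], []).append((point["ts"], point["value"]))
    return dropped, gaps


def run(corrupt_frame_index: Optional[int] = None):
    """End-to-end replication; optionally damages one frame on the fibre."""
    fibre = Fibre()
    sent = tx_agent(SOURCE_POINTS, ALLOWED_TAGS, TxEnd(fibre))
    if corrupt_frame_index is not None:
        damaged = bytearray(fibre.frames[corrupt_frame_index])
        damaged[6] ^= 0xFF  # flip a payload byte (constructed fault)
        fibre.frames[corrupt_frame_index] = bytes(damaged)
    replica: Dict[str, List[Tuple[int, float]]] = {}
    dropped, gaps = rx_agent(RxEnd(fibre), replica)
    return sent, replica, dropped, gaps


if __name__ == "__main__":
    print(run())
    print(run(corrupt_frame_index=1))
```

Calling `run()` replicates the four allowed points and drops the setpoint tag at the TX side, so it never reaches the corporate network; `run(corrupt_frame_index=1)` shows the receiver discarding the damaged frame and recording the sequence gap, which in a real deployment would be raised as an alert rather than silently ignored, since the replica has no way to request the missing data.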
¹ See [IEC-62443-11] and [NIST-800-82]
IIC:PUB:G4:V1.0:PB:20160926 - 91 -