Knowledge Base Article
KB01099 - Data Diodes
Product: PI API
Version(s): All

Issue

  • What are Data Diodes?
  • How do they work?
  • What are potential limitations?
  • Which Data Diodes are recommended for use with the PI System?

Solution

A data diode, or unidirectional security gateway, is used to fully isolate two systems or networks. Since the technology ensures that the transfer of digital data is limited to one direction, assets containing sensitive information are further segregated from external threats. In many cases, a data diode is used to maintain secure connections between a control system network and a business network.

Most data diode technologies have three components: a photo emitter, a fiber-optic cable, and a photo receiver. These components, coupled with software on each end, make up the unidirectional system. The photo emitter converts electrical signals to light, the light signal is transferred via the fiber-optic cable, and the photo receiver converts the light back into an electrical signal. The software on each end of the link verifies data integrity. This verification is essential to the data diode system because it guarantees that data are not corrupted during transmission.
 

While data diodes provide an excellent means of further securing a control network, there are a few aspects to consider prior to implementing them into an organization utilizing the PI System:

Recovery

Since data is limited to unidirectional flow, the source network is unable to verify what data has been received by the target network. Therefore, history recovery becomes a more complex issue when utilizing data diodes. Possible solutions include manual recovery or periodically recovering history, regardless of data gaps.
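
The sketch below is an added example, not OSIsoft or data diode vendor code. It shows the receive-side integrity check described earlier and the periodic history replay suggested above; the frame layout (sequence number, length, CRC-32), the Receiver class and the sample tag readings are assumptions constructed for illustration.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")  # assumed layout: sequence number, payload length

def encode_frame(seq, payload):
    """Source side: header + payload, followed by a CRC-32 over both."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def decode_frame(frame):
    """Target side: return (seq, payload), or None if the check fails."""
    if len(frame) < HEADER.size + 4:
        return None
    body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

class Receiver:
    """Cannot request a resend, so it only records what arrived intact."""
    def __init__(self):
        self.store, self.rejected = {}, 0

    def accept(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1  # corrupted in transit; the source never learns this
            return
        seq, payload = decoded
        self.store.setdefault(seq, payload)  # blind replays make duplicates normal

    def gaps(self):
        lo, hi = min(self.store, default=0), max(self.store, default=-1)
        return [s for s in range(lo, hi + 1) if s not in self.store]

def simulate():
    # Constructed sample history: six readings for a made-up tag.
    frames = [encode_frame(i, f"tag1,{i},{20.0 + i}".encode()) for i in range(6)]
    rx = Receiver()
    damaged = frames[4][:8] + bytes([frames[4][8] ^ 0xFF]) + frames[4][9:]
    for frame in (frames[0], frames[1], frames[3], damaged, frames[5]):  # frame 2 lost
        rx.accept(frame)
    before = rx.gaps()
    for frame in frames:  # periodic replay of history, regardless of gaps
        rx.accept(frame)
    return before, rx.gaps(), rx.rejected
```

Only the target side can see the gaps, which is why the replay has to be scheduled blindly on the source side. CRC-32 detects accidental corruption only; it is not an authentication mechanism.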

Governance

The lack of a bi-directional network connection means that files critical to a control system’s functionality must be transferred via removable media. As a security precaution, these files must be scanned accordingly, which adds administrative tasks that can be difficult to audit.

PI Functionality

Some OSIsoft, LLC. products and features may be limited as a result of the data diode architecture. Therefore, it is important to balance functional need against security. For example, some data diode systems do not support PI Asset Framework (AF) or PI High Availability (HA).

Notes

OSIsoft, LLC. Partners offering data diode technologies:
  • BAE Detica
  • Fox-IT
  • Owl Computing Technologies, Inc.
  • Waterfall Security Solutions

Article ID: KB01099
Article Type: Informational
Created: 2014-10-01
Last Updated: 2014-10-01