How do I provide guaranteed unidirectional traffic to my security and monitoring tools?
ICS environments face challenges to protect critical network segments from incoming threats through the very network infrastructure designed to protect them. Most OT and IT network environments send out-of-band Ethernet packet copies to security monitoring tools to analyze and respond to threats. Many visibility architectures or fabrics flow this out-of-band traffic from the separate facilities to a centralized or enterprise network for this analysis. These IT solutions and integrated systems, connect the network to the internet, indirectly exposing this once siloed infrastructure to outside vulnerabilities and threats.
In these network deployments, using SPAN simply is not acceptable. SPAN or port mirroring from a network switch are bi-directional, which creates an opportunity for hacking by deploying a device for monitoring or security.
Data Diode TAPs
Data diode TAPs are a purpose-built network hardware device that allows raw data to travel only in one direction. Data diode TAPs can be used as a traffic enforcer, guaranteeing information security or protection of critical digital systems, such as industrial control systems, from inbound cyber attacks.
A network TAP creates an exact copy of both sides of the traffic flow, continuously 24/7/365 and do not drop packets, introduce delay, or alter the data. They are either passive or “failsafe,” meaning traffic continues to flow between network devices if power is lost or a monitoring tool is removed, ensuring it isn’t a single point of failure.