Security Validation For Data Diode With Reverse Channel
1 Introduction
Traditionally, SCADA systems have been physically disconnected from outside networks to block external threats. However, the recent trend is to integrate SCADA systems into IT networks. The operational data of SCADA systems can be used for financial purposes such as production optimization; thus, security solutions are needed for data transmission from SCADA systems to IT networks. These solutions can have different security levels depending on the characteristics of the application and its environment.
A unidirectional data transfer system is a network device that enables outgoing data flow but restricts incoming data flow by removing the incoming data lines. Its function seems similar to that of a firewall; however, a significant difference exists between the two devices. Specifically, a firewall enables bidirectional communication if the traffic satisfies the access control list (ACL), whereas a unidirectional data transfer system enables only unidirectional data transfer even if the traffic satisfies the ACL. Owing to this characteristic, the unidirectional data transfer system is also referred to as a data diode or unidirectional security gateway. In this paper, we use the term ‘data diode’ to refer to any type of physical unidirectional network device.
When a firewall has a security vulnerability, such as an ACL misconfiguration, a vulnerability in a permitted service, or an authentication bypass, an adversary can penetrate the network through the firewall. In the case of a data diode, however, the attacker cannot enter the protected area through the network line because no route of entrance exists. Therefore, many SCADA security guidelines (NIST Special Publication 800-82, NRC Regulatory Guide 5-71, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations (7-4.3.2), NEI 08-09 Cyber Security Plan for Nuclear Power Reactors, and ANSSI Cybersecurity for Industrial Control Systems (footnote 1)) recommend that utilities use data diodes for the protection of SCADA systems.
In a SCADA system with critical infrastructures, some utilities use their own unique or customized protocol for data transmission. To support such protocols, we developed data diode hardware and proxy applications to send information from a SCADA network to a corporate network in a power grid system.
When we installed and tested our data diode in real power grid systems, as shown in Figure 1, operators wanted to manage the proxy applications and confirm data transmission to a destination server in the corporate network. However, because our data diode removed the physical reverse path, operators could not check the current status of the proxy application or the destination server. Thus, data reliability cannot be logically guaranteed, even though our data diode experimentally achieved a 100% success rate of data transmission over the unidirectional data path.
A hardware-based data diode is a powerful security method that removes the reverse physical path. In the case of Figure 1, the data diode protects the control network against all attacks from the corporate network. However, simply removing the path cannot ensure data reliability, and the removal prevents checking the status of the data receivers. If a reverse channel can be used securely, however, a data diode with a reverse channel can solve these issues. To the best of our knowledge, no systematic approach exists for the security validation and verification of a data diode that has a restricted reverse channel. We thus implemented a data diode with a reverse channel, and we validated its security by unit, integration, and system testing based on our security criteria shown in Figure 2. The main contribution of our
Footnote 1: http://www.ssi.gouv.fr/uploads/2014/01/industrial_security_WG_detailed_measures.pdf
To perform real testing for the security validation of reverse channels in data diodes, we implemented TOS (Traffic One-way System). TOS is a physical unidirectional data transfer system with a reverse channel for an acknowledgement mechanism. In this section, we introduce the internal structure of TOS and outline the experiment conducted to assess its performance.
TOS consists of two separate embedded systems for applying the physical unidirectional data transfer technology. Its structure is shown in Figure 3. TOS basically has the same architecture as a typical data diode using RJ45 Ethernet
Fig. 4. TOS
Reverse channel signal lines (pins 1-4 carry the system code, pins 5-8 the error code):

Pin No.  Description (System code)    Pin No.  Description (Error code)
1        Rx Node power-on/off         5        Storage is available
2        Rx Node network status       6        Storage is almost full
3        Feedback                     7        Same file exists already
4        N packet acknowledgment      8        Reserved
We then confirmed that TOS does not allow reverse data transmission even when TOS was attacked from the external network connected to the TOS receiver. Our validation process followed the V-model, as shown in Figure 2, with a unit test, an integration test, and a system test. To ensure the objectivity of the verification tests, all processes were carried out by external specialists (footnote 3) who test the equipment of control systems and infrastructure.
TOS was installed in the internal network of the control system and infrastructure to block intrusion from the external network. If an attacker can physically access TOS, the attacker can alter every aspect of TOS. Thus, we assumed that the attacker does not have direct physical access, and we focused only on attacks against TOS from an external network. Aside from physical access, we considered all possible attacks against TOS, as stated in Assumptions 2 and 3.
– Requirement 1 (data): When the sender receives information from the TOS reverse channel, the sender does not store the information in files.
Footnote 3: TestMidas Co., Ltd. (http://www.testmidas.com)
Because Assumption 3 states that the attacker can take control of the receiver, it is necessary to ensure the security of TOS in a situation in which an attacker can arbitrarily modify the receiver. Thus, all verifications performed for TOS consisted of an original sender and an arbitrary receiver that has been transformed by the attack.
Test case generation. Based on our assumptions about attacks, the reverse channel, which comprises eight digital signal lines, is the only way to attack. In the source code, the receiver sends only 0 or 1 through each digital signal line. However, if the receiver is attacked as in Assumption 3, the receiver can send any value, i.e., there are infinitely many cases. For efficient testing, we used eight inputs for each signal line: 0, 1, a negative number, a large negative number (for checking overflow), a positive number, a large positive number (for checking overflow), Unicode, and ASCII code. To cover all possible combinations of the eight digital signal lines, we would require 8^8 (16,777,216) test cases. It is practically impossible to test all of these cases. Thus, we selected 95 test cases using the pairwise technique [6]. Pairwise (a.k.a. all-pairs) testing is an effective test case generation technique that is based on the observation that most faults are caused by interactions of at most two factors. Pairwise-generated test suites cover all combinations of two values; therefore, they are much smaller than exhaustive suites while being very effective at finding defects.
We reviewed the source code of the sender. The test case execution order of the sender did not affect the results of the tests. Figure 4b represents the state transition of the sender during execution. If we performed all test cases for each of the six states in Figure 4b, we could cover all possible cases of the sender. The total number of test cases was 570 (= 95 (number of possible digital signal line inputs) × 6 (number of states)).
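As an added example (not the paper's own test tooling), the following Python generates a pairwise suite for the eight signal lines and the eight input classes described above and checks that every two-line value combination is covered; the greedy heuristic and the class labels are assumptions, and the suite size it produces is not the paper's figure of 95.

```python
"""Pairwise (all-pairs) test-case generation for the TOS reverse channel.
Constructed example (not the paper's own tool): eight digital signal lines,
each fed one of the paper's eight input classes. Exhaustive coverage needs
8**8 = 16,777,216 cases; an all-pairs suite needs on the order of 100."""
import itertools
import random

# Input classes per signal line, as listed in the paper (labels are ours).
INPUT_CLASSES = ["0", "1", "neg", "neg_large", "pos", "pos_large",
                 "unicode", "ascii"]
NUM_LINES = 8  # reverse-channel pins 1-8

def _key(i, a, j, b):
    """Canonical (low line, its class, high line, its class) tuple."""
    return (i, a, j, b) if i < j else (j, b, i, a)

def _pairs(case):
    """All line-value pairs exercised by one test case."""
    return {_key(i, case[i], j, case[j])
            for i, j in itertools.combinations(range(len(case)), 2)}

def _all_pairs(lines, classes):
    return {_key(i, a, j, b) for i, j in itertools.combinations(range(lines), 2)
            for a in classes for b in classes}

def generate_pairwise(lines=NUM_LINES, classes=INPUT_CLASSES, seed=0):
    """Greedy cover: seed each case with a still-uncovered pair, then fill
    the other lines with the class that covers the most new pairs."""
    rng = random.Random(seed)
    uncovered = _all_pairs(lines, classes)
    suite = []
    while uncovered:
        i, a, j, b = min(uncovered)  # deterministic choice of the seed pair
        case = [None] * lines
        case[i], case[j] = a, b
        todo = [k for k in range(lines) if case[k] is None]
        rng.shuffle(todo)
        for k in todo:
            filled = [m for m in range(lines) if case[m] is not None]
            gain = {c: sum(_key(k, c, m, case[m]) in uncovered for m in filled)
                    for c in classes}
            best = max(gain.values())
            case[k] = rng.choice([c for c in classes if gain[c] == best])
        suite.append(tuple(case))
        uncovered -= _pairs(case)
    return suite

def covers_all_pairs(suite, lines=NUM_LINES, classes=INPUT_CLASSES):
    """True if every two-line value combination appears in some test case."""
    return _all_pairs(lines, classes) <= set().union(*(_pairs(c) for c in suite))
```

Any single pair of lines alone needs 64 distinct combinations, so no pairwise suite for this setup can be smaller than 64 cases.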
5 Applications
If a reverse channel can be securely used, the data diode with a reverse channel
can provide a more secure method for data flow control than software-based
security solutions as shown in Figure 7.
5.2 Suggestion
The application shown in Figure 7b is similar to that in Figure 7a. A traffic message control server can safely send data to end systems through TOS. TOS directs the data flow and blocks all reverse data transmission. If necessary, TOS can allow limited requests and status checking of end systems using the reverse channel. Even if one of the end systems is compromised, it cannot attack the central server or compromise other end systems. In a similar manner, TOS can be applied to a patch management system.
TOS can also be applied to enhance the security of data receivers, as shown in Figure 7c and Figure 7d. In Figure 7c, TOS blocks data leakage from the log server. Using the reverse channel, a system manager can remotely check the status of the log server. In the case of Figure 7d, a CCTV control server can safely gather security information and send limited orders to CCTV devices using the reverse channel. Even if an attacker controls one unprotected CCTV device, the attacker cannot connect to or steal information from other systems.
6 Conclusion
In this paper, we proposed security criteria based on an application environment
for a data diode with a reverse channel. We implemented a data diode with
a reverse channel using digital signal lines, and we validated its security by
unit/integration/system testing based on our security criteria. Our research can
be a starting point for expanding application areas of the data diode for security
enhancement.
References
1. K. Forsberg and H. Mooz, “The Relationship of System Engineering to the Project Cycle,” Proceedings of the First Annual Symposium of National Council on System Engineering, pp. 57–65, October 1991.
2. J. Cai and C. Chen, “FEC-based video streaming over packet loss networks with pre-interleaving,” Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 10–14, 2001.
3. Y. Namioka and T. Miyao, “Data communication method and information processing apparatus for acknowledging signal reception by using low-layer protocol,” Hitachi, Ltd., U.S. Patent 20060026292 A1, Feb. 2, 2006.
4. K. Kim, E. Na, and I. Kim, “Gateway device of physically unidirectional communication capable of re-transmitting data, as single device, and method of transferring data using the same,” NNSP, Korea Patent 1015623120000, October 15, 2015.
5. K. Kim, Y. Chang, H. Kim, J. Yun, and W. Kim, “Reply-Type based Agent Generation of Legacy Service on One-way data transfer system,” KIISC, vol. 23, no. 2, pp. 299–305, 2013.
6. D. R. Wallace and D. R. Kuhn, “Failure Modes in Medical Device Software: an Analysis of 15 Years of Recall Data,” International Journal of Reliability, Quality and Safety Engineering, vol. 8, no. 4, 2001.