Industrial Internet Security Framework v 1.0 | Page 92
Security Framework
9: Protecting Communications and Connectivity
When emulating devices, unidirectional replication software on the source network sends
snapshots of source device states to the destination network. The replication software on the
destination network emulates the source devices, responding to polls or other queries as those
devices would have responded. For example, Open Platform Communications (OPC) servers can
be replicated unidirectionally to supply data to enterprise historian servers, which reduces the
risk of an attack.
Unlike firewalls, a unidirectional gateway generally does not forward messages from source
networks to destination networks, as the gateway software maintains independent
communications connections on each. The gateways are physically connected to the hosts
running the unidirectional replication software packages, and so carry only the one-way
application-level replication flows.
A periodically reversible unidirectional gateway can be deployed when periodically scheduled
updates are needed for unidirectionally protected networks. Figure 9-6 illustrates an optical
unidirectional gateway with electromagnetic switches to control copper connectivity to the
optical hardware. The switching permits a unidirectional connection into a protected industrial
network, or out of that network, but never both at the same time.
Figure 9-6: A Reversible Unidirectional Gateway
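As an added illustration (not code from the framework), the following model captures the two properties described above: a destination-side emulator that answers reads from replicated snapshots but has no path back to the real device, and a reversible gateway whose switch enables exactly one direction at a time. The tag names and values are constructed.

```python
from typing import Dict, List

Snapshot = Dict[str, float]  # tag name -> value, an OPC-style tag set (constructed)

class ReversibleGateway:
    """One-way link whose direction can be flipped for scheduled updates.
    Exactly one direction is enabled at any time, never both (the Figure 9-6 switch)."""
    def __init__(self) -> None:
        self.direction = "out"           # "out": industrial -> enterprise, "in": reverse
        self._pending: List[Snapshot] = []

    def reverse(self, direction: str) -> None:
        if direction not in ("out", "in"):
            raise ValueError(direction)
        self._pending.clear()            # nothing in flight survives a switch
        self.direction = direction

    def send(self, sender: str, snapshot: Snapshot) -> None:
        allowed = {"out": "industrial", "in": "enterprise"}[self.direction]
        if sender != allowed:            # the other side has no transmit path at all
            raise PermissionError(f"{sender} cannot send while direction={self.direction}")
        self._pending.append(dict(snapshot))

    def drain(self, receiver: str) -> List[Snapshot]:
        expected = {"out": "enterprise", "in": "industrial"}[self.direction]
        if receiver != expected:
            return []                    # the sending side never receives anything
        out, self._pending = self._pending, []
        return out

class DeviceEmulator:
    """Destination-side replica: serves reads from the last snapshot received
    and refuses writes, since it cannot reach the real device."""
    def __init__(self) -> None:
        self.state: Snapshot = {}
    def apply(self, snapshots: List[Snapshot]) -> None:
        for s in snapshots:
            self.state.update(s)
    def read(self, tag: str) -> float:
        return self.state[tag]
    def write(self, tag: str, value: float) -> None:
        raise PermissionError("replica is read-only; no return path to the plant")

def replicate_plant_to_enterprise() -> DeviceEmulator:
    """Normal operation: the industrial side pushes a snapshot out to the enterprise."""
    gw = ReversibleGateway()
    plant: Snapshot = {"Pump1.Speed": 1480.0, "Tank1.Level": 62.5}  # constructed values
    gw.send("industrial", plant)
    replica = DeviceEmulator()
    replica.apply(gw.drain("enterprise"))
    return replica
```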
IIC:PUB:G4:V1.0:PB:20160926