Industrial Internet Security Framework v 1.0 | Page 92

Security Framework 9: Protecting Communications and Connectivity

When emulating devices, unidirectional replication software on the source network sends snapshots of source device states to the destination network. The replication software on the destination network emulates the source devices, responding to polls or other queries as those devices would have responded. For example, Open Platform Communications (OPC) servers can be replicated unidirectionally to supply data to enterprise historian servers: the enterprise side receives plant data, but there is no network path over which an attack on the enterprise historian could reach back into the control network.

Unlike firewalls, a unidirectional gateway generally does not forward messages from the source network to the destination network; the gateway software maintains independent communications connections on each network. The gateway hardware is physically connected only to the hosts running the unidirectional replication software packages, so the only traffic that crosses it is the replicated application data, and only in one direction.

A periodically reversible unidirectional gateway can be deployed when scheduled updates must periodically be delivered into a unidirectionally protected network. Figure 9-6 illustrates an optical unidirectional gateway with electromagnetic switches that control the copper connections to the optical hardware. The switching permits a unidirectional connection into the protected industrial network, or out of that network, but never both at the same time. While the link is reversed, outbound replication stops and the protected network accepts inbound data, so the reversal is a deliberate, scheduled event rather than a standing connection.

Figure 9-6: A Reversible Unidirectional Gateway

IIC:PUB:G4:V1.0:PB:20160926 - 92 -
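To make the replication-and-emulation architecture above concrete, the following added example (not code from the IISF or from any gateway vendor) models both halves in Python: a source-side replicator that pushes hashed, sequence-numbered snapshots through a link that hands out only a send capability on the protected end and only a receive capability on the destination end; a destination-side emulator that answers read polls from the latest snapshot and refuses writes because it has no path back; and a reversible gateway whose maintenance window cuts outbound replication while inbound connectivity is enabled. The class names, the JSON frame format and the SHA-256 frame check are assumptions of the example, not part of the framework.

```python
"""Toy model of unidirectional replication with device emulation and a reversible gateway.
Added illustration, not IISF or vendor code; names, frame format and the SHA-256 check are assumptions."""
import hashlib
import json
from collections import deque
from enum import Enum


class Direction(Enum):
    OUT = "out"  # protected network -> enterprise network (normal replication)
    IN = "in"    # enterprise network -> protected network (scheduled updates only)


class ReversibleGateway:
    """Electromechanical switch in front of the optical link: one direction at a time, never both."""

    def __init__(self):
        self.direction = Direction.OUT

    def permits(self, flow):
        return flow is self.direction

    def maintenance_window(self, apply_update):
        """Scheduled inbound update: flip to IN, apply, flip back. Outbound replication is cut meanwhile."""
        self.direction = Direction.IN
        try:
            return apply_update()
        finally:
            self.direction = Direction.OUT


def one_way_link():
    """Optical link: the source end gets only a send capability, the destination end only a receive one."""
    frames = deque()
    return frames.append, (lambda: frames.popleft() if frames else None)


class SourceReplicator:
    """Runs on the protected network: snapshots device state and pushes it through the gateway."""

    def __init__(self, send, gateway):
        self.send, self.gateway, self.seq = send, gateway, 0

    def publish(self, device_id, tags, ts):
        if not self.gateway.permits(Direction.OUT):
            return False  # link is switched inbound: the snapshot is skipped, not queued
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "device": device_id, "ts": ts, "tags": tags}, sort_keys=True)
        self.send({"payload": payload, "sha256": hashlib.sha256(payload.encode()).hexdigest()})
        return True


class DeviceEmulator:
    """Runs on the destination network and answers polls as the real devices would."""

    def __init__(self, recv):
        self.recv, self.state, self.last_seq, self.dropped = recv, {}, 0, 0

    def ingest(self):
        """Drain the link. Corrupt or replayed frames are dropped: there is no way to ask for a resend."""
        accepted = 0
        while (frame := self.recv()) is not None:
            if hashlib.sha256(frame["payload"].encode()).hexdigest() != frame["sha256"]:
                self.dropped += 1
                continue
            snap = json.loads(frame["payload"])
            if snap["seq"] <= self.last_seq:
                self.dropped += 1
                continue
            self.last_seq, self.state[snap["device"]] = snap["seq"], snap
            accepted += 1
        return accepted

    def read(self, device_id, tag, now):
        """Read poll from the enterprise side, served from the latest snapshot together with its age."""
        snap = self.state.get(device_id)
        if snap is None or tag not in snap["tags"]:
            return {"status": "unknown"}
        return {"status": "ok", "value": snap["tags"][tag], "age_s": now - snap["ts"]}

    def write(self, device_id, tag, value):
        """Write polls are refused locally: the emulator has no path back to the real device."""
        return {"status": "refused"}


def demo():
    """Constructed scenario: one PLC snapshot, one tampered frame, one scheduled maintenance window."""
    send, recv = one_way_link()
    gw = ReversibleGateway()
    src, emu = SourceReplicator(send, gw), DeviceEmulator(recv)
    sent = src.publish("PLC-1", {"FlowRate": 12.5, "ValveOpen": True}, ts=100)
    send({"payload": '{"seq": 2, "device": "PLC-1", "ts": 100, "tags": {}}', "sha256": "0" * 64})  # tampered
    accepted = emu.ingest()
    in_window = gw.maintenance_window(lambda: (gw.permits(Direction.IN), src.publish("PLC-1", {}, ts=101)))
    return {"sent": sent, "accepted": accepted, "dropped": emu.dropped,
            "read": emu.read("PLC-1", "FlowRate", now=103),
            "write": emu.write("PLC-1", "ValveOpen", False)["status"],
            "window": in_window, "after_window": gw.permits(Direction.OUT)}


if __name__ == "__main__":
    print(demo())
```

The detail worth noticing is in `ingest`: because nothing flows back over the link, the emulator can only drop a corrupt or out-of-order frame, never request a retransmission, which is why unidirectional replication products re-send complete state snapshots periodically instead of relying on acknowledgements. Likewise, `publish` discards a snapshot taken while the gateway is reversed rather than queueing it, and `write` is answered locally, so an enterprise-side compromise can at worst read stale data, not alter a device.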