The Internet of Things (IoT) has already reached almost all areas of life – and keeps growing rapidly. Roads and railways, buildings and machines, products and processes carry sensors and exchange data. This opens the previously closed doors to an immense universe of data, a universe that offers countless new options for manufacturers, operators, and end users. Existing business models keep changing and new ones emerge. Mobility is increasingly developing into a service, intermodal travel becomes reality. Industrial processes can be remotely monitored and controlled.
Protecting people, data, and technology
To steer this development, a holistic, non-proprietary approach across industries is essential; and reliable protection of people, data and systems is simply vital. For secure connection of smart devices to a cloud solution, protected interfaces and communication channels are crucial – across all stages of a product’s or system’s lifecycle, from development and manufacturing right up to operation and use. Only when functional safety and IT / cyber security are guaranteed throughout the entire production chain, companies will be able to make full use of their digital potential. The goal is to protect people and provide full information security.
Data diodes are an important complement to firewalls
All this is especially relevant for networks in safety- and security-relevant industries such as power or mobility, as well as in key manufacturing sectors. In these areas, networks are commonly protected by firewalls and/or so-called „air gaps“, i.e. the systems are operated as completely isolated data islands. Both solutions have certain weaknesses. With air gaps – a typical solution for power station networks – no transmission of live data to a recipient outside of the network is possible, which strongly limits the benefits to be won from the available abundance of data. The secure connection of such applications would allow plant operators to profit from advanced tools such as live monitoring, comprehensive data analysis and predictive maintenance.
Firewalls, on the other hand, are prone to misconfiguration and vulnerabilities. For machines with a wide variety of functions and extensive communication capabilities, for instance, the firewall’s filter rules must be frequently reviewed and adapted. For this reason, experts such as the authors of the IT security guidelines of the German association of machinery and plant engineering (Verband Deutscher Maschinen- und Anlagenbau e.V., VDMA) recommend the use of data diodes as an additional security measure for “especially vulnerable network segments” since data diodes will let data “pass only in a pre-defined direction.“
Data Capture Unit delivers comprehensive connectivity and controlled monitoring
Siemens is a market-leading provider of transport infrastructure solutions. “We have the necessary expertise and experience and thus also the responsibility to accompany, support and shape the digital transformation that we are all affected by. We are committed to living up to this responsibility. For this reason we are continuously investing in research and development,“ underlines Siemens Mobility CEO Michael Peter. Among the results of these efforts is an innovation recently presented by Siemens: a compact and easy to install, but highly effective data diode. It provides comprehensive connectivity and controlled monitoring also for security-relevant networks. The “Data Capture Unit” (DCU) is a one-way data gateway for the secure connection of a closed network to a storage medium, a server or the IoT. This one-way data street offers an enormous potential and opens up totally new possibilities.
Secure connection means safe travel
In the transport infrastructure sector, the diode – embedded in the MindConnect Rail or Road hard- and software solution – helps optimize the connected control, safety and security systems etc. used in rail and road infrastructure. Via Railigent X, Siemens’ IoT system, customers can merge operational train data, for example, with historical consumption data, weather forecasts, or information on major events in a city. This helps make traffic flow smoothly, resulting in a perfect trip from starting point to destination. Thanks to connected technologies, this may become standard already in the near future. MindConnect Rail has recently been launched on the market and offers connectivity in an environment that complies with the highest Safety Integrity Level (SIL4).
The new Siemens “Data Capture Unit” (DCU) delivers a high level of system security and flexibility while providing controlled access to the system from the outside. The DCU is a passive network gateway that allows “live” data transmission, but only in one direction, i.e. from the hardware to the cloud. Connected by cable to the customer’s system, the DCU can “read” the entire full-duplex data exchange between two systems, for example a traffic management system and an interlocking, independent of the transmission protocols used. Then it passes the data on to a storage medium for monitoring or analysis purposes, or makes it available to users outside the security-critical network. (For details of these use cases, please see our web page).
A passive gateway providing freedom of interference
The new hardware network component ensures reliable physical (galvanic) separation that prevents interaction between the critical network and the open one. Data transmission is carried out by induction, with the additional advantage of only minimal impact on the properties of the tapped signal. There is no direct wire connection between the two networks. This will effectively block any attempt to send data via the DCU into the critical network. Another decisive advantage: Neither data communication nor the functionality of the critical network will be impacted or influenced by the DCU in any way, not even if the diode loses power or breaks down completely. At the same time, the integrity of the tapped data is guaranteed at all times. Siemens Mobility CEO Peter: “When developing the DCU, our absolute priority was to provide safety and security for people and technology.”
Undetectable, robust, and competitive
The diode allows data to be transferred only in one direction; it has no IP address of its own and functions within the customer’s system as a so-called Ethernet TAP (terminal access point) that cannot be detected by third parties. Once installed, the DCU provides a fast, transparent, and easy way of implementing the required data transfer for a variety of monitoring applications and analysis purposes.
The diode scores not only with an excellent price-performance ratio, but also with its robust design. Its excellent protection against shock, vibration, temperature fluctuations, and electromagnetic interferences makes it the solution of choice for harsh environments such as rail vehicles or factories, opening up a wide range of applications for the DCU.
Examples for possible DCU applications
Intrusion detection systems (IDS): An IDS is a security technology that detects unauthorized access attempts to the network, for instance when malware uses so-called “exploit” codes to profit from security gaps in the system. The secure and trustworthy network connection provided by the DCU allows the IDS to scan the connected networks in an effective and controlled way to detect abnormal or malicious activities. Hence, besides the firewall, the diode is an additional protective element in the network.
Juridical recording: A so-called “juridical recording system” (JRS) records operating data, e.g. of wayside signaling applications. In case of an accident, the recorded data allows conclusions as to possible technical causes and the analysis of the operational data in terms of its juridical relevance. A DCU provides a TLS-secured connection to the recording unit and is able to record the data at the earliest possible moment. Every log file contains documentation about which DCU has recorded the data set in question, and it shows proof that data was not manipulated.
Remote diagnosis and monitoring: Companies need to collect valuable data from various security-relevant control systems in factories, plants, trains, and railway signaling systems. This data is required for remote monitoring of the system’s condition, for remote operation or for detailed data analysis as the basis for efficiency improvements.
The DCU supports the most common application-specific protocols such as File Transfer or OPC UA. In addition, Siemens makes it possible for customers to implement their own, proprietary protocols. Hence the DCU enables a trustworthy connection to security-critical networks without offering an additional point for attack by cyber criminals.
Fundamental principles are being disrupted
The DCU reflects a major paradigm shift for Siemens since it goes against technological principles that have held fast for 150 years, such as the separation of safety-relevant systems. And at a breathtaking speed: As of 2018, all interlocking installations that German customers order from Siemens will already be “ready to connect”, i.e. the hardware will be equipped for secure and controlled connection to the IoT.
Siemens assures you: Our IT experts, researchers, developers, and #engineersofnext are working every day to integrate their extensive experience and combined digital expertise in our products and solutions, right from the design phase. Our objective is to establish security as a feature of the product instead of implementing it as an add-on at a later stage. This approach allows us to deliver reliable protection of people as well as ensuring data integrity and confidentiality while facilitating data availability. We will help you fully leverage the potential of your data!
For more details and data on the DCU – such as transmission speed, range, and encryption – please go to this Web page.