While data diodes have been used for a long time on classified networks, the high cost and complexity of implementation have kept them away from many valid use cases on industrial control systems. During our assignments, we encountered many situations in which time or availability constraints were not really high (but the security risk was) and a commercial data diode was way too costly. This often meant directly connecting external networks to the ICS, only to exchange a flat file once a day or near-real-time data at a very slow rate.
We developed a working data diode using standard components and open source libraries. With this project we want to prove that it is possible to produce a simple, working, ICS-oriented data diode for about $200. We absolutely do not aim at replacing current commercial data diodes, but hope to open the way for cheaper, simpler devices that are currently not available on the market by providing a working example with open-source code (which will soon be published on GitHub). The principle of using COTS components to build a data diode is not brand new (see "previous work" below), but we aim at providing a packaged software solution to ease the creation process, with a specific focus on ICS.
This is an ongoing project, with a lot of room for improvement, but it is already working for basic functions.
Arnaud Soullié (@arnaudsoullie) is a senior security auditor working at Wavestone. In five years, he performed 100+ penetration tests and security audits. His topics of interest include Industrial Control Systems and Windows Active Directory security, two topics that tend to collide nowadays. His hobbies include motorbike riding and drinking (French) wine (not at the same time, fortunately).