The North American Electric Reliability Corp. has recognized hardware-enforced unidirectional communication connections as providing strong "non-routable" security. NERC is responsible for the Critical Infrastructure Protection standards that secure the North American Bulk Electric System from cyber attacks. The NERC action provides guidance to NERC auditors who increasingly encounter unidirectional communications technologies at sites in the North American electric system.
NERC's updated guidelines come in the form of the Dec. 15 Compliance Application Notice CAN-0024, entitled "CIP-002 R3 Routable Protocols and Data Diode Devices." The CAN describes "data diodes" as network equipment that provides a hardware-enforced "one-way" or unidirectional path for data to flow out of critical networks, while allowing nothing back in to those networks. Unidirectional hardware lets information leave critical networks without any risk of hackers, viruses, worms, or any other attacker reaching back into the critical network over that same communications path and disrupting or sabotaging components essential to the power grid. The CAN provides guidance as to when unidirectional communications should be interpreted as strong "non-routable" communications, that is: communications which do not use the Internet Protocol or any comparable Wide Area Networking protocol.
Unidirectional Security Gateways represent a newer and stronger approach to network security than do conventional firewalls. Waterfall Security Solutions' Unidirectional Gateways are currently deployed in many NERC-regulated conventional power plants, the majority of North America's nuclear generation utilities, and a number of oil & gas facilities and water utilities. Interest in Waterfall's Unidirectional Gateways is increasing quickly in several other industries within North America as well.
With a number of civilian and government agencies citing the vulnerability of the North American power grid to cyber attack, the NERC recognition of hardware-enforced unidirectional communications technologies is timely. Where Unidirectional Gateways are used to successfully isolate control system networks, those networks become immune to remote administration tools and other Internet-based cyber attacks. These are the attacks preferred by the vast majority of nation-state-sponsored "Advanced Persistent Threat" actors. Strong cyber security protections for power plants and for other critical elements of the bulk electric system should help us all sleep a little easier.