Cross-domain use case: Critical infrastructure
If the controls of an infrastructure object must not fall into the wrong hands, it is imperative that the connections between it and other networks are sufficiently secured. All the more so if the object in question is a system that is critical to national safety. A Cross-domain interface can ensure that unauthorized control of essential systems is impossible.
The use case described below shows how the connection between a flood barrier and a commercial service provider can be secured using a Cross-domain interface. More Cross-domain use cases.
The situation: Flood barrier shares sensitive data
A flood barrier is operated from a control room on site. For maintenance purposes, log files of the barrier are shared with a commercial service provider. The log files contain data on control of the barrier and other statistics. A permanent connection has been set up between the control room and the service provider to facilitate the sharing of information.
The risk: Unauthorized control
The integrity of the control room of the flood barrier is literally a matter of life and death. If control fall into the wrong hands, this could lead to danger to life, for example by floods if the barrier is opened at the wrong moment.
The log files are transmitted to the commercial service provider from the control room using a file transfer application. The file transfer protocol (FTP) requires a bi-directional data connection. This means there is a risk that the connection might be used to gain access to the controls of the flood barrier.
The solution: Cross-domain interface with data diode
A PrimeDiode 3010 is installed in the control room of the flood barrier. This blocks reception of external data, which means it is impossible to take over control of the barrier. Transmission of information to the commercial service provide continues to be possible.
A 19” PrimeProxy server is fitted either side of the data diode; especially developed PrimeDocks software will run on this, which we will configure to support the transmission of log files through FTP.
All physical devices (3U rack space in size) will be installed in the control room.
Related information
