NIST Cyber Security Risk Management Framework

CI Data Diode technology satisfies a specific NIST security control: AC-4(7) "One-way information flow control", which may be verified by visual inspection.

In a broader sense, by using a hardware data diode to satisfy security control AC-4(7), a variety of other security controls may also be satisfied. CI technology enables separation of process domains according to NIST security control AC-6(4) and boundary protections compliant with SC-7. Interactions and dependencies among security controls depend strongly on implementation details.

Early implementations of hardware data diodes secured high-integrity database storage archives maintained by the US government to track fissile nuclear materials.

The NSA's campaign to "Raise The Bar" for cyber security at network boundaries explicitly recommends use of hardware data diodes.

Data Diode use cases are differentiated largely by which kinds of information systems are linked together and by the direction of data flow through the diode.

Use Case 1: Critical Infrastructure Defense

Data Diodes protect integrity of critical infrastructure networks by permitting data export (for real-time remote monitoring) while denying malware entry through network interfaces. For example, hardware data diodes now protect every nuclear power plant operating in the US, as required by the Nuclear Regulatory Commission (NRC RG 5.71).

Data Diodes have also been widely adopted in the oil/gas industry, notably by ARAMCO after a costly cyber attack in 2012.

Legacy industrial controllers that lack cyber-defense features may be isolated within a network domain, and "inherit" protections offered by a Data Diode at the network boundary.

Use Case 2: Intelligence Gathering

Data Diodes protect confidentiality of intelligence networks by assuring that data can be gathered (inward flow) while denying outward flow of secret information. Military and police networks often deploy Data Diodes this way.

This use case frequently requires integration of one or more data filters, for anti-malware scanning and/or protocol parsing, in series with the Data Diode in order to protect the integrity of the confidential network.
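The filter stage described above has to work without any feedback path: once data has crossed the diode, the receiving side cannot ask the sender to repeat or clarify anything. The following added example (not CI's or any vendor's code; the frame layout, the telemetry schema and the sample records are all constructed for illustration) shows what such an in-series software filter does on the protected side of the link: it verifies framing and integrity of each frame, reports lost frames from sequence gaps without being able to request retransmission, and passes only messages that match an explicit allowlist schema, dropping everything else.

```python
"""Receiving-side protocol filter for a one-way (data diode) link.

Constructed example. The diode guarantees direction; this code covers
what the receiver must still do unaided, because no acknowledgement or
retransmit request can ever travel back to the sender.
"""
import hashlib
import json
import struct

MAGIC = b"DD01"                        # constructed frame marker
# network byte order: magic, sequence number, payload length, SHA-256(seq || payload)
HEADER = struct.Struct("!4sIQ32s")
ALLOWED_KEYS = {"sensor", "value", "ts"}   # constructed telemetry schema


def _digest(seq: int, payload: bytes) -> bytes:
    # Cover the sequence number too, so a corrupted header is also detected.
    return hashlib.sha256(struct.pack("!I", seq) + payload).digest()


def frame(seq: int, payload: bytes) -> bytes:
    """Sender side: wrap a payload so the receiver can verify it on its own."""
    return HEADER.pack(MAGIC, seq, len(payload), _digest(seq, payload)) + payload


def parse_frame(raw: bytes):
    """Receiver side: return (seq, payload) or raise ValueError."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    magic, seq, length, digest = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:]
    if magic != MAGIC:
        raise ValueError("bad magic")
    if len(payload) != length:
        raise ValueError("length mismatch")
    if _digest(seq, payload) != digest:
        raise ValueError("integrity check failed")
    return seq, payload


def filter_record(payload: bytes) -> dict:
    """Allowlist parser: only the fixed telemetry schema passes; anything else is dropped."""
    try:
        rec = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("not JSON")
    if not isinstance(rec, dict) or set(rec) != ALLOWED_KEYS:
        raise ValueError("schema violation")
    if not (isinstance(rec["sensor"], str) and len(rec["sensor"]) <= 32):
        raise ValueError("bad sensor id")
    if isinstance(rec["value"], bool) or not isinstance(rec["value"], (int, float)):
        raise ValueError("bad value")
    if isinstance(rec["ts"], bool) or not isinstance(rec["ts"], int) or rec["ts"] < 0:
        raise ValueError("bad timestamp")
    return rec


def receive(frames):
    """Process frames arriving over the one-way link.

    Returns (accepted_records, rejections, missing_seqs). Missing sequence
    numbers can only be reported to an operator, never requested again.
    """
    accepted, rejections, missing = [], [], []
    expected = 0
    for raw in frames:
        try:
            seq, payload = parse_frame(raw)
        except ValueError as e:
            rejections.append((None, str(e)))     # seq unknown for a bad frame
            continue
        if seq > expected:
            missing.extend(range(expected, seq))  # gap: lost or unparseable frames
        expected = max(expected, seq + 1)
        try:
            accepted.append(filter_record(payload))
        except ValueError as e:
            rejections.append((seq, str(e)))
    return accepted, rejections, missing


def simulate_channel():
    """Constructed sample traffic: one frame lost, one corrupted, one off-schema."""
    records = [
        {"sensor": "pump-1", "value": 3.2, "ts": 1700000000},
        {"sensor": "pump-1", "value": 3.3, "ts": 1700000010},
        {"sensor": "pump-2", "value": 0.0, "ts": 1700000020},   # lost in transit below
        {"sensor": "pump-2", "value": 0.1, "ts": 1700000030},   # corrupted below
        {"sensor": "pump-3", "value": 1.0, "ts": 1700000040, "cmd": "x"},  # extra key
        {"sensor": "pump-3", "value": 1.1, "ts": 1700000050},
    ]
    frames = [frame(i, json.dumps(r).encode()) for i, r in enumerate(records)]
    del frames[2]                          # loss: nothing can ask for a resend
    damaged = bytearray(frames[2])         # this is seq 3 after the deletion
    damaged[-1] ^= 0xFF                    # flip the last payload byte
    frames[2] = bytes(damaged)
    return frames


if __name__ == "__main__":
    acc, rej, miss = receive(simulate_channel())
    print("accepted:", [r["ts"] for r in acc])
    print("rejected:", rej)
    print("missing sequence numbers:", miss)
```

On the constructed traffic the receiver accepts three records, reports sequence numbers 2 and 3 as missing (one frame was lost, one failed its integrity check and so has no trustworthy sequence number), and rejects the record carrying an extra key, because the schema is an allowlist rather than a denylist. The same receive-side structure applies unchanged to the other use cases on this page: only the schema in the filter changes.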

Use Case 3: Software Development Pipelines

Data Diodes enforce one-way information flow controls in Assured Pipelines, which include software development/supply chains. Software flows from development networks to test networks to production networks, which may be isolated from each other. A growing number of software-centric corporations, including most prime contractors, are hardening their internal infrastructures following this use case.

Use Case 4: Self-protecting network infrastructures

Data Diodes address emerging use cases that require sensing capability and active network protection (countermeasures) while maintaining strict isolation among closely related network enclaves. A target network may be "tapped" with a data diode, enabling pattern recognition tools to examine network traffic for malicious activity while protecting those tools from exposure or corruption. Similarly, countermeasure software may be injected into a target network through a data diode, protecting the integrity of the isolated countermeasure tool enclave.

Use Case 5: Data Distribution to Isolated Recipients

It is often desirable to distribute information to multiple recipients while assuring that the same recipients cannot communicate with each other. It is also desirable to assure that information recipients cannot adversely affect the cyber security posture of the sender. Data diodes provide unique solutions for these challenges.