As networking increases so do attacks on critical infrastructure. When processing and storing electronic data they must be protected according to their level of sensitivity. This protection also has to be maintained when data are exchange between systems and organisational units. This requires systematic and well-documented processes, which involve two key elements: data classification and the creation of security zones, each subject to different treatment. It is important to develop clearly defined guidelines for both areas which must be consistently observed.
If data are exchanged between security zones with different levels of protection, a zone transition is required. When transferring data to a less secure zone, they must be declassified by previous authorization. Otherwise, they risk losing their confidentiality and integrity. The opposite applies for the transfer of data from a less protected zone to a more secure one. Otherwise, they could jeopardise the security of the entire target zone.
A data lock serves as a security gateway for data transfers between security zones with different classifications, and also between physically separate networks. To create this security, an intermediate storage unit similar to a ship lock is used. The data lock ensures that only one connection between a network segment and the intermediate storage unit exists at any one time. It prevents direct physical contact between the two network segments. While the files are in the intermediate storage unit, their content and form can be examined.
The data lock enables data transfer between networks that are physically and logically separated from each other. This ensures that a direct connection is never established between the different networks (store-and-forward principle). This core function enables the implementation of various solutions to meet frequently occurring needs.
- Filtered data transfer between physically separate networks.
- Automatic downloads of software updates or virus definitions.
- Time synchronisation.
- Use of e-mails from isolated systems.
- All applications operated via the data lock require only a temporary connection.
- Support and advice on defining customer-specific solutions for data transfers across zone lines.
Highly effective and reliable protective measures are needed to network critical infrastructure having the same and/or different levels of security. Crypto Security Gateway solutions are devised and used specifically for such scenarios. They have proven effective in power production infrastructure, for example.
The data lock physically separates the zones, thus preventing direct contact between the networks. Data can be analysed and, if need be, discarded in accordance with individual rules following the store and forward principle.
As a result, responsibility for the vital areas of economic and social infrastructure is protected with customised solutions.