Is data diode a good idea for a cloud based design of Ignition


Is using a data diode a good idea to include in a cloud-based design of Ignition for added security? Thanks in advance.

“Cloud-based” isn’t really a factor. A data diode can protect a secure part of a plant from the rest, but there’s no such thing as an Internet data diode. Something at each plant will have a TCP connection to Ignition or an MQTT broker or another OPC server. That is fundamentally bi-directional, if only for packet acknowledgements.
Found this Proxy-Based Unidirectional Connection architecture.

And a ‘Bidirectional Connection’ if it can’t be one way.

Does anyone have a comment on this, please?

How is that bidirectional connection fundamentally different from a direct connection? How are the proxies secured?

The diagram showing the data diode at the plant, then inherently bidirectional traffic to the cloud, is a good example of my point above.

The data diode would have to be two independent brains with a single one way communications channel between them for this to be valuable (and even then only useful if you have no need to remotely access the site, e.g. for maintenance or CCTV). If the gap is just implemented in software within one device, it’s just a protocol converter and gaining access to it from the internet means gaining access to the network.