
TOPIC: Opstation on the other side of a fiber tap

Opstation on the other side of a fiber tap 6 years 3 months ago #9452

Marc, thanks for the input.
Yes, I've considered a number of other scenarios including SPAN ports, both virtualized and hardware.
In this case, it may reduce the parts count, but the protection and isolation offered by the optical tap is too good to pass up. I'd love to see a diagram of what you're thinking, just to make sure we're considering the same idea.

I like the redundancy concept, and as I am using Proview v5.5 already...

Thanks again!
-Matt

Opstation on the other side of a fiber tap 6 years 3 months ago #9453

  • marc
Hi Matt,

I need to think about this.
To be honest, it is already 10 years ago that I was "completely up-to-date" concerning your problem.
Even though I have worked the last couple of months in high-security areas where a LAN doesn't really exist and only sneakernet and encrypted USB sticks are allowed for data transfer,
time flies, and so does technology.

But after I re-read your post it's not clear to me what the permissions are for the "low security area".
Is this area only allowed for virtualization of historical (real-time) MySQL data?

/Marc
Please use the Wiki if you succeeded with your project or solved your problem. Share your work, so we can learn from each other.

Opstation on the other side of a fiber tap 6 years 3 months ago #9454

Marc,

Thanks for the consideration.
We are a sneakernet/USB sort of place, and we are trying to get to a better way of doing things.
What we really want is something that out-modes sneakernet, but prevents access to the control system.

Devices like those made by Waterfall achieve this, but they cost a whole lot.
Waterfall unidirectional gateways:
waterfall-security.com/products/unidirec...al-security-gateways

Those systems may be more cost effective now (we haven't asked to look at their pricing for several years), but I doubt it.

A fiber tap will absolutely prevent return data, as it is a two way mirror that splits the beam and only provides outputs on the tap side. It is physically impossible to feed data back into the system in this case.

If we can leverage this with duplication, then we get the ability to feed any data we choose to the replicated data set, with no possibility of accidental or surreptitious control system access. This would give our students and researchers access to the data they would like in near-real-time while preserving the security of the facility.

To answer your question, yes, the lower-security areas may only look at (copy, read, etc.) the data. They may not alter or adjust anything in the database.

Again, I really appreciate the discussion.
-Matt
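Matt's post describes the constraint that makes the tap design work: the low-security side can receive but can never send, so the replication stream has to carry everything the receiver needs to validate records and notice loss on its own (no acknowledgements, no retransmit requests, which also rules out TCP across the tap). The following Python is an added illustration of that one-way replication pattern; it is not Proview's code or anything posted in this thread. The wire format, the tag names and the sample records are constructed for the example.

```python
import struct
import zlib

# Constructed wire format for one history record crossing the one-way link
# (this is an assumption for the example, not a Proview format). Big-endian:
#   uint32 seq | float64 timestamp | uint16 tag_len | tag bytes | float64 value | uint32 crc32
HEADER = struct.Struct("!Id")
TAGLEN = struct.Struct("!H")
VALUE = struct.Struct("!d")
CRC = struct.Struct("!I")
MIN_LEN = HEADER.size + TAGLEN.size + VALUE.size + CRC.size


def encode_record(seq, timestamp, tag, value):
    """Pack one record with a sequence number and CRC so the receiver can
    check integrity and ordering without ever talking back to the sender."""
    tag_bytes = tag.encode("utf-8")
    body = (HEADER.pack(seq, timestamp) + TAGLEN.pack(len(tag_bytes))
            + tag_bytes + VALUE.pack(value))
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode_record(datagram):
    """Return (seq, timestamp, tag, value), or None if the datagram is corrupt."""
    if len(datagram) < MIN_LEN:
        return None
    body, crc = datagram[:-CRC.size], datagram[-CRC.size:]
    if CRC.unpack(crc)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return None
    seq, timestamp = HEADER.unpack_from(body, 0)
    (tag_len,) = TAGLEN.unpack_from(body, HEADER.size)
    tag_start = HEADER.size + TAGLEN.size
    tag = body[tag_start:tag_start + tag_len].decode("utf-8")
    (value,) = VALUE.unpack_from(body, tag_start + tag_len)
    return seq, timestamp, tag, value


def replay(datagrams, expected_first_seq=0):
    """Rebuild the replicated data set from whatever arrived on the tap side.

    Returns (records, missing_seqs, corrupt_count). Because nothing can be
    sent back across the tap, gaps are only reported, never re-requested;
    duplicates (e.g. a sender that repeats each datagram) are dropped.
    """
    records, seen, corrupt = [], set(), 0
    for d in datagrams:
        r = decode_record(d)
        if r is None:
            corrupt += 1
            continue
        if r[0] in seen:
            continue
        seen.add(r[0])
        records.append(r)
    records.sort()  # sequence numbers are unique, so this orders by seq
    missing = []
    if records:
        missing = [s for s in range(expected_first_seq, records[-1][0] + 1)
                   if s not in seen]
    return records, missing, corrupt


def demo():
    # Constructed sample: five history samples for two tags leaving the
    # high-security side in sequence order.
    samples = [(0, 1700000000.0, "FT101.ActualValue", 12.5),
               (1, 1700000001.0, "TT102.ActualValue", 80.25),
               (2, 1700000002.0, "FT101.ActualValue", 12.75),
               (3, 1700000003.0, "TT102.ActualValue", 80.5),
               (4, 1700000004.0, "FT101.ActualValue", 13.0)]
    sent = [encode_record(*s) for s in samples]
    # Simulate the one-way link: seq 2 is lost entirely, seq 4 arrives with a
    # flipped byte, and seq 1 is delivered twice.
    damaged = bytearray(sent[4])
    damaged[5] ^= 0xFF
    received = [sent[0], sent[1], sent[1], sent[3], bytes(damaged)]
    return replay(received)


if __name__ == "__main__":
    recs, missing, corrupt = demo()
    print("records:", [r[0] for r in recs], "missing:", missing, "corrupt:", corrupt)
```

In practice the datagrams would be UDP (or any connectionless framing) sent toward the tapped link and the receiver would log `missing` and `corrupt` as monitoring signals; the sender may repeat datagrams or periodically resend a full snapshot to narrow the gaps, since that is the only recovery available when no return path exists.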

Opstation on the other side of a fiber tap 6 years 3 months ago #9455

  • marc
Hi Matt,

Short brainstorm.

Without doubt a read-only fiber tap is the most secure solution.

I know it's possible to spoof a MAC-address.
But what are the downsides, in your case, related to a pwrsev (storage station) with 2 NICs (static IP/iptables/MAC related)
in combination with an operator station with a limited Proview user login, if I consider you are already in a secure LAN?

/Marc
Please use the Wiki if you succeeded with your project or solved your problem. Share your work, so we can learn from each other.

Opstation on the other side of a fiber tap 6 years 3 months ago #9456

Because of the public nature of the forum, I can't go into the specific risks.

I can say that the regulator will not allow me to create a link that could be hacked from a remote place in the knowledge that it might be used that way.
Attaching two computers by any bi-directional means across the safety/security boundary, for my purposes, simply won't be allowed. Honestly, the real risks are relatively low, but non-zero.

Thus we use sneaker-net.

The other issue is that if this can be made to work, I see a number of use-cases that make it a valuable tool. That, in and of itself, is worth pursuing.

Thanks,
Matt

Opstation on the other side of a fiber tap 6 years 3 months ago #9458

  • marc
Hi Matt,

I am in doubt whether it is necessary to have a duplication of the process station in your "lower secured area".
If you use two NICs on the duplicated storage station, one connected to the tap and the other to the Op/HMI, shouldn't that be enough to show the history?

/Marc
Please use the Wiki if you succeeded with your project or solved your problem. Share your work, so we can learn from each other.