by mikewarot 1869 days ago
Connecting infrastructure to the internet is something that is done for many reasons. It would be a vast improvement of security if most of those connections went through a data diode[1] and only allowed monitoring.

Knowing what is happening now with critical infrastructure, through the internet, can be done in a completely safe manner. It is a solved problem.

[1] - https://en.wikipedia.org/wiki/Unidirectional_network


What would be the difference between having a data diode between your control and monitoring network and external monitoring systems, versus just splitting the monitoring part off into a completely separate network with ordinary two-way traffic?
What you explained doesn't solve the problem. You still want to have a unidirectional network in place at least between your critical infrastructure and the monitoring systems.

Monitoring systems are usually separate and often have their dedicated network too, but they still need some sort of network connection to your critical infrastructure to do their job (monitoring).

If you put a data diode between your infrastructure and the internet, you can see the status from anywhere, yet never compromise it from the outside.
Yes, I think we are on the same page.

I was trying to explain that having a separate monitoring infra and network group wouldn't work as a replacement for a unidirectional network setup, because you still need to open network access between critical infra and the monitoring system in your design, which will expose it to the internet.

So like you said, you still need to have a unidirectional network in place.
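The two designs compared in this thread (a split-off monitoring network with ordinary two-way links, versus a data diode between the control network and the monitoring side) can be checked as a reachability question: can anything on the internet side ever reach the control network? The following is an added example, not code from the thread or from any real diode product; the segment names and the two constructed topologies are assumptions chosen to mirror the discussion, and a diode is modelled simply as a directed edge with no reverse edge.

```python
"""Reachability model of the two monitoring designs discussed in the thread.

Network segments are nodes; each permitted traffic direction is a directed edge.
An ordinary network link contributes edges in both directions, a data diode
(unidirectional network) contributes exactly one. "Exposed" means a packet
originating on the internet side has some path to the control network.
"""
from collections import deque


def reachable(links, src):
    """Return the set of segments reachable from `src` over directed links (BFS)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def two_way(a, b):
    """Ordinary network link: traffic can flow in both directions."""
    return [(a, b), (b, a)]


def diode(src, dst):
    """Data diode: traffic flows from src to dst only, there is no return path."""
    return [(src, dst)]


# Constructed topology 1 (the "just split monitoring off" design from the thread):
# control <-> monitoring <-> internet, all ordinary two-way links.
SPLIT_MONITORING_DESIGN = two_way("control", "monitoring") + two_way("monitoring", "internet")

# Constructed topology 2 (the diode design): control -> monitoring is one-way,
# monitoring <-> internet stays two-way so the status can be viewed from anywhere.
DIODE_DESIGN = diode("control", "monitoring") + two_way("monitoring", "internet")


def exposed_to_internet(links, asset="control"):
    """True if a packet starting on the internet side can reach `asset`."""
    return asset in reachable(links, "internet")


def status_visible_from_internet(links, asset="control"):
    """True if telemetry originating at `asset` can reach the internet side."""
    return "internet" in reachable(links, asset)


def compare_designs():
    """Summarise both properties for both constructed designs."""
    return {
        name: {
            "control_exposed": exposed_to_internet(links),
            "status_visible": status_visible_from_internet(links),
        }
        for name, links in (
            ("split_monitoring", SPLIT_MONITORING_DESIGN),
            ("diode", DIODE_DESIGN),
        )
    }


if __name__ == "__main__":
    for name, props in compare_designs().items():
        print(f"{name:17s} control exposed: {props['control_exposed']!s:5s} "
              f"status visible: {props['status_visible']}")
```

Running it shows the point both commenters converge on: in the split design the monitoring segment is a two-way bridge, so the control network is still reachable from the internet, while in the diode design status still reaches the internet but nothing reaches back. In a real deployment the diode is hardware (the receive path physically absent), and the same reachability check is a useful sanity test to run over firewall and VLAN configuration before trusting that a "separate" monitoring network provides isolation.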