GB2608662A - An isolation unit - Google Patents

Publication number
GB2608662A
Authority
GB
United Kingdom
Prior art keywords
connection
switch
interface
layer
isolation unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
GB2200936.9A
Other versions
GB202200936D0 (en
Inventor
Penny Stuart
Grave Simon
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Circuits And Software Ltd
Original Assignee
Circuits And Software Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Circuits And Software Ltd
Publication of GB202200936D0
Publication of GB2608662A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Virology (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An isolation unit 100 for preventing access to one or more computer devices or network segments 102 by malicious software (e.g. ransomware). The isolation unit has first 104 and second 108 connection interfaces, at least one of which is configured to connect the isolation unit to a data carrying input 106, and the other being at least for outputting data to the computer devices/network segments. Connection circuitry 110 connects the first and second interfaces, and has at least one switchable connection path 112 with a layer 1 switch 114 (i.e. a switch operable at the OSI physical layer). A controller 116 is configured to switch the switch between a closed state, in which the first and second interfaces are connected by the switchable connection path, and an open state, in which the switchable connection path is disconnected between the first and second interfaces. The isolation unit may be used to isolate a data storage back-up device.

Description

Intellectual Property Office. Application No. GB2200936.9. RTM. Date: 26 May 2022.
The following terms are registered trade marks and should be read as such wherever they occur in this document: Wi-Fi, Bluetooth, IEEE, USB.
Intellectual Property Office is an operating name of the Patent Office. www.gov.uk/ipo
AN ISOLATION UNIT
FIELD OF THE INVENTION
The present invention relates to an isolation unit, specifically an isolation unit for isolating one or more computer devices or network segments. The isolation unit may be suitable for preventing access by malicious software. The isolation unit may preferably be for isolating one or more data storage back-up devices. The isolation unit may provide protection against attack from malicious software such as ransomware attacks.
BACKGROUND
Ransomware is a form of malicious software which targets data on a networked device by encrypting the data, preventing the owner from accessing the data until a ransom demand is met. When the ransom demand has been met, the target is provided with a decryption key to decipher the encrypted data. The data is inaccessible when encrypted, as deciphering without the decryption key is known as an intractable problem. Other types of malicious software such as viruses and worms can be used to attack stored data.
Historically, ransomware attacks have been implemented with software Trojans. Targets unknowingly allow software carrying ransomware into the system of a networked target device. Once in the system, the ransomware encrypts the user's data, and can continue to spread the ransomware to other devices on the network.
Mitigation of ransomware can be implemented with the use of anti-virus software; these actively scan all data on a device in order to detect malware or other potentially harmful software and data. However, the anti-virus software can sometimes only detect a ransomware attack once it is happening, resulting in at least a partial encryption of the data. Data storage back-up devices can also be used to make copies of a device's data. The data copied will be an instance in time of the device data, and can be used to restore data encrypted by a ransomware attack.
Conventional data storage back-up devices are manually connected to a network when a data storage back-up occurs, or can be left connected to carry out automated backups. When a data storage back-up device is connected to a network it is however also vulnerable to sophisticated malware attacks, such as ransomware attacks.
It is an object of the invention to address one or more of the above-mentioned problems. In particular, it is desired to provide a defence against ransomware attacks in which a data backup may be encrypted along with the original copy of the data.
SUMMARY OF THE INVENTION
According to a first aspect, the present application provides an isolation unit for isolating one or more computer devices or network segments to prevent access by malicious software, comprising any one or more of: a first connection interface and a second connection interface, at least one of the first and second connection interfaces configured to connect the isolation unit to a data carrying input, and the other being at least for outputting data to the one or more computer devices or network segments; connection circuitry connecting between the first connection interface and the second connection interface, the connection circuitry having at least one switchable connection path, wherein the switchable connection path comprises a layer 1 switch arranged to switch between a closed state and an open state, wherein the switchable connection path is switchable by the switch at the OSI physical layer; and a controller configured to switch the layer 1 switch between the closed state and the open state.
In the closed state the first connection interface and the second connection interface are connected via the switchable connection path, and in the open state the switchable connection path is disconnected between the first connection interface and the second connection interface.
The connection circuitry may further comprise a logical switching device forming part of the switchable connection path between the first and second interfaces. The logical switching device may comprise a plurality of connection points, and is arranged to allow data routing between any one of the connection points to any other of the connection points.
The logical switching device may be an Ethernet switching device, and the first and second connection interfaces may be Ethernet ports.
The layer 1 switch may be a first layer 1 switch, and the isolation unit may further comprise a third connection interface, wherein: the switchable connection path is a first switchable connection path extending between the first connection interface and the second connection interface via the logical switching device, and includes the first layer 1 switch; the connection circuitry comprises a second switchable connection path extending between the first connection interface and the third connection interface via the switching device, the second switchable connection path comprising a second layer 1 switch; wherein each of the first and second layer 1 switches are configured to switch between a closed state and an open state to independently isolate the first connection interface from the second and/or third connection interface, and the first and second switchable connection paths are switchable by the respective layer 1 switch at the OSI physical layer; and wherein the controller is configured to switch the first and second layer 1 switches between their respective closed and open states.
The first interface may be configured to act (only) as an input interface and is connectable to a data carrying input interface, and the second and third interfaces are configured to act (only) as output interfaces and are connectable to respective computer devices or network segments.
The first, second and third interfaces may each be configured to act as both an input interface or an output interface. For example, they may be non-specific input/output connection interfaces (e.g. multiple-direction interfaces). The non-specific connection interfaces may each be connected to a connection point on the logical switching device via a respective layer 1 switch.
The controller may be configured to operate the layer 1 switches such that they are operated in groups, whereby the layer 1 switches of a first group are all in a closed state and the layer 1 switches of a second group are all in an open state, or the layer 1 switches of the first group are all in an open state and the layer 1 switches of the second group are all in a closed state.
The layer 1 switch (or each layer 1 switch if there are more than one) may be a semiconductor switch.
The first connection interface may be an input connection interface configured to connect the isolation unit to the data carrying input; and the second connection interface may be one of one or more output connection interfaces for outputting data to the one or more computing devices.
According to a second aspect of the present application, there is provided an isolation unit for isolating one or more computer devices or network segments to prevent access by malicious software, comprising any one or more of the following features: an input connection interface configured to connect to a data carrying input; one or more output connection interfaces for outputting data to the one or more computer devices or network segments; connection circuitry connecting between the input connection interface and the one or more output connection interfaces, the connection circuitry having at least one switchable connection path, wherein the switchable connection path comprises a (e.g. layer 1) switch arranged to switch between a closed state in which the input connection interface and a respective one of the one or more output connection interfaces are connected via the switchable connection path, and an open state in which the switchable connection path is disconnected between the input connection interface and the respective one of the one or more output connection interfaces, wherein the switchable connection path is switchable by the switch at the OSI physical layer; and a controller configured to switch the (e.g. layer 1) switch between the closed state and the open state.
By providing the isolation unit with a switch, switchable at the OSI physical layer, the input connection interface and output connection interface may be isolated at the lowest OSI layer from one another when the switch is in the open state to prevent malicious software or the like crossing between them. When use of the computing device or network segment is required (e.g. if the computing device is a data backup storage device and is required to perform a data backup), the layer 1 switch can be moved to the closed state so that a temporary connection is provided.
The following statements may apply to either of the first and second aspects above: The input connection interface may comprise at least one data input connection interface and at least one power input connection interface. The output connection interface may comprise at least one data output connection interface and at least one power output connection interface.
The switchable connection path may connect one of the data input connection interfaces and/or one of the power connection interfaces to the output connection interface. The layer 1 switch may therefore be used to provide an isolation point in either or both of a data carrying connection, or a power carrying connection, across the isolation unit.
The first, second or input connection interface may comprise a wired connection interface.
The first, second or input connection interface may comprise a USB interface, a Fibre-Optic interface, or a modular connector connection interface.
The first, second or input connection interface may comprise a wireless connection interface. The wireless connection interface may be a Wi-Fi or Bluetooth connection interface.
The first, second or input interface may comprise an IEEE 802.11 type interface.
The first, second or input connection interface may be configured to connect to a Wide Area Network (WAN), such as the internet, or a Local Area Network (LAN).
The switch is an electronically activated layer 1 switch. The layer 1 switch may be a semiconductor switch.
The controller may be arranged to control or activate the layer 1 switch or layer 1 switches. The controller may operate the layer 1 switch or layer 1 switches automatically or by being triggered by a user input to change the state of the switch.
The controller may be configured to activate (e.g. switch) the layer 1 switch or layer 1 switches between the closed and open states according to one or more time parameters.
The time parameters may define any one or more of: a closing time of the layer 1 switch or layer 1 switches; an opening time of the layer 1 switch or layer 1 switches; or a time duration in which the layer 1 switch or switches are closed or open. The time parameters may therefore define a time during which the connected computer device/network segment is not isolated and is required for use. The time parameter may be set according to another device which requires intermittent connection to the computer device/network segment connected at the first, second or output interface e.g. a time when a data backup or similar operation is to occur.
The one or more time parameters may be stored in a local computer readable memory of the controller. By storing the parameters locally within the controller they may be protected from being manipulated by a malicious program attempting to access the computer device/network segment connected at the input or output interface.
The isolation unit may comprise an input/output interface via which the one or more time parameters are set by the user. This may allow the user to program the controller as desired so that isolation/connection is provided when required.
The input/output interface may comprise: a data connection port, such as a USB port; a keyboard and screen interface; or touch screen interface.
The controller may be configured to determine when to activate (e.g. switch) the layer 1 switch or layer 1 switches to the open state from the closed state, or from the closed state to the open state. The determination may be based on a (e.g. stored or preprogrammed) condition or event.
The determination may be based on any one or more of: if the data transfer has been activated; if data transfer has been completed; if the data transfer has been ended; if a specific operation procedure has been completed; or if malware has been detected.
The controller may be configured to operate the layer 1 switch or layer 1 switches based on a user input received by the controller. This may allow the user to manually isolate or connect the input and output interfaces when desired.
The isolation unit may comprise a plurality of output connection interfaces, each configured to connect to a separate computer device or network segment. The input connection interface may be connected to each of the plurality of output connection interfaces via the connection circuitry. The switchable path may be one of a plurality of switchable paths each connecting between the input interface and a respective one of the plurality of output connection interfaces. Each of the switchable paths may comprise a layer 1 switch arranged to switch between a closed state in which the input connection interface and the respective output connection interface are connected, and an open state in which the switchable connection path is disconnected between the input connection interface and the respective output connection interface. The switchable connection paths may be switchable by the respective layer 1 switch at the OSI physical layer (layer 1).
The isolation unit may comprise a plurality of output connection interfaces including at least a first output connection interface and a second output connection interface, each configured to connect to a separate computer device or network segment. The input connection interface may be connected to each of the first and second output connection interfaces via the connection circuitry. The switchable path may be a first switchable path, switchable at the physical layer, and the layer 1 switch is a first layer 1 switch connecting between the input interface and the first output connection interface. The connecting circuitry may further comprise a second switchable path, having a second layer 1 switch, the second switchable path, switchable at the physical layer, connecting between the input connection interface and the second output connection interface. The second layer 1 switch may be arranged to switch between a closed state in which the input connection interface and the second output connection interface are connected via the second switchable connection path, and an open state in which the second switchable connection path is disconnected between the input connection interface and the second output connection interface. By providing two output interfaces two separate devices/network segments may be connected for use at different times.
The plurality of layer 1 switches are electronically activated switches. The controller may be configured to switch the plurality of layer 1 switches between respective closed and open states to connect and disconnect the input connection interface to the respective output connection interfaces such that at least one of the layer 1 switches is in the open state at a given point in time (e.g. at least one is always open). This means that if a malicious software attack occurs when one of the switches is closed, a device/network segment connected to at least one of the other output interfaces will remain isolated and protected.
The controller may be configured to operate the plurality of layer 1 switches (or the first, second and third layer 1 switches) such that only one of them is in the closed state at a given point in time.
The controller may be configured to control the plurality of layer 1 switches (or the first, second and third layer 1 switches) according to a timed switching sequence. This may define an order or sequence in which the output interfaces are connected (e.g. one at a time, or so that at least one is in the open state). The sequence may repeat once all of the output interfaces have been connected once.
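The switching rules described above (time parameters held locally in the controller, only one layer 1 switch closed at a time, a repeating timed sequence, and opening on a detected condition) can be expressed as controller logic. This is an added example, not code from the patent; the names `controller_t`, `ctrl_init`, `ctrl_schedule_valid` and `ctrl_tick`, the three-path count and the 60-second sample schedule are assumptions made for illustration, and the switch hardware is modelled as a boolean array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_PATHS 3   /* one layer 1 switch per output interface (assumed count) */

typedef struct {
    uint32_t close_at;   /* second within the cycle at which the switch closes */
    uint32_t duration;   /* seconds the switch then stays closed; 0 = never */
} window_t;

typedef struct {
    window_t window[NUM_PATHS];  /* time parameters, held only in controller memory */
    uint32_t cycle_len;          /* the sequence repeats after this many seconds */
    bool     closed[NUM_PATHS];  /* commanded switch states; false = open */
    bool     malware_detected;   /* local condition that forces full isolation */
} controller_t;

/* Load a schedule; everything else is zeroed, so every switch starts open. */
void ctrl_init(controller_t *c, uint32_t cycle_len, const window_t *w)
{
    *c = (controller_t){ .cycle_len = cycle_len };
    for (int i = 0; i < NUM_PATHS; i++)
        c->window[i] = w[i];
}

/* Valid only if each window fits in the cycle and no two windows overlap. */
bool ctrl_schedule_valid(const controller_t *c)
{
    if (c->cycle_len == 0) return false;
    for (int i = 0; i < NUM_PATHS; i++) {
        const window_t *a = &c->window[i];
        if (a->close_at >= c->cycle_len || a->duration > c->cycle_len - a->close_at)
            return false;
        for (int j = 0; j < i; j++) {        /* window j is already bounds-checked */
            const window_t *b = &c->window[j];
            if (a->duration && b->duration &&
                a->close_at < b->close_at + b->duration &&
                b->close_at < a->close_at + a->duration)
                return false;
        }
    }
    return true;
}

/* Apply the schedule at time now (seconds); returns the closed path or -1. */
int ctrl_tick(controller_t *c, uint32_t now)
{
    int want = -1;
    if (!c->malware_detected && ctrl_schedule_valid(c)) {
        uint32_t t = now % c->cycle_len;
        for (int i = 0; i < NUM_PATHS && want < 0; i++) {
            const window_t *w = &c->window[i];
            if (t >= w->close_at && t - w->close_at < w->duration)
                want = i;
        }
    }
    /* Break before make: open every other switch before closing the chosen one. */
    for (int i = 0; i < NUM_PATHS; i++)
        if (i != want)
            c->closed[i] = false;
    if (want >= 0) c->closed[want] = true;
    return want;
}

/* Constructed sample schedule: 60 s cycle, three 10 s backup windows. */
static const window_t DEMO[NUM_PATHS] = { {0, 10}, {20, 10}, {40, 10} };

/* Closed path at time now under DEMO; -2 if more than one switch is closed. */
int demo_closed_path_at(uint32_t now, bool malware)
{
    controller_t c;
    int idx = -1, n = 0;
    ctrl_init(&c, 60, DEMO);
    c.malware_detected = malware;
    ctrl_tick(&c, now);
    for (int i = 0; i < NUM_PATHS; i++)
        if (c.closed[i]) { idx = i; n++; }
    return n > 1 ? -2 : idx;
}

/* An overlapping schedule must be refused and leave every path open. */
bool demo_overlap_rejected(void)
{
    const window_t bad[NUM_PATHS] = { {0, 10}, {5, 10}, {40, 10} };  /* 0 and 1 overlap */
    controller_t c;
    ctrl_init(&c, 60, bad);
    return !ctrl_schedule_valid(&c) && ctrl_tick(&c, 7) == -1;
}

int main(void)
{
    for (uint32_t t = 0; t <= 65; t += 5)
        printf("t=%2u closed path: %d\n", (unsigned)t, demo_closed_path_at(t, false));
    printf("overlap rejected: %d\n", demo_overlap_rejected());
    return 0;
}
```

Any failure of the schedule check leaves all paths open, so a corrupted or mis-entered time parameter results in isolation rather than a connection.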
The first, second or one or more output connection interfaces may be for outputting data to a data storage device, such as a data backup device (the isolation unit may be connected directly to a data storage device, or may be connected to a data storage device via connection to a network segment). This may allow the data storage device to be protected from malicious software attack.
The data storage back-up device may comprise a non-volatile memory, such as a hard drive disc, or a solid-state drive, or a Network Attached Storage, NAS, device, or an optical disc, or a USB flash drive.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
FIG 1 shows a schematic view of an isolation unit according to an embodiment connected to a data storage device via an output connection interface, the isolation unit comprises a switchable connection path having a layer 1 switch in a closed state;
FIG 2 shows a schematic view of the isolation unit of FIG 1 with the layer 1 switch in an open state;
FIG 3 shows a schematic view of an isolation unit having both data and power connection interfaces according to another embodiment;
FIG 4 shows a schematic view of an isolation unit connected to a plurality of separate data storage devices according to another embodiment;
FIG 5 shows a schematic view of an isolation unit according to another embodiment having an Ethernet (logical) switching device;
FIGS 6 and 7 show a schematic view of an isolation unit according to another embodiment having an Ethernet (logical) switching device in different layer 1 switch states;
FIGS 8 and 9 show a schematic view of an isolation unit according to another embodiment in which each of the connection interfaces are non-specific input/output connection interfaces in two different layer 1 switch states;
FIGS 10 and 11 show a schematic view of an isolation unit according to another embodiment in which the layer 1 switches are operated in groups.
DETAILED DESCRIPTION
Figures 1 and 2 show a schematic illustration of an isolation unit 100 according to an embodiment. The isolation unit 100 is used for isolating a data storage back-up device 102 (referred to as a data backup device or more generally a data storage device). The isolation unit 100 may provide protection against ransomware attacks or other forms of malicious software attack, such as, attack from viruses, or worms, by isolating the data backup device when it is not being used. The isolation unit may take the form of a consumer device that can be used to isolate a data backup device connected to a home computer or home network. In other embodiments, it may be used for the isolation of a data backup device forming part of a computer server system or the like e.g. for businesses or organisations. The isolation unit is however not limited to either of these uses, and can be implemented for home, business, organisation, or the like, purposes, e.g. as a part of any IT network, stand-alone system, or the like.
The isolation unit 100 generally comprises: an input connection interface 104; an output connection interface 108; connection circuitry 110 having a switchable connection path 112 and a layer 1 switch 114; and a controller 116. The switch 114 is termed a "layer 1" switch because it switches at the OSI physical layer (layer 1) as will be described later, and so that it is distinguished from logical switching devices introduced later. It may be otherwise referred to more simply as a "switch".
The input connection interface 104 is arranged to connect the isolation unit 100 to a data carrying input 106. The input connection interface 104 provides a means of data communication (and in some embodiments power transfer as will be described later) into the isolation unit 100. The data carrying input 106 is any input which carries and transfers data being communicated to the isolation device 100, and which is intended to be communicated via the isolation unit 100 to the data storage back-up device 102. The data carrying input 106 may be any wireless or wired data communication signal.
The input connection interface 104 may be a wired connection interface, or a wireless connection interface. The first of these alternatives allows the isolation unit to be directly connected to a local device or network 117 (e.g. a PC, server, or wired/wireless network router) via a connecting cable to receive a data input to be stored at the connected data backup device 102. The second of these alternatives allows the isolation unit to be wirelessly connected to other computing devices, or to a network, so that data for storage can be received.
In embodiments where the input connection interface 104 is a wired connection interface, the input connection interface 104 may comprise a USB interface, a Fibre-Optic interface, a modular connector connection (e.g. it may be an RJ45 connection or similar), or other suitable interface at which data is received from a wired data carrying input (e.g. via a cable). In these embodiments, the input connection interface 104 may comprise a USB port or socket which is configured to connect to an input USB connector so that a data carrying input can be received by the isolation unit 100. In other embodiments, the input connection interface 104 may comprise a fibre-optic cable connector socket arranged to connect to an optical fibre, or a modular connector connection port. Other types of wired data carrying input methods may also be used, with a corresponding input connection interface 104 chosen as appropriate.
In embodiments where the input connection interface 104 is a wireless connection interface, the input connection interface 104 may comprise a Wi-Fi interface, such as IEEE 802.11, or a Bluetooth interface, or an interface using other wireless connection technologies known in the art (e.g. a cellular network interface). The input connection interface 104 may be connected to a Wide Area Network, such as the Internet, or a local area network (LAN). This allows the input connection interface 104 to receive data that is to be stored at the connected data backup device from any device on a local wireless network, or which may access the data backup device over a WAN or the internet. The input connection interface 104 may comprise a Wi-Fi module or Bluetooth module as are known in the art. In other embodiments, other wireless communication modules may be provided according to the type of wireless technology being used.
The output connection interface 108 is arranged for outputting data to the data storage backup device 102. The output interface 108 may be any suitable interface via which data received from the input interface 104 can be output from the isolation unit 100.
Similarly to the input interface 104, the output interface 108 can be a wireless or wired output interface. Any of the types of interface used for the input interface can also be used for the output interface, which can therefore be a USB, fibre-optic, modular connector (e.g. RJ45 connection), Wi-Fi or Bluetooth interface or other suitable interface as described above or known in the art. In some embodiments, the input and output interfaces may both be of the same type, but in other embodiments, they may differ in type.
The isolation unit 100 can be connected to a number of different types of data backup device (e.g. any computer data storage device or memory) via the output interface. For example, the data storage back-up device 102 may be a non-volatile memory, such as a hard drive disc, a solid-state drive, a Network Attached Storage (NAS) device, an optical disc, a USB flash drive, or any other suitable storage device. Other types of device or network component can also be connected, as will be described later.
The connection circuitry 110 connects the input connection interface 104 and the output connection interface 108. The connection circuitry 110 comprises a switchable connection path 112 as illustrated in Figures 1 and 2 between the input and output interfaces 104, 108. The switchable connection path 112 comprises a layer 1 switch 114, which is arranged to switch between a closed state (shown in Figure 1) and an open state (shown in Figure 2). In the closed state, the connection circuitry 110 connects the input connection interface 104 to the output connection interface 108 via the switchable connection path 112. In the closed state therefore, data received at the input interface 104 can be transmitted via the connection circuitry 110 to the output interface 108. The data backup device 102 is therefore connected to the input interface 104 so that data can be stored without being affected by the presence of the isolation unit 100. In the open state (Figure 2), an isolation point disconnecting the input connection interface 104 and the output connection interface 108 is formed by the switch 114. The switchable connection path 112 is switchable by the switch 114 at the OSI physical layer (OSI Layer 1). This means that the input and output interfaces 104, 108 are disconnected from each other, and so the data backup device 102 is separated from the input interface by the isolation at the lowest OSI layer. This means that data communication with the data storage device 102 is not possible when the switch is in the open state.
The physical layer referred to herein is Layer 1 of the Open Systems Interconnection model (OSI model) that characterises communications in telecommunications, and computer networks and systems. The physical layer provides standards on transmission and receiving raw data between a device and physical transmission medium. The physical layer characterises signalling physical data rates, voltage levels and voltage change timings, maximum transmission distances, modulation schemes, physical connectors, pin layouts, line impedance, cable specifications, etc. The physical layer is the first and lowest layer of the OSI model, and is concerned with physical data transport and in particular defines the characteristics of the hardware needed to carry out data transmissions (i.e. it constitutes the wires which connect two devices i.e. a USB cable or CAT 5 or CAT 6 cables).
The switch or switches of the present application are arranged to switch the respective switchable path at the OSI physical layer. The connection circuitry, switchable connection path and/or switch are therefore at the physical layer, rather than being in a higher layer (e.g. layers 2 to 7). As a result, when the switch 114 is in the open state it ensures no traffic is sent across it. As such, this is safer as an isolation method compared to methods that work at a higher layer in the ISO 7-layer model. For example, a router may be susceptible to ransomware attacks and other attacks because switching is provided at a higher OSI layer.
The switch may be any suitable switch that may provide a switchable connection between the input and output interfaces. The switch of the present application can be considered as an 'airgap' switch because it is in the physical layer.
In some embodiments, the isolation may be formed by a switch with a physical air-gap, which provides a physical space between electrical contacts within the switch that are physically separated, such as an electromechanical (e.g. relay) switch, when the switch is moved to the open or disconnected state. In other embodiments, the switch may comprise an integrated circuit, or a discrete electronics device such as a diode, transistor, or the like. Such a switch does not provide such an actual physical air-gap, but can nonetheless be described as an airgap switch as it is in the physical layer.
In any of the embodiments herein, the switch may be biased towards the open state so that, in the event of a loss of electrical power to the isolation unit, it may return to the open state and maintain isolation.
Referring again to the Figures, the controller 116 is arranged to switch the switch 114 between the closed state and open state. This allows the isolation unit to selectively connect and disconnect the input interface 104 from the data storage device 102. The controller is arranged to provide temporary connection between the input interface and the output interface. The switch 114 is therefore operated by signals from the controller, which is isolated from the input connection interface (and in some embodiments from other external connections). This ensures isolation from malicious software which could otherwise control the switch via the input connection interface.
The isolation of a data storage back-up device 102 allows the data which it stores to be protected from being accessed by malicious software. The data storage back-up device 102 can be accessed to allow data backup to occur when the switch 114 is in the closed state. When data is not being backed up, the switch 114 can be opened such that no access to the data storage 102 is possible. This means that the stored data cannot be attacked by malicious software seeking to encrypt or otherwise tamper with it.
Having data stored on the data storage back-up device 102 at a particular instance in time is advantageous as it allows for the data at that particular instance in time to be used as the current data in a situation when the current data is unable to be used anymore i.e. due to a ransomware attack. The data stored on the data storage back-up device 102 may be the most recent data backed-up onto the data storage, or at any other instance before. For example, in the case of a ransomware attack, where the data has been encrypted and a ransom payment is required in order for a decryption key to be provided to allow the data to be usable again, the data backed-up at the data backup storage device at an earlier instance in time can be used to allow a system to be restored with a copy of the data.
In some embodiments, the isolation unit 100 may be formed by a self-contained unit as illustrated schematically in the Figures. It does not therefore have any operative connection to another remote device via which the switch 114 can be operated to allow unauthorised access to the data storage device 102. Another device may be connected for configuration only, and is disconnected during normal operation. In some embodiments, the switch 114 may be operated only by the controller (e.g. based on locally stored parameters, locally automatically determined condition or via local interaction with the user) or operated by the user via the controller. This means that the isolation unit 100 is not susceptible to attack from malicious software that could close the switch and gain access to the data backup. The isolation unit may therefore be provided in some embodiments as a separate unit having a data input and output that can be connected between two devices or networks to isolate them from each other. In some embodiments, the isolation unit is therefore formed from components mounted within a self-contained housing, or provided on a single server rack unit.
The controller 116 is arranged to control operation of the switch 114 and may be implemented using any suitable hardware and software components, and may for example comprise one or more processors 123 in communication with a computer readable memory 124. The computer readable memory is configured to store one or more computer readable instructions or programs which may be read by the processors in order for the controller 116 to perform functions to control the isolation unit.
The controller 116 may be arranged to switch the switch 114 between the closed state and the open state according to one or more time parameters. The time parameters may define any one or more of: a closing time of the switch 114, an opening time of the switch 114 or a time duration in which the switch 114 is closed or open. The controller 116 may switch the switch 114 between open and closed states according to a time schedule. The switch may therefore be closed at a time when data backup is required to take place, but is otherwise open to maintain isolation. The time parameters may be synchronised with the data backup schedule of a device connected to the input interface from which data is received, thus ensuring that the switch can be open and closed at an appropriate time for data to be backed up.
The one or more time parameters may be stored by the controller 116 in the computer readable memory 124. This allows the time parameters to be stored locally to the controller 116 (e.g. locally within the isolation unit) rather than being remotely accessed. This may reduce the risk of malicious software being able to open and close the switch 114 by interfering with the controller operation.
The controller 116 further comprises an input/output interface 126. This may allow a user to set the time parameters, or provide other access or to set other functions of the isolation unit 100. The time parameters are set via the input/output interface, e.g. so that they can be programmed by the user. The input/output interface 126 may be any form of input/output interface, such as: a data connection port, e.g. a USB port or similar via which another device can be connected when required for configuration; a keyboard and screen interface; or a built in touch screen or other interface. The input/output interface may be a wired connection to another device only, so that no unauthorised access to the controller may occur by malicious software. The input/output interface 126 may allow the user to configure the controller to open and close the switch according to a desired time schedule. By accessing the controller 116 via the input/output interface 126 it can remain isolated from other devices to prevent it from being attacked by malicious software.
In some embodiments, the controller 116 may be arranged to determine when to switch the switch 114 to the open state from the closed state, or from the closed to the open state. This may be done additionally or alternatively to operation via a time schedule. This may allow the controller to operate the switch based on factors other than the pre-programmed time schedule.
The controller 116 may be arranged to determine whether to switch the switch between the closed and open states based on various different conditions. These conditions may be set by the user and stored in the memory of the controller 116. For example, the controller 116 may be arranged to actively determine when to switch the switch 114 based on the current operation of the isolation unit, such as a data transfer state. The determination may be based on any one or more of: if data transfer to the data storage device has been activated; if data transfer has been completed; if the data transfer has been ended. The determination may alternatively or additionally be based on any one or more of: if a specific procedure has been completed (such as compiled code transferred from network section to network section) or if malware has been detected.
For example, the controller 116 may be arranged to monitor the flow of data through or within a part of the connection circuitry 110 and operate the switch according to when data transfer has started, finished (i.e. successfully completed) or is stopped. The controller 116 may determine whether data transfer was stopped abruptly (e.g. due to a power outage) rather than being completed successfully, and may open the switch in response.
Any of the conditions in response to which the switch may be operated may be determined automatically (e.g. in real time) by the controller 116, and the state of the switch changed accordingly.
In other embodiments, the controller 116 may be arranged to switch the switch 114 between the open and closed states based on a manual input from the user. Such an input may be received via the input/output interface 126, or any other suitable user input interface provided as part of the controller (e.g. a switch provided on the outside of the isolation unit to control the internal electronic switch 114). For example, the user may choose to close the switch 114 so that the data backup device 102 can be accessed to pull back a prior backed up file or set of files.
In the embodiments described above, the switch 114 is arranged to selectively switch a data connection path through the isolation unit so that data can and cannot be transmitted between the input interface and output interfaces. In other embodiments, the switch may instead be arranged to (additionally or alternatively) selectively switch a power transmission path through the isolation unit 100. Such an embodiment is illustrated in Figure 3.
Figure 3 shows an embodiment in which the isolation unit 100 comprises a connection circuitry 110 connecting an input interface 104 to an output connection interface 108.
In this embodiment the isolation unit 100 is configured to support a USB input connection interface. The connection circuitry 110 may have a configuration that supports a USB 1, 1.1, or 2 standard, and a standard Type-A connector or other types of USB standard (other USB standards may be used, and the present application is not limited to a particular one). Various standards for USB connectors have two power supply connecting pins and two data connection pins. The input interface therefore comprises both at least one data input connection interface and at least one power connection interface to receive data and electrical power respectively. The output interface 108 is arranged in this embodiment to supply both electrical power and transfer data to the connected data storage device 102. It may therefore also comprise at least one data output connection interface and at least one power connection interface. In the present embodiment, it may also be a USB interface.
Referring to Figure 3, the connection circuitry comprises four connection paths 112a, 112b, 112c, 112d: two complementary signalling connection paths 112a, 112b (for data transmission), and two complementary electrical power paths 112c, 112d. One of the power paths may provide a DC voltage connection, with the other providing a ground connection.
In the embodiment shown in Figure 3, one of the power paths 112d is provided with the switch 114 so that a single switchable power path is provided. By selectively switching one of the power paths, the data storage device may be isolated in a similar manner to that achieved by switching a data carrying connection. Either or both of the power paths may be provided with a switch. In these embodiments, the switch is also in the physical layer to ensure isolation.
In the open state an isolation point is formed within the power connecting path so that electrical power cannot be supplied to the data storage device 102. If the data storage device 102 is not powered, it is not susceptible to attack from malicious software. When the switch 114 is switched to the closed state, the power supply connection circuit to the data storage device 102 is completed and it can be powered for data backup or other operation.
The switchable connection path 112 may be any one of the aforementioned connection paths 112a, 112b, 112c, 112d shown in Figure 3. In some embodiments, any one or more of the connection paths provided in the connection circuitry may comprise a respective switch. In other embodiments a single switch may be provided for one or more (or all) of the connection paths. For example, switches may be provided for one or both data carrying connection paths and electrical power paths, or for only one of these. The controller 116 is arranged to control the operation of the switch 114 similarly to that described above in connection with Figures 1 and 2, such that the switch or switches are switched between open and closed states as required.
Although Figure 3 illustrates an example in which a USB input interface is provided, other combined electrical power and data carrying communication methods may be used. The switching of a data carrying path between the input and output interface may therefore apply to other interface technologies.
In the embodiments shown in Figures 1 to 3, a single output interface 108 is provided to connect to a single data storage device 102. In other embodiments, more than one output interface may be provided. Such an embodiment is shown in Figure 4, which shows an isolation unit 200 which has a connection circuitry 210, connecting an input connection interface 204 to a plurality of output connection interfaces 208a-208d. The embodiment of Figure 4 includes features corresponding to those of Figures 1 to 3, with corresponding reference numbers used accordingly.
In the embodiment shown in Figure 4, the connection circuitry 210 comprises a plurality of switchable paths 212a-212d, each having a respective switch 214a-214d (i.e. a first switch 214a, second switch 214b, third switch 214c and fourth switch 214d), each connected to a separate one of the output connection interfaces 208a-208d. The switches 214a-214d again switch the respective switchable path at the physical layer, and so may be referred to as layer 1 switches. Each output connection interface 208a-208d is connected to a separate respective data storage back-up device 202a-202d. The controller 216 in this embodiment is arranged to control the switches 214a-214d in such a way that only one of the switches 214a-214d on the switchable connection paths 212a-212d is closed at any one time. That switch is preferably closed only for a limited period for data backup to occur, and otherwise all other switches are open. The closure of only one of the switches 214a-214d on the switchable connection paths 212a-212d at a time ensures that the other data storage back-up devices 202a-202d are protected during the period of time in which that one switch 214a-214d is closed. This means that even if malicious software were to attack during a time in which a data backup was taking place, only one of the data backup devices would be compromised as the others would remain isolated.
The controller 216 may be configured to control the switches as follows to ensure only one output interface 208a-208d is connected at any one time. Firstly, the switch 214a-214d that is currently closed is opened, thus disconnecting the respective data backup storage device 202a-202d from the input connection interface 204, via the respective switch 214a-214d on the respective switchable connection path 212a-212d. All of the switches 214a-214d on the switchable connection paths 212a-212d are then in an open state. Secondly, the next switch 214a-214d in the switching sequence, that connects a different data back-up storage device 202a-202d to the input connection interface 204, can now be closed. This process can be repeated for all of the switches.
The controller 216 may be configured to operate the switches according to one or more time parameters or other conditions as described above, or manually. The controller may store a timed sequence defining which of the switches are in the open state and when. The timed sequence may further define which of the switches 214a-214d should be closed at a particular time. A sequence is therefore defined in which one (or more) of the plurality of switches is closed for a limited time period in turn (with the others remaining in the open state) so that the connected data backup devices 202a-202d can be used in turn during that closed period. For example, the first data backup device 202a can be used for backup with the first switch 214a in the closed state, with the others isolated, then the second data backup device 202b used while the others remain isolated and so on. Once each of the data backup devices have been connected and used for data backup, the sequence may return to the first data backup device 202a and continually repeat as required.
While the embodiment shown in Figure 4 includes four output interfaces connected to four different data backup devices 208a-208d, any number may be provided, such as two or more. In one preferable embodiment, seven (or eight) output interfaces are provided.
In the embodiment shown in Figure 4, the controller 216 is configured to operate the switches 214a-214d automatically according to the timed sequence. For example, the time sequence may define a first time period (e.g. on a first day) during which the first switch is closed so that a data backup can occur, a second time period (e.g. on a second day) during which the second switch is closed to allow backup using a different data storage, and so on for each of the switches. In other embodiments, the controller may be configured to operate the switching according to other conditions as described elsewhere herein. In yet other embodiments, the switches 214a-214d may be operated manually by the controller based on user input.
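The Figure 4 switching sequence described above (open the closed switch, have every path open, then close the next) can be modelled as follows. This is an added example, not code from the application: the class and function names, the hour-based time units and the sample schedule are assumptions, and the power-loss handler models the biased-open behaviour described earlier.

```python
from dataclasses import dataclass

OPEN, CLOSED = "open", "closed"


@dataclass(frozen=True)
class Slot:
    switch: str    # layer 1 switch that this window closes
    start: int     # offset into the repeating cycle (hours in this model)
    duration: int  # how long the switch stays closed


class RotationController:
    """Hypothetical model: closes at most one switch at a time from a local schedule."""

    def __init__(self, switches, schedule, cycle_len):
        self.state = {name: OPEN for name in switches}  # every path starts isolated
        self.cycle_len = cycle_len
        self.schedule = self._validate(sorted(schedule, key=lambda s: s.start))
        self.log = []  # (time, switch, new_state), in the order actions were taken

    def _validate(self, slots):
        # Overlapping windows would need two closed switches at once, so reject them.
        prev_end = 0
        for slot in slots:
            if slot.switch not in self.state:
                raise ValueError(f"unknown switch {slot.switch}")
            if slot.duration <= 0 or slot.start < prev_end:
                raise ValueError("windows must be non-empty and must not overlap")
            prev_end = slot.start + slot.duration
        if prev_end > self.cycle_len:
            raise ValueError("window runs past the end of the cycle")
        return slots

    def wanted(self, t):
        """Return the switch the schedule wants closed at time t, or None."""
        offset = t % self.cycle_len
        for slot in self.schedule:
            if slot.start <= offset < slot.start + slot.duration:
                return slot.switch
        return None

    def _set(self, t, name, new_state):
        if self.state[name] == new_state:
            return
        if new_state == CLOSED and CLOSED in self.state.values():
            raise RuntimeError("refusing to close: another switch is still closed")
        self.state[name] = new_state
        self.log.append((t, name, new_state))

    def tick(self, t):
        target = self.wanted(t)
        # Break first: open every switch that should not be closed right now.
        for name in self.state:
            if name != target:
                self._set(t, name, OPEN)
        # Make second: all other paths are open at this point.
        if target is not None:
            self._set(t, target, CLOSED)

    def power_loss(self, t):
        # Models switches biased towards the open state.
        for name in self.state:
            self._set(t, name, OPEN)

    def closed(self):
        return [name for name, st in self.state.items() if st == CLOSED]


def simulate(hours=16):
    switches = ["214a", "214b", "214c", "214d"]
    # Constructed schedule: 214a and 214b run back to back, the rest have gaps.
    schedule = [Slot("214a", 0, 2), Slot("214b", 2, 2),
                Slot("214c", 5, 1), Slot("214d", 7, 1)]
    ctl = RotationController(switches, schedule, cycle_len=8)
    most_closed = 0
    for t in range(hours):
        ctl.tick(t)
        most_closed = max(most_closed, len(ctl.closed()))
    ctl.power_loss(hours)
    return ctl, most_closed


if __name__ == "__main__":
    controller, peak = simulate()
    for entry in controller.log:
        print(entry)
    print("most switches closed at once:", peak)
```

The log shows 214a opening before 214b closes at the shared boundary, which is the ordering the description requires.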
In the embodiments already described, the isolation unit 100 includes a single input interface 104. In other embodiments, multiple input interfaces may be provided, each connected to the same one or to multiple separate output interfaces. The isolation unit may therefore be used to isolate more than one input source from a single backup storage device shared between them.
Another embodiment of an isolation unit 300 is illustrated in Figure 5. In this embodiment, the isolation unit 300 comprises first and second connection interfaces 304, 308 which are configured to connect the isolation unit 300 to a data carrying input and a computer device or network segment. In this example, the first connection interface 304 is configured to act as an input connection interface (connected to the data carrying input 306), with the second interface 308 configured to act as an output connection interface (connected to a data back-up device 302). In other examples, the connection to the first and second interfaces may be reversed. The isolation unit 300 further comprises a connection circuitry 310 connecting between the first and second connection interfaces 304, 308 (and any further connection interfaces that may be provided). The connection circuitry 310 includes a switchable connection path 312 having a layer 1 switch 314 arranged to switch between closed and open states, under the control of a controller 316. The first and second connection interfaces 304, 308, connection circuitry 310, layer 1 switch 314 and controller 316 correspond to those of the embodiments described above, thus corresponding reference numbers are used for consistency. Any of the features described in connection with the embodiments of Figures 1 to 4 may also therefore apply to that of Figure 5.
In the embodiment shown in Figure 5, the connection circuitry 310 further comprises a logical switching device 330 (or more simply referred to as a switching device). The logical switching device has a plurality of connection points (e.g. ports) 330a, 330b and is arranged to allow data received at any connection point to be routed to any other connection point. In the presently described embodiment, the logical switching device is an Ethernet switching device. By "Ethernet switching device" we mean an Ethernet Switch, Ethernet Hub or Ethernet Router as known in the art. The Ethernet switching device 330 allows logical routing of data from each connection point to one, many or all other connection points. This logical routing (also called switching) allows multiple Ethernet Connections to be essentially connected together in a way simply connecting the cables at layer 1 would not achieve. In the embodiment shown in Figure 5, the first and second connection interfaces 304, 308 comprise Ethernet ports so that the isolation unit 300 can form part of an Ethernet network. Other types of connection interface may be used in other embodiments.
The layer 1 (air-gap) switch 314 in the embodiment of Figure 5 may be as described in other embodiments herein, and controlled by the controller 316 as previously described. In the embodiment of Figure 5, the switch 314 comprises a semiconductor switch (e.g. rather than a relay switch). The Ethernet switching device 330 similarly comprises semiconductor switches. By utilising semiconductor switches for the layer 1 (air-gap) switch 314 and the Ethernet switching device 330, in a powered off situation of the isolation unit 300, no route needs to be connected as would be the case in an implementation which relied on relays as an air-gapped solution alone. This may reduce security vulnerability.
The switchable connection path 312 of Figure 5 extends between the first and second interfaces 304, 308 via the logical switching device 330. Although the layer 1 switch 314 in Figure 5 is shown between the first interface 304 and a connection point of the logical switching device 330, it may in other embodiments be between a connection point of the logical switching device 330 and the second interface 308.
The addition of the logical Ethernet switching device 330 is advantageous because it can reduce the risk of Ethernet connectivity degradation and avoid shortening the Ethernet connection length. This is because Ethernet networks require a maximum specified length of physical connection over which operation is guaranteed. If an air-gap (layer 1) switch alone is used to form the switchable path, the isolation unit can only be used to connect two physical connections which together do not exceed the Ethernet maximum specified length, and may result in signal degradation over the connection. By use of the Ethernet switching device 330 the isolation unit 300 can ensure that a connection through the air-gap switch will meet performance requirements of the relevant standards bodies which define Ethernet network requirements.
Figure 6 illustrates a further embodiment of an isolation unit 400 in which further connection interfaces are provided in combination with a logical switching device 430 having a plurality of connection points 430a, 430b, 403c, 430d. In this embodiment, the logical switching device 430 is again an Ethernet switching device. The isolation unit 400 comprises first and second connection interfaces 404, 408a similar to those of the embodiment of Figure 5, connection circuitry 410, the logical switching device 430 and a controller 416. These components correspond with those of the other embodiments described herein, and will not be described in detail again. The features described in connection with other embodiments may apply also to that of Figure 6.
The isolation unit 400 of the embodiment of Figure 6 includes two further connection interfaces, and so includes four in total. The connection circuitry 410 includes a first switchable path 412a connecting the first connection interface 404 to the second connection interface 408a via the switching device 430. The first switchable path 412a has two layer 1 (air-gap) switches in this embodiment (the first and fourth switches 414a, 414d) which are switchable between an open and a closed state as described in connection with other embodiments. The isolation unit 400 further comprises a second switchable path 412b, connecting the first connection interface and the third connection interface 408b via the logical switching device 430, and having a corresponding second layer 1 (air-gap) switch 414b (as well as the fourth switch 414d). The connection circuitry further comprises a third switchable connection path 412c, connecting the first connection interface 404 and the fourth connection interface 408c via the logical switching device 430, and having a corresponding third layer 1 (air-gap) switch 414c (as well as the fourth switch 414d). Each of the first, second, third and fourth switches are arranged to provide an "air-gap" switch by operating at OSI layer 1 as described elsewhere herein, and so may be termed "layer 1" switches. The controller 416 is configured to move the layer 1 switches between respective open and closed states to provide the desired isolation and connection between the connection interfaces. Each of the first, second and third switchable connection paths 412a-c include the part of the connection circuitry 410 linking the first interface 404 to the switching device 430 as shown in Figure 6, along with the relevant part of the connection circuitry after the switching device 430.
By combining the layer 1 (air-gap) switches and the logical switching of the logical switching device 430 a one to many air-gap isolation unit can be formed, which allows air-gap switching of multiple connection points to allow or dis-allow connections between multiple connection interfaces.
In one embodiment, the first interface 404 is configured to act as an input interface, and is configured to connect to a data carrying input 406 as shown. The second, third and fourth connection interfaces 408a, 408b, 408c are configured to act as output interfaces, and so are configured to connect to respective computer devices (e.g. data back-up storage devices) or network segments 402a, 402b, 402c to which data is to be communicated from the first connection interface 404. The controller 416 is configured to operate the layer 1 switches so that the output interfaces 408a, 408b, 408c can be selectively connected to, or isolated from, the input interface 404. This is shown in Figures 6 and 7. In Figure 6 the second and fourth switches 414b, 414d are closed to allow connection between the first connection interface 404 and the third connection interface 402b, with the second and fourth connection interfaces 408b, 408c isolated from them (because their respective layer 1 switches are open). In Figure 7, the third and fourth switches 414c, 414d are closed to allow connection between the first connection interface 404 and fourth connection interface 408c, with the second and third connection interfaces 402a, 402b isolated from them (because their respective layer 1 (airgap) switches 414a, 414b are open).
In another embodiment the fourth switch, 414d, may not be present as the layer 1 switches 414a, 414b and 414c are sufficient to provide an air gapped solution (similarly any other single one of the switches may be omitted). More generally therefore, each of switchable connection paths 412a, 412b, 412c extending between the first connection interface 404 and a respective one of the second, third and fourth connection interfaces 408a, 408b, 408c comprises at least one layer 1 switch. The switches are located in the connection circuitry 410 so that the first connection interface 404 can be independently isolated from the second, third and fourth connection interfaces 408a, 408b, 408c such that none, or any one or more of them, are connected to the first connection interface 404 at a time.
Although three output interfaces 408a, 408b, 408c are shown in Figures 6 and 7, other numbers may be provided such as two, or more than three. Each output interface may be connected to the input interface by a switchable connection path having at least one layer 1 switch.
In other embodiments, the first, second, third and fourth connection interfaces are each configured to act as either an input interface or an output interface, dependent on which kind of device or network component they are attached to. This provides egalitarian operation of the connection interfaces, and allows more connection flexibility. The controller may, in such an embodiment, operate the switches so that each can act as an input and be connected to, or isolated from, any of the other connection interfaces as required. Data can be received or output by each of the connection interfaces as required. Examples of this are shown in Figures 8 and 9.
These figures show an embodiment of an isolation unit 500 with connecting circuitry 510 having components corresponding to those of the embodiment shown in Figures 6 and 7, including four layer 1 (air-gap) switches 514a, 514b, 514c, 514d, a logical switching device 530 (e.g. an Ethernet switching device) having a plurality of connection points 530a, 530b, 530c, 530d, and a controller 516, and corresponding switchable connection paths between the connection interfaces and the logical switching device 530.
In the embodiment of Figures 8 and 9, the first, second, third and fourth connection interfaces 530a-d can each act as either an input or an output interface. The function of each may be set according to the kind of device they are connected to or whether data is being sent or transmitted by that device, and they can each receive or output data as and when required. The isolation unit 500 therefore includes first, second, third and fourth connection interfaces 532a-d which each form a multiple direction, non-specific connection interface. These connection interfaces are each connected to a respective network segment 517a-d, but any of them could alternatively be connected to a data storage device as desired. In this embodiment each of the connection interfaces 532a-d are connected to a connection point on the switching device 530 via a respective one of the switches 514a-d as shown in the Figures. Each switchable connection path between any two of the interfaces therefore includes two switches. In other embodiments, a single one of the switches may be omitted, so that more generally each of the connection paths include at least one switch.
Figure 8 shows a state in which the first, third and fourth switches 514a, 514c, 514d are closed to allow communication between the first, third and fourth connection interfaces 532a, 532c, 532d, while the second connection interface 532b is isolated from them. This allows interconnectivity between the first, third and fourth interfaces. Figure 9 shows another state in which the first, second and third switches 514a, 514b, 514c are closed to allow communication between the first, second and third connection interfaces 532a, 532b, 532c, while the fourth connection interface 532d is isolated from them.
In some embodiments, the layer 1 switches 514a-d may be controlled by the controller 516 so that they are operated in groups. They may be operated such that the connection interfaces of a first group are never connected by the controller to those of a second group. Interconnection may be allowed however between connection interfaces of the same group (when the respective air-gap switches are closed to provide interconnectivity within that group). An example of this can be seen in Figures 10 and 11. In this example, the first and third connection interfaces 532a, 532c form a first group, with the second and fourth connection interfaces 532b, 532d forming a second group. The controller 516 is configured to allow interconnection between the first and third connection interfaces 532a, 532c, and between the second and fourth connection interfaces 532b, 532d by operating the air-gap switches 514a-514d accordingly, but to disallow interconnection between the connection interfaces of the different groups e.g. the first connection interface 532a is never connected by the controller to the second connection interface 532b. The switches of the first group are therefore controlled to all be in a closed state and the switches of the second group all in an open state, or vice versa.
Although four multiple-direction connection interfaces 532a-d are shown in Figures 8, 9, 10 and 11 other numbers could be provided such as only two, or more than four. In such embodiments, each additional multiple-direction connection interface may be provided with a corresponding layer 1 switch between it and its respective connection point on the switching device 530.
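The group rule described above for Figures 10 and 11 can be checked before any switch is moved, by working out which interfaces a requested switch state would interconnect through the logical switching device. This is an added example, not code from the application: the class, method and function names are assumptions, and the model allows more than one switch in series per interface, which goes slightly beyond the one-switch-per-interface arrangement of Figures 8 to 11.

```python
from itertools import combinations


class GroupedIsolationUnit:
    """Hypothetical model of the Figures 8 to 11 topology with a group policy."""

    def __init__(self, attach, groups):
        # attach: interface -> layer 1 switches in series between that interface
        # and its connection point on the logical switching device.
        self.attach = {iface: tuple(sw) for iface, sw in attach.items()}
        self.groups = [frozenset(g) for g in groups]
        members = sorted(i for g in self.groups for i in g)
        if members != sorted(self.attach):
            raise ValueError("each interface must belong to exactly one group")
        self.switches = {s for sw in self.attach.values() for s in sw}
        self.closed = set()  # all switches open: every interface isolated
        self.log = []        # ("open" | "close", switch) in the order applied

    def attached(self, closed=None):
        """Interfaces whose whole series path to the switching device is closed."""
        closed = self.closed if closed is None else set(closed)
        return {i for i, sw in self.attach.items() if all(s in closed for s in sw)}

    def connected_pairs(self, closed=None):
        # The logical switching device routes between all attached connection points.
        return set(combinations(sorted(self.attached(closed)), 2))

    def violations(self, closed):
        """Pairs that would be interconnected although they are in different groups."""
        return {
            (a, b)
            for a, b in self.connected_pairs(closed)
            if not any(a in g and b in g for g in self.groups)
        }

    def request(self, closed):
        """Apply a requested set of closed switches only if no group is bridged."""
        closed = set(closed)
        if closed - self.switches:
            raise ValueError(f"unknown switches: {sorted(closed - self.switches)}")
        if self.violations(closed):
            return False  # refuse; the current state is left untouched
        # Open before closing. The intermediate state is a subset of the accepted
        # target, so it cannot attach anything the target would not.
        for s in sorted(self.closed - closed):
            self.closed.discard(s)
            self.log.append(("open", s))
        for s in sorted(closed - self.closed):
            self.closed.add(s)
            self.log.append(("close", s))
        return True


def demo():
    # Constructed configuration using the reference numerals of Figures 10 and 11.
    unit = GroupedIsolationUnit(
        attach={"532a": ["514a"], "532b": ["514b"],
                "532c": ["514c"], "532d": ["514d"]},
        groups=[{"532a", "532c"}, {"532b", "532d"}],
    )
    results = [
        unit.request({"514a", "514c"}),  # first group only: accepted
        unit.request({"514a", "514b"}),  # would bridge the groups: refused
        unit.request({"514b", "514d"}),  # second group only: accepted
    ]
    return unit, results


if __name__ == "__main__":
    u, outcome = demo()
    print(outcome, sorted(u.connected_pairs()), u.log)
```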
The controller of the embodiments shown in Figures 6, 7, 8, 9, 10 and 11 may be arranged to control the layer 1 (air-gap) switches of the respective isolation module similarly to that of the controller of any other embodiment described herein. For example, the controller of the embodiments of Figures 6, 7, 8, 9, 10 and 11 may be arranged to control the switches according to a timed switching sequence as described in connection with the embodiment of Figure 4.
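The group rule of Figures 10 and 11 combined with a timed switching sequence, as an added example that is not part of the patent text: a C model of the decision a controller such as 516 could make for the four layer 1 switches. The `window` schedule format, the function names and the sample schedule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per layer 1 switch 514a-d; a set bit means "closed". */
enum { SW_A = 1u << 0, SW_B = 1u << 1, SW_C = 1u << 2, SW_D = 1u << 3 };

/* Grouping of Figures 10 and 11: 532a/532c form one group, 532b/532d the other. */
#define GROUP_1  (SW_A | SW_C)
#define GROUP_2  (SW_B | SW_D)
#define ALL_OPEN 0u

/* Hypothetical schedule entry (field names are assumptions): close one group
 * at close_at_s seconds since midnight and keep it closed for duration_s.
 * Windows are assumed not to cross midnight. */
struct window {
    uint32_t close_at_s;
    uint32_t duration_s;
    uint8_t  group_mask;   /* GROUP_1 or GROUP_2 */
};

/* A state is acceptable only if it never closes switches of both groups. */
bool mask_is_safe(uint8_t mask)
{
    return !((mask & GROUP_1) && (mask & GROUP_2));
}

/* Two interfaces are connected only when both of their switches are closed,
 * because each path crosses the switching device and contains two switches. */
bool connected(uint8_t mask, uint8_t sw_x, uint8_t sw_y)
{
    return sw_x != sw_y && (mask & sw_x) && (mask & sw_y);
}

/* Switch state for time now_s. Isolation is the default: outside every
 * window, on an unknown group value, or when windows of different groups
 * overlap, every switch stays open. */
uint8_t switch_mask_at(const struct window *w, size_t n, uint32_t now_s)
{
    uint8_t mask = ALL_OPEN;
    for (size_t i = 0; i < n; i++) {
        if (w[i].group_mask != GROUP_1 && w[i].group_mask != GROUP_2)
            return ALL_OPEN;                 /* malformed entry */
        if (now_s >= w[i].close_at_s &&
            now_s - w[i].close_at_s < w[i].duration_s)
            mask |= w[i].group_mask;
    }
    return mask_is_safe(mask) ? mask : ALL_OPEN;
}

/* Constructed sample schedule; the third entry deliberately overlaps the
 * second to exercise the conflict rule. */
static const struct window demo_schedule[] = {
    { 1 * 3600,       1800, GROUP_1 },   /* 01:00-01:30 */
    { 2 * 3600,       1800, GROUP_2 },   /* 02:00-02:30 */
    { 2 * 3600 + 900, 1800, GROUP_1 },   /* 02:15-02:45 */
};

int main(void)
{
    const uint32_t probes[] = { 0, 3660, 7260, 8200, 9200 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint8_t m = switch_mask_at(demo_schedule, 3, probes[i]);
        printf("t=%5us closed=0x%x a<->c=%d a<->b=%d\n",
               (unsigned)probes[i], (unsigned)m,
               connected(m, SW_A, SW_C), connected(m, SW_A, SW_B));
    }
    return 0;
}
```

Resolving a schedule conflict to the all-open state keeps a configuration mistake from ever bridging the two groups.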
In any of the embodiments described herein, the layer 1 (air-gap) switches comprise semi-conductor switches. By utilising semiconductor switches for the layer 1 and an ethernet switching device, in a powered off situation, no route needs be connected as would be the case in an implementation which relied on relays as an air-gapped solution alone, which could present a security vulnerability in some circumstances. In other embodiments, relay switches, or other types of switch may be used.
In embodiments described above the logical switching device 330, 430, 530 provided in the isolation unit is an Ethernet switching device. The connection interfaces comprise Ethernet ports in such embodiments, to allow the isolation unit to form part of an Ethernet network. In other embodiments however, other kinds of logical switching device may be used which allow data routing between all connection points. For example, other types of network switch such as a USB hub may be used (in which case the connection interfaces comprise USB ports).
In the previously described embodiments the isolation units 100, 200, 300, 400, 500 are configured for connection to one or more data backup devices. The present application is not however limited to only that use. In other embodiments, the isolation unit may be used to isolate other computing devices that may be susceptible to attack from malicious software. The output interface may therefore more generally be configured for connection to a computing device or network segment. This may include data backup devices, network components or other types of computing device or network architecture. For example, the isolation unit may allow a part of a network to be isolated from another part of a network. Similarly, the isolation unit may be configured to receive input data from any computing device or network segment, and is not limited to a particular source of data that is to be backed up, or via which communication between devices or parts of a network takes place.
In use the output interface of the isolation module 100, 200 (or an appropriate one or more of the interfaces of the isolation modules 300, 400, 500) is connected to a device or network segment which is to be isolated. The input interface (or other appropriate interface or interfaces of the isolation modules 300, 400, 500) is then connected to a device or network segment which is to communicate with the other device/network segment. The devices/network segments can be isolated so that power flow and/or data transfer cannot take place between them when the switch is in the open state. When power flow and/or data flow is required, the layer 1 switch is closed. The layer 1 switch may be closed by the controller (e.g. either automatically according to a time schedule or other factors, or via a user input). This allows the device or network segment connected at the output interface to be protected from attack by malicious software.
The isolation unit of the present application may be implemented using any suitable hardware and software modules, or a mixture thereof. The connection circuitry described and claimed herein may be formed by any set of hardware components that are used to link the input interface to the output interface or interfaces (e.g. output wired connection port or wireless connection modules) to allow data communication or transmission of a power supply between them. The same may apply to the other interfaces described herein. The isolation unit may be provided with any suitable internal or externally connected power supply.
In the embodiments described herein, the processor and memory provided in the controller form a microcontroller (MCU) configured to carry out any of the functions of the controller described herein. In other embodiments, the controller may take different forms. The controller may comprise any combination of hardware and software that operates to control and process information and carry out programmed instructions. The controller may comprise any suitable processing circuitry including microprocessors, programmable logic devices, application specific integrated circuits (ASIC), application specific instruction set processors (ASIP) or the like. The controller may be any device suitable for controlling the operations of the control system according to the functions defined herein (or additional functions) by processing information (e.g. information received from sensors, stored in local memory or received from an external source). In some embodiments, the controller 116 may be formed from distributed components within the isolation unit.
In embodiments having a logical switching device (e.g. an Ethernet switching device) it may be included in the same unit or modules as the layer 1 (air-gap) switches as shown in the figures, with separate hardware provided for each. In other embodiments, however, the air-gap switches and switching device may be integrated onto one integrated circuit device providing the same functionality as separate components.
Various modifications will be apparent to the skilled person without departing from the scope of the claims. Any feature disclosed in connection with one embodiment may be used in combination with the features of another embodiment.
Although the appended claims are directed to particular combinations of features, it should be understood that the scope of the disclosure of the present invention also includes any novel feature or any novel combination of features disclosed herein either explicitly or implicitly or any generalisation thereof, whether or not it relates to the same invention as presently claimed in any claim and whether or not it mitigates any or all of the same technical problems as does the present invention.
Features which are described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination. The applicant hereby gives notice that new claims may be formulated to such features and/or combinations of such features during the prosecution of the present application or of any further application derived therefrom.
For the sake of completeness, it is also stated that the term "comprising" does not exclude other elements or steps, the term "a" or "an" does not exclude a plurality, a single processor or other unit may fulfil the functions of several means recited in the claims and any reference signs in the claims shall not be construed as limiting the scope of the claims.
The following clauses may define various aspects of the present application (these are not claims):
Clause 1. An isolation unit for isolating one or more computer devices or network segments to prevent access by malicious software, comprising: an input connection interface configured to connect to a data carrying input; one or more output connection interfaces for outputting data to the one or more computer devices or network segments; connection circuitry connecting between the input connection interface and the one or more output connection interfaces, the connection circuitry having at least one switchable connection path, wherein the switchable connection path comprises a switch arranged to switch between a closed state in which the input connection interface and a respective one of the one or more output connection interfaces are connected via the switchable connection path, and an open state in which the switchable connection path is disconnected between the input connection interface and the respective one of the one or more output connection interfaces, wherein the switchable connection path is switchable by the switch at the OSI physical layer; and a controller configured to switch the switch between the closed state and the open state.
Clause 2. An isolation unit according to Clause 1, wherein the input connection interface comprises at least one data input connection interface and at least one power connection interface.
Clause 3. An isolation unit according to Clause 2, wherein the switchable connection path connects one of the data input connection interfaces and/or one of the power connection interfaces to the output connection interface.
Clause 4. An isolation unit according to any preceding Clause, wherein the input connection interface comprises a wired connection interface.
Clause 5. An isolation unit according to Clause 4, wherein the input connection interface comprises a USB interface, a Fibre-Optic interface, or a modular connector connection interface.
Clause 6. An isolation unit according to any preceding Clause, wherein the input connection interface comprises a wireless connection interface, preferably a Wi-Fi or Bluetooth connection interface.
Clause 7. An isolation unit according to Clause 6, wherein the input interface comprises an IEEE 802.11 type interface.
Clause 8. An isolation unit according to any preceding Clause, wherein the input connection interface is configured to connect to a Wide Area Network (WAN), such as the internet, or a Local Area Network (LAN).
Clause 9. An isolation unit according to any preceding Clause, wherein the controller is configured to switch the switch between the closed and open states according to one or more time parameters.
Clause 10. An isolation unit according to Clause 9, wherein the time parameters define any one or more of: a closing time of the switch, an opening time of the switch or a time duration in which the switch is closed or open.
Clause 11. An isolation unit according to clause 9 or clause 10, wherein the one or more time parameters are stored in a local computer readable memory of the controller.
Clause 12. An isolation unit according to any of clauses 9 to 11, wherein the isolation unit comprises an input/output interface via which the one or more time parameters are set by the user.
Clause 13. An isolation unit according to clause 12, wherein the input/output interface comprises: a data connection port, such as a USB port; a keyboard and screen interface, or touch screen interface.
Clause 14. An isolation unit according to any preceding Clause, wherein the controller is configured to determine when to switch the switch to the open state from the closed state, or from the closed state to the open state, wherein optionally the determination is based on any one or more of: if the data transfer has been activated, if data transfer has been completed; if the data transfer has been ended; if a specific operation procedure has been complete; or if malware has been detected.
Clause 15. An isolation unit according to any preceding Clause, wherein the controller is configured to operate the switch based on a user input received by the controller.
Clause 16. An isolation unit according to any preceding Clause, wherein: the isolation unit comprises a plurality of output connection interfaces, each configured to connect to a separate computer device or network segment; the input connection interface is connected to each of the plurality of output connection interfaces via the connection circuitry; the switchable path is one of a plurality of switchable paths each connecting between the input interface and a respective one of the output connection interfaces; each of the switchable paths comprises a switch arranged to switch between a closed state in which the input connection interface and the respective output connection interface are connected, and an open state in which the switchable connection path is disconnected between the input connection interface and the respective output connection interface, wherein the switchable connection paths are switchable by the respective switch at the OSI physical layer.
Clause 17. An isolation unit according to Clause 16, wherein the controller is configured to switch the switches between respective closed and open states to connect and disconnect the input connection interface to the respective output connection interfaces such that at least one of the switches is in the open state at a given time.
Clause 18. An isolation unit according to Clause 17, wherein the controller is configured to control the switches according to a timed switching sequence.
Clause 19. An isolation unit according to any preceding Clause, wherein the one or more output connection interfaces are for outputting data to a data storage device, such as a data backup device.
Clause 20. An isolation unit according to Clause 19, wherein the data storage back-up device comprises a non-volatile memory, such as a hard drive disc, or a solid-state drive, or a Network Attached Storage, NAS, device, or an optical disc, or a USB flash drive.

Claims (25)

  1. An isolation unit for isolating one or more computer devices or network segments to prevent access by malicious software, comprising: a first connection interface and a second connection interface, at least one of the first and second connection interfaces configured to connect the isolation unit to a data carrying input, and the other being at least for outputting data to the one or more computer devices or network segments; connection circuitry connecting between the first connection interface and the second connection interface, the connection circuitry having at least one switchable connection path, wherein the switchable connection path comprises a layer 1 switch arranged to switch between a closed state and an open state, in the closed state the first connection interface and the second connection interface are connected via the switchable connection path, and in the open state the switchable connection path is disconnected between the first connection interface and the second connection interfaces, and wherein the switchable connection path is switchable by the switch at the OSI physical layer; and a controller configured to switch the layer 1 switch between the closed state and the open state.
  2. An isolation unit according to claim 1, wherein the connection circuitry further comprises a logical switching device forming part of the switchable connection path between the first and second interfaces, wherein the logical switching device comprises a plurality of connection points, and is arranged to allow data routing between any one of the connection points to any other of the connection points.
  3. An isolation unit according to claim 2, wherein the logical switching device is an Ethernet switching device, and preferably the first and second connection interfaces are Ethernet ports.
  4. An isolation unit according to claim 2 or claim 3, wherein the layer 1 switch is a first layer 1 switch, and the isolation unit further comprises a third connection interface, and wherein: the switchable connection path is a first switchable connection path extending between the first connection interface and the second connection interface via the logical switching device, and includes the first layer 1 switch; the connection circuitry comprises a second switchable connection path extending between the first connection interface and the third connection interface via the logical switching device, the second switchable connection path comprising a second layer 1 switch; wherein each of the first and second layer 1 switches are configured to switch between a closed state and an open state to independently isolate the first connection interface from the second and/or third connection interfaces, and the first and second switchable connection paths are switchable by the respective layer 1 switch at the OSI physical layer; and wherein the controller is configured to switch the first and second layer 1 switches between their respective closed and open states.
  5. An isolation unit according to claim 4, wherein the first interface is configured to act only as an input interface and is connectable to a data carrying input interface, and the second and third interfaces are configured to act only as output interfaces and are connectable to respective computer devices or network segments.
  6. An isolation unit according to claim 4, wherein the first, second and third interfaces are each configured to act as both an input interface or an output interface, and preferably are each connected to a connection point on the logical switching device via a respective layer 1 switch.
  7. An isolation unit according to any of claims 4, 5 and 6, wherein the controller is configured to operate the layer 1 switches such that they are operated in groups, whereby the switches of a first group are all in a closed state and the switches of a second group are all in an open state at a given time, or the switches of the first group are all in an open state and the switches of the second group are all in a closed state at any given time.
  8. An isolation unit according to any preceding claim, wherein the layer 1 switch, or each layer 1 switch when dependent on any of claims 4 to 7, is a semiconductor switch.
  9. An isolation unit according to claim 1, wherein: the first connection interface is an input connection interface configured to connect the isolation unit to the data carrying input; and the second connection interface is one of one or more output connection interfaces for outputting data to the one or more computing devices.
  10. An isolation unit according to claim 9, wherein the input connection interface comprises at least one data input connection interface and at least one power connection interface, and optionally wherein the switchable connection path connects one of the data input connection interfaces and/or one of the power connection interfaces to the output connection interface.
  11. An isolation unit according to any preceding claim, wherein the first and/or second connection interfaces comprises a wired connection interface.
  12. An isolation unit according to claim 11, wherein the first and/or second interface comprises a USB interface, a Fibre-Optic interface, or a modular connector connection interface.
  13. An isolation unit according to any preceding claim, wherein the first and/or second connection interfaces comprises a wireless connection interface, preferably a Wi-Fi or Bluetooth connection interface, and further preferably an IEEE 802.11 type interface.
  14. An isolation unit according to any preceding claim, wherein the first and/or second connection interface is configured to connect to a Wide Area Network (WAN), such as the internet, or a Local Area Network (LAN).
  15. An isolation unit according to any preceding claim, wherein the controller is configured to switch the layer 1 switch or layer 1 switches between the closed and open states according to one or more time parameters.
  16. An isolation unit according to claim 15, wherein the time parameters define any one or more of: a closing time of the layer 1 switch or layer 1 switches; an opening time of the layer 1 switch or layer 1 switches; or a time duration in which the layer 1 switch or switches are closed or open.
  17. An isolation unit according to claim 15 or claim 16, wherein the one or more time parameters are stored in a local computer readable memory of the controller.
  18. An isolation unit according to any of claims 15 to 17, wherein the isolation unit comprises an input/output interface via which the one or more time parameters are set by the user.
  19. An isolation unit according to claim 18, wherein the input/output interface comprises: a data connection port, such as a USB port; a keyboard and screen interface; or touch screen interface.
  20. An isolation unit according to any preceding claim, wherein the controller is configured to determine when to switch the layer 1 switch or layer 1 switches to the open state from the closed state, or from the closed state to the open state, wherein optionally the determination is based on any one or more of: if the data transfer has been activated, if data transfer has been completed; if the data transfer has been ended; if a specific operation procedure has been complete; or if malware has been detected.
  21. An isolation unit according to any preceding claim, wherein the controller is configured to operate the layer 1 switch or layer 1 switches based on a user input received by the controller.
  22. An isolation unit according to any of claims 9 to 21, wherein: the isolation unit comprises a plurality of output connection interfaces, each configured to connect to a separate computer device or network segment; the input connection interface is connected to each of the plurality of output connection interfaces via the connection circuitry; the switchable path is one of a plurality of switchable paths each connecting between the input interface and a respective one of the output connection interfaces; each of the switchable paths comprises a layer 1 switch arranged to switch between a closed state in which the input connection interface and the respective output connection interface are connected, and an open state in which the switchable connection path is disconnected between the input connection interface and the respective output connection interface, wherein the switchable connection paths are switchable by the respective layer 1 switch at the OSI physical layer.
  23. An isolation unit according to claim 22, wherein the controller is configured to switch the layer 1 switches between respective closed and open states to connect and disconnect the input connection interface to the respective output connection interfaces such that at least one of the switches is in the open state at a given time.
  24. An isolation unit according to any preceding claim, wherein the controller is configured to control the layer 1 switch or layer 1 switches according to a timed switching sequence.
  25. An isolation unit according to any preceding claim, wherein the first or second connection interfaces are for outputting data to a data storage device, such as a data backup device, and optionally wherein the data storage back-up device comprises a non-volatile memory, such as a hard drive disc, or a solid-state drive, or a Network Attached Storage, NAS, device, or an optical disc, or a USB flash drive.
GB2200936.9A 2021-07-06 2022-01-25 An isolation unit Pending GB2608662A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB2109751.4A GB202109751D0 (en) 2021-07-06 2021-07-06 An isolation unit

Publications (2)

Publication Number Publication Date
GB202200936D0 GB202200936D0 (en) 2022-03-09
GB2608662A true GB2608662A (en) 2023-01-11

Family

ID=77274605

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB2109751.4A Ceased GB202109751D0 (en) 2021-07-06 2021-07-06 An isolation unit
GB2200936.9A Pending GB2608662A (en) 2021-07-06 2022-01-25 An isolation unit

Country Status (1)

Country Link
GB (2) GB202109751D0 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180069832A1 (en) * 2006-06-27 2018-03-08 Waterfall Security Solutions Ltd. One Way Secure Link
US20210110068A1 (en) * 2019-10-14 2021-04-15 Michael Steven Voss Air gap system and method using out of band signaling
CN213241156U (en) * 2020-11-13 2021-05-18 北京天地和兴科技有限公司 Equipment for preventing virus from invading computer

Also Published As

Publication number Publication date
GB202109751D0 (en) 2021-08-18
GB202200936D0 (en) 2022-03-09
