1. Field of the Invention
Embodiments of the invention relate to computer and data networks and, more particularly, to systems, methods, and non-transitory computer-readable medium having one or more computer programs stored therein to transfer data between networks.
2. Description of the Related Art
Organizations and entities that have multiple networks sometimes protect those networks from unauthorized access by establishing different, higher security or protection levels for one or more networks. For example, an entity may choose to establish stronger protections for one network—such as a process automation system network—that the entity prioritizes as more important, or even essential, to its operations than for another network—such as a corporate business network, for instance. Many industries, entities, and government agencies use one or more networks that require a higher level of security but nevertheless must be able to communicate with other, lower security networks. These high-security networks, therefore, may be physically isolated from other networks. In some circumstances, a high-security network must be totally isolated from other networks. That is, the high-security network must have no path of communication with other networks.
In the process automation industry, for example, network security may be essential to an entity's ability to maintain production at production facilities. It also may be important to the health and security of employees at production facilities, as well as part of environmental protection strategies. It has grown more difficult over time, however, to ensure the integrity of process automation systems. One reason behind the increasing difficulty is that newer process automation systems incorporate open system designs, which are more difficult to protect than legacy process automation systems. Newer process automation systems' combined use of open networking equipment, which transfers data using TCP/IP communication protocols, and widely-used operating systems, such as Microsoft Windows, has meant that corporate business networks and process automation system networks may be seamlessly integrated. That is, ease of communication between corporate business networks and process automation system networks has increased. Although the increased ease of communication may have some advantages, it has also exposed critical process automation system networks to new vulnerabilities.
Process automation and control engineers are constantly working to secure process automation systems from unauthorized intrusion and virus infection. Some of the approaches they use include anti-virus patch management, Microsoft Windows patch management, network designs (such as demilitarized zones) that eliminate direct communication between a low-security network and a high-security network, Microsoft Windows operating system hardening, constant firewall and network screening (e.g., 24/7/365), process automation system user account and password management, and access control lists for network equipment. Technicians and engineers, for example, may follow a defense-in-depth strategy, such as the standards outlined in ISA-99, “Industrial Automation and Control Systems Security,” or in the United States Department of Homeland Security's “Chemical Facilities Anti-Terrorism Standards,” or in standards developed by the Nuclear Regulatory Commission, as a protocol or regimen to defend against unauthorized intrusions. Even when these protective measures are used, however, process automation systems remain vulnerable because data can still be transferred from a low-security network, such as a corporate business network, to the process automation system network when data is “written” to the process automation system network for business continuity purposes.
To prevent an intruder or virus from reaching a process automation system network or compromising a process automation system, organizations and other entities have taken several protective measures to prevent a low-security network from “writing” data to the process automation system network through traditional networking practices. For example, entities sometimes use demilitarized zones (DMZs), as illustrated in FIG. 7. As depicted, a company wide area network 202 is in communication with the Internet 201 and a corporate business server 203, as will be understood by those skilled in the art. Together, the company wide area network 202 and corporate business server 203 may form a corporate network for an entity. A separate process automation system network includes two process automation system servers 221 and 222, which are in communication with one another through a network switch 208. As illustrated in FIG. 7, a DMZ may protect the process automation system network. That is, although data transfer is bidirectional between a facility business server 220 and the process automation system servers 221 and 222, transferred data passes through the network switch 208, a firewall 207, a DMZ router 205, and a DMZ switch 206. Data transfer is also bidirectional between the facility business server 220 and the corporate business server 203, but transferred data passes through a different firewall 204, the same DMZ router 205, and the same DMZ switch 206. In this design, the corporate business server 203 and the process automation system servers 221 and 222 never exchange data directly; every transfer is relayed through the facility business server 220 in the DMZ.
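The following is an added example, not part of the patent text: a small Python model of the FIG. 7 design that encodes the physical links and a hypothetical firewall policy (node names carry the figure's reference numerals), then audits that no low-security host has a firewall-permitted path to a process automation server except by way of the facility business server 220.

```python
from collections import deque

# Constructed model of the FIG. 7 topology; names carry the text's reference numerals.
PHYSICAL_LINKS = [
    ("internet_201", "company_wan_202"), ("company_wan_202", "corporate_business_server_203"),
    ("company_wan_202", "firewall_204"), ("firewall_204", "dmz_router_205"),
    ("dmz_router_205", "dmz_switch_206"), ("dmz_switch_206", "facility_business_server_220"),
    ("dmz_router_205", "firewall_207"), ("firewall_207", "network_switch_208"),
    ("network_switch_208", "pas_server_221"), ("network_switch_208", "pas_server_222"),
]
LOW_SECURITY = {"corporate_business_server_203", "company_wan_202", "internet_201"}
HIGH_SECURITY = {"pas_server_221", "pas_server_222"}
RELAY = "facility_business_server_220"

# Hypothetical firewall policy as (firewall, source, destination) triples:
# each firewall forwards only flows that terminate at the DMZ relay 220.
FIREWALL_RULES = {
    ("firewall_204", "corporate_business_server_203", RELAY),
    ("firewall_204", RELAY, "corporate_business_server_203"),
    ("firewall_207", RELAY, "pas_server_221"), ("firewall_207", "pas_server_221", RELAY),
    ("firewall_207", RELAY, "pas_server_222"), ("firewall_207", "pas_server_222", RELAY),
}

def physical_path(links, src, dst):
    """BFS over the links; FIG. 7 is a tree, so the path found is the only one."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def flow_allowed(links, rules, src, dst):
    """A flow is allowed only if a path exists and every firewall on it permits (src, dst)."""
    path = physical_path(links, src, dst)
    return path is not None and all((hop, src, dst) in rules for hop in path if hop.startswith("firewall_"))

def direct_low_to_high_flows(links, rules, low=LOW_SECURITY, high=HIGH_SECURITY):
    """Audit: list every low-security host that can reach a PAS server without the relay."""
    return sorted((s, d) for s in low for d in high if flow_allowed(links, rules, s, d))
```

An empty audit result means the DMZ design holds: corporate traffic reaches server 220 and server 220 reaches the PAS servers, but no corporate host can write to a PAS server directly, which is the isolation the text describes and the "write through the relay" path it says remains.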