What is a Data Diode?
A data diode is a hardware device that enforces unidirectional (one-way) data flow between two networks. It ensures that data can only travel in one direction, preventing information or commands from flowing back.
In OT networks, data diodes are used to safeguard the confidentiality and integrity of critical systems and to block any feedback path for threats.
🧠 How does a data diode work?
- A data diode typically has two physical network interfaces:
- The device has no return path (TCP acknowledgements are impossible)
- Specialised software handles:
- Protocol conversion (e.g. UDP tunnelling of TCP)
- Buffering and error correction
- Typical applications:
- Sending process data from OT → IT
- Protecting OT zones from feedback (e.g. malware, C2 traffic)
A data diode is physically immutable: the one-way operation is guaranteed by design, not just configuration.
🏭 Use of data diodes in industrial networks
- SCADA sends data exclusively to a Historian in the IDMZ
- PLC data is made available to MES/ERP without any write-back possibility
- Real-time OT logs (e.g. alarms, trends) are forwarded to a SIEM
- Use in critical infrastructure (energy, water, pharma) to achieve Air gap-like security
- Data diodes are often combined with anomaly detection and Firewalls
They are particularly suited to highly secured or regulated OT environments, such as those under IEC 62443.
🔍 Data diode vs. firewall
| Aspect | Data diode | Firewall |
|---|---|---|
| Traffic | Only physical one-way traffic possible | Bidirectional traffic, based on rules |
| Configuration | Independent of software or policy | Requires rules and updates |
| Bypass possible? | Not without physical modification | Yes, with misconfiguration or abuse |
| Use in OT | For ultimate isolation of systems | For granular access control |
🔐 Security considerations
- No remote access possible to the OT network through a data diode
- Reduces the risk of data breaches, malware feedback or ransomware spreading
- Often used as part of Zero Trust and Defense in Depth
- Supports compliance with IEC 62443, NIS2 and other critical infrastructure standards
- Note: some protocols (e.g. TCP) are difficult over one-way links → solution via protocol tunnelling
A data diode is not a replacement for a firewall, but an additional, hard physical separation.
📌 In summary
A data diode is a physical network security device that guarantees one-way traffic only. In OT environments this provides maximum isolation of critical systems, with controlled data export and no risk of feedback.