Tunneling Out of the Air-Gap: Software Data Diodes for Industrial IoT
IT
Tunneling Out of the Air-Gap: Software Data Diodes for Industrial IoT
In the high-stakes world of critical infrastructure — nuclear power plants, water treatment facilities, electrical grids — the ultimate defence mechanism has historically been the “air gap.” By physically disconnecting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks from the public internet, organisations eliminated the theoretical threat of remote cyberattacks. If there is no wire, there is no hack.
That logic is now colliding with reality on two fronts.
First, the relentless pressure of Industrial IoT (IIoT): modern industrial operations require constant telemetry streams to power predictive maintenance, real-time anomaly detection, and cloud-based machine learning. Second, and more urgently, the threat landscape itself has dramatically escalated. Attacks on OT protocols rose 84% in 2025 compared to the previous year, with Modbus accounting for 57% of those attacks and Ethernet/IP for a further 22%, according to Forescout research. A separate TXOne Networks report found that 96% of OT incidents in 2025 could be traced back to an initial IT system compromise — proving that the old IT/OT boundary is not holding.
The human cost of getting this wrong is no longer theoretical. The September 2025 cyberattack on Jaguar Land Rover — attributed to a group calling itself Scattered Lapsus$ Hunters — halted global production for nearly six weeks, cost JLR £196 million in a single quarter, triggered a £1.5 billion UK government loan guarantee to stabilise its supply chain, and inflicted an estimated £1.9 billion in wider economic damage on Britain. The UK’s Cyber Monitoring Centre rated it a Category 3 systemic event — described as potentially the most economically damaging cyberattack in British history. A JLR security expert noted the attack confirmed that “in modern factories, IT and OT are inseparable.”
The lesson is not that connectivity must be abolished. The lesson is that it must be architected correctly. The answer to the paradox — how do you extract continuous, high-fidelity data from a secure facility without opening a two-way channel that nation-state actors can exploit — is the software data diode and the implementation of unidirectional network tunnels.
A Market Responding to Crisis
The urgency is reflected in the numbers. The global data diode market was valued at approximately $1.23 billion in 2025 and is projected to reach $1.37 billion by the end of 2026, growing at a CAGR of around 11–12% and expected to exceed $2 billion by 2030. Critical infrastructure accounts for the largest segment by application (22% market share in 2025), with the energy and power sector growing fastest, driven by smart grid deployments and industrial automation. Key players include Siemens AG, BAE Systems, Thales Group, Owl Cyber Defense, and ST Engineering, with notable M&A activity including OPSWAT’s acquisition of Fend Incorporated in December 2024 to bolster its unidirectional gateway portfolio.
Beyond market growth, a wave of regulatory modernisation is accelerating adoption. In the EU, the NIS2 Directive — which entered enforcement in July 2025 — expands mandatory cybersecurity obligations to sectors including energy, transport, water, and manufacturing, with supply chain security explicitly covered and fines for non-compliance now active. IEC 62443, the global standard for securing Industrial Automation and Control Systems (IACS), maps directly to NIS2 requirements and mandates layered defence architectures that unidirectional data flows are uniquely suited to satisfy. In the US, NERC CIP standards for the power sector and the TSA’s Security Directive for pipelines create parallel obligations. Across the industry, unidirectional gateway architectures have emerged as a preferred means of satisfying strict network-segmentation obligations while giving boards and executives a defensible, auditable position.
The Evolution: From Hardware to Software Data Diodes
Hardware Data Diodes
The original data diode was a strictly hardware-based device rooted in optical physics, with origins in military and government networks dating to the 1980s. A fiber optic cable connected two network segments. On the “send” side — the highly secure network — there was only a light transmitter (an LED or laser). On the “receive” side — the corporate network or cloud gateway — there was only a light receiver (a photodetector). Because light cannot physically travel backward from a photodetector to an LED, the connection was perfectly unidirectional.
The security properties were impeccable. The operational properties were not. Hardware diodes come with three structural disadvantages:
Cost. Enterprise-grade hardware diodes command price tags ranging from tens of thousands to hundreds of thousands of dollars per unit — cost-prohibitive for anything beyond the most critical single chokepoints.
Scalability. As IIoT sensor proliferation accelerates, managing physical cables and hardware nodes for every new data stream becomes unmanageable. First Analysis managing director Howard Smith has noted that economies of scale are only beginning to reduce hardware diode costs, and that a “tipping point” for broader adoption is still forming.
Protocol rigidity. The modern internet runs on TCP, which requires bidirectional handshakes. Hardware diodes must completely deconstruct data to convert it into light pulses and reconstruct it on the far side — a process that requires complex proxy servers on both ends and historically limited compatibility with dynamic IIoT protocols.
The 2026 Shift: Software Data Diodes
As industrial environments adopted edge computing, hypervisors, and Software-Defined Networking, a new architecture emerged: the software data diode. Rather than relying on optical isolation, a software data diode is a highly engineered, mathematically verified software boundary that enforces the same unidirectional property using custom network stacks, kernel-level packet filtering, and rigorous state-machine logic.
The key advantage is deployability. A software data diode can be instantiated as a lightweight container or virtual machine on an IIoT edge gateway — viable across thousands of remote wind turbines or solar inverters where a hardware device would be logistically impossible. The key challenge — and the reason this architecture has taken time to mature — is that “software can always be hacked” is not an unreasonable starting assumption. Modern software diode architecture addresses this systematically.
Technical Architecture: How Unidirectional Network Tunnels Work
Building a software data diode is not as simple as writing a firewall rule that says Block All Inbound. Firewalls are inherently two-way stateful devices: they remember connection states and allow return traffic. If a firewall is compromised, its rules can be rewritten. True software data diodes rely on a multi-layered architectural approach combining protocol breaks, forward error correction, kernel-level enforcement, and memory isolation.
1. The Protocol Break: TCP to UDP
The most significant architectural hurdle is that TCP (Transmission Control Protocol) is inherently bidirectional. If Server A wants to send data to Server B, Server B must return an acknowledgment (ACK) packet. Block the ACK, and the TCP connection drops.
Software data diodes resolve this through a protocol break:
- The inside proxy (secure zone): The SCADA system sends telemetry via TCP — Modbus TCP, OPC UA, or similar — to a local proxy server sitting just inside the secure boundary.
- Protocol conversion: The proxy terminates the TCP connection and wraps the payload in UDP (User Datagram Protocol), a connectionless, fire-and-forget protocol with no acknowledgment requirement.
- The unidirectional tunnel: The proxy transmits UDP packets outward through the software diode across the network boundary.
- The outside proxy (corporate zone): A receiving proxy catches the UDP packets, repackages them back into standard TCP or MQTT, and forwards them to the cloud or monitoring dashboard.
No ACK packet is ever sent. No return channel exists at the protocol level.
2. Forward Error Correction (FEC)
Because the connection is strictly one-way, the outside proxy cannot tell the inside proxy if a packet was lost in transit. Software data diodes compensate through heavy Forward Error Correction (FEC). By transmitting redundant mathematical parity bits alongside the payload — analogous to RAID storage parity — the receiving proxy can reconstruct missing or corrupted packets without ever requesting a retransmission. This preserves telemetry integrity across an inherently lossy one-way channel.
3. Kernel-Level Packet Dropping and eBPF
The core security guarantee resides in the custom network stack. Modern implementations use eBPF (Extended Berkeley Packet Filter) loaded into a stripped-down Linux microkernel or hypervisor layer — attached to the lowest accessible level of the network interface card (NIC).
The compiled eBPF logic is mathematically verified. For the network interface facing the outside world, the TX (transmit) queue is completely disabled. The RX (receive) queue is hardcoded to permanently drop all incoming frames before they ever reach the operating system’s standard network stack. There is no routing table, no IP stack listening on the outside interface, no open ports. If a malicious actor sends a packet to the diode from the outside, the eBPF filter drops it before it can be processed. Inbound routing does not exist in the compiled code — it is not a blocked state; it is an absent one.
4. Memory Isolation
To prevent advanced attacks such as buffer overflows triggered by malformed incoming packets, the software diode separates the process handling outflowing data from the process connected to the external network interface using strict memory partitioning — separate memory spaces or virtual machines communicating only via a one-way shared ring buffer. The secure side can write into the buffer; the insecure side can only read from it. The read process has no write privileges to the buffer, making the boundary structurally asymmetric at the memory level.
SCADA Secure Tunneling in Practice
The implementation of unidirectional network tunnels is changing how critical infrastructure interacts with the modern IT and cloud stack across multiple sectors.
Power Generation: Predictive Maintenance
A natural gas power plant operating turbines with hundreds of vibration, temperature, and pressure sensors once faced a grim choice: keep the SCADA network air-gapped and accept manual log collection via USB (itself a significant attack vector — Stuxnet, the 2009–2010 cyberweapon that destroyed centrifuges at Iran’s Natanz uranium enrichment plant, initially infiltrated via removable media), or connect and accept the risk.
A software data diode at the edge of the SCADA network breaks the dilemma. The SCADA system streams sensor data to the diode proxy; the diode pushes it unidirectionally to a cloud AI platform. The AI can analyse vibration harmonics and predict bearing failures weeks in advance. Even if the cloud platform is compromised by a nation-state actor, the unidirectional architecture makes it structurally impossible to send a command back through the tunnel to alter the turbine’s operations.
Water Treatment: Protecting Chemical Integrity
Water treatment facilities have been explicit targets for cyber-terrorism — attackers have previously attempted to alter chemical dosing levels remotely. These facilities need strict network isolation, but municipal authorities increasingly demand real-time water quality metrics for public dashboards and regulatory reporting.
A software data diode serves as the ideal intermediary. Internal PLCs stream chemical telemetry outward through the unidirectional tunnel. The outside proxy receives it and populates the public-facing monitoring infrastructure. The conceptual air-gap remains intact: data flows out; commands cannot flow in.
Distributed Renewables: Scale Without Hardware
Hardware data diodes are economically and logistically impossible to deploy across thousands of remote solar inverters or wind turbines. Software data diodes, deployed as lightweight containers directly on IIoT edge gateways, allow decentralised energy producers to transmit grid health data to central operators without exposing remote hardware to botnets or ransomware. This use case is particularly significant given the energy and power sector’s position as the fastest-growing segment in the data diode market, driven by smart grid implementation and the demands of industrial automation.
Regulatory Compliance as a Forcing Function
For many industrial operators in 2026, the calculus around unidirectional architectures has shifted from voluntary best practice to regulatory necessity.
The EU’s NIS2 Directive, which entered enforcement in July 2025, mandates network segmentation, incident response, and supply chain security across critical infrastructure sectors. IEC 62443 — the international standard for IACS cybersecurity — provides the technical implementation framework that maps to NIS2 requirements. Its zone-and-conduit model, combined with requirements for Security Levels (SL), aligns naturally with unidirectional gateway architectures: a software data diode between a high-security SCADA zone and a lower-trust corporate network is a well-defined, auditable conduit with a verifiable security level.
In the US, NERC CIP imposes mandatory cybersecurity controls on bulk electric system assets, and TSA Security Directives govern pipeline operations. The EU’s forthcoming Cyber Resilience Act adds “secure by design” obligations for connected devices. Across jurisdictions, unidirectional data flow is increasingly recognised not just as a security control but as a compliance artefact — one that provides operators with a defensible position that limits executive liability when incidents do occur.
Over 75% of leading manufacturers were estimated to have implemented some form of IT/OT network convergence by 2025, according to Rockwell Automation and Keystone Technology Consultants, driving up to 20% gains in operational efficiency. The regulators are watching. The attackers are watching. The architecture of the conduit between those two worlds has never mattered more.
Overcoming the Limitations of One-Way Communication
The security benefits of unidirectional tunnels are significant. The operational challenges are real and require deliberate engineering to manage.
Out-of-band management. Routine updates and patching require physical presence or controlled, temporary out-of-band connections. The software diode is strictly a telemetry extraction mechanism, not a remote administration channel.
Time synchronisation. NTP (Network Time Protocol) requires two-way communication. Secure facilities must rely on internal atomic clocks or receive-only GPS time signals rather than pulling time from the internet — an architectural consideration that must be planned for at deployment.
Blind transmission. Internal systems transmit without knowing whether the external receiver is operational. If the cloud server is down or the external network is severed, the internal system has no feedback mechanism. Robust internal caching and local alerting must be built in to ensure telemetry is safely stored until the external connection is restored, without creating local data accumulation that itself becomes a security liability.
Protocol management. As First Analysis’s Smith has noted, managing protocol diversity remains a challenge. While demand and investment are gradually expanding the range of supported protocols, operators using highly proprietary ICS protocols should validate compatibility before deployment.
Security Assurance: Can a Software Diode Be Hacked?
The legitimate criticism of any software-based security control is that software is malleable. Code can be rewritten. The cybersecurity industry’s response, as of 2026, operates on two levels.
Formal verification. The microkernels and routing logic used in enterprise-grade software diodes are subject to mathematical proof techniques that verify the compiled code lacks the necessary computational states to process inbound traffic. This is not a claim that the software is bug-free; it is a proof that the routing logic for inbound packets does not exist in the compiled binary.
Read-only media deployment. Many implementations combine formal verification with physical write-protection. The OS and diode software are booted from a physically write-blocked medium — an SD card with a hardware lock switch, or a specialised read-only EEPROM. Even if a hypothetical zero-day vulnerability allowed code execution via a malformed incoming packet (an extraordinarily constrained attack surface given the absence of an IP stack), the attacker cannot persist any change. The underlying filesystem is physically immutable. On reboot, the diode returns to its mathematically verified state. The attack surface for persistence is not just reduced — it is removed.
This combination of software-level formal verification and hardware-level immutability is the architectural answer to the “software can be hacked” objection. It does not claim invulnerability; it removes the persistence and lateral movement capabilities that make successful exploitation operationally meaningful.
Looking Ahead
The September 2025 JLR attack — described by the UK’s Cyber Monitoring Centre as concentrated on a single primary victim whose systemic effects rippled through more than 5,000 organisations via economic interdependencies — is the clearest recent demonstration that the consequences of IT/OT boundary failures are no longer theoretical. When boards ask what a cyberattack on their OT infrastructure could cost, the answer in 2026 is: look at what it cost Jaguar Land Rover. The UK’s Q3 GDP growth was measurably weaker as a direct result.
The answer is not to disconnect. The imperative of real-time industrial data — for predictive maintenance, for AI-driven optimisation, for regulatory reporting — is structural and growing. The answer is to connect correctly: with architectures where the security guarantee is not a policy that can be misconfigured, but a mathematical property of the compiled code and the physical medium it runs on.
Software data diodes and unidirectional network tunnels represent exactly that guarantee. The data flows out. Nothing flows back in. The machines that power the world can be monitored without being controlled by anyone other than the engineers who built them.
That distinction, precisely engineered and formally verified, is where IIoT security now lives.
All market figures are derived from Fortune Business Insights, ResearchAndMarkets, and Precedence Research reports published in late 2025 and early 2026. Incident data is sourced from public filings, Forescout, TXOne Networks, the UK Cyber Monitoring Centre, and contemporaneous news reporting.
Comments
Post a Comment