Hardware-enforced security
No software vulnerability can create a return path. The data diode provides the highest level of network isolation available.
Firewalls filter traffic bidirectionally using software rules. A misconfigured rule, a software vulnerability, or a zero-day exploit can bypass the filter. The Rail Data Diode eliminates this risk by enforcing one-way data flow at the hardware level.
A data diode is a unidirectional network appliance. Data flows in one direction only. The return path does not exist physically. No software vulnerability, misconfiguration, or attacker action can create a return channel because the hardware does not support it.
| Property | Firewall (EAGLE) | Data Diode (RDD) |
|---|---|---|
| Enforcement | Software rules | Hardware (physical) |
| Bidirectional | Yes (filtered) | No (one direction only) |
| Return path | Exists (filtered) | Does not exist |
| Vulnerability to exploits | Possible | Not possible (no return path) |
| Protocol support | Any (with rules) | Protocols that tolerate one-way transfer (syslog, OPC UA PubSub, database replication) |
| Interactive protocols | Supported | Not supported (no handshake possible) |
Process automation: A chemical plant exports historian data from the OT network to the corporate analytics platform. The data diode ensures no traffic from IT reaches the DCS, even if the corporate network is compromised.
Transportation: A railway control center receives telemetry from trackside equipment through a data diode. Attackers who compromise the control center network cannot send commands back to the trackside equipment.
Power generation: A power plant exports SCADA data to the utility’s central monitoring system. The data diode prevents remote access to the plant control system, meeting regulatory requirements for critical infrastructure protection.
The OT-side historian collects process data and pushes it through the data diode. A receiving proxy on the DMZ side reconstructs the data and makes it available to IT systems. No IT system has any path back to the OT network.
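The historian push and DMZ-side reconstruction described above, as an added example that is not the vendor's code: a hypothetical wire format (sequence number, length, CRC32 trailer) is assumed so that the receiving proxy can detect loss and corruption on its own, since with no return path it can never acknowledge or request a resend.

```python
import struct
import zlib

# Assumed datagram layout (not the RDD's real format): seq (u32), payload length (u16)
HEADER = struct.Struct("!IH")


def frame(seq: int, payload: bytes) -> bytes:
    """Historian (OT) side: one self-describing datagram per record.
    The CRC32 trailer lets the receiver detect corruption without any ACK."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


class ReceivingProxy:
    """DMZ side: rebuilds the record stream from datagrams that arrive in order
    but may be lost or damaged in transit. Because the return path does not
    exist, the proxy can only record gaps locally, never ask for a resend."""

    def __init__(self):
        self.expected = 0      # next sequence number we expect to see
        self.records = []      # reconstructed payloads, in order
        self.gaps = []         # (first_missing_seq, last_missing_seq)
        self.corrupt = 0       # datagrams rejected by length/CRC checks

    def receive(self, datagram: bytes) -> bool:
        if len(datagram) < HEADER.size + 4:
            self.corrupt += 1
            return False
        body, trailer = datagram[:-4], datagram[-4:]
        if struct.unpack("!I", trailer)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
            self.corrupt += 1
            return False
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if len(payload) != length:
            self.corrupt += 1
            return False
        if seq > self.expected:                # datagrams were lost on the link
            self.gaps.append((self.expected, seq - 1))
        elif seq < self.expected:              # duplicate or replayed datagram
            return False
        self.expected = seq + 1
        self.records.append(payload)
        return True


def simulate(drop) -> ReceivingProxy:
    """Constructed sample: six historian readings pushed through the diode,
    with the sequence numbers in `drop` lost on the one-way link."""
    readings = [b"tag=T101 value=%d" % (300 + i) for i in range(6)]
    proxy = ReceivingProxy()
    for seq, rec in enumerate(readings):
        if seq not in drop:
            proxy.receive(frame(seq, rec))
    return proxy
```

The gap list is what the DMZ side must alarm on, because nothing on that side can make the OT historian resend.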
Use for one-way data export
Historian replication, monitoring data, and telemetry export. Not suitable for interactive protocols that require bidirectional communication.
Security products protect the network boundary. The next chapter covers industrial wireless: HiLCOS operating system, BAT series access points, and wireless design for OT environments.