Hardware-enforced one-way data flow
No software vulnerability creates a return path. The data diode delivers the highest level of network isolation available.
Firewalls filter traffic bidirectionally using software rules. A misconfigured rule, a software vulnerability, or a zero-day exploit bypasses the filter. The Rail Data Diode eliminates this exposure by enforcing one-way data flow at the hardware level.
A data diode is a unidirectional network appliance. Data flows in 1 direction only. The return path does not exist physically. No software vulnerability, misconfiguration, or attacker action creates a return channel because the hardware does not support a return channel.
| Property | Firewall (EAGLE) | Data Diode (RDD) |
|---|---|---|
| Enforcement | Software rules | Hardware (physical) |
| Bidirectional | Yes (filtered) | No (1 direction only) |
| Return path | Exists (filtered) | Does not exist |
| Vulnerability to exploits | Possible | Not possible (no return path) |
| Protocol support | Any (with rules) | Protocols that tolerate one-way (syslog, OPC UA pub, database replication) |
| Interactive protocols | Supported | Not supported (no handshake possible) |
Process automation: A chemical plant exports historian data from the OT network to the corporate analytics platform. The data diode prevents IT traffic from reaching the DCS, even when the corporate network is compromised.
Transportation: A railway control center receives telemetry from trackside equipment through a data diode. Attackers who compromise the control-center network have no path to send commands back to the trackside equipment.
Power generation: A power plant exports SCADA data to the utility central monitoring system. The data diode blocks remote access to the plant control system, meeting regulatory requirements for infrastructure protection.
The OT-side historian collects process data and pushes the data through the data diode. A receiving proxy on the DMZ side reconstructs the data and makes the data available to IT systems. No IT system has a path back to the OT network.
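Because the receiving side can never send an ACK or a retransmission request back through the diode, the receiving proxy has to detect loss and corruption on its own. The following is an added example (not the RDD's own protocol or software): a constructed datagram framing with sequence numbers and a truncated hash, and a DMZ-side proxy that reconstructs the stream and records the gaps it cannot recover; the record format, the `simulate` helper and the dropped/corrupted sequence numbers are all assumptions.

```python
import hashlib
import struct
# Constructed framing for one-way transfer (added example, not the RDD's own
# protocol): each datagram carries a sequence number and a truncated hash so
# the DMZ-side proxy can detect loss or corruption without ever sending an ACK.
MAGIC = b"RDD1"
HEADER = struct.Struct("!4sQI")  # magic, sequence number, payload length

def encode_record(seq: int, payload: bytes) -> bytes:
    """Frame one historian record on the OT side before it enters the diode."""
    return HEADER.pack(MAGIC, seq, len(payload)) + payload + hashlib.sha256(payload).digest()[:8]

def decode_record(frame: bytes):
    """Return (seq, payload), or None when the frame is malformed or corrupted."""
    if len(frame) < HEADER.size + 8:
        return None
    magic, seq, length = HEADER.unpack_from(frame)
    body, tag = frame[HEADER.size:HEADER.size + length], frame[HEADER.size + length:]
    if magic != MAGIC or len(body) != length or hashlib.sha256(body).digest()[:8] != tag:
        return None
    return seq, body

class ReceiveProxy:
    """DMZ-side proxy: rebuilds the stream and logs gaps it can never re-request."""
    def __init__(self):
        self.expected, self.records, self.missing, self.rejected = 0, [], [], 0

    def ingest(self, frame: bytes) -> None:
        decoded = decode_record(frame)
        if decoded is None:
            self.rejected += 1  # corrupted frame: count it, no NACK is possible
            return
        seq, payload = decoded
        if seq > self.expected:  # a jump in sequence is the only evidence of loss
            self.missing.extend(range(self.expected, seq))
        self.expected = max(self.expected, seq + 1)
        self.records.append((seq, payload))

def simulate(drop=(2,), corrupt=(4,)) -> ReceiveProxy:
    """Push six constructed records through a lossy one-way path."""
    proxy = ReceiveProxy()
    for seq in range(6):
        frame = encode_record(seq, b"tag=TI101,value=%d" % seq)
        if seq in drop:
            continue  # datagram lost in transit; the receiver cannot ask for it again
        if seq in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # flip the last tag byte
        proxy.ingest(frame)
    return proxy
```

In a deployment the `missing` and `rejected` counters are what the DMZ side would alert on, since the only remedy for a gap is for the OT side to resend on its own schedule or for the operator to investigate.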
Use for one-way data export
Historian replication, monitoring data, and telemetry export. Not suitable for interactive protocols that require bidirectional communication.
Security products help safeguard the network boundary. The next chapter covers industrial wireless: HiLCOS operating system, BAT series access points, and wireless design for OT environments.