Tunneling Out of the Air-Gap: Software Data Diodes for Industrial IoT

InstaTunnel Team
Published by our engineering team

In the high-stakes world of critical infrastructure — encompassing nuclear power plants, water treatment facilities, and electrical grids — the ultimate defense mechanism has historically been the “air gap.” By physically disconnecting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks from the public internet, organizations theoretically eliminated the threat of remote cyberattacks. If there is no wire, there is no hack.

But as we move deeper into 2026, the strict air-gap model is fundamentally clashing with the demands of Industrial IoT (IIoT), predictive maintenance, and real-time big data analytics. Modern industrial operations require constant telemetry streams to optimize efficiency, detect mechanical anomalies before catastrophic failures, and feed cloud-based machine learning models. Organizations are faced with a seemingly impossible paradox: how do you extract continuous, high-fidelity data from a secure facility without opening a two-way communication channel that could be exploited by nation-state threat actors?

The market has already spoken. The global data diode solution market was valued at $619.3 million in 2025 and is projected to reach $696.7 million in 2026, growing at a CAGR of 12.2% toward $1.75 billion by 2034, according to Fortune Business Insights. North America leads with a 31.8% market share, driven by the concentration of Owl Cyber Defense, Forcepoint, and Cisco in the region. This is not a niche product category. This is infrastructure-grade security at scale.

The traditional answer to the connectivity paradox was the hardware data diode. The modern answer, driven by advancements in network virtualization, edge computing, and formalized mathematical verification, is the software data diode and the deployment of unidirectional network tunnels.


The Threat Landscape That Made This Urgent

Before examining the architecture, it is worth being precise about what is at stake. The September 2025 cyberattack on Jaguar Land Rover — claimed by a group calling itself “Trinity of Chaos” — shut down global production for over a month and reportedly caused $2.5 billion in immediately attributable losses, according to Reuters. The UK’s Cyber Monitoring Centre described the incident as concentrated on a single primary victim whose systemic effects rippled through more than 5,000 organizations via economic interdependencies. It is the clearest recent demonstration that the consequences of IT/OT boundary failures are no longer theoretical.

Earlier incidents include attacks on Romania’s national pipeline operator and intrusions targeting Polish grid infrastructure — all exploiting the vulnerable seam between corporate IT networks and operational technology. A Keystone Technology Consultants study found that over 75% of leading manufacturers in 2025 had implemented some form of IT/OT network convergence, driving up to 20% gains in operational efficiency. Connectivity creates efficiency. It also creates exposure. Data diodes exist precisely to preserve the former while eliminating the latter.


From Hardware to Software: The Evolution of the Data Diode

The Hardware Data Diode

Data diode technology first emerged in the 1980s as a means to protect highly sensitive military, government, and nuclear networks. The hardware implementation is elegant in its simplicity: a fiber optic cable connecting two network segments, with only a light transmitter (an LED or laser) on the secure “send” side and only a light receiver (a photodetector) on the less-secure “receive” side. Because it is physically impossible for light to travel backward from a photodetector to an LED, the connection is perfectly unidirectional. Physics, not policy, enforces the boundary.

While incredibly secure, hardware data diodes carry significant operational drawbacks:

  • Cost. Enterprise-grade hardware diodes can cost tens or hundreds of thousands of dollars per unit.
  • Scalability. As IIoT sensors proliferate across thousands of remote endpoints, managing physical cables and hardware nodes for every new data stream becomes unmanageable.
  • Protocol rigidity. They struggle with modern, dynamic IIoT protocols, requiring complex proxy servers on both sides of the hardware link to translate protocols like TCP — which requires bidirectional handshakes — into unidirectional streams.

Modern hardware diodes have evolved significantly. State-of-the-art Protocol Filtering Diodes (PFDs), such as those made by Owl Cyber Defense, now perform deep packet inspection and filtering directly in hardware using Field-Programmable Gate Arrays (FPGAs). Every packet is inspected at the hardware level, ensuring only authorized and safe information leaves the secure network while blocking unauthorized or malicious content before transmission. This combines hardware-enforced unidirectionality with real-time protocol filtering — a level of assurance that goes beyond basic optical isolation.

The Software Data Diode

As industrial environments adopted edge computing, hypervisors, and Software-Defined Networking (SDN), a parallel concept emerged: the software data diode. A software data diode is a mathematically verified software boundary that mimics the unidirectional properties of its physical counterpart. Instead of relying on optical isolation, it uses custom network stacks, kernel-level packet filtering, and rigorous state-machine logic to ensure traffic can only move from a higher-security domain to a lower-security domain.

It is important to be precise about what differentiates a software data diode from simply a well-configured firewall. NIST 800-82, the Guide to Industrial Control Systems Security, defines the modern evolution as a Unidirectional Gateway: “a combination of hardware and software where the hardware permits data to flow from one network to another but is physically unable to send any information back into the source network, while the software replicates databases and emulates protocol servers and devices.” This distinction matters: unidirectional gateways combine the physical security guarantee of one-way hardware with the operational flexibility of software that can handle complex industrial data sources.


Technical Architecture: How Unidirectional Network Tunnels Work

Building a software data diode is not as simple as writing a firewall rule that says “Block All Inbound.” Firewalls are inherently two-way stateful devices — they remember connection states and allow return traffic. If a firewall is compromised, its rules can be rewritten. Software data diodes rely on a multi-layered architectural approach using microkernels, eBPF (Extended Berkeley Packet Filter), and protocol breaks.

1. The Protocol Break: TCP to UDP

The most significant hurdle in unidirectional networking is that the modern internet runs on TCP. TCP is inherently bidirectional: if Server A sends data to Server B, Server B must send back an acknowledgment (ACK) packet. If the ACK is blocked, the TCP connection drops.

Software data diodes solve this via a protocol break:

  • Inside Proxy (Secure Zone). The SCADA system sends telemetry via TCP (e.g., Modbus TCP, OPC UA) to a local proxy server sitting just inside the secure boundary.
  • Conversion. The proxy terminates the TCP connection and wraps the payload in UDP (User Datagram Protocol) — a connectionless, “fire-and-forget” protocol.
  • Unidirectional Tunnel. The proxy blasts UDP packets out through the software diode across the network boundary.
  • Outside Proxy (Insecure Zone). A receiving proxy catches the UDP packets, repackages them into standard TCP or MQTT, and forwards them to the cloud or monitoring dashboard.

Contemporary solutions support TCP/IP, UDP, OPC UA, EtherNet/IP, Modbus, and custom industrial protocols — often simultaneously across multiple channels.

2. Forward Error Correction (FEC)

Because the connection is strictly one-way, the outside proxy cannot tell the inside proxy if a packet was lost in transit. To prevent data loss, software data diodes employ heavy Forward Error Correction. By transmitting redundant mathematical parity bits alongside the payload — analogous to RAID storage logic — the receiving proxy can reconstruct missing or corrupted packets without ever requesting a retransmission. Modern data diodes also employ adaptive buffering and optimized protocol handling to ensure reliable data transfer in high-throughput environments where operational data must flow continuously without interruption.
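The protocol break of section 1 and the parity recovery of section 2 together, as an added example that is not InstaTunnel's or any vendor's code: the inside proxy frames a terminated TCP payload into sequence-numbered datagrams with one XOR parity datagram per block, and the outside proxy rebuilds the payload, repairing a single loss per block and reporting (rather than requesting) anything it cannot repair. The block size K, the 8-byte chunk size, the header layout and the telemetry line are all assumptions made for the demo.

```python
"""Protocol break with XOR forward error correction (added example, not vendor code).
Inside proxy: chunk a terminated TCP payload into datagrams, K data + 1 XOR parity
per block. Outside proxy: rebuild, repairing one loss per block and reporting the
rest, since nothing can flow back to ask for a retransmission.
"""
import struct
from typing import Dict, List, Set, Tuple

K = 4       # data datagrams per parity block (assumed parameter)
CHUNK = 8   # payload bytes per datagram, tiny so the demo stays readable
HDR = struct.Struct("!IHIB")   # block_id, index, total payload length, flags
PARITY = 1                     # flag bit marking a parity datagram


def frame(payload: bytes) -> List[bytes]:
    """Inside proxy: split the payload and append a parity datagram per block."""
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    datagrams = []
    for block_id, start in enumerate(range(0, len(chunks), K)):
        block, parity = chunks[start:start + K], bytes(CHUNK)
        for index, chunk in enumerate(block):
            padded = chunk.ljust(CHUNK, b"\0")   # parity is over fixed-size chunks
            datagrams.append(HDR.pack(block_id, index, len(payload), 0) + padded)
            parity = bytes(a ^ b for a, b in zip(parity, padded))
        datagrams.append(HDR.pack(block_id, len(block), len(payload), PARITY) + parity)
    return datagrams


def reassemble(received: List[bytes]) -> Tuple[bytes, List[int]]:
    """Outside proxy: rebuild the payload and list the block ids it could not repair."""
    data: Dict[int, Dict[int, bytes]] = {}
    parity: Dict[int, bytes] = {}
    total_len = 0
    for dg in received:
        block_id, index, total_len, flags = HDR.unpack_from(dg)
        if flags & PARITY:
            parity[block_id] = dg[HDR.size:]
        else:
            data.setdefault(block_id, {})[index] = dg[HDR.size:]
    n_chunks = -(-total_len // CHUNK)            # ceiling division
    out, lost = bytearray(), []
    for b in range(-(-n_chunks // K)):
        count = min(K, n_chunks - b * K)
        have = data.get(b, {})
        missing = [i for i in range(count) if i not in have]
        if len(missing) == 1 and b in parity:
            fixed = parity[b]                    # XOR out every chunk that did arrive
            for chunk in have.values():
                fixed = bytes(a ^ c for a, c in zip(fixed, chunk))
            have[missing[0]] = fixed
        elif missing:                            # two or more lost: no way to recover
            lost.append(b)
            for i in missing:
                have[i] = bytes(CHUNK)           # zero-filled hole, flagged via `lost`
        for i in range(count):
            out += have[i]
    return bytes(out[:total_len]), lost


def demo(drop: Set[int]) -> Tuple[bytes, List[int]]:
    """Frame a constructed telemetry line, drop datagrams at positions in `drop`, rebuild."""
    telemetry = b"turbine-7 vib=0.42mm/s temp=611K press=4.1MPa"   # constructed sample
    sent = frame(telemetry)
    return reassemble([dg for pos, dg in enumerate(sent) if pos not in drop])
```

With a real deployment the datagrams would be emitted on a UDP socket toward the outside interface; here the list stands in for the wire so the loss cases can be exercised offline.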

3. Kernel-Level Packet Dropping and eBPF

The core security guarantee of the software data diode resides in its custom network stack. Modern implementations use eBPF loaded directly into a stripped-down Linux microkernel or a hypervisor layer. This eBPF program is compiled with mathematically verified logic and attaches to the lowest possible level of the network interface card (NIC).

The logic is unambiguous: for the network interface facing the outside world, the TX (transmit) queue is completely disabled, and the RX (receive) queue is hardcoded to permanently drop all incoming frames before they reach the operating system’s standard network stack. There is no routing table, no IP stack listening on the outside interface, and no open ports. If a malicious actor sends a packet to the diode from the outside, the eBPF filter drops it into the void. It cannot route inward because the routing logic simply does not exist in the compiled code.

4. Memory Isolation

To prevent buffer overflow attacks originating from malformed packets designed to compromise the diode itself, the software diode uses strict memory partitioning. The process handling outflowing data and the process connected to the external network interface are isolated in separate memory spaces or virtual machines, communicating only via a one-way shared memory buffer (a ring buffer). Data can be written into the buffer by the secure side and read by the insecure side, but the read process has no write privileges to the buffer.
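The one-way ring buffer described above, as an added example that is not InstaTunnel's or any vendor's code: the secure-side producer holds the only writable mapping, the external-side consumer maps the same bytes read-only (so its attempt to write is refused by memory protection), and because nothing flows back the consumer has to detect overruns itself from the producer's write counter. The slot size, ring capacity, layout and sample records are assumptions for the demo; a temporary file stands in for a shared memory segment.

```python
"""One-way shared-memory ring buffer (added example, not vendor code).
Secure-side producer maps the region writable; external-side consumer maps the
same bytes read-only, so its writes fail at the memory-protection level. Nothing
flows back, so the consumer must detect overruns from the producer's counter.
"""
import mmap
import os
import struct
import tempfile

SLOT = 16                    # bytes per record (assumed)
SLOTS = 4                    # ring capacity, small so overruns are easy to show
HEAD = struct.Struct("<Q")   # producer's monotonic write counter at offset 0
SIZE = HEAD.size + SLOT * SLOTS

def shared_region() -> int:
    fd, path = tempfile.mkstemp()   # anonymous file standing in for a shared segment
    os.unlink(path)
    os.ftruncate(fd, SIZE)
    return fd

class Producer:
    def __init__(self, fd: int):
        self.mem = mmap.mmap(fd, SIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE)
        self.count = 0

    def push(self, record: bytes) -> None:
        off = HEAD.size + (self.count % SLOTS) * SLOT
        self.mem[off:off + SLOT] = record[:SLOT].ljust(SLOT, b"\0")
        self.count += 1
        HEAD.pack_into(self.mem, 0, self.count)   # publish after the data is in place

class Consumer:
    def __init__(self, fd: int):
        self.mem = mmap.mmap(fd, SIZE, prot=mmap.PROT_READ)   # read-only view
        self.next = 0
        self.overruns = 0

    def poll(self) -> list:
        head = HEAD.unpack_from(self.mem, 0)[0]
        if head - self.next > SLOTS:   # producer lapped us: oldest unread records are gone
            self.overruns += head - self.next - SLOTS
            self.next = head - SLOTS
        out = []
        while self.next < head:
            off = HEAD.size + (self.next % SLOTS) * SLOT
            out.append(self.mem[off:off + SLOT].rstrip(b"\0"))
            self.next += 1
        return out

    def write_attempt_blocked(self) -> bool:
        try:
            self.mem[0:1] = b"\x01"
        except TypeError:   # "mmap can't modify a readonly memory map"
            return True
        return False

def demo() -> tuple:
    fd = shared_region()
    prod, cons = Producer(fd), Consumer(fd)
    for rec in (b"vib=0.42", b"temp=611"):   # constructed samples
        prod.push(rec)
    first = cons.poll()
    for i in range(6):   # six records into a four-slot ring with no reader: two are lost
        prod.push(b"sample-%d" % i)
    return first, cons.poll(), cons.overruns, cons.write_attempt_blocked()
```

The overrun counter is the consumer's only evidence that the secure side outran it, which is why the page's later point about local caching on the secure side matters: the producer never hears that anything was dropped.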

5. Content Filtering and Inspection

Advanced software data diodes add a further security layer beyond unidirectional transfer: content sanitization, malware scanning, and policy-based filtering. This ensures that even data leaving the secure network has been inspected, preventing data exfiltration of sensitive operational information alongside legitimate telemetry.


SCADA Secure Tunneling in Practice

Power Generation: Predictive Maintenance

A natural gas power plant operates turbines with hundreds of vibration, temperature, and pressure sensors. Its SCADA network is air-gapped. Historically, engineers walked the plant floor with USB drives to download logs — a significant security risk reminiscent of the Stuxnet vector. By deploying a software data diode at the edge of the SCADA network, the plant can stream telemetry in real time to a cloud-based AI platform that analyzes vibration harmonics and predicts bearing failures weeks in advance. Because the tunnel is unidirectional, even if the cloud platform is breached, attackers cannot send a single command back through the diode to alter turbine operations.

In the power sector, data diodes support compliance with NERC-CIP standards, which require strong network segmentation between critical systems and less secure zones, and IEC 62443, the global standard for securing Industrial Automation and Control Systems.

Water Treatment: Chemical Monitoring

Water treatment facilities are prime targets for cyber-terrorism. Municipal dashboards need to display water quality metrics in real time, but the internal PLCs controlling chemical mix levels must be absolutely isolated. A software data diode acts as the perfect intermediary: internal PLCs stream chemical telemetry through the unidirectional tunnel to the municipal web server. Data flows out; commands cannot flow in. The air-gap remains conceptually intact.

Distributed Renewable Energy Grids

Hardware data diodes are economically impossible to deploy across thousands of remote solar inverters or wind turbines. Software data diodes, deployed as lightweight containers or virtual machines directly on IIoT edge gateways, allow decentralized energy producers to transmit grid health data to central operators without exposing remote hardware to botnets or ransomware. This use case is particularly significant given that the energy and power sector is the fastest-growing segment in the data diode market, driven by smart grid deployments and industrial automation demands.


The Regulatory Imperative: Compliance Is Now the Forcing Function

For many industrial operators in 2026, the calculus around unidirectional architectures has shifted from voluntary best practice to regulatory necessity.

EU NIS2 Directive. Enacted in 2024 and enforceable since late 2024 through national laws across EU member states, NIS2 establishes a unified legal framework covering cybersecurity across 18 critical sectors. One of its cornerstone requirements is the adoption of robust network segmentation strategies, both for preventing lateral movement and limiting breach impact across IT and OT environments. NIS2’s enforcement mechanisms are notably punitive: organizations must make compliance violations public and identify the natural and legal persons responsible. Data diodes are increasingly cited as the preferred control for meeting NIS2’s segmentation mandates.

NERC-CIP. The North American Electric Reliability Corporation’s Critical Infrastructure Protection standards require strong network segmentation between critical systems and less secure zones. Data diodes are regularly cited as complying with segmentation and one-way communications requirements in both electric generation and transmission environments.

IEC 62443. This global OT cybersecurity standard, developed by the International Electrotechnical Commission and the International Society of Automation, provides the framework for securing Industrial Automation and Control Systems. IEC 62443-2-1 is the most relevant standard for NIS2 compliance for asset owners and operators. Organizations experienced with IEC 62443 are well-positioned to achieve NIS2 compliance, and deploying certified components — including certified data diodes — helps demonstrate a secured supply chain.


Overcoming the Limitations of One-Way Communication

Relying on unidirectional network tunnels introduces unique operational challenges that operators must plan for explicitly.

Out-of-band management. Routine updates and patching still require physical presence or highly controlled, temporary, out-of-band connections. The software diode is strictly for telemetry extraction, not remote administration.

Time synchronization. NTP requires bidirectional communication. Secure facilities must rely on internal atomic clocks or secure, receive-only GPS time signals rather than pulling time from the internet.

Blind transmission. Internal systems transmit without confirmation. They do not know if the cloud server is down or if the external network is severed. Internal caching and alerting mechanisms must therefore be robust, ensuring that if data cannot leave the facility, it is securely stored locally until the external connection is restored.

Protocol complexity. Because data diodes cannot participate in TCP/IP client/server conversations, systems are constrained to connectionless protocols such as broadcast Ethernet and UDP/IP at the boundary. This makes native integration into conventional networks difficult and requires the proxy architecture described above. It is worth noting that Waterfall Security’s Unidirectional Gateway architecture addresses this by replicating process historians, OPC-DA servers, and relational databases on the external network, allowing enterprise users and applications to interact with replica servers bidirectionally on the IT side while the OT side remains strictly protected.


Security Assurance: Can a Software Diode Be Hacked?

The primary criticism of software data diodes is the belief that “software is malleable.” If it is written in code, it can be rewritten in code.

The 2026 answer to this objection has two parts.

First, formal verification. Enterprise-grade software diodes are now developed using mathematically proven microkernels and routing logic that are verified to lack the necessary computational states to process inbound traffic. This is not a claim that the software is bug-free; it is a claim that the routing state machine provably cannot enter a state that processes inbound packets, regardless of the input it receives.

Second, read-only media deployments. Many software diodes are deployed with the OS and diode software booted from a physically write-blocked medium — an SD card with a physical lock switch or a specialized read-only EEPROM. Even if an attacker found a zero-day that allowed code execution via a malformed incoming packet (an exceptionally difficult feat given the absence of an IP stack on the receiving interface), they cannot persist the change because the underlying filesystem is physically immutable. On reboot, the diode returns to its mathematically verified state. The attack surface for persistence is not just reduced — it is removed.

This combination of software-level formal verification and hardware-level immutability is the architectural answer to the hackability objection. It does not claim invulnerability; it removes the persistence and lateral movement capabilities that make successful exploitation operationally meaningful.


The Market and the Key Players

The global data diode solution market is consolidating around a core set of vendors:

  • Owl Cyber Defense — Protocol Filtering Diodes with FPGA-based hardware inspection; increasingly prominent in US defense and critical infrastructure.
  • Waterfall Security — Unidirectional Gateways widely deployed in power generation, rail, and refining.
  • OPSWAT — Following its acquisition of FEND, OPSWAT now offers MetaDefender Optical Diodes scaled from compact remote-facility deployments to large industrial applications.
  • Siemens AG, BAE Systems, Thales Group, ST Engineering — Enterprise players embedding unidirectional gateway capabilities into broader OT security portfolios.

North America accounts for the largest regional share ($221.2 million in 2026), while Asia Pacific is the fastest-growing region, driven by rapid digitalization and government-led cybersecurity initiatives. Europe’s market is expanding under NIS2 pressure, with Germany projected at $35.8 million and the UK at $33.5 million in 2026.


Conclusion: The Architecture of Necessity

The myth of the absolute physical air-gap is fading, giving way to the reality of interconnected, data-driven industrial environments. But the requirement for absolute security in critical infrastructure remains uncompromising. The September 2025 Jaguar Land Rover attack, the Polish grid intrusion, and Romania’s pipeline compromise are not warnings of what might happen. They are precedents for what does happen when IT/OT boundaries are inadequately enforced.

Software data diodes and unidirectional network tunnels represent the architecture that resolves this tension. By utilizing protocol breaks, rigorous Forward Error Correction, kernel-level packet dropping, and formally verified routing logic, these systems ensure telemetry flows freely to the dashboards that need it while mathematically guaranteeing that no malicious packet can ever tunnel back in.

The data flows out. Nothing flows back in. The machines that power the world can be monitored without being controllable by anyone other than the engineers who built them. That distinction — precisely engineered, formally verified, and now mandated by regulators from Brussels to Washington — is where IIoT security in 2026 is staked.


Market figures sourced from Fortune Business Insights and Polaris Market Research (2025–2026). Incident data sourced from Reuters, the UK Cyber Monitoring Centre, Forescout, and TXOne Networks. Regulatory references sourced from the European Commission, NERC, and IEC/ISA publications.
