Tunneling Out of the Air-Gap: Software Data Diodes for Industrial IoT

In the high-stakes world of critical infrastructure — nuclear power plants, water treatment facilities, electrical grids — the ultimate defence mechanism has historically been the “air gap.” By physically disconnecting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks from the public internet, organisations eliminated the theoretical threat of remote cyberattacks. If there is no wire, there is no hack.

That logic is now colliding with reality on two fronts.

First, the relentless pressure of Industrial IoT (IIoT): modern industrial operations require constant telemetry streams to power predictive maintenance, real-time anomaly detection, and cloud-based machine learning. Second, and more urgently, the threat landscape itself has dramatically escalated. Attacks on OT protocols rose 84% in 2025 compared to the previous year, with Modbus accounting for 57% of those attacks and Ethernet/IP for a further 22%, according to Forescout research. A separate TXOne Networks report found that 96% of OT incidents in 2025 could be traced back to an initial IT system compromise — proving that the old IT/OT boundary is not holding.

The human cost of getting this wrong is no longer theoretical. The September 2025 cyberattack on Jaguar Land Rover — attributed to a group calling itself Scattered Lapsus$ Hunters — halted global production for nearly six weeks, cost JLR £196 million in a single quarter, triggered a £1.5 billion UK government loan guarantee to stabilise its supply chain, and inflicted an estimated £1.9 billion in wider economic damage on Britain. The UK’s Cyber Monitoring Centre rated it a Category 3 systemic event — described as potentially the most economically damaging cyberattack in British history. A JLR security expert noted the attack confirmed that “in modern factories, IT and OT are inseparable.”

The lesson is not that connectivity must be abolished. The lesson is that it must be architected correctly. The answer to the paradox — how do you extract continuous, high-fidelity data from a secure facility without opening a two-way channel that nation-state actors can exploit — is the software data diode and the implementation of unidirectional network tunnels.

---

A Market Responding to Crisis

The urgency is reflected in the numbers. The global data diode market was valued at approximately $1.23 billion in 2025 and is projected to reach $1.37 billion by the end of 2026, growing at a CAGR of around 11–12% and expected to exceed $2 billion by 2030. Critical infrastructure accounts for the largest segment by application (22% market share in 2025), with the energy and power sector growing fastest, driven by smart grid deployments and industrial automation. Key players include Siemens AG, BAE Systems, Thales Group, Owl Cyber Defense, and ST Engineering, with notable M&A activity including OPSWAT’s acquisition of Fend Incorporated in December 2024 to bolster its unidirectional gateway portfolio.

Beyond market growth, a wave of regulatory modernisation is accelerating adoption. In the EU, the NIS2 Directive — which entered enforcement in July 2025 — expands mandatory cybersecurity obligations to sectors including energy, transport, water, and manufacturing, with supply chain security explicitly covered and fines for non-compliance now active. IEC 62443, the global standard for securing Industrial Automation and Control Systems (IACS), maps directly to NIS2 requirements and mandates layered defence architectures that unidirectional data flows are uniquely suited to satisfy. In the US, NERC CIP standards for the power sector and the TSA’s Security Directive for pipelines create parallel obligations. Across the industry, unidirectional gateway architectures have emerged as a preferred means of satisfying strict network-segmentation obligations while giving boards and executives a defensible, auditable position.

---

The Evolution: From Hardware to Software Data Diodes

Hardware Data Diodes

The original data diode was a strictly hardware-based device rooted in optical physics, with origins in military and government networks dating to the 1980s. A fiber optic cable connected two network segments. On the “send” side — the highly secure network — there was only a light transmitter (an LED or laser). On the “receive” side — the corporate network or cloud gateway — there was only a light receiver (a photodetector). Because light cannot physically travel backward from a photodetector to an LED, the connection was perfectly unidirectional.

The security properties were impeccable. The operational properties were not. Hardware diodes come with three structural disadvantages:

Cost. Enterprise-grade hardware diodes command price tags ranging from tens of thousands to hundreds of thousands of dollars per unit — cost-prohibitive for anything beyond the most critical single chokepoints.

Scalability. As IIoT sensor proliferation accelerates, managing physical cables and hardware nodes for every new data stream becomes unmanageable. First Analysis managing director Howard Smith has noted that economies of scale are only beginning to reduce hardware diode costs, and that a “tipping point” for broader adoption is still forming.

Protocol rigidity. The modern internet runs on TCP, which requires bidirectional handshakes. Hardware diodes must completely deconstruct data to convert it into light pulses and reconstruct it on the far side — a process that requires complex proxy servers on both ends and historically limited compatibility with dynamic IIoT protocols.

The 2026 Shift: Software Data Diodes

As industrial environments adopted edge computing, hypervisors, and Software-Defined Networking, a new architecture emerged: the software data diode. Rather than relying on optical isolation, a software data diode is a highly engineered, mathematically verified software boundary that enforces the same unidirectional property using custom network stacks, kernel-level packet filtering, and rigorous state-machine logic.

The key advantage is deployability. A software data diode can be instantiated as a lightweight container or virtual machine on an IIoT edge gateway — viable across thousands of remote wind turbines or solar inverters where a hardware device would be logistically impossible. The key challenge — and the reason this architecture has taken time to mature — is that “software can always be hacked” is not an unreasonable starting assumption. Modern software diode architecture addresses this systematically.

---

Technical Architecture: How Unidirectional Network Tunnels Work

Building a software data diode is not as simple as writing a firewall rule that says Block All Inbound. Firewalls are inherently two-way stateful devices: they remember connection states and allow return traffic. If a firewall is compromised, its rules can be rewritten. True software data diodes rely on a multi-layered architectural approach combining protocol breaks, forward error correction, kernel-level enforcement, and memory isolation.

1. The Protocol Break: TCP to UDP

The most significant architectural hurdle is that TCP (Transmission Control Protocol) is inherently bidirectional. If Server A wants to send data to Server B, Server B must return an acknowledgment (ACK) packet. Block the ACK, and the TCP connection drops.

Software data diodes resolve this through a protocol break:

• The inside proxy (secure zone): The SCADA system sends telemetry via TCP — Modbus TCP, OPC UA, or similar — to a local proxy server sitting just inside the secure boundary.
• Protocol conversion: The proxy terminates the TCP connection and wraps the payload in UDP (User Datagram Protocol), a connectionless, fire-and-forget protocol with no acknowledgment requirement.
• The unidirectional tunnel: The proxy transmits UDP packets outward through the software diode across the network boundary.
• The outside proxy (corporate zone): A receiving proxy catches the UDP packets, repackages them back into standard TCP or MQTT, and forwards them to the cloud or monitoring dashboard.

No ACK packet is ever sent. No return channel exists at the protocol level.

2. Forward Error Correction (FEC)

Because the connection is strictly one-way, the outside proxy cannot tell the inside proxy if a packet was lost in transit. Software data diodes compensate through heavy Forward Error Correction (FEC). By transmitting redundant mathematical parity bits alongside the payload — analogous to RAID storage parity — the receiving proxy can reconstruct missing or corrupted packets without ever requesting a retransmission. This preserves telemetry integrity across an inherently lossy one-way channel.

3. Kernel-Level Packet Dropping and eBPF

The core security guarantee resides in the custom network stack. Modern implementations use eBPF (Extended Berkeley Packet Filter) loaded into a stripped-down Linux microkernel or hypervisor layer — attached to the lowest accessible level of the network interface card (NIC).

The compiled eBPF logic is mathematically verified. For the network interface facing the outside world, the TX (transmit) queue is completely disabled. The RX (receive) queue is hardcoded to permanently drop all incoming frames before they ever reach the operating system’s standard network stack. There is no routing table, no IP stack listening on the outside interface, no open ports. If a malicious actor sends a packet to the diode from the outside, the eBPF filter drops it before it can be processed. Inbound routing does not exist in the compiled code — it is not a blocked state; it is an absent one.

4. Memory Isolation

To prevent advanced attacks such as buffer overflows triggered by malformed incoming packets, the software diode separates the process handling outflowing data from the process connected to the external network interface using strict memory partitioning — separate memory spaces or virtual machines communicating only via a one-way shared ring buffer. The secure side can write into the buffer; the insecure side can only read from it. The read process has no write privileges to the buffer, making the boundary structurally asymmetric at the memory level.

---

SCADA Secure Tunneling in Practice

The implementation of unidirectional network tunnels is changing how critical infrastructure interacts with the modern IT and cloud stack across multiple sectors.

Power Generation: Predictive Maintenance

A natural gas power plant operating turbines with hundreds of vibration, temperature, and pressure sensors once faced a grim choice: keep the SCADA network air-gapped and accept manual log collection via USB (itself a significant attack vector — Stuxnet, the 2009–2010 cyberweapon that destroyed centrifuges at Iran’s Natanz uranium enrichment plant, initially infiltrated via removable media), or connect and accept the risk.

A software data diode at the edge of the SCADA network breaks the dilemma. The SCADA system streams sensor data to the diode proxy; the diode pushes it unidirectionally to a cloud AI platform. The AI can analyse vibration harmonics and predict bearing failures weeks in advance. Even if the cloud platform is compromised by a nation-state actor, the unidirectional architecture makes it structurally impossible to send a command back through the tunnel to alter the turbine’s operations.

Water Treatment: Protecting Chemical Integrity

Water treatment facilities have been explicit targets for cyber-terrorism — attackers have previously attempted to alter chemical dosing levels remotely. These facilities need strict network isolation, but municipal authorities increasingly demand real-time water quality metrics for public dashboards and regulatory reporting.

A software data diode serves as the ideal intermediary. Internal PLCs stream chemical telemetry outward through the unidirectional tunnel. The outside proxy receives it and populates the public-facing monitoring infrastructure. The conceptual air-gap remains intact: data flows out; commands cannot flow in.

Distributed Renewables: Scale Without Hardware

Hardware data diodes are economically and logistically impossible to deploy across thousands of remote solar inverters or wind turbines. Software data diodes, deployed as lightweight containers directly on IIoT edge gateways, allow decentralised energy producers to transmit grid health data to central operators without exposing remote hardware to botnets or ransomware. This use case is particularly significant given the energy and power sector’s position as the fastest-growing segment in the data diode market, driven by smart grid implementation and the demands of industrial automation.

---

Regulatory Compliance as a Forcing Function

For many industrial operators in 2026, the calculus around unidirectional architectures has shifted from voluntary best practice to regulatory necessity.

The EU’s NIS2 Directive, which entered enforcement in July 2025, mandates network segmentation, incident response, and supply chain security across critical infrastructure sectors. IEC 62443 — the international standard for IACS cybersecurity — provides the technical implementation framework that maps to NIS2 requirements. Its zone-and-conduit model, combined with requirements for Security Levels (SL), aligns naturally with unidirectional gateway architectures: a software data diode between a high-security SCADA zone and a lower-trust corporate network is a well-defined, auditable conduit with a verifiable security level.

In the US, NERC CIP imposes mandatory cybersecurity controls on bulk electric system assets, and TSA Security Directives govern pipeline operations. The EU’s forthcoming Cyber Resilience Act adds “secure by design” obligations for connected devices. Across jurisdictions, unidirectional data flow is increasingly recognised not just as a security control but as a compliance artefact — one that provides operators with a defensible position that limits executive liability when incidents do occur.

Over 75% of leading manufacturers were estimated to have implemented some form of IT/OT network convergence by 2025, according to Rockwell Automation and Keystone Technology Consultants, driving up to 20% gains in operational efficiency. The regulators are watching. The attackers are watching. The architecture of the conduit between those two worlds has never mattered more.

---

Overcoming the Limitations of One-Way Communication

The security benefits of unidirectional tunnels are significant. The operational challenges are real and require deliberate engineering to manage.

Gestión fuera de banda. Las actualizaciones y parches rutinarios requieren presencia física o conexiones temporales controladas fuera de banda. La diode de software es estrictamente un mecanismo de extracción de telemetría, no un canal de administración remota.

Sincronización horaria. NTP (Protocolo de Tiempo de Red) requiere comunicación bidireccional. Las instalaciones seguras deben confiar en relojes atómicos internos o en señales GPS de solo recepción en lugar de obtener la hora de internet — una consideración arquitectónica que debe planearse en la implementación.

Transmisión ciega. Los sistemas internos transmiten sin saber si el receptor externo está operativo. Si el servidor en la nube está caído o la red externa se corta, el sistema interno no tiene mecanismo de retroalimentación. Se debe construir almacenamiento en caché interno robusto y alertas locales para garantizar que la telemetría se almacene de forma segura hasta que se restablezca la conexión externa, sin crear acumulación de datos local que también pueda ser una vulnerabilidad.

Gestión de protocolos. Como ha señalado Smith de First Analysis, gestionar la diversidad de protocolos sigue siendo un desafío. Aunque la demanda y la inversión están expandiendo gradualmente la compatibilidad, los operadores que usan protocolos ICS altamente propietarios deben validar la compatibilidad antes del despliegue.

---

Garantía de Seguridad: ¿Puede ser hackeada una diode de software?

La crítica legítima a cualquier control de seguridad basado en software es que el software es maleable. El código puede ser reescrito. La respuesta de la industria de ciberseguridad, en 2026, opera en dos niveles.

Verificación formal. Los microkernels y la lógica de enrutamiento utilizados en diodos de software de grado empresarial están sujetos a técnicas de prueba matemática que verifican que el código compilado carece de los estados computacionales necesarios para procesar tráfico entrante. Esto no significa que el software sea libre de errores; es una prueba de que la lógica de enrutamiento para paquetes entrantes no existe en el binario compilado.

Despliegue en medios de solo lectura. Muchas implementaciones combinan verificación formal con protección física contra escritura. El sistema operativo y el software de la diode se inician desde un medio físicamente bloqueado contra escritura — una tarjeta SD con un interruptor de bloqueo de hardware, o una EEPROM de solo lectura especializada. Incluso si una vulnerabilidad de día cero permitiera la ejecución de código mediante un paquete entrante malformado (una superficie de ataque extremadamente limitada dada la ausencia de una pila IP), el atacante no puede mantener ningún cambio. El sistema de archivos subyacente es físicamente inmutable. Tras reiniciar, la diode vuelve a su estado matemáticamente verificado. La superficie de ataque para persistencia no solo se reduce — se elimina.

Esta combinación de verificación formal a nivel de software y inmutabilidad a nivel de hardware es la respuesta arquitectónica a la objeción “el software puede ser hackeado”. No afirma invulnerabilidad; elimina las capacidades de persistencia y movimiento lateral que hacen que la explotación exitosa tenga un impacto operacional.

---

Mirando hacia el futuro

El ataque de Jaguar Land Rover en septiembre de 2025 — descrito por el UK’s Cyber Monitoring Centre como concentrado en una víctima principal cuyo efecto sistémico se extendió a más de 5,000 organizaciones a través de interdependencias económicas — es la demostración más clara reciente de que las consecuencias de fallos en la frontera IT/OT ya no son solo teóricas. Cuando los consejos preguntan cuánto podría costar un ciberataque en su infraestructura OT, la respuesta en 2026 es: mira cuánto costó a Jaguar Land Rover. El crecimiento del PIB del Q3 en el Reino Unido fue claramente más débil como resultado directo.

La respuesta no es desconectar. La necesidad de datos industriales en tiempo real — para mantenimiento predictivo, optimización impulsada por IA, y reportes regulatorios — es estructural y está en crecimiento. La respuesta es conectar correctamente: con arquitecturas donde la garantía de seguridad no sea una política que pueda configurarse mal, sino una propiedad matemática del código compilado y del medio físico en el que se ejecuta.

Las diodos de software y los túneles de red unidireccionales representan exactamente esa garantía. Los datos salen. Nada entra de vuelta. Las máquinas que alimentan el mundo pueden ser monitoreadas sin ser controladas por nadie más que los ingenieros que las construyeron.

Esa distinción, precisamente diseñada y formalmente verificada, es donde reside ahora la seguridad del IIoT.

---

Todos los datos de mercado se derivan de informes de Fortune Business Insights, ResearchAndMarkets y Precedence Research publicados a finales de 2025 y principios de 2026. Los datos de incidentes provienen de informes públicos, Forescout, TXOne Networks, el UK’s Cyber Monitoring Centre y noticias contemporáneas.