
Beyond the Firewall: Hardware-Enforced Network Isolation for Critical OT Infrastructure

- CetraC
May 28, 2026

We have reached a turning point in OT network security. Traditional firewalls are losing the battle to protect critical infrastructure, and hardware-based network isolation is becoming the reference architecture.

This article explores the practical implementation of data diodes, unpacks the real-world limitations that have historically made them difficult to deploy, and analyses how the CetraC product family addresses these challenges to deliver true operational resilience.

The Attacker Always Gets In, Eventually

A fundamental premise now widely accepted in the cybersecurity community is that no shield, however well designed, guarantees permanent protection. Given sufficient time, resources, and motivation, an attacker will eventually find a way through. Accepting this is the starting point for a more mature architectural discipline: cyber resilience.

The challenge is not to build an impenetrable perimeter, but to design a network architecture that protects the vital parts of an organisation: one that keeps the Operational Technology (OT), the expensive production equipment, and the critical connected utilities running even when the IT layer has been compromised.

"A hospital can work in degraded mode without IT, but cannot without lifts, oxygen and X-ray equipment."

This distinction between IT resilience and OT resilience is not merely semantic. Consider a hospital: email servers going offline is disruptive; elevators, medical gas systems, and imaging equipment going offline is life-threatening. The same logic applies to power plants, water treatment facilities, manufacturing lines, and avionics ground systems. The OT layer must be treated as fundamentally different from the IT layer and isolated accordingly.

Focus on a hardware-based network isolation solution: the data diode

The conventional response to OT/IT segregation is a firewall. Firewalls offer fine-grained flow control, stateful inspection, and deep packet filtering. But they remain fundamentally software-defined. Their security properties depend entirely on the correctness of their configuration, the absence of exploitable vulnerabilities in their operating stack, and the quality of the rules written by a human operator. Any of these can, and will eventually, fail.

The data diode takes a different approach. Rather than restricting bidirectional communication, it physically prevents one direction from existing at all. Data flows from the secured OT domain toward the more open IT or supervision layer, but there is no return path at the hardware level. The optical or electronic asymmetry of the component makes reverse communication not merely forbidden, but physically impossible.

How it works

Data diodes use hardware asymmetry, typically an optical link with a transmitter on the OT side and only a receiver on the IT side, to enforce unidirectional data flow. You can know the current floor position of an elevator; you cannot send it a command. If nothing can be sent into the OT system across the boundary, nothing can be injected through it, regardless of what software vulnerabilities may exist on either side.

This yields a security property that is provable by design, not by policy. There are no rules to misconfigure, no CVEs to patch in the enforcement mechanism, no privileged accounts to compromise. The attack surface of the isolation boundary itself is reduced to near zero. Note what the guarantee covers: the diode enforces direction, not content, so the sending host on the OT side and the receiving host on the IT side still run software and must still be hardened as endpoints.

The Three Drawbacks: And Why They Have Prevented Adoption

Despite these compelling advantages, data diodes have historically remained confined to the most sensitive environments, such as classified government networks, nuclear facilities, and tier-1 defense systems. Three practical obstacles have limited broader adoption:

1. Cost

Traditional data diode hardware has been priced at levels accessible only to organizations with substantial security budgets. The combination of specialized hardware, integration services, and ongoing support has kept per-deployment costs high.

2. TCP/IP Incompatibility

The standard internet protocol family (TCP/IP) is inherently bidirectional. TCP's three-way handshake and its acknowledgement-driven retransmission both require a return channel; without one, a connection cannot even be established, let alone recover from loss. Deploying a data diode in a TCP/IP network has therefore traditionally required software proxies on both sides of the diode: the sending-side proxy terminates the TCP connection and forwards raw data, and the receiving-side proxy re-originates a TCP connection toward the destination. These proxies are complex to configure, expensive to license, and introduce software-layer risk at the very boundary that was supposed to be hardware-enforced.
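The transport-level consequence of the "How it works" section and of this drawback is that whatever crosses a diode must be self-describing: the receiver can never ask for a retransmission, so each datagram needs its own sequence number and integrity check, loss can only be mitigated by sender-side redundancy, and gaps must be detected rather than repaired. The following is an added illustration, not CetraC's own code or frame format; the `DIOD` marker, the header layout and the telemetry lines are constructed for the example.

```python
"""Unidirectional framing for a raw data diode (constructed example).

No return channel exists, so the sender numbers and checksums every frame and
may repeat it; the receiver de-duplicates, discards corrupt frames and reports
the sequence numbers it never received intact.
"""
import struct
import zlib

MAGIC = b"DIOD"                    # hypothetical frame marker, not a real format
HEADER = struct.Struct("!4sIH")    # magic, 32-bit sequence number, 16-bit payload length
TRAILER = struct.Struct("!I")      # CRC-32 over header + payload


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one self-contained datagram for the transmit-only path."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 16-bit length field")
    body = HEADER.pack(MAGIC, seq & 0xFFFFFFFF, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupted."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    magic, seq, length = HEADER.unpack_from(frame, 0)
    if magic != MAGIC or len(frame) != HEADER.size + length + TRAILER.size:
        return None
    body = frame[:HEADER.size + length]
    (crc,) = TRAILER.unpack_from(frame, HEADER.size + length)
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return seq, frame[HEADER.size:HEADER.size + length]


def transmit(messages, repeat: int = 2):
    """Sender side: number each message and emit `repeat` copies of its frame.
    Repetition is the only loss-recovery tool available without a return path."""
    wire = []
    for seq, msg in enumerate(messages):
        wire.extend([encode_frame(seq, msg)] * repeat)
    return wire


class DiodeReceiver:
    """Receiver side: accept frames in any order, keep the first intact copy of
    each sequence number, count corrupt frames, and expose the gaps."""

    def __init__(self):
        self.received = {}   # seq -> payload
        self.corrupt = 0

    def accept(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        self.received.setdefault(seq, payload)   # duplicates are dropped here

    def missing(self):
        """Sequence numbers below the highest seen that never arrived intact.
        Trailing loss (after the last good frame) cannot be detected this way."""
        if not self.received:
            return []
        top = max(self.received)
        return [s for s in range(top + 1) if s not in self.received]

    def messages(self):
        return [self.received[s] for s in sorted(self.received)]


def simulate() -> DiodeReceiver:
    """Constructed demo: both copies of message 1 are lost on the channel and one
    copy of message 2 is corrupted in flight; message 2 survives via its second copy."""
    telemetry = [b"lift=3 floor=7", b"lift=3 floor=8", b"lift=3 floor=9", b"lift=3 door=open"]
    wire = transmit(telemetry, repeat=2)
    wire[2] = wire[3] = None                                            # seq 1 lost twice
    wire[4] = wire[4][:HEADER.size] + b"X" + wire[4][HEADER.size + 1:]  # seq 2, copy 1 corrupted
    rx = DiodeReceiver()
    for frame in wire:
        if frame is not None:
            rx.accept(frame)
    return rx


if __name__ == "__main__":
    rx = simulate()
    print("delivered:", rx.messages())
    print("corrupt frames:", rx.corrupt, "missing seqs:", rx.missing())
```

The point of `missing()` is that, across a diode, loss is a monitoring event on the receiving side rather than something the transport can fix; an operator alarm on a non-empty gap list is the usual substitute for TCP's retransmission.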

3. Functional Constraints in Real-World Applications

Strict unidirectionality is not always architecturally appropriate even within an OT security context. Consider again the elevator example:

  • You want to monitor the elevator remotely: connectivity is required.
  • You want to prevent remote actuation: the network access must be unidirectional, OT-to-IT only.
  • But you also need duplex voice when the alarm button is pressed: an inherently bidirectional requirement that a standard data diode cannot satisfy.

In real-world OT environments, these are normal operations. The inability of classical data diodes to address them has forced architects toward compromise solutions, often firewalls with tightened rule sets, that reintroduce exactly the software-layer risks they were trying to eliminate.

The CetraC Response: Three Products, Three Solutions

CetraC has designed a family of three FPGA-based hardware IP cores that directly address each of the three obstacles described above while preserving the fundamental security property of hardware-enforced isolation.

| Product | Architecture | TCP/IP | Use case | Price point |
|---------|--------------|--------|----------|-------------|
| diOđe | Plain unidirectional diode | No (raw data only) | Sensor telemetry, log export, simple monitoring | Low |
| bi-Ôđe | Unidirectional diode with native TCP/IP support | Yes, native | OT monitoring over standard IP networks, no proxy required | Medium |
| gemini | Hybrid: diode behaviour enforced on each direction via address translation | Yes | Applications requiring controlled bidirectionality (voice, alarm return channel) | Medium |

The Accessible Entry Point: diOđe

diOđe is a cost-accessible plain data diode: unidirectional, hardware-enforced, with no software stack to manage or secure.

It is well suited to use cases where the monitored OT system generates data streams that need to reach a supervision layer without any possibility of a return channel being established (sensor readings, equipment logs, positional telemetry…). Its low price point makes it practical to deploy at scale across multiple isolation points within a single facility.

Solving the TCP/IP Problem in Hardware: bi-Ôđe

bi-Ôđe addresses the single biggest deployment barrier for data diodes in modern network infrastructure: TCP/IP incompatibility. By implementing native TCP/IP support within the hardware IP itself, bi-Ôđe takes over the role of the software proxies on either side of the isolation boundary, so none are needed. The result is a unidirectional hardware diode that is directly compatible with standard IP network infrastructure without reintroducing software vulnerability at the enforcement layer.

Controlled Bidirectionality with Diode-Level Safety on Each Path: gemini

gemini is the architecturally novel product in the family. It addresses the class of use cases, such as the elevator alarm scenario above, where pure unidirectionality is insufficient.

gemini operates as a hybrid device: bidirectional at the functional level, but with diode-like isolation enforced independently on each direction of flow, implemented through address translation at the hardware level. Each communication path is treated as a separate isolated channel. No return traffic can traverse the boundary via the opposing path. This enables voice duplex, acknowledgement channels, and other bidirectional protocols to operate safely within a fully isolated architecture.

Security by Hardware: The Core Argument

The common thread across all three products is that the security property is enforced in hardware, not software. This distinction matters for several reasons beyond the absence of CVEs[1]:

  • Determinism: a fixed-function hardware datapath behaves deterministically and is amenable to formal verification in a way that a general-purpose software stack is not.
  • Certification: CetraC’s products are designed to meet the most stringent safety and reliability requirements, providing a verifiable and robust certification path that software-based solutions cannot match.
  • Resilience to supply-chain attack: a hardware diode cannot be remotely updated to change its security policy. Its behaviour is fixed at the silicon or FPGA bitstream level (for an FPGA deployment this assumes the configuration interface is locked down after programming, so the bitstream itself cannot be replaced in the field).
  • Auditability: the isolation boundary is a physical component, not a logical rule set. Its behaviour can be verified independently of the configuration state of adjacent systems.

Bug Bounty

gemini is currently deployed online as a live private bug-bounty target. Organizations with penetration testing teams are invited to attempt to breach the isolation boundary. Contact CetraC to arrange access.

Conclusion

The data diode represents the correct architectural answer to OT isolation in critical infrastructure, but its traditional drawbacks in cost, TCP/IP compatibility, and functional flexibility have prevented widespread adoption. CetraC's diOđe, bi-Ôđe, and gemini IP cores address these obstacles directly, providing a hardware-enforced isolation solution that is accessible, standards-compatible, and adaptable to the real-world complexity of OT network architectures.

For infrastructure operators, system integrators, and FPGA/ASIC design teams working on critical network equipment, these products offer a path to genuine cyber resilience, not through better rules, but through physics.

About CetraC.io

CetraC is a French hardware IP company developing FPGA-based network isolation solutions for safety-critical and secure systems. Its product family, diOđe, bi-Ôđe, and gemini, provides hardware-enforced data diode capabilities with native TCP/IP support and flexible deployment architectures. CetraC products are targeted at defense, automotive, critical infrastructure, avionics, and industrial OT applications.

Available as COTS hardware or DO-254 IP core.
contact@cetrac.io  ·  www.cetrac.io


[1] Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities