If you’ve ever wondered about the science behind data diodes – such as how the technology outperforms firewalls and traditional intrusion detection/protection systems to safeguard critical networks – you’re in for a real treat.
In this post, we’re going to explore how simple yet perfect physics is helping to protect some of the most sensitive information from potentially hostile networks, incoming malware, and other cybersecurity threats.
Data diode technology is the only guaranteed way to achieve unidirectional data flow. And after you read this blog, you’ll know why. And don’t worry, you won’t need an advanced science degree to understand it.
What Is a Data Diode?
A data diode is a physical piece of hardware that allows sensitive data to flow only in one direction between two sensitive environments.
The hardware device itself is fitted with two separate circuits or components for enhanced network segmentation:
- The sender, which can only transmit data over a specified channel to the receiver.
- The receiver, which actively listens for incoming data from the sender on that same channel.
Because data diodes are not physically built to be bidirectional, there is simply no way for outside data to travel back up into your network, eliminating potential vulnerabilities. This is more secure than software-based rules, which can be bypassed.
Data diodes (sometimes mistakenly called data dioders) encompass both the physical hardware and its supporting software, which is why it’s often called ‘hardware-enforced’ technology, with software as an enabler for real-world protocols like TCP/IP or OPC UA.
This technology securely bridges IT and OT networks by allowing data to flow out from vulnerable OT systems to safer IT environments without allowing cyberthreats back in, providing assurance for secure data transfer.
How Does a Data Diode Work?
We said that data flows in only one direction by design and that it’s impossible for it to travel in the opposite direction. But what do we mean by that?
In most data diode designs, the one-way mechanism is implemented using light pulses over fibre links.
- The source network is connected to the data diode by an Ethernet cable.
- The send-side component uses a laser diode to convert your network data into blinking light pulses that are similar (at least in principle) to Morse code. The pulses travel down a glass fibre no wider than a hair; its reflective coating keeps the light trapped inside the fibre, so the pulses can travel long distances with little to no loss.
- Then, the receiver-side component, comprising a light sensor or photodiode, intercepts these pulses and converts the light into electric signals for the receiving network’s proxy to repackage as data files.
The receiver-side component doesn’t have a laser like the send-side component, so it cannot transmit light and send data back the other way. In other applications, fibre optic cables can be bidirectional, but the design of the data diode physically prevents that.
You might be wondering, what happens if someone from the destination network tries to send data packets (e.g., patches) back to the source network, making the secure environment the destination rather than the source?
Nothing.
If someone tries to send something to the secure network, it will encounter the receiver’s sensor, which has no mechanism for generating or transmitting light pulses, so the signals simply vanish, ensuring high security against data exfiltration.
While relatively simple in design, data diodes eliminate accidental data leakage and entire classes of cyber threats, which is why they are the security tools of choice in industries where security is a matter of national interest.
Data Diodes Are More Than Just Hardware
While hardware enforces unidirectional security, that’s not to say that software isn’t involved in the running of data-diode technology. It’s just not the thing that makes data diodes so secure.
Where does software get involved?
- From the sender side, a proxy agent on the secure network grabs data from the source, strips it of its bidirectional protocols (e.g., TCP handshakes) and converts it into a simple stream for the send-side component to transfer.
- On the receiving end, the destination proxy reconstructs the electrical signals from the light pulses back into recognisable formats, adds filters, corrects errors, and delivers the transmission to IT tools.
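The two proxies described above have one constraint that shapes everything else: the receiver can never acknowledge a frame or ask for a resend. The following simulation, added here as an illustration and not code from 4Secure or any diode vendor, shows a hypothetical send-side proxy that splits a byte stream into self-describing frames (sequence number, length, CRC-32) and emits each frame twice, and a receive-side proxy that discards corrupt frames, tolerates duplicates, reassembles in order and can only report gaps it cannot fill. The frame layout, chunk size and the sample historian record are assumptions constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical frame format (an assumption for this example, not any real
# diode proxy's wire format): 4-byte sequence number, 2-byte payload length,
# payload, then CRC-32 over everything before it. A frame with length 0 is
# the end-of-transfer marker and its sequence number equals the chunk count.
HEADER = struct.Struct(">IH")
CRC = struct.Struct(">I")
CHUNK = 16  # deliberately tiny so the sample splits into several frames

# Constructed sample: two historian records as they might leave an OT network.
SAMPLE = b"historian,tag=pump1,flow=42.5,ts=1700000000\n" * 2


def send_side_frames(data: bytes, copies: int = 2) -> List[bytes]:
    """Send-side proxy: frame the stream and repeat every frame `copies` times.

    With no return path there are no ACKs and no retransmissions, so
    redundancy has to be decided up front; two copies survive the loss or
    corruption of any single copy of a frame."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    frames = []
    for seq, chunk in enumerate(chunks + [b""]):  # trailing b"" is the EOF marker
        body = HEADER.pack(seq, len(chunk)) + chunk
        frames.extend([body + CRC.pack(zlib.crc32(body))] * copies)
    return frames


@dataclass
class ReceiveState:
    chunks: Dict[int, bytes] = field(default_factory=dict)
    total: Optional[int] = None  # set once the EOF marker arrives
    rejected: int = 0            # frames dropped for failing integrity checks


def receive_side_ingest(frames: List[bytes], state: Optional[ReceiveState] = None) -> ReceiveState:
    """Receive-side proxy: verify each frame and keep the first good copy."""
    state = state or ReceiveState()
    for frame in frames:
        if len(frame) < HEADER.size + CRC.size:
            state.rejected += 1
            continue
        body, crc = frame[:-CRC.size], frame[-CRC.size:]
        if zlib.crc32(body) != CRC.unpack(crc)[0]:
            state.rejected += 1  # damaged in flight; nobody to ask for a resend
            continue
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if len(payload) != length:
            state.rejected += 1
            continue
        if length == 0:
            state.total = seq
        else:
            state.chunks.setdefault(seq, payload)  # duplicate copies are harmless
    return state


def reassemble(state: ReceiveState) -> Tuple[Optional[bytes], List[int]]:
    """Return (data, missing_seqs); data is None until every chunk is present."""
    if state.total is None:
        return None, []
    missing = [s for s in range(state.total) if s not in state.chunks]
    if missing:
        return None, missing
    return b"".join(state.chunks[s] for s in range(state.total)), []


def simulate(data: bytes, drop=(), corrupt=()) -> Tuple[Optional[bytes], List[int], int]:
    """Push `data` across a simulated one-way link that drops and corrupts the
    given frame indexes; returns (recovered, missing_seqs, rejected_frames)."""
    frames = send_side_frames(data)
    for i in corrupt:
        frames[i] = bytes([frames[i][0] ^ 0xFF]) + frames[i][1:]  # flip a header byte
    frames = [f for i, f in enumerate(frames) if i not in set(drop)]
    state = receive_side_ingest(frames)
    recovered, missing = reassemble(state)
    return recovered, missing, state.rejected


if __name__ == "__main__":
    # One copy of chunk 1 lost, one copy of chunk 2 corrupted: still recoverable.
    print(simulate(SAMPLE, drop=[2], corrupt=[4]))
    # Both copies of chunk 1 lost: the receiver can only report the gap.
    print(simulate(SAMPLE, drop=[2, 3]))
```

The point to take from the second run is that error handling on a diode link is a matter of redundancy and detection, not recovery by dialogue: the receiving proxy can log and alert on a missing sequence number, but the decision to resend has to be made on the send side (for example by periodic full re-sends of state), because no signal about the gap can ever cross the link.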
A 4Secure Software Example
VARA CDS (Cross Domain Solution) combines 4Secure’s TrustedFilter® software with Oakdoor’s hardware-enforced one-way data technology in a fully UK and European sovereign product. All supporting software runs directly on the single-box solution without needing flanking infrastructure.
When running on VARA CDS and other Cross Domain Solutions, TrustedFilter® plays a crucial role in ensuring secure data exchange and aligns with NCSC guidance through:
- Stripping protocols to eliminate malicious data formats at the pre-processing stage
- Transforming complex protocols at the application layer
- Verifying structured data
- Inspecting, normalising, and verifying content
- Reconstructing protocols to enforce ‘known good’ data transfer
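As an added illustration of the verify, normalise and reconstruct steps in that list (not TrustedFilter® itself, whose internals this post does not describe), the function below treats a historian record as untrusted bytes: it bounds the size, requires strict UTF-8 and well-formed JSON, allows only the fields of a hypothetical schema with type and range checks, normalises the accepted values, and then emits a freshly built canonical document rather than forwarding any of the original bytes. The schema, limits and sample records are assumptions constructed for the example.

```python
import json
from typing import Optional, Tuple

MAX_BYTES = 512  # assumed upper bound for one record

# Hypothetical "known good" definition for a historian record (an assumption
# for this example): field name -> (accepted Python type(s), value check).
# Anything not listed here never reaches the destination.
SCHEMA = {
    "tag": (str, lambda v: 1 <= len(v) <= 32 and v.replace("_", "").isalnum()),
    "value": ((int, float), lambda v: -1e6 <= v <= 1e6),  # also rejects NaN/inf
    "ts": (int, lambda v: 0 <= v < 2 ** 32),
}


def verify_and_rebuild(raw: bytes) -> Tuple[Optional[bytes], str]:
    """Return (rebuilt_record, reason); rebuilt_record is None on rejection."""
    if len(raw) > MAX_BYTES:
        return None, "oversize"
    try:
        obj = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError):
        return None, "not-well-formed"
    if not isinstance(obj, dict):
        return None, "not-an-object"
    # Exact field set: unknown keys (e.g. a smuggled command) are a rejection,
    # not something to silently drop.
    if set(obj) != set(SCHEMA):
        return None, "unexpected-fields"
    clean = {}
    for name, (typ, ok) in SCHEMA.items():
        v = obj[name]
        if isinstance(v, str):
            v = v.strip()  # normalise before checking
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(v, bool) or not isinstance(v, typ) or not ok(v):
            return None, f"bad-field:{name}"
        clean[name] = v
    clean["value"] = round(float(clean["value"]), 3)
    # Reconstruct: a new, canonical document built only from verified values.
    out = json.dumps(clean, sort_keys=True, separators=(",", ":")).encode("ascii")
    return out, "ok"


if __name__ == "__main__":
    # Constructed sample records.
    for rec in (
        b'{"tag": " pump1 ", "value": 42.5, "ts": 1700000000}',
        b'{"tag":"pump1","value":1,"ts":1,"cmd":"reboot"}',
        b'{"tag":"pump1","value":"42","ts":1}',
        b"<record/>",
    ):
        print(rec, "->", verify_and_rebuild(rec))
```

Because the output is regenerated from parsed values, byte sequences that were never meaningful to the schema (comments, encoding tricks, trailing data) cannot survive the crossing, which is what "known good" transfer means in practice: the destination receives a document that the filter built, not one it merely inspected.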
Industries That Use Data Diode Technology
To recap, data diodes are used to safely transfer various data types between networks of different security levels because the hardware physically enforces one-way data flow. As such, they really show their strength in high-stakes environments, especially where OT and IT are involved. For example:
- Industrial control systems (ICS) and supervisory control and data acquisition (SCADA): Factories, power grids, and water plants export sensor data, logs, or historian records to IT for analysis. Using data diodes prevents malware or ransomware from accessing the OT network.
- Critical Infrastructure: Nuclear plants, oil/gas pipelines, and utilities companies will use data diodes to protect data as a matter of safety, cybersecurity, and regulatory compliance (e.g., NERC CIP, IEC 62443).
- Government/Military: Networks housing classified information use data diodes to import data into secure environments and to support bidirectional command and control of unmanned vessels between security classifications. Learn more about government and defence Cross Domain Solutions.
Why Data Diodes Are a Safer Security Solution Than Firewalls and Air Gaps
Firewalls have long been used as the standard network security tool, but because they are inherently software-based, they are far more vulnerable to bugs, misconfigurations, and zero-day threats. Additionally, their attack surface needs constant monitoring and patching and updating – even then, they’re still highly vulnerable.
While data diodes do have operating systems for system management, the core one-way data link itself is pure hardware. Because of this, they have virtually no attack surface. The hardware-enforced unidirectionality can’t be changed even if systems on either side are compromised.
Thanks to physics, data diodes are far superior at securing data and keeping threat actors out of critical networks.
They also provide a more sophisticated alternative to air gaps, which present their own list of risks, as people (usually unauthorised) will always find ways to circumvent them, e.g., malware via USB sticks and other on-site devices.
Which brings up a fair point: data diodes should be installed and mounted in a secure location that can only be accessed by authorised personnel.
Is Two-Way Communication Ever Possible in Data Diodes?
By now, you might be wondering if it’s possible for data diodes to face both ways. The hardware we’ve been discussing so far in this piece is the standard design, which points data in one direction.
But if you want two-way data flow, you will have to set up a second data diode with a reversed data flow, or invest in a two-way data diode, often called a bidirectional data diode. To be clear, 4Secure doesn’t recommend or offer this, as it’s less secure. The best option is a bidirectional CDS solution that enables secure two-way flow with multiple diodes.
We should probably point out that the physics behind two-way diodes is the same as the standard unit we’ve been discussing. Data can only flow in one direction through each link, but a two-way unit features two send/receive pairs installed in opposite directions.
Learn More About 4Secure’s Data Diode Solutions
We’ve covered the ins and outs of data diode technology and how it’s inherently far superior to firewalls and other unidirectional data security tools. It’s why we call this technology secure-by-design, and it’s the same principle behind our data diode solutions. Combined with TrustedFilter®, we keep critical systems protected without compromising performance.
Copyright © 4Secure Ltd.
All rights reserved