
Unidirectional Security Gateways:

NOT your grandma’s data diodes


by Andrew Ginter, VP Industrial Security
Waterfall Security Solutions

WWW.WATERFALL-SECURITY.COM
Executive Summary
Waterfall’s Unidirectional Security Gateways, which protect the safe and reliable operation of industrial control
systems, are sometimes referred to as "data diodes" by security practitioners. However, there are big
differences between the two technologies. Data diodes (historically used in a military or defense context) and
unidirectional gateways differ in their hardware, in the strength of the unidirectional protection offered,
in the breadth of their software, in the array of functionality and supported use cases, and in the range of
industrial systems supported.

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Purpose Built | Yes – motherboards, hardware modules, and software | Varies |
| Electrical vs Optical Hardware | Gold-Standard Optical | Varies |
| Data Integrity | High quality hardware and software supporting all integrity techniques | Varies widely |
| Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rarely |
| COTS Software | World’s largest library of COTS support for industrial, IT and other systems | Rarely |
| COTS vs Custom Engineering | 100% COTS, no custom development costs | Custom software + additional costs |

Table 1: Unidirectional Gateways vs. Data Diodes

Waterfall’s Unidirectional Gateways and related products lead the field of industrial unidirectional
communications in every way. Unidirectional gateways are an evolution of data diode technology offering a
combination of hardware and software – the hardware is physically able to transmit information in only one
direction, and the software makes copies of servers and emulates devices in real-time. Unidirectional gateways
have been deployed for a decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor
industrial control system (ICS) networks without exposing those networks to cyber threats.

This eBook explores the difference between data diodes and unidirectional gateway technologies and illustrates
how Waterfall Security Solutions’ family of Unidirectional Security Gateway products is advancing the state of
the art for stronger-than-firewall protections for industrial networks.

Legal Notice & Disclaimer
Any and all third-party intangible and/or proprietary and/or intellectual property rights ("Third Parties’ Rights"),
mentioned herein, whether registered or not, including, without limitation, patents, trademarks, service marks,
trade names, copyrights and computer applications, belong to their respective owners. Waterfall Security
Solutions Ltd. disclaims any and all interest in all such Third Parties’ Rights. It is forbidden to copy, modify,
amend, delete, augment, publish, transmit, create derivative works of, create or sell products derived from,
display or post, or in any other way exploit or use such Third Parties’ Rights without the express authorization of
their respective owners.

Except as specified herein, Waterfall Security Solutions Ltd. does not guarantee nor make any representations
with regard to any and all third party tangible and/or intangible and/or proprietary and/or intellectual property
("Third Party Property") mentioned herein. Waterfall Security Solutions Ltd. does not endorse nor makes
warranties as to the completeness, accuracy or reliability of such Third Party Property, and all such warranties
are hereby expressly and strictly disclaimed.

Table of Contents
1. Background
2. Data Diodes
2.1 Inconsistent Hardware
2.2 Limited to Local Vendors
2.3 Limited or No Software
3. Unidirectional Gateways – Hardware & Software
3.1 Server Replication
3.2 Device Emulation
4. Waterfall Unidirectional Security Gateways
4.1 Off-The-Shelf Replication and Emulation Connectors
4.2 Data Integrity
4.3 Robust Unidirectionality
5. Waterfall Leads Industrial Cybersecurity
6. About Waterfall

1. Background
Data diodes are hardware components that transmit information in only one direction. The diodes have been used
in military applications for decades, sending information into classified networks with no risk of leaking
information out of those networks.

Unidirectional gateways are an evolution of data diode technology. The gateways are a combination of hardware
and software – the hardware is physically able to transmit information in only one direction, and the software
makes copies of servers and emulates devices in real-time. Unidirectional gateways have been deployed for a
decade as safe IT/OT integration at industrial sites, enabling enterprises to monitor industrial control system (ICS)
networks without exposing those networks to cyber threats.

2. Data Diodes
In principle, a data diode is any component that can transmit information in only one direction. In practice, data
diodes have a poor reputation in the eyes of most security practitioners for three reasons: inconsistent
implementations, limited choice of vendors and most importantly, limited or no software support.

2.1 Inconsistent Hardware


In practice, there is a wide variety of technologies and products that are called data diodes, with varying levels of
enforcement of unidirectionality:

• Serial connections and twisted-pair Ethernet connections with only one pair of signalling wires are
thought by many to be unidirectional, but such connections, even with a single pair of signalling wires,
are easily compromised bi-directional connections.

• Hardware solutions based on a variety of one-way electrical signalling mechanisms are often sold as
data diodes, but all electric circuits are circular, and it is impossible to enforce a truly unidirectional
connection with a circular flow of electricity.

• Optical isolation with both transmitting and receiving functions on the same circuit board is
considered stronger than electrical data diodes, but again, it can be difficult for auditors and
certification bodies to verify that there is no return path for information embedded in the board’s
internal circuit routing.

Customers considering data diode equipment must study their vendors’ offerings very carefully to determine
whether such “diode” offerings really are unidirectional.

Note: Practitioners new to the concept of unidirectional communications sometimes imagine that they can create
a “unidirectional firewall.” All TCP and other connections through firewalls are intrinsically bidirectional. There is
no such thing as a “unidirectional firewall”.

2.2 Limited to Local Vendors


Data diodes are used most commonly for high-security government and military networks. Government and
military customers often have a requirement to purchase their diodes from local vendors with a local,
militarily-certified supply chain. Such vendors generally sell lower volumes of their products than suppliers
with a large, international market, and so are not able to benefit from economies of scale in design or
manufacturing.

As a result, commercial off-the-shelf data diode offerings tend to be very basic, with an expectation that additional
sophisticated features required by the customer are produced on a custom engineered basis.

2.3 Limited or No Software


Data diode software is universally primitive. Some diodes are sold with no software at all – just a pair of network
appliances with twisted-pair Ethernet interfaces on either side and a short fiber in the middle. In practice, such
solutions are used nearly exclusively to transmit UDP/IP broadcast packets between two switched Ethernet
networks. Since no normal communications protocols use such broadcasts, all useful data transfer across such
diodes involves custom software.

Other diodes might be supported by software able to do primitive TCP proxying or simple file transfers. TCP
proxying, though, is much less useful than it sounds: even with such proxying, custom software is almost always
required for any data transfer more complex than a simple file transfer. With limited software support, data diode
implementations are unable to participate effectively in a modern IT or ICS ecosystem of standard operating
systems, applications and communications protocols.

3. Unidirectional Gateways – Hardware & Software


The National Institute of Standards and Technology (NIST) in their 2015 Special Publication 800-82 Revision 2
Guide to Industrial Control Systems (ICS) Security defines a unidirectional gateway as:

Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from
one network to another, but is physically unable to send any information at all back into the source network. The
software replicates databases and emulates protocol servers and devices.

That is – a unidirectional gateway uses strong data diode style hardware; hardware that is physically able to
transmit information in only one direction, as well as specialized software. It is the software that is the most
important part of this definition. It is the real-time server replication and device emulation software that makes a
unidirectional gateway so compatible with modern IT and ICS servers, applications and query/response
communications.

3.1 Server Replication


Server replication software replicates database and other servers from industrial networks to enterprise networks
through unidirectional gateway hardware. Users and other applications interact naturally with the replica servers
in normal enterprise IT environments.

For example, a unidirectional gateway transmitting information from an industrial network to an enterprise
network is often used to replicate a historian database, relational database or other server. The gateway software
on the industrial network is a normal database client which queries the server for data. The software transmits
data through the unidirectional hardware to the gateway software on the enterprise network. There, the gateway

software logs into an identical database server, inserts the data into the replica server and keeps the two
synchronized. The replica database is a fully functional database and participates normally in the enterprise IT
ecosystem.

3.2 Device Emulation


Device emulation polls industrial devices on industrial networks and then emulates those devices to enterprise
networks through unidirectional gateway hardware. Users and applications interact naturally with the emulated
devices in normal enterprise environments.

For example, a unidirectional gateway at the IT/OT interface might be configured to gather device information
from one or more OPC-UA servers on the industrial network. The gateway software is a standard OPC-UA client
issuing normal OPC-UA HTTPS/SOAP requests to the servers. The gateway client typically queries the OPC-UA
servers for all their data, once per second. The software then transmits the data through the gateway hardware
to the enterprise network. The gateway software on the enterprise network implements one or more standard
OPC-UA servers that serve responses to OPC-UA queries. The emulated devices are standard industrial protocol
servers and participate normally and naturally in the enterprise IT ecosystem.

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Unidirectionality | Gold-standard optical | Varies |
| Vendor | Global industry leader | Small, local |
| Industrial Server Replication Software | World’s largest library of industrial server replication software | No |
| Industrial Device Emulation Software | World’s largest library of industrial device emulation software | No |
| COTS Software | All hardware and software products are COTS | None or almost none |
| Custom Engineering Costs | No | Yes |

Table 2: Waterfall Unidirectional Gateways as SOTA

4. Waterfall Unidirectional Security Gateways
Waterfall Security Solutions is the industry leader for unidirectional gateway technology, serving an international
market across all sectors. Waterfall provides a portfolio of high-quality, feature-rich products that are based on
or complement our flagship Unidirectional Security Gateway product. Waterfall’s products and technologies
represent the state-of-the-art in unidirectional hardware, software, features and use cases. In this section, we
explore the needs of a wide variety of industrial control systems and how Waterfall technology and business
practices address those needs.

4.1 Off-The-Shelf Replication and Emulation Connectors


Waterfall has the world’s largest set of unidirectional, industrial server replication and device emulation software
connectors. All of these software products, as well as Waterfall’s hardware products are commercial off-the-shelf
(COTS) products. Waterfall has a host of enterprise-software connectors as well. While industrial connectors and
replications may be the primary reason for purchasing and deploying Unidirectional Security Gateways, IT-style
connectors, such as Syslog, electronic mail and others are often needed to keep corporate infrastructure
components working on industrial networks just as effectively as they do on enterprise networks.

When customers need additional connectors or connector features, Waterfall builds those capabilities into
standard product offerings available to all customers. Unlike government and military customers who may
tolerate costly, feature-poor, custom-built and maintained solutions, industrial customers demand off-the-shelf,
commercially supported functionality.

HISTORIANS & INDUSTRIAL APPLICATIONS
• OSIsoft: PI System, PI Asset Framework, PI Backfill
• GE: iHistorian, iHistorian Backfill, OSM, Bently-Nevada System1, Proficy HMI
• Schneider-Electric: Instep eDNA, Wonderware Historian, Wonderware Historian Backfill, ClearSCADA
• Siemens: SIMATIC, WinCC, WinTS, SINAUT, Spectrum
• Emerson: Ovation, EDS, EMS
• Areva: PowerPlex, PowerTrax
• AspenTech IP.21, Rockwell FactoryTalk Historian, Honeywell Alarm Manager, Scientech R*Time

IT APPLICATIONS
• FireEye: TAP, Helix, NX and FaaS
• Log Files, SMTP, SNMP, Syslog
• HP Openview, IBM Tivoli, HP ArcSight, McAfee ESM, Splunk, Qradar, CA Unicenter, CA SIM
• MSMQ, IBM Websphere MQ, Active Message Queue, TIBCO

OTHER CONNECTORS
• UDP, TCP, NTP, Multicast Ethernet
• Video & audio streaming
• Anti-virus updater, WSUS updater, OPSWAT updater
• Remote printing

RELATIONAL DATABASES
• Microsoft SQL Server, Oracle
• MySQL, PostgreSQL

INDUSTRIAL PROTOCOLS
• OPC DA, A&E, HDA, HDA Backfill and UA
• Siemens S7
• Modbus, Modbus Plus, DNP3, ICCP, IEC 60870-5-104, IEC 61850, Omniflow

REMOTE ACCESS
• Remote Screen View
• Secure Bypass

FILE TRANSFER
• Folder mirroring, Rsync, Local Folders
• FTP, FTPS, SFTP, TFTP, RCP, SMB, HTTPFS
• NFS, CIFS

4.2 Data Integrity
In truly unidirectional systems, there is no way for receivers to signal to the transmitter that they successfully
received a message, or to request retransmission of lost messages. It is therefore vital that a unidirectional
solution provide its own data integrity mechanisms. Waterfall’s standard support for such protection includes:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Forward Error Correction | Always | Rarely |
| High Availability | Standard Option | Rarely |
| Backfill | Standard Option | Rarely |

Table 3: Data Integrity
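As an added illustration, constructed for this page and not Waterfall's code, of the server replication described in section 3.1 and of the forward error correction that section 4.2 says a one-way link must supply: the industrial-side client polls a sample historian, the frames cross a simulated one-way link that may drop frames, and the enterprise-side software rebuilds a lost frame from XOR parity, inserts rows into the replica, and reports the gaps it cannot repair (what a backfill feature would later fill). The frame layout, group size and SQLite schema are assumptions.

```python
"""Historian replication over a simulated one-way link with XOR-parity
forward error correction. Constructed example; frame format, group size
and schema are assumptions, not Waterfall's implementation."""
import json
import sqlite3
from typing import Dict, List, Set

GROUP = 4   # data frames per parity frame (assumed FEC parameter)
PAY = 48    # fixed payload size so parity lines up byte for byte
SCHEMA = "CREATE TABLE hist (ts INTEGER PRIMARY KEY, tag TEXT, value REAL)"


def make_source() -> sqlite3.Connection:
    """Constructed sample historian on the industrial network."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO hist VALUES (?,?,?)",
                   [(t, "FT-101", 10.0 + t) for t in range(1, 11)])
    return db


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tx_frames(src: sqlite3.Connection, since_ts: int) -> List[bytes]:
    """Industrial-side gateway software: a normal DB client polls rows newer
    than since_ts and emits data frames [seq, 0, 0, payload] plus one parity
    frame [first_seq, 1, group_len, xor_of_payloads] per group. Nothing can
    flow back, so the sender never learns which frames were lost."""
    rows = src.execute("SELECT ts, tag, value FROM hist WHERE ts > ? ORDER BY ts",
                       (since_ts,)).fetchall()
    frames, group, first = [], [], 0
    for seq, row in enumerate(rows):            # one-byte seq: demo only
        payload = json.dumps(list(row)).encode().ljust(PAY, b" ")
        frames.append(bytes([seq, 0, 0]) + payload)
        group.append(payload)
        if len(group) == GROUP or seq == len(rows) - 1:
            parity = bytes(PAY)
            for p in group:
                parity = xor(parity, p)
            frames.append(bytes([first, 1, len(group)]) + parity)
            group, first = [], seq + 1
    return frames


def rx_apply(frames: List[bytes], replica: sqlite3.Connection) -> Dict:
    """Enterprise-side gateway software: recovers at most one lost data frame
    per group from its parity frame, inserts rows into the replica, and
    reports sequence numbers it could not recover (a job for backfill)."""
    data = {f[0]: f[3:] for f in frames if f[1] == 0}
    groups = {f[0]: (f[2], f[3:]) for f in frames if f[1] == 1}
    gaps, covered = [], set()
    for first, (n, parity) in groups.items():
        seqs = range(first, first + n)
        covered.update(seqs)
        missing = [s for s in seqs if s not in data]
        if len(missing) == 1:                   # recoverable: XOR the rest
            rec = parity
            for s in seqs:
                if s != missing[0]:
                    rec = xor(rec, data[s])
            data[missing[0]] = rec
        elif missing:                           # two or more lost: give up
            gaps.extend(missing)
    # A lost parity frame leaves its group unprotected; holes there are
    # still detectable from the sequence numbers, just not repairable.
    top = max(list(data) + list(covered), default=-1)
    gaps.extend(s for s in range(top + 1) if s not in data and s not in covered)
    for seq in sorted(data):
        replica.execute("INSERT OR REPLACE INTO hist VALUES (?,?,?)",
                        json.loads(data[seq].decode()))
    replica.commit()
    return {"applied": len(data), "gaps": sorted(gaps)}


def demo(drop_data: Set[int], drop_parity: Set[int] = frozenset()) -> Dict:
    """One replication cycle over a link that drops the given frames."""
    src, rep = make_source(), sqlite3.connect(":memory:")
    rep.execute(SCHEMA)
    frames = [f for f in tx_frames(src, 0)
              if not ((f[1] == 0 and f[0] in drop_data)
                      or (f[1] == 1 and f[0] in drop_parity))]
    result = rx_apply(frames, rep)
    result["replica_ts"] = [r[0] for r in rep.execute("SELECT ts FROM hist ORDER BY ts")]
    return result
```

`demo({5})` recovers the single lost frame and the replica ends up complete; `demo({0, 2})` loses two frames of one group and reports both as gaps.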

4.3 Robust Unidirectionality


Data diode manufacturers often take shortcuts and liberties with their unidirectional hardware. They may take
standard network interface circuit boards or cards and disable functionality, cut wires on the boards, or otherwise
modify bi-directional boards for one-way information flow. Vendors using this method of manufacturing are
gambling with their customers’ security.

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Purpose-Built Boards | Always | Varies |
| Electrical vs Optical | Optical | Varies |

Table 4: Hardware-enforced Unidirectionality

Such diode manufacturers may also design “acknowledgement circuits” or other mechanisms to permit the
receiving system to signal receipt of communications and/or request retransmission of failed messages. This of
course is not a unidirectional system at all, but a bi-directional one. Even if the return channel is limited, attackers
can use this channel as a covert means for bi-directional communications. Waterfall’s Unidirectional Gateways
never provide such covert channels.

4.4 Layers of Unidirectionality
Diode manufacturers frequently include only a single layer of unidirectionality in their product designs to reduce
their hardware costs. Waterfall’s product designs include multiple layers of unidirectionality, including all of the
below:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Both Unidirectional Transmitter and Unidirectional Receiver | Always | Sometimes |
| Internal Electrical Isolation | Always | Rarely |
| Optical Isolation | Always | Sometimes |
| Software Doing Low-Level Unidirectional Control | Never – all Waterfall boards use gate array logic, not CPUs | Almost Always |
| Separate TX/RX Circuit Boards | Always | Sometimes |
| Separate Power Supplies | Always | Sometimes |
| Separate Appliances | Customer configurable | Sometimes |

Table 5: Layers of Unidirectionality

Multiple layers of unidirectionality increase confidence in Waterfall’s solutions, dramatically reduce audit and
certification costs, and reflect robust defense-in-depth practices.

4.5 Industrial Fit-For-Purpose
The vast majority of data diode providers design their products for military and government markets, serving the
needs of industrial sites only accidentally, if at all. Waterfall’s Unidirectional Security Gateways are designed
intentionally for industrial sites. In addition to the distinguishing features discussed thus far, Waterfall’s
Unidirectional Security Gateways support:

| | Waterfall Unidirectional Security Gateways | Data Diodes |
|---|---|---|
| Software Hosting Support | Waterfall, customer & virtual hosts | Limited |
| OS Support | Windows, Linux, Solaris, AIX, VxWorks and others | Very limited |
| Modular Hardware Design | Always | No |
| DIN Rail Option | Yes | Rarely |
| Choice Of 1u, 2u, 4u And Other Hardware Configs | Yes | Rarely |
| Industrial Experience For Installation Engineers | Always | Rarely |
| Industrial Experience For Presales Architects | Always | Rarely |
| Certifications and Security Assessments | Common Criteria, ANSSI, NITES, NISA, ISO 9001, US DHS, Idaho National Laboratories, Digital Bond Laboratories | Rare |
| Safe Remote Support | Yes – Remote Screen View and Secure Bypass | Rarely |
| Support For Scheduled Updates of ICS Networks | Yes – Waterfall FLIP | No |
| Support For Safe Internet & Cloud Connectivity | Yes – Waterfall Unidirectional CloudConnect | No |
| Support for Tamper-Proof Unidirectional Forensics | Yes – Waterfall BlackBox | No |
| Free Consultation with Solution Architects | Always | Rarely |

Table 6: Industrial Fit-For-Purpose

None of this should come as any surprise – Waterfall invented the unidirectional replication of industrial servers
and emulation of industrial devices and has been the market and technology leader for industrial applications of
Unidirectional Security Gateways ever since.

5. Waterfall Leads Industrial Cybersecurity


In addition to industry-leading products, technologies and business models, Waterfall Security Solutions is widely
seen as a thought leader for industrial cybersecurity. Waterfall’s leadership activities include:

• Contributing widely to security regulations, standards and best-practice advice including NERC CIP,
the Industrial Internet Consortium, ISA SP-99, Australian Rail Industry Safety and Standards Board,
American Waterworks Association, Department of Homeland Security ICS Joint Working Group,
commercial training providers, post-secondary curricula, National Institute of Standards and
Technology, National Cybersecurity Center of Excellence and many more,

• Deployed on the US DHS National SCADA Security test bed, the Japanese national CSSC test bed and
the Canadian nuclear generation test bed,

• Contributing to and distributing industrial cybersecurity textbooks and other advanced training
materials,

• Contributing to peer-reviewed industrial cybersecurity research and research groups, and

• Testifying at government hearings regarding the state of industrial cybersecurity.

Waterfall not only contributes expertise, time, resources and equipment to these undertakings, but learns from
these activities as well, as our experts interact with the world’s best and brightest IT, ICS and cybersecurity experts.
Waterfall applies all of this knowledge, experience and expertise to the task of producing the world’s most
advanced COTS unidirectional gateway products and technologies, designed to the stringent requirements of the
most demanding industrial sites.

6. About Waterfall
Waterfall Security Solutions is the global leader in industrial cybersecurity technology. Waterfall products, based
on its innovative unidirectional security gateway technology, represent an evolutionary alternative to firewalls.
The company’s expanding array of customers includes national infrastructures, power plants, nuclear plants,
offshore oil and gas facilities, railway networks, refineries, manufacturing plants, utility companies, and many
more. Deployed throughout North America, Europe, the Middle East and Asia, Waterfall products support the
widest range of leading industrial remote monitoring platforms, applications, databases and protocols in the
market. For more information, visit www.waterfall-security.com.
