Documentation Index

Fetch the complete documentation index at: https://docs.senhasegura.io/llms.txt

Use this file to discover all available pages before exploring further.

Diode Edition

Prev Next

Privileged Access Management with Built-in Unidirectional Data Flow for OT Environments

Overview

Segura® Appliance – Diode Edition is a privileged access management (PAM) solution with integrated unidirectional data diode capabilities, purpose-built for deployment in industrial environments

It enables secure, auditable control over privileged sessions within OT networks while allowing policy-based, one-way export of authorized operational data - such as telemetry, logs, alerts, process outputs, and historian exports - from OT to IT domains.

Unlike traditional data diodes, the Segura® Appliance combines full PAM functionality, including session proxying, credential vaulting, MFA, approval workflows, and session recording, with built-in support for both logical and physical segmentation, audit enforcement, and human-in-the-loop validation of outbound flows.

In its highest security mode, the appliance enforces physical one-way communication using a TX (Transmit) channel that is disabled by default and can only be activated locally by an operator via a hardware switch or biometric mechanism. This design supports compliance with critical infrastructure cybersecurity standards, including ISA/IEC 62443 SL3 and SL4, and makes the appliance suitable for use in air-gapped or semi-isolated industrial networks.

Deployment form factor

Segura® Appliance – Diode Edition is delivered as a hardened, rack-mountable physical appliance, designed for deployment in critical industrial environments where reliability, isolation, and operational integrity are essential.

It is suitable for use in:

  • Control rooms, industrial DMZs, and air-gapped networks
  • Sites with restricted or no inbound connectivity to OT
  • Environments requiring strict segmentation between IT and OT domains
  • Infrastructures operating under ISA/IEC 62443 SL3 or SL4

The appliance supports continuous operation in harsh conditions and allows local operator validation (e.g., button or biometric trigger) to enable time-limited TX activation when operating in physical diode mode.

Key capabilities

Capability Description
Privileged Access Management Session proxy (RDP, SSH, Web), MFA, RBAC, session recording, command control
Unidirectional Data Flow Secure one-way export of OT data to IT (logical or physical)
TX Activation Control Hardware button or biometric required to enable TX (physical mode)
Data Export Governance Policy-based export control and operator approval
Format Compatibility Syslog, JSON, CSV, historian files, telemetry (binary/text)
Integration Options Compatible with SIEM, SCADA, PAM, and monitoring systems

Deployment scenarios

Scenario Description
Logical Diode Mode Reverse connector in OT initiates secure outbound tunnel to IT
Physical Diode Mode TX/RX path enforced via dedicated interface; TX activated locally only
Standalone PAM Mode Full PAM functions in segmented OT networks with direct access

Security architecture

Layer Control Mechanism
Network Segmentation Logical or physical separation between OT and IT enforced
One-Way Flow Enforcement Export-only communication via logical or physical diode
TX Activation Control Human-in-the-loop validation using physical trigger (button/biometrics)
Audit and Monitoring Logging of all exports and operator-triggered events
Platform Hardening Secure boot, signed firmware, encrypted storage, TPM-based integrity check

Embedded security features

Feature Purpose
TPM 2.0 Ensures system boot integrity and tamper resistance
HSM Protects cryptographic keys in isolated hardware module
Full-Disk Encryption AES-256 encryption for all data at rest
Firmware Signing Allows execution only of signed system components
Anti-Tamper Architecture Prevents unauthorized physical or firmware-level modifications

Cryptographic Trust & Identity Management

Capability Functionality
Integrated CA Issues and manages X.509 certificates
mTLS Authentication Validates user and device identity via certificate
Device Whitelisting Allows only pre-enrolled endpoints to initiate communication
Certificate-Based Access Users can authenticate using certificates instead of passwords
Lifecycle Controls Manages expiration, revocation, renewal, and policy enforcement

Compliance mapping

Framework / Standard Key Controls Supported
ISA/IEC 62443 FR5–FR7, SL3–SL4, zone separation, unidirectional flow enforcement. Physical Diode Mode with biometric/hardware-switch TX activation satisfies SL3 and SL4 requirements.
NERC CIP CIP-005: hardware diode enforces unidirectional perimeter control; sessions brokered through PAM with MFA and session termination. CIP-007: ports/services management via PAM proxy; command filtering; SIEM forwarding; automated credential rotation. CIP-010: configuration changes brokered through PAM with approval workflows and immutable audit records. CIP-015: UEBA-based behavioral monitoring inside Electronic Security Perimeters; session recording for INSM evidence.
NIST SP 800-82 Data flow control, perimeter protection, audit requirements, access control (AC), identification and authentication (IA), system integrity (SI).
NIST Cybersecurity Framework Protect: RBAC, MFA, credential vaulting, session proxy, policy-based export control. Detect: UEBA, behavioral anomaly detection, real-time SIEM integration. Respond: automated session termination, credential lockout, SOAR playbook triggering. Recover: immutable audit trail, DR procedures, break-glass credential access.
MITRE ATT&CK for ICS Prevents lateral movement, enforces access boundaries. Covers Lateral Tool Transfer, Valid Accounts, and Remote Services ICS techniques via session isolation and command filtering.
ISO/IEC 27001 A.9 (Access Control), A.12 (Logging), A.13 (Communication Security), A.17 (Business Continuity) — all natively supported with automated evidence generation.
ISO/IEC 27019 Energy utility sector extension. Process control system security controls supported.
TSA Security Directives (SD02E) Privileged access controls and continuous monitoring for US pipeline and rail operators. Annual review support via audit report generation.
NIS2 Directive (EU) Essential entities in energy, water, and critical infrastructure. Privileged access controls, incident logging, and regulatory evidence export.
CNEN (Brazil) Air-gap compatibility and physical control enforcement for nuclear facilities.
ANEEL (Brazil) PAM controls aligned with Brazilian electric sector cybersecurity requirements.

Technical highlights

Feature Description
TX Flow Control Default-disabled TX path; local activation required
Export Audit Trail Complete logging with metadata, user ID, timestamps, and integrity checks
Format Compatibility JSON, syslog, .tar/.zip, CSV, historian export, telemetry
Rugged Industrial Design Operates in vibration, temperature, and dust-prone environments
Deployment Flexibility Logical connector mode or physical diode interface

Strategic Benefits

  • Combines PAM and industrial data diode in one integrated platform
  • Enables secure export of any authorized OT data
  • Supports physical operator-controlled activation for high-assurance environments
  • Adds cryptographic trust via integrated CA and mTLS
  • Reduces operational complexity and infrastructure sprawl
  • Suitable for both segmented OT and full air-gapped architectures

OT Protocol Support

Segura® Diode Edition supports the following protocols for privileged access and unidirectional data flow in OT/CPS environments:

Category Protocols / Formats
Industrial OT protocols OPC UA (IEC 62541): secure channel brokering for SCADA-to-historian and PLC-to-SCADA communications with certificate-based authentication. Modbus TCP/RTU: read-only monitoring and pass-through proxy for PLC and field device polling; command filtering prevents unauthorized write operations. DNP3: monitoring for SCADA/RTU communications in energy and water sectors, including DNP3 Secure Authentication v5. IEC 60870-5 (101/104): telemetry forwarding for energy sector SCADA systems in read-only mode enforced by the diode layer.
Messaging & streaming MQTT (v3.1.1 / v5.0): write-only topic publishing for IIoT sensor data forwarding with topic ACL enforcement. AMQP: enterprise messaging forwarding (write-only). Kafka: write-only topic forwarding for IIoT telemetry pipelines.
Events & logs Syslog (RFC 5424 / RFC 3164): structured event forwarding with TLS transport for tamper-evident log delivery. SNMP (v1/v2c/v3): network device monitoring with trap forwarding to IT SIEM; SNMPv3 with AES/DES authentication and privacy. Windows Event Forwarding.
Real-time & media RTP: process video and audio feed forwarding for remote monitoring of safety-critical operations. UDP multicast: real-time data broadcast (OT→IT). NTP (TX only): time synchronization broadcast.
Web & applications HTTP, HTTPS (mirrored, read-only): web proxy for browser-based industrial management interfaces. REST (read-only).
Database & files PostgreSQL (read replica), Oracle (logs), CSV: process historian access. SFTP, FTP, CIFS (via proxy or unidirectional file system): configuration backups and log exports (OT→IT); firmware updates (IT→OT via approval workflow).
IT protocols (OT context) SSH / Telnet: CLI sessions to engineering workstations and managed field devices with full keystroke logging. RDP: graphical sessions to Windows-based HMI/SCADA workstations with screen recording. HTTP/HTTPS: web proxy for browser-based industrial management interfaces.

The hardware data diode physically enforces unidirectional communication at the hardware layer across all supported protocols. Software-only OT proxies are also available for environments that do not require physical separation.

OEM Integration Layer

Segura® offers a structured OEM integration layer for technology partners operating in the CPS/OT ecosystem:

Partner Type Integration Scope
SCADA and Historian vendors Certified unidirectional data export from OT historians to IT analytics platforms. Read-only API integration for operational dashboards without compromising OT network integrity. Compatible with major SCADA and Historian platforms.
Industrial Firewall vendors Upstream diode integration for non-IP industrial traffic (Modbus serial, DNP3 serial, proprietary protocols). Co-management of Electronic Security Perimeters (ESP) for NERC CIP compliance.
System Integrators Plugin-ready proxy modules (Node.js, Rust, and Go-based) for custom OT-to-IT telemetry pipelines. Open integration APIs for connection to CMDB, ticketing systems, and OT asset management platforms. Certified SI partner program in energy, defense, critical manufacturing, and utilities sectors.
Open Development Program Joint development available for: energy (NERC CIP-015 INSM integration), defense (air-gapped PAM with biometric physical control), critical manufacturing (PAM integration with MES/ERP for change management), utilities (smart grid PAM with SCADA/DMS/OMS integration).