Privileged Access Management with Built-in Unidirectional Data Flow for OT Environments
Overview
Segura® Appliance – Diode Edition is a privileged access management (PAM) solution with integrated unidirectional data diode capabilities, purpose-built for deployment in industrial environments
It enables secure, auditable control over privileged sessions within OT networks while allowing policy-based, one-way export of authorized operational data - such as telemetry, logs, alerts, process outputs, and historian exports - from OT to IT domains.
Unlike traditional data diodes, the Segura® Appliance combines full PAM functionality, including session proxying, credential vaulting, MFA, approval workflows, and session recording, with built-in support for both logical and physical segmentation, audit enforcement, and human-in-the-loop validation of outbound flows.
In its highest security mode, the appliance enforces physical one-way communication using a TX (Transmit) channel that is disabled by default and can only be activated locally by an operator via a hardware switch or biometric mechanism. This design supports compliance with critical infrastructure cybersecurity standards, including ISA/IEC 62443 SL3 and SL4, and makes the appliance suitable for use in air-gapped or semi-isolated industrial networks.
Deployment form factor
Segura® Appliance – Diode Edition is delivered as a hardened, rack-mountable physical appliance, designed for deployment in critical industrial environments where reliability, isolation, and operational integrity are essential.
It is suitable for use in:
- Control rooms, industrial DMZs, and air-gapped networks
- Sites with restricted or no inbound connectivity to OT
- Environments requiring strict segmentation between IT and OT domains
- Infrastructures operating under ISA/IEC 62443 SL3 or SL4
The appliance supports continuous operation in harsh conditions and allows local operator validation (e.g., button or biometric trigger) to enable time-limited TX activation when operating in physical diode mode.
Key capabilities
| Capability | Description |
|---|---|
| Privileged Access Management | Session proxy (RDP, SSH, Web), MFA, RBAC, session recording, command control |
| Unidirectional Data Flow | Secure one-way export of OT data to IT (logical or physical) |
| TX Activation Control | Hardware button or biometric required to enable TX (physical mode) |
| Data Export Governance | Policy-based export control and operator approval |
| Format Compatibility | Syslog, JSON, CSV, historian files, telemetry (binary/text) |
| Integration Options | Compatible with SIEM, SCADA, PAM, and monitoring systems |
Deployment scenarios
| Scenario | Description |
|---|---|
| Logical Diode Mode | Reverse connector in OT initiates secure outbound tunnel to IT |
| Physical Diode Mode | TX/RX path enforced via dedicated interface; TX activated locally only |
| Standalone PAM Mode | Full PAM functions in segmented OT networks with direct access |
Security architecture
| Layer | Control Mechanism |
|---|---|
| Network Segmentation | Logical or physical separation between OT and IT enforced |
| One-Way Flow Enforcement | Export-only communication via logical or physical diode |
| TX Activation Control | Human-in-the-loop validation using physical trigger (button/biometrics) |
| Audit and Monitoring | Logging of all exports and operator-triggered events |
| Platform Hardening | Secure boot, signed firmware, encrypted storage, TPM-based integrity check |
Embedded security features
| Feature | Purpose |
|---|---|
| TPM 2.0 | Ensures system boot integrity and tamper resistance |
| HSM | Protects cryptographic keys in isolated hardware module |
| Full-Disk Encryption | AES-256 encryption for all data at rest |
| Firmware Signing | Allows execution only of signed system components |
| Anti-Tamper Architecture | Prevents unauthorized physical or firmware-level modifications |
Cryptographic Trust & Identity Management
| Capability | Functionality |
|---|---|
| Integrated CA | Issues and manages X.509 certificates |
| mTLS Authentication | Validates user and device identity via certificate |
| Device Whitelisting | Allows only pre-enrolled endpoints to initiate communication |
| Certificate-Based Access | Users can authenticate using certificates instead of passwords |
| Lifecycle Controls | Manages expiration, revocation, renewal, and policy enforcement |
Compliance mapping
| Framework / Standard | Key Controls Supported |
|---|---|
| ISA/IEC 62443 | FR5–FR7, SL3–SL4, zone separation, unidirectional flow enforcement. Physical Diode Mode with biometric/hardware-switch TX activation satisfies SL3 and SL4 requirements. |
| NERC CIP | CIP-005: hardware diode enforces unidirectional perimeter control; sessions brokered through PAM with MFA and session termination. CIP-007: ports/services management via PAM proxy; command filtering; SIEM forwarding; automated credential rotation. CIP-010: configuration changes brokered through PAM with approval workflows and immutable audit records. CIP-015: UEBA-based behavioral monitoring inside Electronic Security Perimeters; session recording for INSM evidence. |
| NIST SP 800-82 | Data flow control, perimeter protection, audit requirements, access control (AC), identification and authentication (IA), system integrity (SI). |
| NIST Cybersecurity Framework | Protect: RBAC, MFA, credential vaulting, session proxy, policy-based export control. Detect: UEBA, behavioral anomaly detection, real-time SIEM integration. Respond: automated session termination, credential lockout, SOAR playbook triggering. Recover: immutable audit trail, DR procedures, break-glass credential access. |
| MITRE ATT&CK for ICS | Prevents lateral movement, enforces access boundaries. Covers Lateral Tool Transfer, Valid Accounts, and Remote Services ICS techniques via session isolation and command filtering. |
| ISO/IEC 27001 | A.9 (Access Control), A.12 (Logging), A.13 (Communication Security), A.17 (Business Continuity) — all natively supported with automated evidence generation. |
| ISO/IEC 27019 | Energy utility sector extension. Process control system security controls supported. |
| TSA Security Directives (SD02E) | Privileged access controls and continuous monitoring for US pipeline and rail operators. Annual review support via audit report generation. |
| NIS2 Directive (EU) | Essential entities in energy, water, and critical infrastructure. Privileged access controls, incident logging, and regulatory evidence export. |
| CNEN (Brazil) | Air-gap compatibility and physical control enforcement for nuclear facilities. |
| ANEEL (Brazil) | PAM controls aligned with Brazilian electric sector cybersecurity requirements. |
Technical highlights
| Feature | Description |
|---|---|
| TX Flow Control | Default-disabled TX path; local activation required |
| Export Audit Trail | Complete logging with metadata, user ID, timestamps, and integrity checks |
| Format Compatibility | JSON, syslog, .tar/.zip, CSV, historian export, telemetry |
| Rugged Industrial Design | Operates in vibration, temperature, and dust-prone environments |
| Deployment Flexibility | Logical connector mode or physical diode interface |
Strategic Benefits
- Combines PAM and industrial data diode in one integrated platform
- Enables secure export of any authorized OT data
- Supports physical operator-controlled activation for high-assurance environments
- Adds cryptographic trust via integrated CA and mTLS
- Reduces operational complexity and infrastructure sprawl
- Suitable for both segmented OT and full air-gapped architectures
OT Protocol Support
Segura® Diode Edition supports the following protocols for privileged access and unidirectional data flow in OT/CPS environments:
| Category | Protocols / Formats |
|---|---|
| Industrial OT protocols | OPC UA (IEC 62541): secure channel brokering for SCADA-to-historian and PLC-to-SCADA communications with certificate-based authentication. Modbus TCP/RTU: read-only monitoring and pass-through proxy for PLC and field device polling; command filtering prevents unauthorized write operations. DNP3: monitoring for SCADA/RTU communications in energy and water sectors, including DNP3 Secure Authentication v5. IEC 60870-5 (101/104): telemetry forwarding for energy sector SCADA systems in read-only mode enforced by the diode layer. |
| Messaging & streaming | MQTT (v3.1.1 / v5.0): write-only topic publishing for IIoT sensor data forwarding with topic ACL enforcement. AMQP: enterprise messaging forwarding (write-only). Kafka: write-only topic forwarding for IIoT telemetry pipelines. |
| Events & logs | Syslog (RFC 5424 / RFC 3164): structured event forwarding with TLS transport for tamper-evident log delivery. SNMP (v1/v2c/v3): network device monitoring with trap forwarding to IT SIEM; SNMPv3 with AES/DES authentication and privacy. Windows Event Forwarding. |
| Real-time & media | RTP: process video and audio feed forwarding for remote monitoring of safety-critical operations. UDP multicast: real-time data broadcast (OT→IT). NTP (TX only): time synchronization broadcast. |
| Web & applications | HTTP, HTTPS (mirrored, read-only): web proxy for browser-based industrial management interfaces. REST (read-only). |
| Database & files | PostgreSQL (read replica), Oracle (logs), CSV: process historian access. SFTP, FTP, CIFS (via proxy or unidirectional file system): configuration backups and log exports (OT→IT); firmware updates (IT→OT via approval workflow). |
| IT protocols (OT context) | SSH / Telnet: CLI sessions to engineering workstations and managed field devices with full keystroke logging. RDP: graphical sessions to Windows-based HMI/SCADA workstations with screen recording. HTTP/HTTPS: web proxy for browser-based industrial management interfaces. |
The hardware data diode physically enforces unidirectional communication at the hardware layer across all supported protocols. Software-only OT proxies are also available for environments that do not require physical separation.
OEM Integration Layer
Segura® offers a structured OEM integration layer for technology partners operating in the CPS/OT ecosystem:
| Partner Type | Integration Scope |
|---|---|
| SCADA and Historian vendors | Certified unidirectional data export from OT historians to IT analytics platforms. Read-only API integration for operational dashboards without compromising OT network integrity. Compatible with major SCADA and Historian platforms. |
| Industrial Firewall vendors | Upstream diode integration for non-IP industrial traffic (Modbus serial, DNP3 serial, proprietary protocols). Co-management of Electronic Security Perimeters (ESP) for NERC CIP compliance. |
| System Integrators | Plugin-ready proxy modules (Node.js, Rust, and Go-based) for custom OT-to-IT telemetry pipelines. Open integration APIs for connection to CMDB, ticketing systems, and OT asset management platforms. Certified SI partner program in energy, defense, critical manufacturing, and utilities sectors. |
| Open Development Program | Joint development available for: energy (NERC CIP-015 INSM integration), defense (air-gapped PAM with biometric physical control), critical manufacturing (PAM integration with MES/ERP for change management), utilities (smart grid PAM with SCADA/DMS/OMS integration). |