Protecting SCADA and PLCs from Lateral Attacks with Data Diodes
- Işınsu Unaran
- Jul 8
Industrial control systems (ICS) are the backbone of modern civilization, yet their most critical components, SCADA systems and PLCs, are often the most vulnerable. Initially designed for reliability and longevity, not cyber resilience, these systems were built in an era when isolated environments were the norm. Today, as connectivity expands across IT and OT domains, these once air-gapped assets are increasingly exposed to sophisticated cyber threats.
A single disruption can trigger cascading failures, impacting electricity distribution, public safety, or national security. Yet many of these systems run outdated operating systems, lack basic encryption, and allow overly permissive network access. Even patching is rare in OT due to concerns about operational downtime. This vulnerability makes SCADA and PLC environments a prime target for lateral attacks.

Understanding Lateral Attacks in OT Networks
A lateral attack involves an adversary breaching one part of the network, often through a seemingly innocuous entry point, and moving sideways to reach more sensitive or isolated systems. In OT environments, this can mean infiltrating a less-protected workstation or engineering laptop, then pivoting through network connections to access critical assets, such as PLCs.
Unlike typical IT attacks that focus on data theft, lateral movement in OT is often about gaining control over the network. Once inside, attackers may issue malicious commands, manipulate sensor data, or disable physical safety systems.
The challenge is that traditional security tools, such as firewalls or intrusion detection systems, were not designed to operate reliably in OT environments with low-latency requirements and legacy protocols. Even when network segmentation is implemented, misconfigurations or insider threats can render it ineffective.
A Real-World Example: Industroyer2 Targeting Ukraine’s Power Grid
In April 2022, cybersecurity researchers uncovered a sophisticated malware campaign targeting Ukraine’s electrical substations. Dubbed Industroyer2, this attack was built upon the original Industroyer malware, which was used in 2016. Its goal: to manipulate industrial control protocols and directly impact circuit breakers in power substations.
According to ESET Research, attackers used compromised IT systems as an initial foothold, then moved laterally into OT networks. Once inside, they deployed malware specifically crafted to communicate with ICS protocols, such as IEC-104, and issued commands to cut power.
This was not a brute-force attack. It was a deliberate, multi-stage process that depended entirely on lateral movement from less-protected systems into core operational environments. It highlighted how the convergence of IT and OT, without proper segmentation, can become a highway for adversaries.
Segmenting Control Systems with One-Way Transfer Technologies
To prevent this kind of escalation, organizations must enforce strict separation between zones that handle monitoring and control. This is where data diodes come into play.
Unlike firewalls, which still allow bidirectional traffic under set rules, a data diode enforces physically unidirectional communication. It allows information to flow in only one direction, ensuring that data can be extracted from a critical system but never inserted back into it.
This model is particularly effective for protecting SCADA and PLC environments:
- SCADA Monitoring: Operators can collect real-time process data and securely send it to upstream systems for analysis, without exposing the SCADA network to external commands or malware.
- PLCs and Safety Systems: Configuration and firmware updates can be staged via controlled manual processes, while sensor data flows out through a one-way channel, blocking command-and-control attempts.
Why Traditional Segmentation Falls Short
Network segmentation, in theory, should provide strong isolation. But in practice, it relies heavily on configuration, policy enforcement, and human discipline. A single misconfigured rule, shared credential, or compromised device can bridge the gap between supposedly secure zones.
Data diodes eliminate this risk by removing the possibility of backflow. There is no TCP handshake, no return route, and no negotiation. The physical layer enforces directionality regardless of protocol or software vulnerabilities.
For example, a typical deployment might involve connecting a SCADA network’s historian server to a corporate IT environment using a data diode. Process data flows out to IT for analytics, reporting, or regulatory compliance, while the SCADA system remains invisible to external systems.
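The historian-to-IT link described above, sketched as an added example (not DataFlowX code and not part of the original article): with no handshake or return route, the sending side cannot learn about loss, so each record carries a sequence number and an HMAC and is sent more than once, while the receiving side verifies, deduplicates and reports gaps without ever replying. The frame layout, the pre-shared key, the tag names and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: pre-shared key provisioned out of band
HEADER = struct.Struct("!I")   # assumed frame layout: 32-bit sequence number
TAG_LEN = 32                   # HMAC-SHA256 tag length in bytes

def frame(seq, payload, key=KEY):
    """OT side: build one self-contained datagram; nothing is ever read back."""
    body = HEADER.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def send_redundant(records, copies=2):
    """No ACK or resend request can cross the diode, so loss is covered by copies."""
    for seq, payload in enumerate(records):
        for _ in range(copies):
            yield frame(seq, payload)

class Receiver:
    """IT side: verify, deduplicate and track gaps; it has no path to reply."""
    def __init__(self, key=KEY):
        self.key, self.records, self.rejected = key, {}, 0

    def accept(self, datagram):
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(body) < HEADER.size or not hmac.compare_digest(tag, expected):
            self.rejected += 1  # truncated, corrupted or forged frame
            return False
        (seq,) = HEADER.unpack_from(body)
        self.records.setdefault(seq, body[HEADER.size:])  # later copies are ignored
        return True

    def missing(self):
        """Sequence numbers never received: raise an alarm, since a resend cannot be requested."""
        top = max(self.records, default=-1)
        return [s for s in range(top + 1) if s not in self.records]

def demo():
    # Constructed historian samples; the simulated link drops three datagrams
    # (both copies of seq 1, one copy of seq 2) and flips a bit in one more.
    records = [b"FT-101=42.7", b"PT-204=3.1", b"LT-310=88.0", b"TT-115=61.4"]
    wire = [d for i, d in enumerate(send_redundant(records)) if i not in (2, 3, 5)]
    wire[0] = wire[0][:-1] + bytes([wire[0][-1] ^ 1])
    rx = Receiver()
    for datagram in wire:
        rx.accept(datagram)
    return rx
```

In the constructed run, the second copy of record 0 covers for the corrupted first copy, while record 1 is lost in both copies and can only be reported as a gap on the IT side.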

Implementing Hardened One-Way Protection with DataDiodeX
At DataFlowX, we’ve engineered DataDiodeX to meet the needs of highly sensitive OT environments. Certified with Common Criteria EAL4+, it offers tamper-proof isolation with hardware-enforced unidirectional logic.
Deployed between PLC/SCADA segments and enterprise or cloud systems, DataDiodeX allows:
- Secure outbound data replication (e.g., logs, telemetry, alarms)
- Protocol-aware integration (supports MQTT, OPC UA, Kafka, SFTP, etc.)
- Zero Trust segmentation even in flat or legacy networks
- Resilience to malware, misconfigurations, or insider threats
Confidence in Control
Protecting SCADA and PLC systems from lateral attacks isn’t just a cybersecurity best practice—it’s an operational necessity. As adversaries become more sophisticated and geopolitical risks escalate, defending critical infrastructure necessitates more than reactive tools.
It demands hardened boundaries, tamper-proof isolation, and guaranteed one-way traffic flow.
DataDiodeX delivers precisely that. It gives organizations confidence that no attacker can move laterally into the systems that keep power flowing, water clean, and transportation safe.
Contact our expert team to learn more about how you can integrate data diodes into your cyber defenses.









