OT Cybersecurity Software
an independent guide for OT and ICS security practitioners

Firewalls vs. Data Diodes: An OT Placement and TCO Guide

Both firewalls and data diodes are network security controls. The similarity ends there. One is a configurable gate. The other is a physical law. Understanding which belongs where and what each actually costs over a five-year horizon is the difference between a security architecture that holds under pressure and one that fails at the worst possible moment. Data diodes are hardware, not software. They are covered here because the decision to deploy one directly displaces a software-defined firewall, and because the TCO comparison — including the software subscription and licensing costs that firewall ownership carries — is a software procurement decision as much as a hardware one.

Contents
  1. The core distinction
  2. Placement across the Purdue model
  3. Vendor landscape
  4. TCO summary
  5. Making the case to a CFO or COO
  6. Common deployment mistakes

The core distinction

Firewall

Enforces policy. Can be misconfigured, exploited, or administratively bypassed. Rule sets require ongoing maintenance and generate ongoing audit overhead. The attack surface is the rule set plus the firewall's own software: management interfaces, remote-access services and firmware all carry vulnerabilities that have to be patched on the vendor's schedule.

Data diode

Enforces physics. Transmits data in one direction only. The hardware makes reverse communication physically impossible regardless of what an attacker does at the software layer, so there is no rule set to misconfigure or exploit. The caveat is where the hardware ends: the replication hosts on either side of the diode are ordinary servers running protocol software, and they still need patching and hardening. What the diode guarantees is that a compromise of the receiving host, or of anything beyond it, cannot be turned into traffic back toward the sending side.

That distinction has two direct operational consequences. First, a data diode on a high-consequence asset provides a guarantee that no firewall can match: even a fully compromised downstream network cannot send commands back upstream. Second, the audit evidence a diode produces is simpler and more defensible than a firewall rule set, because there is no rule set to audit — only a direction of data flow.

The trade-off is architectural constraint. A data diode cannot replace a firewall everywhere. Anywhere bidirectional communication is genuinely required — vendor remote access, SCADA polling, engineer workstation connectivity — a firewall is the correct tool. The question is not which is better in the abstract. It is which belongs at each specific point in your network.

Placement across the Purdue model

The placement decision follows a straightforward principle: use a firewall where bidirectional communication is operationally required, and a data diode where data flows in one direction and the consequence of a reverse communication is unacceptable.

Location | Correct control | Rationale
IT/OT boundary (Level 3.5 DMZ) | Firewall | Bidirectional traffic required: SCADA data up to the enterprise, patch distribution down to OT, vendor remote access
Level 3 to Level 2 (DCS/SCADA to control network) | Firewall | Engineering workstations require bidirectional access to controllers for configuration and diagnostics
Historian data extraction (Level 2 to Level 3/IT) | Data diode | Data flows in one direction only: process data out to the historian. No reverse path is required or acceptable.
Safety Instrumented System (SIS) isolation | Data diode | The SIS must receive no commands from any external network. The diode enforces this in hardware.
Protection relay telemetry | Data diode | Relay status data flows out for monitoring. No inbound path is required, and any inbound path is a risk.
Nuclear, high-consequence generation | Data diode | Regulatory requirement in many jurisdictions. A hardware guarantee is required, not a policy-based control.
Remote access path (any level) | Firewall + just-in-time (JIT) access | Bidirectional by definition. A diode is not applicable.

The historian extraction use case is the most common entry point for data diode deployment. Most OT environments already have historians pulling data from Level 2. Replacing the network connection with a diode is often a single-segment change with no operational impact — and it removes a bidirectional path that has no operational justification.

The SIS use case is the highest-consequence. A safety instrumented system that can receive inbound commands from a compromised network is a liability that no firewall policy reliably eliminates. Hardware-enforced unidirectionality is the correct control.

Vendor landscape

The industrial data diode market is small and specialized. Four vendors account for the majority of deployments in critical infrastructure.

Waterfall Security Solutions

The largest pure-play OT diode vendor. Strong presence in energy, oil and gas, and utilities. Their Unidirectional Security Gateway includes protocol replication software for common OT historians and SCADA systems. Well-documented NERC CIP compliance evidence packages.

Owl Cyber Defense

Originally developed for government and defense. Strong in nuclear and high-consequence industrial environments. Hardware is NSA-evaluated. Protocol support is broad but professional services requirements are higher than Waterfall.

Bayshore Networks (now part of OPSWAT)

Takes a software-defined approach alongside hardware diodes. Better fit for environments that need selective filtering of OT data before it crosses the boundary, not just bulk historian replication.

Fox DataDiode (Fox-IT)

Netherlands-based; the diode hardware is Common Criteria EAL7+ evaluated. Strong NIS2 compliance positioning and a good fit for multinationals with EU operations requiring hardware-enforced isolation evidence.

Key procurement criteria

Criterion | What to evaluate
Protocol replication coverage | Does the vendor's software support your historian platform (AVEVA PI System, formerly OSIsoft PI; AVEVA Historian, formerly Wonderware; Honeywell PHD)? Out-of-the-box replication vs. custom development significantly affects deployment cost.
Passive tap vs. inline deployment | Some diodes require inline deployment; others support passive tap configurations. Inline deployment carries operational risk during installation.
Compliance evidence package | What documentation does the vendor provide for NERC CIP-005, CIP-007, and NIS2 supervisory inspection? Has it been accepted by auditors in your sector?
Professional services requirement | Diode deployments typically require vendor professional services for protocol setup. Get a firm estimate before procurement.
Reference customers | Ask for references in your industry who have completed deployment and gone through at least one compliance audit cycle.

TCO summary

The firewall vs. data diode cost comparison is frequently framed as a CapEx problem: diodes cost more upfront. That framing ignores the OpEx reality of firewall ownership.

Every industrial firewall carries ongoing costs that a data diode does not: annual subscription fees for threat intelligence and IPS signatures, engineering hours for patch cycles (typically two to four major firmware updates per year), rule audit and maintenance labor, and compliance audit documentation overhead. These costs compound over time.

The data diode carries higher upfront hardware cost and a one-time engineering investment for protocol replication setup. After that, the recurring cost is a hardware maintenance contract plus a small amount of labor to keep the replication hosts on each side patched; there is no rule set to review and no signature subscription to renew.

For most OT environments, the firewall's cumulative OpEx surpasses the diode's total cost somewhere between 18 and 36 months after deployment. The exact crossover depends on your labor rate, the number of segments protected, and your compliance audit burden.
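The crossover arithmetic is simple enough to check without the calculator. The following is an added worked example, not the calculator's code and not from the original guide: a small cost model in Python that accrues each control's recurring cost monthly, finds the first month at which cumulative firewall spend meets cumulative diode spend, and builds the year-by-year table. Every figure in it (hardware prices, subscription and maintenance fees, hours, the 125-per-hour labor rate) is a placeholder assumption chosen for illustration, not a quote from any vendor; substitute your own.

```python
from dataclasses import dataclass


@dataclass
class ControlCost:
    """Multi-year cost model for one boundary control. Labor is kept in hours so
    the same model can be re-run at your own fully loaded rate."""
    name: str
    upfront: float             # hardware plus one-time engineering / professional services
    annual_fees: float         # subscriptions (firewall) or maintenance contract (diode)
    annual_labor_hours: float  # patching, rule reviews, audit evidence, replication-host upkeep
    labor_rate: float          # fully loaded cost per engineering hour

    def monthly_opex(self) -> float:
        return (self.annual_fees + self.annual_labor_hours * self.labor_rate) / 12

    def cumulative(self, month: int) -> float:
        """Total spent from procurement through the end of `month` (accrued monthly)."""
        return self.upfront + month * self.monthly_opex()


def firewall_labor_hours(patch_events_per_year, hours_per_patch_event,
                         rule_review_hours_per_month, audit_evidence_hours_per_year):
    """The recurring firewall effort that a CapEx-only comparison leaves out."""
    return (patch_events_per_year * hours_per_patch_event
            + 12 * rule_review_hours_per_month
            + audit_evidence_hours_per_year)


def crossover_month(firewall: ControlCost, diode: ControlCost, horizon_months: int = 60):
    """First month at which cumulative firewall cost meets or exceeds cumulative diode
    cost, or None if the diode's upfront cost is never recovered within the horizon."""
    for month in range(horizon_months + 1):
        if firewall.cumulative(month) >= diode.cumulative(month):
            return month
    return None


def year_table(firewall: ControlCost, diode: ControlCost, years: int = 5):
    """Year-end cumulative cost of each control and the difference, rounded to whole
    currency units: the figure a CFO will actually look at."""
    rows = []
    for year in range(1, years + 1):
        fw = round(firewall.cumulative(12 * year))
        dd = round(diode.cumulative(12 * year))
        rows.append({"year": year, "firewall": fw, "diode": dd, "firewall_minus_diode": fw - dd})
    return rows


# Placeholder inputs, constructed for this example; replace with your own quotes and rates.
RATE = 125.0
FIREWALL = ControlCost(
    name="industrial firewall",
    upfront=20_000,
    annual_fees=9_000,  # threat intelligence + IPS signature subscription
    annual_labor_hours=firewall_labor_hours(patch_events_per_year=4, hours_per_patch_event=16,
                                            rule_review_hours_per_month=6,
                                            audit_evidence_hours_per_year=40),
    labor_rate=RATE,
)
DIODE = ControlCost(
    name="data diode",
    upfront=40_000 + 15_000,  # hardware + one-time protocol replication setup
    annual_fees=12_000,       # hardware maintenance contract
    annual_labor_hours=16,    # patching the replication hosts on each side
    labor_rate=RATE,
)

if __name__ == "__main__":
    print("crossover month:", crossover_month(FIREWALL, DIODE))
    for row in year_table(FIREWALL, DIODE):
        print(row)
```

Two things the model makes visible. If the firewall's recurring cost per month does not exceed the diode's, crossover_month returns None and no horizon will recover the diode; the case for it is then the risk frame, not the cost frame. And the inputs that move the result most are the labor hours (patch cycles, rule reviews, audit evidence), which is why the labor rate and the compliance burden dominate the crossover month.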

Firewall vs. Data Diode TCO Calculator

Enter your environment parameters (hardware costs, patch labor, subscription fees, compliance overhead) and see the month at which the data diode's upfront cost is recovered by firewall OpEx savings. Produces a CFO-ready output you can take directly to a budget conversation.


Making the case to a CFO or COO

A data diode costs more upfront than a firewall. That is the objection you will face. Here is how to reframe it.

For the budget conversation
The one-sentence technical distinction

A firewall is a gate that can be opened — by misconfiguration, by exploit, or by an administrator under pressure. A data diode cannot be opened from the wrong direction by any means. That is not a policy difference. It is a physical one.

The cost frame

The comparison is not firewall cost versus diode cost. It is total firewall ownership cost — hardware, annual subscriptions, patch labor, rule maintenance, audit overhead — versus total diode ownership cost over the same period. In most environments, the diode is cheaper within three years. The TCO calculator produces the specific numbers for your environment.

The risk frame

A safety instrumented system or critical control asset that is reachable via a compromised firewall carries tail risk that is difficult to quantify and impossible to fully insure against. A data diode on that asset removes the network path for that risk entirely rather than narrowing it; other routes onto the asset, such as removable media and portable engineering laptops, still need their own controls. That is a different conversation than comparing two controls of similar capability.

The regulatory frame

NERC CIP auditors and NIS2 supervisory authorities are increasingly distinguishing between firewall-protected assets and hardware-isolated assets in their risk assessments. A diode on a high-consequence asset is documentable risk reduction that a firewall rule set cannot replicate.

Common deployment mistakes

Deploying a diode without protocol replication software

A data diode is hardware. It transmits bits in one direction, which means no TCP handshake, acknowledgement or retransmission can cross it and no native OT protocol works across it as-is. Without protocol replication software on both sides, configured for your specific historian or SCADA platform, you are transmitting data that nothing on the receiving end can read. Protocol setup is not optional. It is half the deployment.
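Why the replication layer is half the deployment is easier to see in code. The following is an added example, not any vendor's product code and not from the original guide, of the transport problem every unidirectional link has to solve: the sending host gets no acknowledgements, so it cannot retransmit on request, and the receiving host has to detect loss on its own. The frame layout, the JSON record format, the send-twice loss protection and the sample historian values are all constructed for this illustration; commercial products use their own framing and loss-protection schemes.

```python
import json
import struct
import zlib

# Frame layout (big-endian): 4-byte sequence number, 2-byte payload length,
# 4-byte CRC32 over sequence number + payload. Nothing in the frame asks the
# receiver for anything: there is no path on which it could answer.
HEADER = struct.Struct("!IHI")


def encode_frame(seq: int, record: dict) -> bytes:
    payload = json.dumps(record, separators=(",", ":"), sort_keys=True).encode()
    crc = zlib.crc32(seq.to_bytes(4, "big") + payload)
    return HEADER.pack(seq, len(payload), crc) + payload


def decode_frame(frame: bytes):
    """Return (seq, record), or None if the frame is truncated or fails its CRC."""
    if len(frame) < HEADER.size:
        return None
    seq, length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length or zlib.crc32(seq.to_bytes(4, "big") + payload) != crc:
        return None
    return seq, json.loads(payload)


def send_side(records, repeats=2):
    """Protected-side replication host. Frames each record, then emits the whole
    batch `repeats` times. Repetition (or forward error correction) is the only
    loss protection available: the sender can never learn what was missed."""
    frames = [encode_frame(seq, rec) for seq, rec in enumerate(records)]
    return frames * repeats


def one_way_channel(frames, drop_indices=frozenset(), corrupt_indices=frozenset()):
    """Stand-in for the diode. Frames pass in order, some are lost or damaged,
    and nothing flows back. Loss positions are explicit so runs are repeatable."""
    delivered = []
    for i, frame in enumerate(frames):
        if i in drop_indices:
            continue
        if i in corrupt_indices:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # damage one payload byte
        delivered.append(frame)
    return delivered


def receive_side(frames, expected_count=None):
    """Enterprise-side host. Discards corrupt frames, de-duplicates repeats, and
    reports sequence gaps for operations to investigate; it cannot ask for a resend.
    Without `expected_count` a gap is only visible once a later sequence number arrives."""
    records, corrupt = {}, 0
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            corrupt += 1
            continue
        seq, record = decoded
        records.setdefault(seq, record)  # first good copy wins
    if expected_count is None:
        expected_count = max(records) + 1 if records else 0
    gaps = [seq for seq in range(expected_count) if seq not in records]
    return {"records": records, "gaps": gaps, "corrupt_frames": corrupt}


# Constructed sample: five historian samples from one flow indicator.
SAMPLE_RECORDS = [
    {"tag": "FIC-101", "ts": 1700000000 + 10 * i, "value": 12.5 + i, "quality": "good"}
    for i in range(5)
]

if __name__ == "__main__":
    frames = send_side(SAMPLE_RECORDS, repeats=2)
    # Lose one copy of record 2 (recovered) and both copies of record 1 (a real gap).
    result = receive_side(one_way_channel(frames, drop_indices={1, 2, 6}), len(SAMPLE_RECORDS))
    print(f"delivered={sorted(result['records'])} gaps={result['gaps']} corrupt={result['corrupt_frames']}")
```

Note the trailing-loss case: if the last records of a batch are lost, the receiver has no later sequence number to reveal the gap. That is why real deployments send periodic heartbeat or sequence-status frames, and why a diode deployment is not finished until someone is monitoring the gap reports on the receiving side.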

Using a diode where bidirectional access is actually required

Engineering workstations need to push configuration changes to controllers. SCADA systems need to send setpoints. If you deploy a diode on a segment that has legitimate bidirectional requirements, you will either break the operation or create a workaround that bypasses the diode entirely. Map your traffic flows before selecting the control.
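Mapping the flows is the step most often skipped, and most of the evidence already exists in whatever connection logging the network has. The following is an added example, not from the original guide, that applies the placement principle from the Purdue table above to a constructed Zeek conn.log-style sample: for each boundary touching a zone you want on the sending side of a diode, it checks whether the bytes entering that zone look like poll requests and acknowledgements (a one-way data flow the replication host can re-create locally) or like payload (a genuine bidirectional requirement). The zone address plan, the sample connections and the 5% ratio threshold are all assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Address plan for the zones in question (constructed for this example; use your own).
ZONES = {
    "L2-control": ipaddress.ip_network("10.20.0.0/16"),
    "L3-site-ops": ipaddress.ip_network("10.30.0.0/16"),
    "L3.5-DMZ": ipaddress.ip_network("10.35.0.0/24"),
}
# Zones we would like to place on the sending side of a diode.
PROTECTED = {"L2-control"}

# Fraction of the outbound payload that inbound bytes may reach and still look like
# request/poll overhead rather than data entering the zone. Heuristic; tune per protocol.
MAX_PULL_RATIO = 0.05


class Conn(NamedTuple):
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    service: str
    orig_bytes: int
    resp_bytes: int


# Constructed sample in the shape of Zeek conn.log fields (one connection per line).
SAMPLE_CONN_LOG = """\
10.30.1.10 49152 10.20.5.20 4840 opcua 1820 2419000
10.30.1.10 49153 10.20.5.21 502 modbus 960 184000
10.20.5.22 40000 10.30.1.11 514 syslog 38000 0
10.35.0.5 51000 10.20.5.30 3389 rdp 4100000 5200000
10.35.0.6 50100 10.20.5.40 445 smb 52000000 12000
10.30.1.10 50200 10.30.1.11 5432 postgresql 8000 910000
"""


def parse_conn_log(text: str):
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        oh, op, rh, rp, svc, ob, rb = line.split()
        conns.append(Conn(oh, int(op), rh, int(rp), svc, int(ob), int(rb)))
    return conns


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def assess_boundaries(conns, max_pull_ratio=MAX_PULL_RATIO):
    """For every boundary touching a protected zone, decide whether the observed traffic
    is compatible with a diode (payload only leaves the zone) or needs a firewall.
    Connection direction is ignored on purpose: a historian that polls Level 2 is
    still a one-way data flow, and the replication host re-creates the poll locally."""
    by_boundary = defaultdict(list)
    for c in conns:
        oz, rz = zone_of(c.orig_h), zone_of(c.resp_h)
        if oz in PROTECTED and rz not in PROTECTED:
            protected, other, inbound, outbound = oz, rz, c.resp_bytes, c.orig_bytes
        elif rz in PROTECTED and oz not in PROTECTED:
            protected, other, inbound, outbound = rz, oz, c.orig_bytes, c.resp_bytes
        else:
            continue  # intra-zone, or a boundary without a protected side
        pull_like = inbound <= max_pull_ratio * outbound
        by_boundary[(protected, other)].append((c, inbound, pull_like))

    results = {}
    for boundary, flows in by_boundary.items():
        protected = boundary[0]
        blocking = [
            f"{c.orig_h}:{c.orig_p} -> {c.resp_h}:{c.resp_p} {c.service} ({inbound} B into {protected})"
            for c, inbound, pull_like in flows
            if not pull_like
        ]
        results[boundary] = {
            "connections": len(flows),
            "control": "firewall" if blocking else "data diode candidate",
            "blocking_flows": blocking,
        }
    return results


if __name__ == "__main__":
    for (protected, other), verdict in assess_boundaries(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{protected} <-> {other}: {verdict['control']}")
        for flow in verdict["blocking_flows"]:
            print("   blocks diode:", flow)
```

The sample puts the Level 2 to Level 3 boundary in the diode column because the capture shows only historian polling and outbound syslog; the placement table above puts a firewall there because engineering workstations also need to reach controllers. Both are right for their inputs, which is the point: a capture only shows what happened during the capture window, so pair this with the asset inventory and the engineering team before committing to a control.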

Treating a diode as a substitute for network segmentation

A data diode on a historian connection does not segment the OT network. If your Level 2 network is flat and an attacker reaches it from a compromised Level 3 system, the diode protects only the historian extraction path — not the PLCs. Diodes operate at specific chokepoints. Segmentation is a separate requirement.

Underestimating professional services

First-time diode deployments consistently run over the initial engineering estimate. Protocol replication configuration — particularly for non-standard historian implementations or custom OT applications — requires vendor professional services that are not always scoped accurately at procurement. Budget a contingency.

Selecting a vendor without reference checks in your compliance framework

Not all diode vendors have produced compliance evidence packages that have been accepted by NERC auditors or NIS2 supervisory authorities. A vendor with strong product and weak compliance documentation creates audit risk. Ask for references who have completed an audit cycle, not just a deployment.