An OWA appliance is a hardware-enforced unidirectional gateway, also known as a data diode, that allows information to flow out of a critical OT network in one direction only. A physical optical core makes a return path electrically impossible, so operational data reaches IT, the SOC, or the cloud while outside cyber threats have no way back in. This is airgap-grade separation that a firewall cannot provide.
The OWA platform pairs an optical data diode that physically enforces one-way flow with modular upstream and downstream proxy software that handles real-world, multi-protocol data transfer across security domains.
OT systems feed the upstream proxy through native connectors and replicator agents. The optical core carries that data one way to a physically separate downstream proxy, which delivers it to IT systems such as SIEM, data lakes, and the cloud. The two sides share no return path, no acknowledgements, and no control traffic.
More than 1,000 files per second in FTPS, including encrypted flows.
Support for very large files, up to 500 GB on the top models.
Sustained throughput from 500 Mbps to 25+ Gbps depending on model.
OWA enforces one-way isolation in hardware across the physical, data link, and network layers (L1 to L3). Intelligent proxy connectors then operate at L4 to L7 to terminate, reconstruct, and optimize application traffic.
The result is a full protocol break with no shared state, no return path, and no acknowledgements, with multiple protocols interleaved into a single optical data stream.
Zero packet loss and zero file corruption, by design. OWA hashes data in transit and applies built-in CRC and Forward Error Correction (FEC) to detect and repair errors without any return channel. Downstream buffering and replay preserve data during network outages and resume automatically once connectivity returns, while the upstream domain is never informed of the failure.
On the enterprise models, a patented active-active architecture maintains continuous transfer through downstream outages, component failures, and network disruptions. Distributed buffering, automatic failover, and autonomous recovery resume data flow without loss or manual intervention, even under the strict constraints of a one-way link.
Compact 1U OWA Proxy + Optical Isolator for OT deployments, supporting up to 1 Gbps on selected connectors
Download Datasheet
Enterprise-grade OWA Optical Diode + Proxies appliance delivering sustained 1+ Gbps performance with high availability
Download Datasheets
Extreme-performance OWA Optical Diode + Proxies appliance designed for large-scale data transfers up to 25+ Gbps
Download DatasheetOWA connectors provide native protocol support and convert bidirectional communications into secure, hardware-enforced one-way flows. Replicator agents add application-level replication logic on both sides of the diode.
Replication: File system replication, SQL database replication, OT protocol replication, and custom replication workflows.
OT systems and historians: AVEVA Pi (Pi2Pi via MICA), AspenTech InfoPlus.21, Bently Nevada S1, Emerson AMS Optics and DeltaV, GE OSM, Hexagon PAS, Siemens WinCC, Yokogawa, Cisco Splunk, and more.
Industrial protocols: MQTT, OPC UA/DA, Modbus, DNP3, IEC 104.
| Model |
OWA 1U 500M/1G |
OWA 2U/3U 1G |
OWA 2U/3U 10/25G |
|---|---|---|---|
| Best for | Compact OT to IT one-way gateway | Enterprise OT and Gov/Defense | Extreme-performance OT and Gov/Defense |
| Form Factor | 19" rack, 1U (two ½U proxies, physically separated) | 19" rack, 2U proxies + 1U optical diode | 19" rack, 2U proxies + 1U optical diode |
| File Transfer | 500 Mbps / 1 Gbps in FTPS | True 1+ Gbps | True 10+/25+ Gbps |
| Throughput Benchmark | 1,000+ files of 64 KB/sec at 500 Mbps | 1,000+ files of 125 KB/sec, files up to 100 GB | 1,000+ files of 1 MB/sec, files up to 500 GB |
| Connectors | 2 concurrent, off-proxy agents | Unlimited, on/off-proxy agents | Unlimited, on/off-proxy agents |
OWA appliances can be configured around independently evaluated optical diode cores, so the security boundary itself is validated by recognized authorities rather than asserted in software.
By enforcing one-way communication in hardware, OWA structurally shrinks the inbound attack surface, simplifies security proofs, and reduces the compensating controls needed to reach higher security levels.
Diode-core certifications apply to optional OEM components integrated and validated through Cyberium technology. Arista Cyber advises on the right configuration for your regulatory environment.
OWA extends hardware-enforced unidirectional security with integrated cross-domain protection mechanisms, enabling complex, asynchronous bidirectional workflows across multiple security domains, always relying on a strict unidirectional hardware Data Diode at its core, ensuring that data exchanged between environments remains safe, compliant and operationally usable, even in high-risk or reverse-flow scenarios, from public or less-secure zones to the most sensitive and classified environments.
Our OT/ICS cybersecurity training is suitable for organisations across a wide range of critical and industrial sectors.
Arista Cyber delivers, deploys, and supports the OWA platform across North America in partnership with Cyberium, the manufacturer of the technology. We bring local expertise where cybersecurity meets functional safety, helping critical infrastructure operators converge IT and OT without compromising integrity, availability, or safety.
→ Book an OT security consultationA data diode is a hardware device that allows network data to travel in one direction only. A physical, usually optical, mechanism makes reverse traffic impossible, so a protected network can send data out without any path for an attacker to send data back in.
OWA combines an optical diode core that physically enforces one-way flow with upstream and downstream proxies that handle multi-protocol transfer. Data moves from OT to IT across the diode with no return path, no acknowledgements, and no shared state.
A firewall inspects and filters two-way traffic and can be misconfigured or bypassed. A data diode physically permits traffic in one direction only, so the inbound attack surface is removed at the hardware level rather than managed by software rules.
The 1U 500M/1G suits compact OT to IT gateways up to 1 Gbps. The 2U/3U 1G adds high availability, certified diode options, and reverse mode for enterprise and government use. The 2U/3U 10/25G targets large-scale transfers up to 25+ Gbps.
Yes. OWA architectures are designed to support IEC/ISA 62443, NIST CSF 2.0, NERC CIP, and NIS2. Hardware-enforced one-way segmentation simplifies audits and helps reach higher security levels such as SL3 and SL4.
OWA supports SFTP, FTP/S/ES, HTTP/S API, MQTT, SMTP, UDP, and Syslog, plus OPC UA/DA, Modbus, DNP3, and IEC 104, with native connectors for AVEVA Pi, Emerson, GE, Honeywell, Yokogawa, Hexagon, Siemens, Cisco Splunk, and others.
The 2U/3U models support a controlled reverse mode for scenarios such as IT to OT updates, paired with dual antivirus and file filtering, while still relying on a strict hardware diode at the core.
Arista Cyber, based in Richmond Hill, Ontario, delivers and supports OWA appliances across North America in partnership with Cyberium. Contact info@aristacyber.io or +1 (437) 223-7770.