OWA Unidirectional Data Diode Appliances

Hardware-enforced unidirectional network segmentation,
built around a certified optical data diode core.
  • One-way by design. Data leaves your OT network. Threats never enter.
  • Multi-protocol OT and IT compatibility, from 1 Gbps to 25+ Gbps.
  • Delivered, deployed, and supported across North America by Arista Cyber, powered by Cyberium technology.
Request a Proof of Concept Talk to an OT Security Expert

What is an OWA data diode appliance?

An OWA appliance is a hardware-enforced unidirectional gateway, also known as a data diode, that allows information to flow out of a critical OT network in one direction only. A physical optical core makes a return path electrically impossible, so operational data reaches IT, the SOC, or the cloud while outside cyber threats have no way back in. This is airgap-grade separation that a firewall cannot provide.

Why choose an OWA appliance?

Maximum Safety
One-Way by Design

  • Physically prevents any backflow into the OT network.
  • Removes the inbound attack surface that firewalls leave exposed.
  • Built on independently evaluated, certified optical diode cores.

Real-Time
Operational Efficiency

  • Near-zero latency for continuous production.
  • Deterministic, loss-free transfer of SCADA, DCS, and historian data.
  • Optimized for high-availability industrial environments.

Lower
OPEX and CAPEX

  • A single appliance replaces complex multi-device diode stacks.
  • Very low maintenance and long service life in the field.
  • Stronger cybersecurity insurance positioning and simpler audits.

How the OWA data diode works

The OWA platform pairs an optical data diode that physically enforces one-way flow with modular upstream and downstream proxy software that handles real-world, multi-protocol data transfer across security domains.

OT systems feed the upstream proxy through native connectors and replicator agents. The optical core carries that data one way to a physically separate downstream proxy, which delivers it to IT systems such as SIEM, data lakes, and the cloud. The two sides share no return path, no acknowledgements, and no control traffic.

1,000+ f/s

More than 1,000 files per second in FTPS, including encrypted flows.

500 GB

Support for very large files, up to 500 GB on the top models.

25+ Gbps

Sustained throughput from 500 Mbps to 25+ Gbps depending on model.

Key capabilities

01

True Layer 1 to Layer 7 protocol break

02

Unmatched reliability and resilience

03

Patented high
availability

True Layer 1 to Layer 7
Protocol Break

OWA enforces one-way isolation in hardware across the physical, data link, and network layers (L1 to L3). Intelligent proxy connectors then operate at L4 to L7 to terminate, reconstruct, and optimize application traffic.

The result is a full protocol break with no shared state, no return path, and no acknowledgements, with multiple protocols interleaved into a single optical data stream.

Protocol Break
Protocol Break

Unmatched Reliability
and Resilience

Zero packet loss and zero file corruption, by design. OWA hashes data in transit and applies built-in CRC and Forward Error Correction (FEC) to detect and repair errors without any return channel. Downstream buffering and replay preserve data during network outages and resume automatically once connectivity returns, while the upstream domain is never informed of the failure.

Patented High
Availability

On the enterprise models, a patented active-active architecture maintains continuous transfer through downstream outages, component failures, and network disruptions. Distributed buffering, automatic failover, and autonomous recovery resume data flow without loss or manual intervention, even under the strict constraints of a one-way link.

Protocol Break
OWA 1U

OWA 1U – 500M/1G

Compact 1U OWA Proxy + Optical Isolator for OT deployments, supporting up to 1 Gbps on selected connectors

Download Datasheet
OWA 2U

OWA 2U/3U – 1G

Enterprise-grade OWA Optical Diode + Proxies appliance delivering sustained 1+ Gbps performance with high availability

Download Datasheets
OWA 10G

OWA 2U/3U – 10/25G

Extreme-performance OWA Optical Diode + Proxies appliance designed for large-scale data transfers up to 25+ Gbps

Download Datasheet

Protocols, connectors, and agents

OWA connectors provide native protocol support and convert bidirectional communications into secure, hardware-enforced one-way flows. Replicator agents add application-level replication logic on both sides of the diode.

Replication and OT/industrial integration

Replication: File system replication, SQL database replication, OT protocol replication, and custom replication workflows.

OT systems and historians: AVEVA Pi (Pi2Pi via MICA), AspenTech InfoPlus.21, Bently Nevada S1, Emerson AMS Optics and DeltaV, GE OSM, Hexagon PAS, Siemens WinCC, Yokogawa, Cisco Splunk, and more.

Industrial protocols: MQTT, OPC UA/DA, Modbus, DNP3, IEC 104.

Supported transport and protocols:

🛡️ SFTP, FTP/S/ES
🛡️ HTTP/S API
🛡️ MQTT
🛡️ SMTP
🛡️ UDP
🛡️ Syslog
OWA Diagram

The OWA appliance range

A modular family that combines a certified optical diode core with integrated proxy architectures for secure, reliable data transfer.
Model

OWA 1U 500M/1G

OWA 2U/3U 1G

OWA 2U/3U 10/25G

Best for Compact OT to IT one-way gateway Enterprise OT and Gov/Defense Extreme-performance OT and Gov/Defense
Form Factor 19" rack, 1U (two ½U proxies, physically separated) 19" rack, 2U proxies + 1U optical diode 19" rack, 2U proxies + 1U optical diode
File Transfer 500 Mbps / 1 Gbps in FTPS True 1+ Gbps True 10+/25+ Gbps
Throughput Benchmark 1,000+ files of 64 KB/sec at 500 Mbps 1,000+ files of 125 KB/sec, files up to 100 GB 1,000+ files of 1 MB/sec, files up to 500 GB
Connectors 2 concurrent, off-proxy agents Unlimited, on/off-proxy agents Unlimited, on/off-proxy agents

Certifications and Compliance

OWA appliances can be configured around independently evaluated optical diode cores, so the security boundary itself is validated by recognized authorities rather than asserted in software.

Optical Core
Assurance

  • ANSSI qualified optical core for high-assurance sovereign deployments.

Classified
Environments

  • NATO Secret and EU Secret suitability for classified cross-domain environments.

Formal Security
Assurance

  • Common Criteria EAL7+ for the highest formal assurance on the enforcement component.

Global & Sectoral
Framework Alignment

  • IEC/ISA 62443 (supports higher security levels, SL3 to SL4), NIST CSF 2.0, NERC CIP, and NIS2.

By enforcing one-way communication in hardware, OWA structurally shrinks the inbound attack surface, simplifies security proofs, and reduces the compensating controls needed to reach higher security levels.

Diode-core certifications apply to optional OEM components integrated and validated through Cyberium technology. Arista Cyber advises on the right configuration for your regulatory environment.

Cross-Domain Solution (CDS)

OWA evolves from one-way gateway to fully integrated cross-domain security

OWA extends hardware-enforced unidirectional security with integrated cross-domain protection mechanisms, enabling complex, asynchronous bidirectional workflows across multiple security domains, always relying on a strict unidirectional hardware Data Diode at its core, ensuring that data exchanged between environments remains safe, compliant and operationally usable, even in high-risk or reverse-flow scenarios, from public or less-secure zones to the most sensitive and classified environments.

Integrated multi-engine antivirus scanning ensures files are inspected before crossing security domains.
Removes malicious content while preserving safe information.
Enables controlled reverse workflows without compromising hardware-enforced isolation.
Apply policies to inspect, validate and filter transferred content.
Integrate custom validation logic and enterprise workflows.

Industries We Supports

Our OT/ICS cybersecurity training is suitable for organisations across a wide range of critical and industrial sectors.

Why Arista Cyber

Arista Cyber delivers, deploys, and supports the OWA platform across North America in partnership with Cyberium, the manufacturer of the technology. We bring local expertise where cybersecurity meets functional safety, helping critical infrastructure operators converge IT and OT without compromising integrity, availability, or safety.

Book an OT security consultation

Frequently Asked Questions

A data diode is a hardware device that allows network data to travel in one direction only. A physical, usually optical, mechanism makes reverse traffic impossible, so a protected network can send data out without any path for an attacker to send data back in.

OWA combines an optical diode core that physically enforces one-way flow with upstream and downstream proxies that handle multi-protocol transfer. Data moves from OT to IT across the diode with no return path, no acknowledgements, and no shared state.

A firewall inspects and filters two-way traffic and can be misconfigured or bypassed. A data diode physically permits traffic in one direction only, so the inbound attack surface is removed at the hardware level rather than managed by software rules.

The 1U 500M/1G suits compact OT to IT gateways up to 1 Gbps. The 2U/3U 1G adds high availability, certified diode options, and reverse mode for enterprise and government use. The 2U/3U 10/25G targets large-scale transfers up to 25+ Gbps.

Yes. OWA architectures are designed to support IEC/ISA 62443, NIST CSF 2.0, NERC CIP, and NIS2. Hardware-enforced one-way segmentation simplifies audits and helps reach higher security levels such as SL3 and SL4.

OWA supports SFTP, FTP/S/ES, HTTP/S API, MQTT, SMTP, UDP, and Syslog, plus OPC UA/DA, Modbus, DNP3, and IEC 104, with native connectors for AVEVA Pi, Emerson, GE, Honeywell, Yokogawa, Hexagon, Siemens, Cisco Splunk, and others.

The 2U/3U models support a controlled reverse mode for scenarios such as IT to OT updates, paired with dual antivirus and file filtering, while still relying on a strict hardware diode at the core.

Arista Cyber, based in Richmond Hill, Ontario, delivers and supports OWA appliances across North America in partnership with Cyberium. Contact info@aristacyber.io or +1 (437) 223-7770.