OWA Integration and Connectivity Platform
Preserving the integrity, performance and usability of your data flows across strictly unidirectional architectures
OWA Key Connectivity Capabilities Overview
Native multi-protocol unidirectional connectivity across secure domains
Real-time, application-aware data transfer and replication
Application-level Layer 7 Protocol Deconstruction and Reconstruction
OWA Core Connectors and Software Replicator Agents
From native, protocol-level connectors embedded in OWA to offloaded agents handling advanced and proactive data replication scenarios.
Software Replicator Agents
SFTP, FTP/S/ES Core Connector
The SFTP, FTP/S/ES Connector enables secure file-based data exchange across security domains, supporting both legacy and modern file transfer workflows widely used in industrial, infrastructure and enterprise environments. Within a strictly unidirectional Data Diode architecture, it preserves standard file transfer mechanisms while preventing any bidirectional session from crossing the security boundary.
On the source side, applications push files to a local file-transfer endpoint hosted on the upstream proxy. The proxy validates, buffers and serializes file payloads for deterministic one-way transfer through the diode. On the downstream proxy, files are reconstructed and exposed to receiving systems via standard SFTP / FTPS services, allowing downstream platforms to retrieve data normally — without establishing any return channel.
This architecture ensures compatibility with both real-time operational exports and scheduled batch transfers, while maintaining strict one-way enforcement and controlled file handling
The connector supports direct interoperability with platforms such as Bently Nevada (System 1), GE OSM (On-Site Manager), Honeywell PHD, Emerson DeltaV AgileOps and Windows WSUS, and integrates with Hexagon PAS via dedicated agents. It also leverages SQL Agents and File Transfer Agent (for automated, queue-based one-way file movement where upstream directories are emptied as downstream repositories are populated) for advanced or customized data replication workflows.
Native Support for:
HTTP/S API Core Connector
The HTTP/S API connector enables secure, structured and scalable REST-based data exchanges across security domains, widely adopted in industrial, infrastructure and enterprise architectures. Within a strictly unidirectional Data Diode environment, it preserves API-driven integration models without allowing any bidirectional HTTP session to traverse the security boundary.
On the source side, applications interact with a local HTTP/S endpoint hosted on the upstream proxy. This proxy captures and serializes API requests or structured outputs (JSON, XML) for one-way transfer through the diode. On the downstream proxy, corresponding API endpoints or connectors reconstruct and expose the data to receiving systems, maintaining native REST compatibility — without any end-to-end HTTP session crossing domains.
This approach maintains full ecosystem interoperability while enforcing strict one-way communication. It supports direct integrations with platforms such as Emerson AMS Optics and Cisco Splunk, enabling native interoperability without deploying additional agents, while preserving strict domain separation and eliminating any control return path.
Native Support for:
MQTT Core Connector
The MQTT connector enables secure, lightweight and scalable publish/subscribe data streaming across security domains, widely adopted in industrial, infrastructure and enterprise architectures. Within a strictly unidirectional Data Diode environment, it preserves the MQTT model without allowing any bidirectional session to traverse the security boundary.
On the source side, applications publish data to a local MQTT broker located on the upstream proxy. This proxy extracts and serializes topic data for one-way transfer through the diode. On the downstream proxy, a corresponding MQTT broker reconstructs the MQTT topics and operates as a local publisher, allowing downstream clients to subscribe normally — without any end-to-end MQTT session crossing domains.
This approach maintains full ecosystem compatibility while enforcing strict one-way communication. It supports a wide range of telemetry use cases, including electrical grid protocols such as IEC 60870-5-104 and DNP3/DNCP via the Electrical Protocol Agent, enabling structured operational data to be securely uplifted without introducing any control return path.
Native Support for:
UDP Core Connector
The UDP connector enables lightweight, low-latency datagram transmission across security domains, preserving strict unidirectional enforcement. Designed for event-driven and telemetry-based architectures, it supports simple, stateless communication models without introducing any bidirectional session.
On the source side, systems emit UDP datagrams — such as SNMP traps or application-level telemetry — toward a local UDP interface hosted on the upstream proxy. These packets are captured, validated and transferred one-way through the Data Diode. On the downstream side, the corresponding interface reconstructs and forwards the datagrams to designated receiving systems, maintaining protocol transparency while enforcing strict domain separation.
This connector is particularly suited for generic SNMP trap forwarding, infrastructure monitoring alerts and lightweight telemetry streams requiring minimal overhead and deterministic one-way delivery.
Native Support for:
Syslog Core Connector (Forwarding)
The Syslog Connector enables secure, unidirectional log forwarding across security domains, preserving standard syslog-based monitoring workflows while enforcing strict one-way communication. It allows infrastructure devices, security appliances or applications to emit logs upstream, which are then relayed across the Data Diode without establishing any bidirectional logging session.
On the source side, systems send syslog messages to a local syslog listener hosted on the upstream proxy. Logs are captured, validated and transferred one-way through the diode. On the downstream side, a corresponding syslog service reconstructs and forwards events to designated log collectors or SIEM platforms, maintaining full compatibility with enterprise security monitoring infrastructures.
The connector supports integrations with ArcSight as well as generic SIEM solutions, enabling centralized security monitoring without exposing operational environments to return traffic or control paths.
Native Support for:
SMTP Core Connector (Email Forwarding)
The SMTP Connector enables secure, unidirectional email forwarding across security domains, preserving standard messaging workflows while enforcing strict one-way communication. It allows systems to generate alerts, reports or notifications upstream, which are then relayed across the Data Diode without establishing any bidirectional SMTP session.
On the source side, applications send emails to a local SMTP relay hosted on the upstream proxy. Messages are captured, validated and transferred one-way through the diode. On the downstream side, a corresponding SMTP service reconstructs and forwards the emails to designated mail servers or recipients, maintaining full compatibility with standard enterprise messaging infrastructures.
This connector is particularly suited for alert-driven environments, including integrations such as Hexagon PAS, where secure event notification across security domains is required without exposing return communication paths.
Native Support for:
MICA Aveva Pi-to-Pi Replication Agent
MICA is a dedicated replication agent designed for secure, unidirectional synchronization of Aveva PI infrastructures across security domains.
It enables continuous PI-to-PI data and metadata replication from OT environments toward centralized or enterprise PI systems, supporting high tag volumes and long-term historical consistency without introducing any bidirectional connectivity.
Fully integrated with Cyberium’s OWA unidirectional architecture, MICA ensures deterministic, loss-free PI synchronization even in the event of downstream outages.
Its resilient design guarantees data continuity and operational visibility at scale, making it a trusted solution for industrial groups consolidating PI data across sites, zones or security levels.
File Transfer Agent
For automated, directory-driven workflows, the File Transfer Agent can complement the FTP connector by monitoring upstream folders and transferring newly generated files through the same unidirectional pipeline.
Unlike interactive SFTP sessions, the agent operates in a controlled queue-based mode: files are extracted, transferred one-way, and cleared upstream as the downstream repository is populated — without any synchronization logic or bidirectional exchange.
Native Support for:
SQL Databases Agents
Cyberium SQL Agents enable unidirectional data transfer between two trusted zones for both DCS/SCADA environments and IT-based business applications built on relational databases, with full support for MS SQL and Oracle.
Designed as generic agents, they are deployed alongside source databases and adapted through lightweight scripting to reflect the specific structure, logic and transaction model of each application.
Two complementary transfer models are supported. The first enables incremental, batch-oriented data transfer for operational or application use cases where real-time replication is not required. The second provides real-time SQL replication driven by committed database changes, ensuring timely data availability for monitoring, analytics and compliance — while maintaining strict unidirectional enforcement and minimal impact on source systems.
Native Support for:
Typical Architecture Example
WSUS Agent
The WSUS Agent enables controlled, unidirectional Windows update distribution from IT environments toward OT or restricted zones. It is designed for infrastructures where patch validation and staging occur centrally, but deployment must remain strictly one-way.
The agent replicates both WSUS database metadata and update payload files across security domains through the Data Diode, preserving Microsoft update workflows without introducing any bidirectional session.
Deployed alongside WSUS infrastructure components, it ensures that approved updates can be propagated into isolated environments while maintaining strict domain separation and eliminating any return communication path.
This approach supports compliant, auditable and deterministic IT-to-OT patch distribution in regulated or safety-critical infrastructures.
Native Support for:
OPC UA Agent
The OPC UA Agent enables secure, unidirectional extraction of structured operational data from OPC UA servers across security domains. It supports environments where process data must be consolidated centrally without exposing control systems to return communication paths.
Deployed alongside upstream OPC UA infrastructures, the agent reads and serializes selected data nodes for one-way transfer through the Data Diode. On the receiving side, data can be ingested by compatible platforms or historians while preserving structured context.
The agent supports integrations with leading industrial platforms such as AspenTech (InfoPlus.21) and Yokogawa Data Historian, enabling reliable data consolidation for analytics, monitoring and enterprise reporting.
This architecture ensures strict separation between operational control layers and enterprise systems while preserving interoperability with modern OPC UA ecosystems.
Native Support for:
Typical Architecture
Electrical Protocols Agent
The Electrical Protocols Agent enables secure, unidirectional transfer of structured electrical telemetry across security domains. It supports widely adopted utility and substation protocols, including IEC 60870-5-104, DNP3, ICCP and Modbus.
Deployed alongside SCADA, RTU or substation environments, the agent captures operational telemetry and serializes protocol data for deterministic one-way transfer through the Data Diode.
On the receiving side, structured grid data is reconstructed for integration into monitoring, EMS or analytics platforms — without exposing operational networks to control return paths.
This approach ensures that electrical infrastructure telemetry can be centrally consolidated while preserving strict separation between field operations and enterprise or supervisory layers.
Native Support for:
OWA core platform Connectors
SFTP, FTP/S/ES Core Connector
The SFTP, FTP/S/ES Connector enables secure file-based data exchange across security domains, supporting both legacy and modern file transfer workflows widely used in industrial, infrastructure and enterprise environments. Within a strictly unidirectional Data Diode architecture, it preserves standard file transfer mechanisms while preventing any bidirectional session from crossing the security boundary.
On the source side, applications push files to a local file-transfer endpoint hosted on the upstream proxy. The proxy validates, buffers and serializes file payloads for deterministic one-way transfer through the diode. On the downstream proxy, files are reconstructed and exposed to receiving systems via standard SFTP / FTPS services, allowing downstream platforms to retrieve data normally — without establishing any return channel.
This architecture ensures compatibility with both real-time operational exports and scheduled batch transfers, while maintaining strict one-way enforcement and controlled file handling
The connector supports direct interoperability with platforms such as Bently Nevada (System 1), GE OSM (On-Site Manager), Honeywell PHD, Emerson DeltaV AgileOps and Windows WSUS, and integrates with Hexagon PAS via dedicated agents. It also leverages SQL Agents and File Transfer Agent (for automated, queue-based one-way file movement where upstream directories are emptied as downstream repositories are populated) for advanced or customized data replication workflows.
Native Support for:
HTTP/S API Core Connector
The HTTP/S API connector enables secure, structured and scalable REST-based data exchanges across security domains, widely adopted in industrial, infrastructure and enterprise architectures. Within a strictly unidirectional Data Diode environment, it preserves API-driven integration models without allowing any bidirectional HTTP session to traverse the security boundary.
On the source side, applications interact with a local HTTP/S endpoint hosted on the upstream proxy. This proxy captures and serializes API requests or structured outputs (JSON, XML) for one-way transfer through the diode. On the downstream proxy, corresponding API endpoints or connectors reconstruct and expose the data to receiving systems, maintaining native REST compatibility — without any end-to-end HTTP session crossing domains.
This approach maintains full ecosystem interoperability while enforcing strict one-way communication. It supports direct integrations with platforms such as Emerson AMS Optics and Cisco Splunk, enabling native interoperability without deploying additional agents, while preserving strict domain separation and eliminating any control return path.
Native Support for:
MQTT Core Connector
The MQTT connector enables secure, lightweight and scalable publish/subscribe data streaming across security domains, widely adopted in industrial, infrastructure and enterprise architectures. Within a strictly unidirectional Data Diode environment, it preserves the MQTT model without allowing any bidirectional session to traverse the security boundary.
On the source side, applications publish data to a local MQTT broker located on the upstream proxy. This proxy extracts and serializes topic data for one-way transfer through the diode. On the downstream proxy, a corresponding MQTT broker reconstructs the MQTT topics and operates as a local publisher, allowing downstream clients to subscribe normally — without any end-to-end MQTT session crossing domains.
This approach maintains full ecosystem compatibility while enforcing strict one-way communication. It supports a wide range of telemetry use cases, including electrical grid protocols such as IEC 60870-5-104 and DNP3/DNCP via the Electrical Protocol Agent, enabling structured operational data to be securely uplifted without introducing any control return path.
Native Support for:
UDP Core Connector
The UDP connector enables lightweight, low-latency datagram transmission across security domains, preserving strict unidirectional enforcement. Designed for event-driven and telemetry-based architectures, it supports simple, stateless communication models without introducing any bidirectional session.
On the source side, systems emit UDP datagrams — such as SNMP traps or application-level telemetry — toward a local UDP interface hosted on the upstream proxy. These packets are captured, validated and transferred one-way through the Data Diode. On the downstream side, the corresponding interface reconstructs and forwards the datagrams to designated receiving systems, maintaining protocol transparency while enforcing strict domain separation.
This connector is particularly suited for generic SNMP trap forwarding, infrastructure monitoring alerts and lightweight telemetry streams requiring minimal overhead and deterministic one-way delivery.
Native Support for:
Syslog Core Connector (Forwarding)
The Syslog Connector enables secure, unidirectional log forwarding across security domains, preserving standard syslog-based monitoring workflows while enforcing strict one-way communication. It allows infrastructure devices, security appliances or applications to emit logs upstream, which are then relayed across the Data Diode without establishing any bidirectional logging session.
On the source side, systems send syslog messages to a local syslog listener hosted on the upstream proxy. Logs are captured, validated and transferred one-way through the diode. On the downstream side, a corresponding syslog service reconstructs and forwards events to designated log collectors or SIEM platforms, maintaining full compatibility with enterprise security monitoring infrastructures.
The connector supports integrations with ArcSight as well as generic SIEM solutions, enabling centralized security monitoring without exposing operational environments to return traffic or control paths.
Native Support for:
SMTP Core Connector (Email Forwarding)
The SMTP Connector enables secure, unidirectional email forwarding across security domains, preserving standard messaging workflows while enforcing strict one-way communication. It allows systems to generate alerts, reports or notifications upstream, which are then relayed across the Data Diode without establishing any bidirectional SMTP session.
On the source side, applications send emails to a local SMTP relay hosted on the upstream proxy. Messages are captured, validated and transferred one-way through the diode. On the downstream side, a corresponding SMTP service reconstructs and forwards the emails to designated mail servers or recipients, maintaining full compatibility with standard enterprise messaging infrastructures.
This connector is particularly suited for alert-driven environments, including integrations such as Hexagon PAS, where secure event notification across security domains is required without exposing return communication paths.
Native Support for:
OWA Software Replicator Agents
MICA Aveva Pi-to-Pi Replication Agent
MICA is a dedicated replication agent designed for secure, unidirectional synchronization of Aveva PI infrastructures across security domains.
It enables continuous PI-to-PI data and metadata replication from OT environments toward centralized or enterprise PI systems, supporting high tag volumes and long-term historical consistency without introducing any bidirectional connectivity.
Fully integrated with Cyberium’s OWA unidirectional architecture, MICA ensures deterministic, loss-free PI synchronization even in the event of downstream outages.
Its resilient design guarantees data continuity and operational visibility at scale, making it a trusted solution for industrial groups consolidating PI data across sites, zones or security levels.
SQL Databases Agents
Cyberium SQL Agents enable unidirectional data transfer between two trusted zones for both DCS/SCADA environments and IT-based business applications built on relational databases, with full support for MS SQL and Oracle.
Designed as generic agents, they are deployed alongside source databases and adapted through lightweight scripting to reflect the specific structure, logic and transaction model of each application.
Two complementary transfer models are supported. The first enables incremental, batch-oriented data transfer for operational or application use cases where real-time replication is not required. The second provides real-time SQL replication driven by committed database changes, ensuring timely data availability for monitoring, analytics and compliance — while maintaining strict unidirectional enforcement and minimal impact on source systems.
Native Support for:
Typical Architecture Example
File Transfer Agent
For automated, directory-driven workflows, the File Transfer Agent can complement the FTP connector by monitoring upstream folders and transferring newly generated files through the same unidirectional pipeline.
Unlike interactive SFTP sessions, the agent operates in a controlled queue-based mode: files are extracted, transferred one-way, and cleared upstream as the downstream repository is populated — without any synchronization logic or bidirectional exchange.
Native Support for:
WSUS Agent
The WSUS Agent enables controlled, unidirectional Windows update distribution from IT environments toward OT or restricted zones. It is designed for infrastructures where patch validation and staging occur centrally, but deployment must remain strictly one-way.
The agent replicates both WSUS database metadata and update payload files across security domains through the Data Diode, preserving Microsoft update workflows without introducing any bidirectional session.
Deployed alongside WSUS infrastructure components, it ensures that approved updates can be propagated into isolated environments while maintaining strict domain separation and eliminating any return communication path.
This approach supports compliant, auditable and deterministic IT-to-OT patch distribution in regulated or safety-critical infrastructures.
Native Support for:
OPC UA Agent
The OPC UA Agent enables secure, unidirectional extraction of structured operational data from OPC UA servers across security domains. It supports environments where process data must be consolidated centrally without exposing control systems to return communication paths.
Deployed alongside upstream OPC UA infrastructures, the agent reads and serializes selected data nodes for one-way transfer through the Data Diode. On the receiving side, data can be ingested by compatible platforms or historians while preserving structured context.
The agent supports integrations with leading industrial platforms such as AspenTech (InfoPlus.21) and Yokogawa Data Historian, enabling reliable data consolidation for analytics, monitoring and enterprise reporting.
This architecture ensures strict separation between operational control layers and enterprise systems while preserving interoperability with modern OPC UA ecosystems.
Native Support for:
Typical Architecture
Electrical Protocols Agent
The Electrical Protocols Agent enables secure, unidirectional transfer of structured electrical telemetry across security domains. It supports widely adopted utility and substation protocols, including IEC 60870-5-104, DNP3, ICCP and Modbus.
Deployed alongside SCADA, RTU or substation environments, the agent captures operational telemetry and serializes protocol data for deterministic one-way transfer through the Data Diode.
On the receiving side, structured grid data is reconstructed for integration into monitoring, EMS or analytics platforms — without exposing operational networks to control return paths.
This approach ensures that electrical infrastructure telemetry can be centrally consolidated while preserving strict separation between field operations and enterprise or supervisory layers.
Native Support for:
Agents / Connectors Architecture
Cyberium Replicator Agents are fully compatible with OWA proxies, leveraging their native embedded connectors to enable advanced, application-aware unidirectional data replication across security domains.
Tailor-made Integrations
Extend OWA connectivity beyond native integrations with custom-built agents and workflows tailored to your specific OT, IT and cross-domain data exchange requirements. Leverage Cyberium’s modular architecture to design secure, high-performance integrations without compromising unidirectional security principles.
Custom SCADA Integration
Design custom integrations with proprietary or legacy SCADA systems by leveraging Cyberium’s protocol connectors and building dedicated agents adapted to specific data models and communication patterns.
Other OT System Integration
Integrate non-standard or specialized OT systems, including niche industrial applications, monitoring platforms or proprietary tools — through custom agents built on top of Cyberium’s connectivity framework.
Common File System & Process Integration
Implement secure, files and directories-based data exchange (synchronization, transfer…) workflows using Cyberium’s File Transfer Agent, enabling structured and automated replication across standard file systems and shared repositories.
Custom Diffusion Workflows (CDS)
Build advanced, custom data distribution workflows using Cyberium’s meta-agents (SQL or File Transfer), enabling tailored replication logic, routing rules and multi-target data delivery strategies.
Custom Filtering (CDS)
Extend Cyberium’s embedded filtering engine with custom validation, transformation or inspection rules, using on-premise or remote hooks to enforce client-specific security and compliance requirements.
Custom Integration Architectures
Cyberium supports multiple customization approaches, from fully custom-built agents leveraging native connectors, to configurable workflows based on SQL and file transfer meta-agents.
Additional flexibility is provided through extensible filtering mechanisms, allowing the integration of custom validation, transformation and security logic at different stages of the data flow.
This modular architecture enables the design of highly tailored, secure and scalable cross-domain integration solutions aligned with specific operational and regulatory constraints.
Trusted Across Critical Sectors
- Gov & Defense
- OWA 2U/3U
- Bitdefender, ClamAV
- SFTP, FTP/S/ES
- Critical OT & Industry 4.0
- OWA 2U/3U
- Cisco Splunk
- HTTP/S API, SFTP, FTP/S/ES
- Critical OT & Industry 4.0
- OWA 2U/3U
- Hexagon PAS
- File Transfer Agent, SMTP
- Gov & Defense
- OWA 2U/3U
- SFTP, FTP/S/ES
- Critical OT & Industry 4.0
- OWA 2U/3U
- Custom SCADA, Siemens WinCC
- SQL Databases Agent
We secure the critical
— connecting what should stay isolated.
Latest blog entries
- AI & Cybersecurity, Threat Landscape
In 2025, the baseline assumption of industrial cybersecurity broke. For twenty years, defenders had one reliable edge over attackers: time. (…)
- OT Cybersecurity Best Practices, Threat Landscape
Every documented OT breach in the past five years started at the same place: an internet-facing asset that operators believed (…)
- OT Cybersecurity Best Practices, Regulations & Compliance, Threat Landscape
In every major OT cyberattack of the past decade, firewalls were present. In each case, they failed. Not because they (…)
- Architecture Design Patterns, Engineering Insights
Industrial cybersecurity starts with a simple reality: you cannot detect threats if you cannot see what happens inside your OT (…)
