Firewall VS Hardware

The Real Cost of Trusting a Firewall with Your OT Network — and the Case for Unidirectional Hardware Segmentation

In every major OT cyberattack of the past decade, firewalls were present. In each case, they failed. Not because they were misconfigured or underfunded, but because the architectural model they embody, a software-based decision engine sitting on a bidirectional network boundary, has structural limits that capable adversaries have learned to exploit systematically. The Ukrainian power grid, TRITON, Oldsmar, ArcaneDoor, Jaguar Land Rover: different actors, different sectors, different TTPs. The common thread is that the perimeter security control either permitted the attack path or became the attack path. This article examines why that pattern keeps recurring, what a hardware data diode changes at the architectural level, and what the compliance and cost implications look like when the comparison is made properly.

When the Shield Becomes a Liability

A decade of incidents, one recurring entry point

The pattern across the last decade of major OT incidents is consistent enough to be instructive. In the 2015 and 2016 Ukrainian power grid attacks, attackers hijacked SCADA systems to open circuit breakers across multiple substations, cutting power to over 230,000 citizens. The intrusion unfolded across multiple lateral movement stages that perimeter defenses did not block. In 2017, the TRITON campaign reached a Safety Instrumented System via engineering workstations, causing the plant to shut down twice before detection. In 2021, the Oldsmar water plant attack used a remote access session to raise sodium hydroxide concentrations to toxic levels. In 2024, the ArcaneDoor campaign implanted persistent malware inside Cisco ASA and FTD firewall firmware, surviving reboots and full firmware upgrades. The perimeter device became the persistence mechanism. In 2025, a cyberattack against Jaguar Land Rover halted global OT production for over a month, with IT and OT systems compromised simultaneously.

The common denominator across all of these incidents is not the absence of perimeter security. It is the fundamental vulnerability of a software-based, bidirectional boundary when facing adversaries with the time, resources, and motivation to find its limits.

The CVE treadmill: exploitation before the patch exists

Firewalls are software systems, and software systems have vulnerabilities. What has changed is the speed at which those vulnerabilities are weaponized relative to the time available to respond.

Consider the recent record. CVE-2024-21762, a Fortinet FortiOS SSL-VPN zero-day, was actively exploited for full remote access across industrial network perimeters. CVE-2025-32433, an unauthenticated remote code execution flaw in the Erlang/OTP SSH daemon embedded in many OT-facing firewalls, saw exploit attempts surge 70 percent within weeks of disclosure. Most recently, Amazon’s threat intelligence team confirmed that Interlock ransomware exploited CVE-2026-20131 in Cisco Secure Firewall Management Center as a zero-day for 36 days before Cisco published a patch. Defenders had no fix to apply during that entire window.

The data behind this trend is unambiguous. Google’s Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, with enterprise technologies including security appliances representing 48 percent of all targets, an all-time high. VulnCheck found that 28.3 percent of KEV-listed vulnerabilities were weaponized within 24 hours of public disclosure. The median time to exploit a disclosed vulnerability is now under five days. In OT environments, where patching requires controlled shutdowns and vendor validation, the response window is shorter still. ANSSI reported that 50 percent of its 2024 cyber defense interventions involved attacks that exploited at least one vulnerability in a perimeter security component such as a firewall or router. When the security control is itself the vulnerability, patching is a race defenders are structurally positioned to lose.

The Architectural Alternative: What a Data Diode Actually Enforces

Physics, not policy

A hardware data diode enforces one-way data flow at the physical layer, using fiber optic connections with a transmitter on one side and a receiver on the other. There is no return path, no acknowledgment channel, no bidirectional protocol. The physics of the device makes inbound communication from the less-trusted network structurally impossible, not filtered by a rule, not blocked by a policy engine, but physically absent as an option.

A firewall is a decision-making system, and every decision-making system can be misconfigured, overridden, or compromised. A data diode eliminates the decision entirely. There is no firmware to implant, no configuration file to manipulate, no management interface to authenticate against. A zero-day vulnerability in a data diode is a physical engineering problem requiring direct physical access to the device. The entire CVE treadmill described in the previous section simply does not apply.
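To make the "no return path, no acknowledgment channel" point concrete, here is an added Python simulation (not the page's or any vendor's code) of a transfer protocol over a one-way link: the transmitter can never learn what arrived, so it relies on repetition and CRCs, and the receiver can only detect gaps, never request a retransmission. The frame layout, repeat count and function names are assumptions made for the demonstration.

```python
from __future__ import annotations
import struct
import zlib

# Constructed simulation of a unidirectional link. The "wire" is a plain list the
# transmitter appends to and the receiver reads; no function exists through which
# the receiver can send anything back, mirroring what a diode enforces physically.

HEADER = struct.Struct("!IIH")  # seq, total frame count, payload length
REPEAT = 3  # each frame is sent REPEAT times: with no ACK or NACK path,
            # redundancy is the only substitute for retransmission

def frame(seq: int, total: int, payload: bytes) -> bytes:
    """One frame: header | payload | CRC32 over header+payload."""
    body = HEADER.pack(seq, total, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

def send(chunks: list[bytes]) -> list[bytes]:
    """Transmitter side: fire-and-forget, every chunk emitted REPEAT times."""
    wire: list[bytes] = []
    for seq, chunk in enumerate(chunks):
        wire.extend([frame(seq, len(chunks), chunk)] * REPEAT)
    return wire

def receive(wire: list[bytes]) -> tuple[dict[int, bytes], list[int]]:
    """Receiver side: drop frames that fail the CRC or length check, keep the
    first good copy of each seq, and report seqs that never arrived intact.
    Returns (accepted {seq: payload}, missing seqs). A gap can be logged
    and alerted on, but never repaired by asking the sender."""
    accepted: dict[int, bytes] = {}
    total = None
    for raw in wire:
        if len(raw) < HEADER.size + 4:
            continue
        body, (crc,) = raw[:-4], struct.unpack("!I", raw[-4:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            continue  # corrupted in transit; discard, no NACK possible
        seq, total, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) == length:
            accepted.setdefault(seq, payload)
    missing = [s for s in range(total or 0) if s not in accepted]
    return accepted, missing
```

The gap list is what a receiving-side monitor would raise an alert on; the protocol itself has no way to recover a frame whose every copy was lost.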

Zero Trust by hardware constraint, without the configuration overhead

Zero Trust Architecture, as defined by NIST SP 800-207, requires that no entity be implicitly trusted and every access request be verified. In IT environments, implementing Zero Trust requires identity providers, micro-segmentation platforms, continuous verification engines, and extensive policy management. In OT environments, that tooling cannot be deployed against most of the assets that matter most. A 20-year-old Modicon PLC cannot run an identity agent. A legacy RTU does not support modern authentication frameworks. The engineering workstation running the version of Windows that the vendor certified in 2014 cannot be retrofitted with continuous verification software without risking operational stability.

A hardware data diode achieves a structurally stronger form of Zero Trust in this context without any of that complexity. Because inbound connectivity is physically impossible, the question of whether a connection should be trusted does not arise. There is no connection to evaluate, no identity to verify, no policy to misconfigure. The diode applies equally to a 2024 DCS and a 2002 PLC without any modification to either asset, which is precisely the property that makes it viable for industrial environments where legacy equipment makes software-based security architectures difficult to retrofit uniformly.

Structural immunity to zero-day exploitation

The most consequential advantage of hardware data diodes over firewalls in high-risk OT environments is their structural immunity to software-borne zero-day attacks. A firewall running today’s most current firmware may already be compromised by a vulnerability the vendor will not discover for months. This is not hypothetical: the Interlock campaign exploited Cisco FMC for 36 days before a patch existed. The ArcaneDoor campaign deployed firmware implants that survived complete firmware reinstallation.

Hardware data diodes operate on no software logic that can be exploited remotely. They have no firmware to implant, no configuration file to manipulate, no management interface reachable from the network. This is not a matter of better security engineering on the software side. It is a different category of device, with a different category of threat model.

The Compliance and Cost Case

IEC 62443, NERC CIP, NIST SP 800-82: the compliance dividend

One of the least discussed benefits of hardware data diodes in OT environments is their direct impact on compliance posture and on the operational cost of sustaining it. IEC 62443-3-3 defines security levels and foundational requirements for industrial automation and control systems. FR5, Restricted Data Flow, is the requirement most directly addressed by unidirectional architectures. When a hardware diode is deployed as a conduit between security zones, it provides a verifiable, hardware-enforced mechanism for restricting data flow, eliminating the need to implement, document, and audit multiple compensating software controls for the same zone boundary.

The documented benefits extend across regulatory frameworks. Under NERC CIP standards, sites protected by unidirectional technology can see more than 35 percent of CIP requirements exonerated, reducing documentation scope, audit obligations, and remediation requirements that would otherwise apply to two-way connected architectures. The U.S. Nuclear Regulatory Commission and Nuclear Energy Institute have confirmed that unidirectional technology satisfies 21 out of 26 cyber boundary rule requirements at protected nuclear sites. ENISA has formally acknowledged that unidirectional gateways provide superior protection to firewalls for critical infrastructure segmentation. NIST SP 800-82 recommends unidirectional gateways as a mechanism that removes all connection among domain traffic. Organizations deploying hardware data diodes in properly architected zones reduce their compliance control surface across all of these frameworks: fewer controls to implement, fewer to document, and fewer to audit on an ongoing basis.

Total cost of ownership: where the comparison is usually made wrong

The perception that firewalls are the economical choice reflects an incomplete view of total cost of ownership. Enterprise OT-capable next-generation firewalls carry hardware costs plus recurring annual subscriptions for threat intelligence feeds, IPS signatures, and application identification databases. Data diodes carry higher upfront hardware costs but require no recurring software licenses, no signature subscriptions, and no managed service dependency.

The operational maintenance picture compounds this. Every new CVE affecting deployed firewall platforms triggers a response cycle of assessment, testing, scheduling, and deployment. In OT environments, that cycle must be managed carefully to avoid operational disruption, which means it runs slower and costs more than in IT. Data diodes require minimal maintenance once deployed. There is no software to patch and no configuration drift to audit.

Incident exposure: where the economics become decisive

The Jaguar Land Rover incident provides the scale reference: over 2.5 billion dollars in attributable losses from a single breach that halted global production for more than a month. The 2015 Ukrainian power grid attack disrupted critical services for hundreds of thousands of citizens with cascading economic consequences. The Oldsmar water plant incident required emergency operational intervention to prevent a mass casualty event.

Against that backdrop, the acquisition premium of a hardware data diode over a firewall becomes operationally irrelevant for any organization where the consequence of a successful OT intrusion is measured in tens of millions of dollars or in human safety. The global data diode market reflects this shift in risk calculus, projected to nearly double from $467 million in 2024 to approximately $1 billion by 2034, driven by regulatory pressure and the recognition that software-based perimeter security is structurally inadequate for critical OT environments.

Conclusion

The industrial cybersecurity community has operated too long on the assumption that a properly configured firewall is sufficient to protect critical OT infrastructure. The evidence from real-world incidents and the accelerating exploitation of firewall vulnerabilities challenges that assumption directly. Hardware data diodes do not reduce the skill of an attacker or improve detection capabilities. They eliminate the attack path by enforcing unidirectionality at the physical layer, delivering Zero Trust by hardware constraint, structural immunity to software-borne zero-day exploitation, a measurable compliance dividend under IEC 62443 and NERC CIP, and a total cost of ownership that becomes strongly favorable when incident exposure is properly accounted for. For operators of power grids, water systems, oil and gas facilities, and industrial production environments, the question is no longer whether hardware segmentation offers superior protection to software-based perimeters. The question is how quickly that architectural conclusion translates into a deployment decision.

Learn more about Cyberium unidirectional gateways and cross-domain architectures designed for OT segmentation and secure data transfer.