Part of the PROTECT Playbook
Phase: Protect (all vessels)
Satisfies: E26, E27, IEC 62443

Data Diodes & Unidirectional Flows

This guide explains the deployment of hardware-enforced unidirectional data flows, allowing performance data to leave the OT environment for shore-side monitoring without creating a return path for cyber threats. Under IACS UR E26 §4.2.1, zone boundaries must be protected by appropriate conduit controls — for monitoring-only scenarios, a data diode provides a stronger security guarantee than a software firewall.

In modern shipping, the shore office needs real-time engine data, fuel consumption, and hull performance metrics. Connecting the ECR directly to the internet creates a bidirectional path — data out, commands or malware in. A data diode solves this by allowing data to flow out while physically preventing any data — including malicious commands — from flowing back in. It is the digital equivalent of a check valve in a piping system.

The one-way philosophy — hardware vs software security

Unlike a firewall, which uses software rules to block traffic, a data diode enforces direction at the hardware level. It is physically impossible for data to move against the direction of the diode, regardless of how an attacker manipulates the software or network stack above it.

Physical isolation

Traditional diodes use fibre optics with only a transmitter on one side and a receiver on the other — no transmitter on the receiving side means there is no physical return path. A hacker cannot send a command back to the vessel because the hardware to transmit in that direction does not exist.

Protocol stripping

Unidirectional gateways strip bidirectional transport protocols (such as TCP, which requires acknowledgement packets) and transmit the raw payload only. This prevents network exploits that rely on two-way handshakes — there is no TCP SYN-ACK cycle because the ACK cannot physically return.

Firewall vs data diode — when to use each

| Feature | Standard firewall | Data diode |
|---|---|---|
| Communication direction | Bidirectional — software rules control what passes | Outbound only — hardware-enforced, no exceptions |
| Security basis | Software policy — can be misconfigured, bypassed, or exploited | Hardware physics — cannot be misconfigured to allow inbound traffic |
| Maintenance burden | High — continuous rule management, patching, and audit | Low — firmware updates only, rule set is fixed by design |
| Supports remote control | Yes — bidirectional traffic enables OEM access and remote commands | No — one-way flow means no inbound commands possible |
| E26 use case | Standard zone conduit — bidirectional controlled traffic | Monitoring-only conduit — data leaves OT, nothing enters |
| IEC 62443 alignment | SL1–SL3 depending on configuration | SL3–SL4 for the protected direction — strongest available |

Maritime deployment use cases

Data diodes are applicable in specific maritime scenarios where data must flow from OT to IT or shore without any return path. Each use case below has a defined data flow direction and an E26 zone boundary reference.

Use case 1: Performance monitoring — ECR to shore office
Source: OT zone — ECR (AMS, fuel data, vibration sensors)
Destination: Shore office / VSAT (performance dashboard, SOC)
Data flows outbound only — engine performance, fuel consumption, alarm states. No shore-side system can send commands or data back to the AMS. E26 boundary: OT zone conduit to SATCOM zone.

Use case 2: Security log forwarding — OT syslog to shore SOC
Source: OT zone — syslog server (IDS alerts, firewall logs, CBS events)
Destination: Shore SOC / SIEM (threat detection and analysis)
Security events leave the OT environment for shore-side analysis without creating a management channel back into the OT network. The SOC can see everything — but cannot send anything back.

Use case 3: ECDIS chart update — IT zone to navigation zone
Source: IT zone — chart update server (pre-verified ENCs from official source)
Destination: Navigation zone — ECDIS (chart database updated)
Chart data flows inbound to ECDIS, but no data can return from ECDIS to the chart server. This prevents the chart update mechanism from being used as an outbound data exfiltration channel from the navigation zone.

Implementation best practices

Deploy at the IT/OT edge

Place the diode where the ECR network meets the ship’s business or VSAT network. This allows performance monitoring without risking the AMS or propulsion control CBS. The diode is the conduit boundary device for that zone pair in the CSDD.

Use for syslog aggregation

Push security logs from the OT environment to a shore-based SOC or SIEM via a diode. This is the ideal architecture for continuous OT monitoring — the SOC has full visibility but no management path back into the OT network.
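The protocol-stripping note above and this syslog use case share one consequence: nothing can be acknowledged across the diode, so the sender never learns that a frame was lost and the shore side must detect loss and corruption on its own. The following is an added example, not the playbook's own code or any vendor's product: a constructed one-way frame format (magic, sequence number, CRC32) and a shore-side receiver that records sequence gaps and corrupt frames for the SOC instead of requesting a resend.

```python
import struct, zlib

MAGIC = b"UD1"                    # constructed frame marker (an assumption)
HEADER = struct.Struct("!3sIH")   # magic, 32-bit sequence number, payload length

def encode_frame(seq: int, line: str) -> bytes:
    """Sender side: wrap one syslog line so it needs no acknowledgement."""
    payload = line.encode("utf-8")
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def decode_frame(frame: bytes):
    """Receiver side: return (seq, line), or None if the frame is damaged."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    magic, seq, length = HEADER.unpack_from(body)
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None
    return seq, body[HEADER.size:].decode("utf-8", errors="replace")

class ShoreReceiver:
    """Shore SOC ingest: with no ACK path, loss is detected and reported, never repaired."""
    def __init__(self):
        self.expected = 0
        self.lines, self.gaps, self.corrupt = [], [], 0
    def ingest(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1           # damaged on the link: count it, do not stall
            return
        seq, line = decoded
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))   # inclusive lost range
        if seq >= self.expected:        # an older seq is a replay/duplicate: drop it
            self.expected = seq + 1
            self.lines.append(line)

def demo() -> ShoreReceiver:
    """Constructed OT syslog lines; frame 2 is lost and frame 4 is corrupted."""
    lines = [f"<13>Jan 01 00:00:0{i} ids01 alert: sample event {i}" for i in range(5)]
    frames = [encode_frame(i, l) for i, l in enumerate(lines)]
    frames[4] = frames[4][:-1] + bytes([frames[4][-1] ^ 0xFF])  # flip a CRC byte
    rx = ShoreReceiver()
    for seq, frame in enumerate(frames):
        if seq != 2:
            rx.ingest(frame)
    return rx
```

In production the gap and corrupt counters would be emitted as SIEM events themselves, so a silent link failure shows up as a monitored alarm rather than as missing data nobody notices.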

Document in the CSDD as a conduit boundary device

The data diode must appear in the zone and conduit diagram as the boundary device for the conduit it protects. The CSDD entry must specify the direction of data flow, the protocols forwarded, and the systems on each side. Class surveyors will verify the CSDD matches the physical installation.

The feedback exception: Data diodes are not suitable for systems requiring two-way communication — remote DP diagnostics, OEM troubleshooting sessions, or any CBS where shore-side commands must reach the vessel. For those use cases, an iDMZ with ZTNA is required. Diodes are strictly for monitoring-only and one-way data transfer scenarios.

E26 documentation requirements

A data diode installation must be fully documented in the CSDD and included in the zone and conduit architecture submitted to Class. An undocumented diode is a network device with no conduit entry — a finding at survey.

| CSDD section | Required content |
|---|---|
| Zone and conduit diagram | Diode shown as boundary device on the conduit between the two zones — with direction of flow indicated by an arrow. Label with make, model, and firmware version. |
| Data flow matrix | List all data types forwarded through the diode — protocols, source systems, destination systems, and direction. Mark as unidirectional in the direction column. |
| CBS Register | Include the diode as a CBS entry with its own Asset ID, criticality category, firmware version, and maintenance schedule. |
| Configuration backup | Diode firmware and filter configuration backed up in the offline backup inventory. Hash recorded in the image inventory table. |
