Stuxnet
the most famous air-gap attack: malware delivered via USB drive to Iranian nuclear facility control systems not connected to the internet
Hardware-enforced
data diodes enforce one-way data flow at the physical layer — fiber optic hardware that only transmits in one direction, making bidirectional communication physically impossible
Defense, energy, water
the primary sectors using data diodes: military networks, power grid SCADA, nuclear facility control systems, water treatment control systems
USB
the most common air-gap bridging vector: 63% of air-gap attacks documented between 2020-2025 involved USB or removable media as the initial infection vector

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Air-gapped networks achieve network isolation by eliminating all network connectivity — no internet, no corporate network, no wireless. The isolation is the security control. The challenge: air-gapped networks still require data movement. Industrial control systems need software updates and signature file updates. Air-gapped environments need to export logs to a security operations center that is not air-gapped. Classified networks need to receive data from lower-classification networks.

Every path that allows data into or out of the air-gapped network is a potential attack vector. The history of air-gap attacks shows that attackers reliably find and exploit these paths. Data diodes (unidirectional security gateways) provide a hardware-enforced solution: data physically can only flow in one direction because the hardware is incapable of bidirectional transmission.

Air-gap attack vectors: how isolated networks get compromised

Understanding how air-gapped networks are breached informs the controls needed to defend them.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Data diodes: hardware-enforced unidirectional transfer

A data diode is a cybersecurity hardware device that enforces one-way data flow at the physical layer. The most common implementation uses fiber optic hardware: a transmit-only fiber optic transceiver on the sending side and a receive-only transceiver on the receiving side with no transmit capability — making it physically impossible for any data to flow from the receiving network back to the sending network.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Cross-domain solutions (CDS): bidirectional with content inspection

Data diodes enforce strict one-way transfer. Cross-domain solutions (CDS) allow bidirectional transfer between networks of different classification levels but subject all content to inspection and filtering by a guard system that enforces transfer policies — only approved data types, verified against policy, are allowed to cross.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

USB control procedures for air-gapped environments

For environments where data diodes are not deployed or where ad hoc media transfer is operationally necessary, USB and removable media procedures are the primary air-gap protection control.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Air-gapped networks provide strong isolation but every data transfer path is an attack surface. Data diodes hardware-enforce one-way transfer for log export, telemetry collection, and update delivery — eliminating the bidirectional attack path that traditional network connections create. For environments requiring bidirectional transfer between different security domains, cross-domain solutions with content inspection policy provide controlled data movement with inspection enforcement. For environments where neither is deployed, USB scanning stations and write-once media procedures reduce but do not eliminate the risk of air-gap bridging attacks.

Frequently asked questions

Are data diodes appropriate for most enterprises, or just government and critical infrastructure?

Data diodes are most commonly used in government/defense, industrial control systems, and critical infrastructure because those environments have formal air-gap requirements. Most commercial enterprises do not operate truly air-gapped networks — they manage network segmentation with firewalls rather than physical isolation. However, data diodes are increasingly used in commercial environments for specific high-value one-way flows: exporting logs from a PCI cardholder data environment to a SIEM without creating a bidirectional connection, transferring financial transaction data from trading systems to analysis infrastructure, and protecting manufacturing floor OT systems from IT network threats. If your environment has a segment that should only send data out and never receive connections from outside, a data diode is the right control.

Can malware survive a data diode transfer?

A data diode enforces network isolation but does not inspect content — a malware-infected file transferred through a data diode arrives on the receiving network intact. The data diode prevents network-layer attack paths back to the sending network but does not prevent malware delivered through the allowed data flow. Content that traverses a data diode should be scanned for malware before being processed on the receiving end. The diode's value is preventing the attacker from establishing network connectivity back through the diode, not preventing malware delivery through the diode's intended data channel.

What protocols work over data diodes?

Because data diodes prevent TCP's acknowledgment (ACK) packets from returning to the sender, standard TCP-based protocols (FTP, SFTP, HTTP) do not work natively across a data diode. Data diode vendors provide proxy software that converts TCP-based applications to UDP (which does not require acknowledgments) on the sending side and reconstructs the TCP session on the receiving side. Common supported protocols via vendor proxies: syslog (UDP natively), OPC-UA (industrial protocol), file transfer (vendor-specific protocol over UDP), and video streaming (UDP multicast). Protocol support varies by vendor — verify that your specific required protocols are supported before selecting a data diode product.

Sources & references

  1. CISA Cross-Domain Solutions Guidance
  2. NIST SP 800-82: Guide to Industrial Control Systems Security
  3. Owl Cyber Defense Data Diode Products

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.