
Transporting Secure Data: Data Diodes in the Transportation Industry

By OPSWAT

The transportation industry is often considered the backbone of the global economy, contributing upwards of 12% of global GDP (Gross Domestic Product). Global logistics, aviation, maritime, and travel & leisure combine to form a $50 trillion industry annually. Every part of the transportation industry is highly dependent on both information and operational technologies that are increasingly under cyberattack. Firewalls simply do not offer the level of protection needed to secure this critical industry.

Securing the Flow of Data

Across the industry, complex control systems are used to navigate and drive propulsion systems, manage cargo, and ensure passenger safety. These systems need to communicate with central monitoring systems. It is critically important that cybersecurity best practices are followed, which includes properly segmenting networks to protect against threats.

Data diodes are gaining wide acceptance in the transportation industry and are primarily used as a hardware-enforced cybersecurity layer to protect critical OT environments from external cyberthreats while supporting real-time monitoring and data analysis. Unlike software firewalls, data diodes physically restrict data flow to one direction, typically from high-security operational networks to lower-security enterprise or cloud environments. 

Network segmentation is enforced in hardware and cannot be bypassed, creating a zero-trust network security solution.
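
Because a diode provides no return path, the sending side cannot receive acknowledgements or retransmission requests, so the receiving side has to detect loss and corruption on its own. The following is an added example, not code from OPSWAT or MetaDefender NetWall; the frame layout, the names and the sample readings are assumptions constructed for illustration.

```python
import struct
import zlib

# Assumed frame (not a vendor format): magic | seq u32 | length u16 | payload | CRC32
MAGIC, HEADER = b"DD", struct.Struct(">2sIH")

def encode_frame(seq, payload):
    """OT (sending) side: build a frame the receiver can validate by itself."""
    head = HEADER.pack(MAGIC, seq, len(payload))
    return head + payload + struct.pack(">I", zlib.crc32(head + payload))

def decode_frame(frame):
    """Return (seq, payload), or None if the frame is truncated or corrupt."""
    if len(frame) < HEADER.size + 4:
        return None
    magic, seq, length = HEADER.unpack_from(frame)
    (crc,) = struct.unpack(">I", frame[-4:])
    if magic != MAGIC or len(frame) != HEADER.size + length + 4:
        return None
    return (seq, frame[HEADER.size:-4]) if zlib.crc32(frame[:-4]) == crc else None

class OneWayReceiver:
    """IT (receiving) side: records gaps but has no channel to request a resend."""
    def __init__(self):
        self.expected, self.rejected = 0, 0
        self.missing, self.readings = [], []

    def feed(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        if seq < self.expected:          # duplicate or late redundant copy
            if seq in self.missing:      # a late copy fills an earlier gap
                self.missing.remove(seq)
                self.readings.append((seq, payload))
            return
        self.missing.extend(range(self.expected, seq))
        self.expected = seq + 1
        self.readings.append((seq, payload))

def demo():
    # Constructed readings: frame 2 is lost in transit, frame 3 arrives corrupted.
    frames = [encode_frame(i, f"engine_rpm={900 + i}".encode()) for i in range(5)]
    bad = frames[3][:-1] + bytes([frames[3][-1] ^ 0xFF])
    rx = OneWayReceiver()
    for f in (frames[0], frames[1], bad, frames[4], frames[1]):
        rx.feed(f)
    return rx
```

The `missing` and `rejected` values are what a monitoring centre would alert on, since the only remedies on a one-way link are redundancy on the sending side or accepting the gap.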

Operational Benefit of Data Diodes

Enforced Air Gaps: They provide the security of an air gap while still allowing the transfer of information required for modern predictive maintenance and analytics.

Legacy System Protection: Transportation sectors often use legacy systems that cannot be easily patched. Isolating these systems with a data diode protects these assets by physically blocking all inbound traffic.

Regulatory Compliance: Using data diodes meets and—in many cases—exceeds mandatory cybersecurity requirements, such as those issued by the TSA, which require strict network segmentation and monitoring.

Data Integrity: Because data diodes physically prevent outside threats, real-time and historical data recording systems are protected. Critical systems needed to maintain operations or to conduct analysis are secured.

Where Diodes Fit

A growing number of industries within the Transportation Sector have adopted data diodes to securely transfer data due to the hardware-enforced security profile of diodes.

Key Use Cases in Transportation

  • Maritime Operations: Data diodes are used on ships to transmit real-time engine room and system data to shore-based operation centers. This allows shipping companies to plan maintenance and monitor fuel consumption without exposing the vessel's navigation and control systems to potential remote attacks via two-way satellite communications.
  • Rail Infrastructure: National rail companies implement data diodes to isolate rail monitoring and aggregation networks. Diodes facilitate the secure, one-way transfer of safety sensor data and performance metrics to remote monitoring centers, ensuring that safety-critical signaling and interlocking systems remain impenetrable to external threats.
  • Aviation and Airports: Airports use diodes to secure communication networks and protect sensitive operational data. They enable the export of flight and facility status data while keeping the internal airside control networks isolated. Diodes are also used to secure sensitive TSA systems to ensure systems cannot be compromised.
  • Commercial Fleet Management: In heavy trucking, data diodes protect on-board vehicle networks from vulnerabilities found in mandated ELDs (Electronic Logging Devices). By placing a diode between the vehicle's CAN (Controller Area Network) bus and the ELD, operators ensure that data can be read for compliance, but no malicious commands can be sent back to the truck's engine or braking systems.
  • Electric Vehicle Ecosystems: Organizations like NIST recommend network segmentation for EV (electric vehicle) fast-charging infrastructure. Data diodes isolate the OT networks responsible for charging and access control from the IT networks that handle billing and public connectivity, preventing hackers from using charging stations as a gateway to broader power or vehicle networks. 

Transportation Industry Regulatory Guidelines

Regulatory guidance on data diodes in the transportation industry is increasingly shifting from best practice to hard requirement, as the operational benefits of data diodes are seen as the only practical way to guarantee security.

  1. TSA Security Directives (Rail & Aviation)
    The TSA (Transportation Security Administration) has issued several emergency directives requiring critical transportation operators to harden their networks.
    1. Freight & Passenger Rail: TSA Security Directive 1582-21-01 and 1580/82-2022-01 mandate network segmentation between IT and OT.
    2. Requirement: Operators must prevent OT systems from being accessed via the IT system unless secured with measures like data diodes to ensure integrity and prevent corruption.
    3. Aviation: TSA requirements for airports and airlines align with NIST and CISA best practices, which prefer hardware-enforced data diodes for segmenting flight-critical systems.
  2. CISA CPGs (Cybersecurity Performance Goals)
    CISA (Cybersecurity and Infrastructure Security Agency) provides Cross-Sector CPGs that serve as a baseline for critical infrastructure, including transportation.
    1. Unidirectional Flows: CISA explicitly recommends the use of one-way communication diodes to prevent external access to ICS (Industrial Control Systems) while allowing outbound operational data flow to digital twins or data historians.
  3. NIST Standards (EV Charging & General OT)
    1. Electric Vehicle Infrastructure: NIST IR 8473 establishes a cybersecurity framework for EV/XFC (Electric Vehicle Extreme Fast Charging) ecosystems. It identifies network segmentation using data diodes as a recommended practice to isolate charging equipment from enterprise networks.
    2. OT Security: NIST SP 800-82 Revision 3 defines unidirectional gateways (data diodes) as a core component of a layered "defense-in-depth" strategy for high-risk OT environments.
  4. EU NIS2 Directive
    While not prescribing specific hardware, the NIS2 Directive mandates that "highly critical" transport sectors (Aviation, Maritime, Rail, Road) implement strict access controls and risk management.
    1. Data diodes are frequently used by European operators to satisfy NIS2 requirements for securing real-time data exchange channels and protecting against supply chain vulnerabilities.

Securing the Future of Transportation

Data Diodes simplify cybersecurity management by replacing complex, high-maintenance software rules with hardware-enforced physical isolation. By permitting data to flow in only one direction, they eliminate cyberattacks that require bidirectional communications.

Once installed, diodes require little to no ongoing maintenance and, unlike a firewall, have no recurring operational cost. They are “set and forget” network security devices.

OPSWAT’s MetaDefender NetWall product line offers industry leading Data Diode and Security Gateway solutions that are ideal for the Transportation Industry.

Discover how MetaDefender NetWall can ensure your secure networks stay secure.
