Railway Cybersecurity: Why Choose a Data Diode Over a Firewall?
The digitization of railways, connected systems, and increased data exchanges raise the exposure of critical networks to cyberattacks. In this context, securing data flows becomes imperative.
LEROY AUTOMATION’s Data Diode (DTD001) stands out as a reliable, certified, and ultra-secure solution, providing an impenetrable physical barrier between critical systems (OT) and open networks (IT, cloud, telecom).

Data Diode vs Firewall: A Structural Difference in Railway Cybersecurity
1. Software vs Hardware: The Nature of the Devices
A firewall is a software-based device that enforces rules to control network traffic. It can be misconfigured, updated too late, or targeted by attacks. In contrast, the Data Diode (DTD001) is a hardware device with no software layer on the critical network side. This 100% hardware design eliminates intrusion risks due to software vulnerabilities.
2. Network Traffic: Bidirectional vs Unidirectional
Firewalls allow bidirectional communications, whereas the railway Data Diode only permits unidirectional data transfers. This prevents any attempt to access the OT network from outside, ensuring complete isolation of critical data.
3. Vulnerability Risks
A firewall remains exposed to configuration errors, open ports, and application vulnerabilities. Conversely, the railway Data Diode is designed to be tamper-proof, with no openings or communication channels toward the OT network.
4. Maintenance and Lifespan
Firewalls require frequent updates and constant monitoring. The Data Diode (DTD001) needs no maintenance and boasts an MTBF (Mean Time Between Failures) of over 20 years, making it an ideal solution for embedded railway systems.
5. Security by Design
Where a firewall depends on configured rules, the railway Data Diode guarantees intrinsic security: no rules, no access, no risk.
6. Total Protection Against Cyberattacks
By removing any attack surface on the OT side, the Data Diode eliminates threats such as malware, ransomware, and network intrusions. A true physical barrier against cyber risk.
Official Recommendations and Railway Usage
Cybersecurity agencies such as ANSSI (France), DfT (United Kingdom), and NIST (United States) all recommend the use of unidirectional gateways in critical industrial systems compliant with the IEC 62443 standard. The Data Diode (DTD001) precisely meets these requirements.
Why adopt the Data Diode (DTD001) in railways?
Physical IT/OT hardware separation (“Air Gap”)
Protocol-level data break
Certified EN 50155:2021
Resistant from -40°C to +70°C
Secure unidirectional transfer (Ethernet, <250 µs latency)
Maintenance ports protected by secure passwords
Conclusion: Cybersecurity by Design
Unlike firewalls, which remain inherently vulnerable, the railway Data Diode offers protection that cannot be bypassed. Secure your critical data flows with a solution designed to withstand cyber threats—without compromise.
