Unbreachable Access to OT Data
Recognized by:
- NERC CIP
- IEC 62443
- NIST SP 800-82
- NIS2
- TSA
- CMMC
Uncompromising Security
Inbound cyber attacks are physically impossible through the Unidirectional Gateway hardware
Unlimited Visibility
Software replicates industrial systems in real time to external networks using native OT protocols
What is a Unidirectional Gateway
A Unidirectional Gateway is a hardware-enforced cybersecurity solution that permits data to flow in only one direction. As defined by the National Institute of Standards and Technology (NIST):
“Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another but is physically unable to send any information at all back to the source network. The software replicates databases and emulates protocol servers and devices.”
What makes Unidirectional Gateways so secure?
A laser on one circuit board, connected to a photocell on a second board, guarantees one-way data flow that is physically impossible to remotely reverse.
There is physically no way to transmit cyber-attacks through a Unidirectional Gateway – proven to a high degree of confidence by Common Criteria certification, in the face of even the most sophisticated imaginable cyber attacks.
"Extremely reliable, easy integration in complex environments, set and forget functionality"
Healthcare & Biotech | <50M USD
Why Operators Choose Unidirectional Gateways
Access OT data with no OT exposure
Gateways replicate OT data. Users access the replicas without ever touching OT servers.
Confident digital transformation
No rules to misconfigure
Firewalls are software. All software has bugs and can be misconfigured. A gateway is a physical constraint.
Continuous operations
Exceeds regulatory & compliance requirements
Future-proof compliance with the strongest IT/OT segmentation.
Easily connect legacy systems
Hundreds of native connectors. Thousands of supported OT systems. No new software needed inside OT.
Built for OT
Connect
Safely share OT data with IT, cloud & analytics
Protect
Hardware-enforced one-way communication blocks all inbound threats
Replicate
Users and systems interact with real-time OT replicas
Waterfall hardware enforces security.
Our software delivers visibility.
Deployed at 1,000s of sites globally
Eliminate Entire Classes of Cyber Attacks
No malware. No remote compromise.
No human error.
No inbound attack path.
Remote attacks
No inbound path means OT vulnerabilities stop being externally exploitable.
Ransomware
Gateways highlight OT dependencies on IT and eliminate the pathway of IT ransomware propagating to OT.
Malware propagation
No "Abundance of Caution" shutdowns. Attacks cannot move from IT to OT through a Gateway.
Human error at the boundary
Even legitimate administrators cannot misconfigure the product into allowing inbound traffic.
Denial of service against OT
To flood a system, it has to be reached first. Nothing on the external side can send traffic into OT through the Gateway.
AI zero-days
Even if the gateway software is compromised, the hardware cannot propagate that attack into OT targets.
One Security Standard
Multiple Platform Choices
| Feature | DiodeCore | Performance |
| --- | --- | --- |
| Form Factor | 1U half depth, with SW images on VM | 1U full depth appliance |
| Throughput | 1 Gbps | 1 - 10 Gbps |
| High Availability | No | Yes |
| Network Interfaces | 2x 1 Gbps RJ45 | 6x 1/10 Gbps RJ45/optic |
| Power Supply | Dual redundant | Dual redundant, hot swappable |
| Software | WF-600 Axle | WF-600 Axle |
| Supported WF Connectors | All | All |
| EMC/Safety Certifications | Yes | Yes |
| Common Criteria & EAL4+ Certified | Coming soon | Yes |
Powered by Axle Software
Strong security shouldn't require complex operations. Waterfall’s Axle Software delivers a modern, intuitive user experience for all our gateway products, designed to streamline OT security management at scale.
- Seamless User Interface: Enjoy a clean, modern UI
- Centralized Management: Configure, manage, monitor, and troubleshoot all your gateways and connectors from a single pane of glass
- 100s of Native Connectors: Seamlessly integrate with your existing infrastructure. Native support for ABB, AVEVA, Emerson, GE, Honeywell, Rockwell, Schneider, Siemens, Yokogawa & many more...
Strong security. Efficient operations. With Waterfall, you get both.
Simplifying Regulatory and Standards Compliance
NERC CIP-005 R1
Rewards unidirectionally-protected sites with 37 requirement exemptions, recognizing the strength of security provided by Waterfall’s gateways.
IEC 62443-3-3
Recommends unidirectional gateways for protecting high-consequence network zones.
NIST SP 800-82r3
Describes unidirectional gateways as a stronger alternative to firewalls.
NIS2 / EU operators
Unidirectional gateways satisfy the segmentation and isolation requirements that many nations’ NIS2-compliant regulations demand of essential and important entities.
FAQ
What is the difference between a data diode and a Unidirectional Gateway?
According to the NIST SP 800-82 definition, a data diode is the hardware primitive. A unidirectional gateway combines that primitive with protocol connectors, server replication, and a management stack. The diode is the floor; the gateway software is what makes the hardware operationally useful for industrial systems.
I have a firewall at the IT/OT interface, do I need a Unidirectional Gateway?
A firewall is policy enforced by software, with rules that can drift, or be misconfigured or exploited. A fully-patched, correctly-configured firewall should not allow attacks to reach into OT networks. With Waterfall’s Unidirectional Gateways, it does not matter if the gateway is fully patched, nor if it is correctly configured – the gateway hardware cannot allow attacks into OT targets across the IT/OT consequence boundary.