Enabling Secure Data Collection in Data Diode Environments
Leväsalmi, Matti (2026)
2026
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2026051111152
https://urn.fi/URN:NBN:fi:amk-2026051111152
Tiivistelmä
The thesis work focuses on how centralized management applications designed for bidirectional communication can be adapted to operate within networks which use data diodes to enforce unidirectional communication while maintaining operational technology integrity. The research problem arises from the fact that many operational technology devices require external requests, acknowledgements, and handshakes to initiate data collection and confirm delivery. In a unidirectional environment, these mechanisms cannot function, which prevents reliable data exchange and reduces visibility into critical processes.
The study draws on concepts from secure system design, operational technology communication models, and unidirectional gateway architectures. The key concepts include data collection, visibility, and unidirectional communication. Building on these foundations, the research analyzes the technical constraints preventing secure and reliable data collection. The work includes the design and implementation of a secondary software solution to enable data collection while preserving the hardware-enforced separation between networks.
The evaluation of the implemented solution shows that meaningful data collection can be achieved across a unidirectional boundary when communication is redesigned to operate without any inbound connections. The results demonstrate that the solution can reliably transfer operational data to higher network layers while preserving the hardware-enforced separation provided by the data diodes.
The study draws on concepts from secure system design, operational technology communication models, and unidirectional gateway architectures. The key concepts include data collection, visibility, and unidirectional communication. Building on these foundations, the research analyzes the technical constraints preventing secure and reliable data collection. The work includes the design and implementation of a secondary software solution to enable data collection while preserving the hardware-enforced separation between networks.
The evaluation of the implemented solution shows that meaningful data collection can be achieved across a unidirectional boundary when communication is redesigned to operate without any inbound connections. The results demonstrate that the solution can reliably transfer operational data to higher network layers while preserving the hardware-enforced separation provided by the data diodes.