Airgap Design · Data Diodes · CDR · Removable Media Control · OT/SCADA Isolation

Airgapped Networks — Total Isolation for Your Most Critical Systems

When the cost of a breach is catastrophic — classified data, industrial plant control, national infrastructure — a firewall is not enough. Ogma designs and implements airgapped network architectures for India's defence, government, utilities, and critical infrastructure sectors. Physical isolation. Hardware-enforced data flow. Zero attack surface.

  • NCIIPC Guidelines Aligned
  • IEC 62443 Architecture
  • OT / SCADA Expertise
  • GST Invoice

  • Zero: Attack Surface at Physical Layer
  • Hardware: Enforced Unidirectional Flow
  • CDR: Content Disarm & Reconstruction
  • IEC 62443: OT/SCADA Security Standard

Why Ogma for Airgap Design?

Ogma architects airgap environments that balance true isolation with operational usability. We have designed airgapped architectures for defence research, power utilities, and financial market infrastructure — environments where a single wrong connection has consequences that cannot be undone.

  • Purdue Model network segmentation for OT/SCADA environments
  • Unidirectional data diode selection, procurement, and integration
  • CDR station deployment — OPSWAT MetaDefender, Votiro
  • Secure removable media kiosk design and policy enforcement
  • Airgapped SIEM and endpoint detection within isolated zones
  • NCIIPC, IEC 62443, and CERT-In critical infrastructure alignment

  • Critical Infrastructure: power, defence, water, finance
  • Hardware Data Diodes: one-way, tamper-proof flow
  • CDR Sanitisation: zero-day safe file transfer
  • Media Control: USB kiosks and removable media

Airgap Architecture Services

Ogma delivers end-to-end airgap architecture — from threat modelling and network design through hardware procurement, implementation, and ongoing integrity assurance.

Airgap Architecture Design

Threat model, zone definition, and network topology design based on Purdue Model / IEC 62443 / NIST SP 800-82. Defines exactly which data flows are permitted, in which direction, by what mechanism, with what logging.

Unidirectional Gateway Implementation

Selection and integration of hardware data diodes (Waterfall Security, Owl Cyber Defense, Forcepoint) for OT-to-IT telemetry flows. Hardware-enforced — physically impossible to carry reverse traffic.

CDR File Transfer Stations

Deployment of Content Disarm and Reconstruction solutions (OPSWAT MetaDefender, Votiro) at airgap crossing points. Every file is disarmed of active content and reconstructed clean before crossing the boundary.

Removable Media Control

Secure USB kiosk stations with multi-engine malware scan, CDR, encryption enforcement, and asset tagging. Policy prevents any unscanned media from entering the airgapped zone. All media events are logged and auditable.

Airgapped SIEM & Monitoring

Deployment of offline endpoint detection agents and local SIEM nodes within the airgapped zone. Log data forwarded outbound via one-way channel to enterprise SIEM for correlation. No inbound management traffic.

Airgap Integrity Assessment

Periodic assessment to verify that no unauthorised connections have been established — network topology review, wireless RF scanning, USB audit log review, and firewall rule analysis at boundary devices.
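As an added example of the USB audit log review step (illustrative code, not Ogma's tooling; the log formats, the 24-hour validity window and every host and serial are constructed assumptions), the check below correlates kiosk scan verdicts with USB mount events recorded on hosts inside the zone and reports every mount that is not covered by a fresh clean verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines (not real kiosk or endpoint output). Format is an assumption:
# kiosk lines record one scan verdict per media serial; endpoint lines record USB
# mounts observed on hosts inside the airgapped zone.
KIOSK_LOG = """\
2024-03-04T08:02:11 kiosk01 scan serial=USB-7A21 verdict=clean engines=5 cdr=yes
2024-03-04T08:15:40 kiosk01 scan serial=USB-9C04 verdict=blocked engines=5 cdr=yes
2024-03-04T09:30:05 kiosk02 scan serial=USB-1F88 verdict=clean engines=5 cdr=yes
"""
ENDPOINT_LOG = """\
2024-03-04T08:09:52 hmi-03 usb mount serial=USB-7A21
2024-03-04T08:20:17 eng-ws1 usb mount serial=USB-9C04
2024-03-04T11:45:00 eng-ws1 usb mount serial=USB-5D33
2024-03-05T10:10:31 hmi-03 usb mount serial=USB-1F88
"""
MAX_AGE = timedelta(hours=24)   # assumption: a clean verdict older than this no longer covers a mount

LINE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(log):
    """Yield (timestamp, host, key=value fields) for each line."""
    for raw in log.splitlines():
        ts, host, rest = LINE.match(raw).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        yield datetime.fromisoformat(ts), host, fields

def audit(kiosk_log, endpoint_log):
    """Return one finding per in-zone USB mount that lacks a fresh clean kiosk verdict."""
    scans = {}                                   # serial -> [(scan time, verdict), ...]
    for ts, _, f in parse(kiosk_log):
        scans.setdefault(f["serial"], []).append((ts, f.get("verdict")))
    findings = []
    for ts, host, f in parse(endpoint_log):
        hist = scans.get(f["serial"], [])
        if any(v == "clean" and timedelta(0) <= ts - s <= MAX_AGE for s, v in hist):
            continue                             # scanned clean shortly before the mount
        if not hist:
            reason = "never presented to a kiosk"
        elif all(v != "clean" for _, v in hist):
            reason = "kiosk verdict was " + hist[-1][1]
        else:
            reason = f"clean verdict older than {MAX_AGE}"
        findings.append((ts.isoformat(), host, f["serial"], reason))
    return findings
```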

Frequently Asked Questions

An airgapped network is a computer network that is physically and electronically isolated from all unsecured networks, including the internet and corporate intranets. No wireless interfaces, no shared switches, no indirect connections. Airgapped networks are required where the consequence of a breach is catastrophic: classified government systems, nuclear plant controls, power grid SCADA, defence command networks, and financial systems holding extremely sensitive data.

Controlled data transfer is the core engineering challenge of an airgapped deployment. Ogma implements layered mechanisms: unidirectional data diodes (hardware-enforced one-way data flow for operational telemetry), CDR (Content Disarm and Reconstruction) stations that sanitise files before crossing the boundary, and secure removable media kiosks that scan and clean USB drives before allowing them into the airgapped zone. Each mechanism is logged and auditable.

A data diode is a hardware device that enforces one-way data flow at the physical layer — it is literally impossible for data to flow in the reverse direction because the transmission hardware only exists for one direction. A firewall is software/firmware that applies rules — rules can be misconfigured or bypassed. Data diodes are used for the most sensitive airgap boundaries: from OT/SCADA to IT (telemetry out, no commands in) or from classified to unclassified networks.

CDR is a file transfer security technique that deconstructs every incoming file into its component parts, discards anything that does not conform to the expected file specification (macros, embedded objects, active content, malformed structures), and reconstructs a clean, functionally equivalent file. CDR is critical at airgap boundaries because traditional antivirus is signature-based and cannot catch zero-days. CDR eliminates the threat class entirely by removing all active content.
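As an added illustration of the deconstruct, discard, reconstruct cycle described above (example code, not OPSWAT's, Votiro's or Ogma's implementation), the script below applies the technique to a constructed .docx: it keeps only allowlisted package parts, drops the VBA project and the OLE object, and rewrites the content-type and relationship parts so the rebuilt file carries no reference to what was removed. The allowlist and the sample package contents are assumptions.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

# Allowlist of package parts that may survive reconstruction (illustrative assumption; a
# production CDR engine also validates each part's XML body against the OOXML schema).
ALLOWED_PARTS = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|word/(document|styles|settings)\.xml|word/_rels/document\.xml\.rels)$")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def disarm_docx(data: bytes):
    """Deconstruct a .docx, discard every non-allowlisted part, rebuild a clean package."""
    src = zipfile.ZipFile(io.BytesIO(data))
    kept = [n for n in src.namelist() if ALLOWED_PARTS.match(n)]
    dropped = set(src.namelist()) - set(kept)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in kept:
            body = src.read(name)
            if name == "[Content_Types].xml":      # remove Override entries for dropped parts
                body = _prune(body, "", "PartName", dropped)
            elif name.endswith(".rels"):           # remove relationships pointing at dropped parts
                body = _prune(body, name.split("_rels/")[0], "Target", dropped)
            dst.writestr(name, body)               # kept parts go into a freshly built archive
    return out.getvalue(), sorted(dropped)
def _prune(xml: bytes, base: str, attr: str, dropped: set) -> bytes:
    root = ET.fromstring(xml)
    for el in list(root):
        ref = el.get(attr, "")
        part = ref[1:] if ref.startswith("/") else posixpath.normpath(posixpath.join(base, ref))
        if part in dropped:                        # reference to a discarded part: drop it too
            root.remove(el)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")
def build_sample_docx() -> bytes:
    """Constructed input (not a real document): a minimal .docx carrying a VBA project and an OLE object."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="xml" ContentType="application/xml"/>'
                               '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": '<w:document xmlns:w="w"><w:body><w:p/></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="t" Target="vbaProject.bin"/>'
                                        '<Relationship Id="rId2" Type="t" Target="embeddings/oleObject1.bin"/><Relationship Id="rId3" Type="t" Target="styles.xml"/></Relationships>',
        "word/styles.xml": '<w:styles xmlns:w="w"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed macro blob",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 constructed OLE blob",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

A full engine would also rewrite document.xml to remove the body elements that referenced rId1 and rId2; this example stops at the package level.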

Yes, and Ogma recommends a Purdue Model-aligned architecture: Level 0–2 (OT/SCADA) completely isolated, Level 3.5 (DMZ) for data collection, and Level 4–5 (IT/business network) separated by a unidirectional gateway that passes historian data upward but carries zero commands downward. This architecture is consistent with IEC 62443, NERC CIP, and India's NCIIPC guidelines for critical infrastructure protection.

Yes. Airgapped networks require specialised monitoring approaches since standard network-based SIEM agents cannot phone home. Ogma implements endpoint-based detection agents that store logs locally and forward via the approved one-way channel, offline SIEM nodes within the airgapped zone, and periodic manual audit processes. We provide quarterly airgap integrity assessments to verify that no unauthorised connections have been established.
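The one-way log channel described under "Airgapped SIEM & Monitoring" and in the answer above has no return path, so the receiving SIEM can never ask for a resend. The following added example (not Ogma's code and not any diode vendor's protocol) shows what that forces on both ends: the sender numbers, checksums and repeats every frame, and the receiver de-duplicates, detects corruption and records every sequence gap as permanent loss. The frame layout, the syslog lines and the lossy channel are constructed assumptions.

```python
import hashlib
import struct

# Frame layout (an assumption for this example, not any diode vendor's protocol):
#   8-byte big-endian sequence number | 8-byte truncated SHA-256(seq || payload) | payload
# The digest detects link corruption only; it is not a MAC, so it does not prove origin.
HDR = struct.Struct(">Q8s")
REPEAT = 2   # each frame is sent twice: the only "retransmission" a one-way link can offer
def _digest(seq: int, payload: bytes) -> bytes:
    return hashlib.sha256(seq.to_bytes(8, "big") + payload).digest()[:8]
def frame(seq: int, line: str) -> bytes:
    payload = line.encode()
    return HDR.pack(seq, _digest(seq, payload)) + payload
def send(lines):
    """Sender (inside the airgapped zone): number, frame and repeat every log line."""
    out = []
    for seq, line in enumerate(lines, start=1):
        out.extend([frame(seq, line)] * REPEAT)
    return out
class Receiver:
    """Receiver (enterprise SIEM side): verify, de-duplicate and account for every gap."""
    def __init__(self):
        self.expected, self.delivered, self.gaps, self.corrupt = 1, [], [], 0
    def feed(self, datagram: bytes):
        if len(datagram) < HDR.size:
            self.corrupt += 1
            return
        seq, digest = HDR.unpack_from(datagram)
        payload = datagram[HDR.size:]
        if _digest(seq, payload) != digest:
            self.corrupt += 1
            return
        if seq < self.expected:            # second copy of a frame already delivered
            return
        if seq > self.expected:            # loss is final: there is no path to ask for a resend
            self.gaps.append((self.expected, seq - 1))
        self.delivered.append(payload.decode())
        self.expected = seq + 1

def demo() -> Receiver:
    lines = [  # constructed syslog lines, not real telemetry
        "<13>Mar 04 10:00:01 hmi-03 session opened user=operator",
        "<13>Mar 04 10:00:02 plc01 setpoint write tag=PUMP_SP value=45",
        "<13>Mar 04 10:00:03 hist01 archive batch=17 rows=1200",
        "<13>Mar 04 10:00:04 hmi-03 session closed user=operator",
    ]
    datagrams = send(lines)
    # constructed lossy channel: lose one copy of frame 2 and both copies of frame 3
    rx = Receiver()
    for d in (d for i, d in enumerate(datagrams) if i not in (2, 4, 5)):
        rx.feed(d)
    return rx
```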