Why the Return Path Is the Problem

OT environments running water treatment, wastewater processing, and other critical infrastructure have spent years building air-gapped or tightly segmented networks specifically because the consequences of unauthorized access extend beyond data. A compromised IT network leaks information. A compromised OT network can affect the physical systems that treat drinking water, manage sewage, or control industrial processes. The risk calculus is fundamentally different, and the security architecture has historically reflected that by keeping OT networks as closed as possible.

The problem is that closed networks cannot share data, and utilities increasingly need their operational data to flow outward – to cloud aggregators, digital twin environments, disaster recovery systems, and the analytics platforms that help operators understand performance trends before they become failures. Traditional connectivity methods introduced bidirectional channels that sat in direct conflict with the isolation model that those networks were built around.

Owl‘s data diodes address this at the hardware layer. As Protocol Filtering Diodes aligned with U.S. Government PFD requirements, they do not simply limit traffic – they enforce unidirectionality through FPGA-level protocol filtering, meaning the hardware itself prevents any return path from existing. There is no software policy to misconfigure, no firewall rule to bypass, and no session to hijack because the return channel is physically absent.

Blair Sooley, Trihedral Regional Account Manager, described what the combination delivers in practice: “This integration makes it possible to protect critical OT networks while still ensuring operational readiness and providing operators the insights they need to do their jobs effectively.“

What VTScada Brings to the Architecture

Trihedral‘s VTScada carries IEC 62443-4-1 Maturity Level 3 certification – the international benchmark for secure product development lifecycles in industrial automation, independently verified by Exida. That certification matters in regulated critical infrastructure environments where procurement decisions require documented evidence of security practices embedded in the development process, not just claims made in product literature.

VTScada’s role in the integrated solution is handling the SCADA layer – the software that collects, processes, and presents operational data from the OT environment. Combined with Owl’s hardware enforcement at the data transfer boundary, the architecture covers both what data is collected and how it moves, with the diode ensuring that the outbound flow of operational data to IT systems and cloud platforms cannot be reversed into an inbound attack vector.

Scott Orton, CEO of Owl Cyber Defense, pointed to the range of use cases the architecture supports beyond basic data transfer: “Operators have long sought a more secure approach that also supports disaster recovery, data redundancy, and digital twin use cases. By combining their best-in-class OT software with Owl’s hardware-enforced data diodes, we’re giving utilities a proven, U.S.-made path to secure data mobility without compromising the integrity of their OT or IT networks.“

The domestic manufacturing dimension in that statement reflects something real in the current procurement environment. A growing number of utilities have adopted self-imposed policies to source OT security products from U.S. manufacturers, and both Owl’s hardware and the partnership’s positioning are built around that requirement. The integration also aligns with NIST 800-82 security frameworks and supports Zero Trust architectures – a pairing that covers both the technical and compliance requirements that water and wastewater operators navigate.

The Vendor Selection Challenge in Connected Infrastructure

The Houston and Nashville deployments demonstrate adoption at the municipal scale, but the underlying challenge that the integration addresses applies across any environment where devices and systems cannot tolerate the agent-based security tools that work well in conventional IT. Water infrastructure shares that characteristic with connected medical devices, industrial control systems, and other environments where the security model has to work around the constraints of the asset rather than modifying the asset to fit the security model. Security and infrastructure leaders evaluating vendors for these environments – where agentless architectures, unidirectional data flows, and hardware-enforced controls define what is actually deployable – benefit from structured vendor assessment frameworks that surface the specific capabilities and limitations that matter in constrained OT and connected-device contexts.

Scope Beyond Water Infrastructure

The Houston and Nashville deployments are water and wastewater focused, but Owl and Trihedral have positioned the partnership across the broader range of critical infrastructure that runs on SCADA systems. Power generation, oil and gas, manufacturing, and transportation infrastructure all share the same core challenge: operational data needs to move outward to support monitoring, analytics, and redundancy, and the method of moving it cannot introduce the risks that the isolation architecture was built to prevent.

The integration does not resolve every OT security challenge – lateral movement within an OT network, insider access, and supply chain risks all require different controls. What it does resolve is the specific and persistent problem of secure data egress, and it does so through hardware enforcement rather than policy and monitoring, which is a meaningfully different level of assurance for environments where the consequences of getting it wrong are measured in more than data loss.

Research and Intelligence Sources: Trihedral, OWL Cyber Defense

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com