Electronic AirGap is a cybersecurity hardware device that creates a complete physical separation between two networks through an electronic protocol break. Developed and patented by Seclab, it removes layers 1 to 4 of the OSI model between the two networks: no TCP/IP stack crosses the system. Only the useful data (files or application data) is transmitted from one side to the other via a non-routable electronic bus.

How does it work in practice?
The architecture relies on three independent processors, each dedicated to a distinct security function. Two separate access controls—one for incoming traffic, one for outgoing—enforce security policies that must be consistent with each other. The useful data is analyzed during transit (protocol verification, file signature checks, anti-malware scanning) before being reconstructed on the destination network.

How it differs from traditional filtering devices

• Protected assets are invisible and inaccessible from the at-risk network—there is no network route to exploit.
• The attack surface is reduced by design, not by configuration.
• The system is resilient to its own compromise: even if a processor is compromised, the compartmentalized architecture prevents propagation.

Electronic AirGap is CSPN-certified by ANSSI. It is installed between two networks without modifying the existing architecture, making it particularly suitable for OT environments (energy, transportation, industry, defense, telecom, water and waste) where availability is critical and maintenance windows are limited.

Key takeaway – Electronic AirGap physically removes network connectivity between two zones through electronics. It makes protected assets invisible from the at-risk network without requiring any architectural changes.

The main difference lies in the direction of communication: a data diode enforces a strictly unidirectional flow, while the Electronic AirGap provides equivalent physical isolation while allowing secure bidirectional exchanges.

Structural limitations of a data diode
A network diode is effective for one-way information flows (to a SOC or Historian, for example). However, many OT use cases require two-way communication: remote administration, file synchronization, industrial protocols with acknowledgments. Some solutions bypass this limitation by combining two diodes with synchronization gateways, which increases complexity and introduces high latency.

The Electronic AirGap therefore combines the strict isolation of a diode with the operational flexibility required by modern industrial environments.

Key takeaway– Electronic AirGap provides the same level of physical isolation as a data diode, but supports bidirectional communications up to 800 Mbps, without additional software components and without compromising security.

An OT firewall filters network traffic according to configurable rules. The Electronic AirGap, on the other hand, completely eliminates network connectivity between two zones. These are complementary approaches: the firewall controls traffic flows, while the Electronic AirGap removes the very possibility of unauthorized network traffic.

Why a firewall alone is not enough in OT environments

Industrial firewalls have several vulnerabilities in operational contexts:

• They require regular updates (firmware, signatures, rules), often incompatible with maintenance windows limited to a few hours per year.
• They rely on software and remain vulnerable to configuration errors, zero-day exploits, and attacks targeting TCP/IP layers.
• Their effectiveness depends on the quality and constant updating of their rules.

The Electronic AirGap approach

By removing the transport and network layers through an electronic protocol break, the Electronic AirGap inherently eliminates an entire category of attacks. Maintenance is minimal: on average, one software update per year. Protection does not rely on up-to-date signatures or rule maintenance.

The Electronic AirGap does not systematically replace a firewall. It complements it within a defense-in-depth strategy, protecting the most critical perimeter—where a compromise would have major operational impact.

Key takeaway — Where a firewall filters traffic, the Electronic AirGap breaks network continuity. Both are complementary: the firewall for routine segmentation, the Electronic AirGap for isolating the most critical assets.

Physical isolation via Electronic AirGap directly addresses the network segmentation and risk management requirements of the NIS 2 Directive (Article 21). By eliminating any direct network connection between the protected zone and the at-risk zone, it prevents lateral movement and makes critical assets inaccessible.

Which NIS 2 requirements are covered?

• Cyber risk management (Art. 21): Physical isolation is a proportionate and demonstrable risk-reduction measure, especially for critical assets.
• Supply chain security: Systems interconnected with third parties (service providers, suppliers) are physically isolated, limiting the risk of compromise via lateral attacks.
• Business continuity: The integrity of critical systems is ensured without relying on frequent updates—a key factor in OT environments where every downtime has an operational cost.

Progressive compliance

NIS 2 does not require a full-scale overhaul overnight. The Seclab XCore platform enables step-by-step maturity: asset discovery and threat detection with Xplore, followed by isolation of critical systems with Xchange (Electronic AirGap). This gradual approach aligns with the directive’s intent, which calls for measures adapted to the organization’s risk level and maturity.

Key takeaway — Electronic AirGap addresses three key areas of NIS 2: risk management, supply chain security, and business continuity. Combined with Xplore for visibility, it enables progressive compliance tailored to OT constraints.

Electronic AirGap integrates into the zones-and-conduits architecture defined by IEC 62443. Positioned as a conduit between two zones with different security levels, it provides a level of protection corresponding to the highest Security Levels (SL-3 to SL-4).

The zones-and-conduits model in practice

IEC 62443 is based on a clear principle: group assets by security requirement level (zones) and strictly control communications between zones (conduits). Each conduit must guarantee a target security level (Security Level Target) appropriate to the threat.

Why Electronic AirGap meets SL-3 / SL-4 levels

• The protocol break ensures physical isolation—the highest level of protection against intentional breaches using sophisticated means.
• Dual independent access controls (inbound/outbound) meet the standard’s requirements for granular control.
• The principle of least privilege is respected: only explicitly authorized business flows are allowed.

Electronic AirGap protects critical zones (PLCs, SCADA, Historian) while allowing necessary operational traffic. Its deployment without modifying the existing architecture enables progressive compliance, even in legacy environments where equipment replacement is not feasible.

Key takeaway — In the IEC 62443 model, Electronic AirGap acts as a high-security conduit (SL-3/SL-4) between critical zones and at-risk zones. Deployment is possible without overhauling the existing architecture.

No. Not all equipment in an OT environment has the same level of criticality. Applying maximum protection everywhere leads to disproportionate costs and complexity, which can itself harm availability.

The MVDI Principle (Minimum Viable Digital Industry)

MVDI refers to the set of digital assets vital for the proper functioning of industrial operations. The goal is to identify this critical perimeter—production PLCs, SCADA, Historian, safety systems—and focus the strongest protection measures there.

This approach aligns with IEC 62443, which formalizes differentiated security levels by zone. It maximizes risk reduction while controlling costs and operational impact.

Key takeaway — Focus maximum protection (physical isolation) on MVDI assets, and adapt security levels for other assets according to their actual criticality. This provides the best security-to-cost ratio in OT environments.