IEC 62443 (industrial / OT).
IEC 62443 is the international cybersecurity standard for industrial automation and control systems. Paramant's iot.paramant.app relay acts as a quantum-safe data diode — PLCs and sensors push data outbound only, without opening inbound ports or running TLS certificate management on the OT side.
| IEC 62443 SR | Paramant control |
|---|---|
| SR 1.1 — Authentication | API key + ML-DSA-65 device identity per OT endpoint |
| SR 1.5 — Authenticator management | No password storage; per-device key revocation hot-reloadable |
| SR 2.1 — Authorization enforcement | Per-key sector scoping (iot.paramant.app only) |
| SR 3.1 — Communication integrity | AES-256-GCM authenticated encryption + ML-DSA-65 signed receipts |
| SR 3.4 — Software & info integrity | CT log proves binary checksum at startup (relay binary hash logged) |
| SR 4.1 — Information confidentiality | Post-quantum encryption (FIPS 203); ciphertext-only on relay |
| SR 5.1 — Network segmentation | OT side outbound-only; IT side inbound-only; functions as data diode |
| SR 5.2 — Zone boundary protection | 5 MB padding masks payload size; DPI cannot distinguish heartbeat from firmware |
| SR 6.1 — Audit log accessibility | Public CT log + per-account /v2/audit JSON/CSV export |
| SR 7.1 — Denial of service protection | Per-IP and per-key rate limits; RAM saturation handled with HTTP 503 |
data diode positioning
Hardware data diodes cost €50K+, require dedicated installation, and cannot return ACKs. Paramant achieves equivalent zone-boundary protection in software with bidirectional ACKs at a fraction of the cost — and adds CT log auditability that hardware diodes lack.
raspberry pi support
iot.paramant.app runs on Raspberry Pi 3B+/4/5. Use install-pi.sh for a one-line install. Suitable for factory edge nodes with 1 GB RAM.