Industrial OT · IEC 62443

Sensor data without exposing
your OT network

Ghost Pipe is a post-quantum data conduit for the OT/IT boundary. PLC → Ghost Pipe relay → SCADA. No VPN, no device certificates to manage, no direct network connection between zones. Data is encrypted on the field device and destroyed after delivery.

Request API key · IEC 62443 compliance · OT integration guide
Without Ghost Pipe (transfer sizes visible on the wire):
  12 B     keep-alive
  8 B      sensor ping
  2.3 MB   FIRMWARE UPDATE
  980 KB   CONFIG CHANGE
An attacker on the path knows exactly when critical updates happen.

With Ghost Pipe:
  5 MB · 5 MB · 5 MB · 5 MB
Uniform stream. No pattern. No intent visible.

Purdue Model — where Ghost Pipe sits

Ghost Pipe deploys as the IEC 62443 conduit at Level 3.5 (Industrial DMZ). The relay stores nothing on disk — data lives in RAM only and is destroyed on delivery. No persistent connection crosses the OT/IT boundary.

Level 4  Enterprise     ────────────────────────────────────────────────────
         ERP, cloud       paramant-receiver → business systems

Level 3  Operations     ────────────────────────────────────────────────────
         SCADA, historian  paramant-receiver → data historian

Level 3.5 DMZ            ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                         ┌──────────────────────────────────────────────┐
                         │  Ghost Pipe relay                            │ ← HERE
                         │  RAM-only. No disk. Cannot decrypt payload.  │
                         │  Self-hosted (Pi, VM) or iot.paramant.app   │
                         └──────────────────────────────────────────────┘

Level 2  Control        ────────────────────────────────────────────────────
         DCS, PLC         paramant-sender --interval 15 --relay iot

Level 1  Field devices  ────────────────────────────────────────────────────
         Sensors, PLCs    (generate sensor data)

Built for OT constraints

Designed for environments where network changes are change-controlled and direct connectivity between zones is prohibited.

Continuous sensor data

Periodic push without a cron job

With --stdin and --interval, paramant-sender reads readings from standard input and pushes them to the relay every N seconds for as long as the process runs. One command, one outbound session to the relay, unlimited readings.

paramant-sender \
  --stdin \
  --interval 15 \
  --device-id plc-A1 \
  --relay iot \
  --key pgp_xxx
Firmware distribution

Signed firmware push to device groups

Ed25519-signed firmware delivered to named device groups. Devices verify signature before applying. CT log records every update event.

paramant-firmware \
  firmware-v2.1.bin \
  --sign \
  --device-group factory-floor.txt \
  --version 2.1
Edge deployment

Raspberry Pi 4 and ARM64 gateways

The relay runs on Raspberry Pi 3B+/4, Siemens SIMATIC gateways, and Advantech ARM boards. Install in 2 minutes with install-pi.sh. As with any installer piped into a root shell, download the script and review it before running it on a change-controlled host.

curl -fsSL \
  https://paramant.app/install-pi.sh \
  | sudo bash
Self-hosted / air-gap

No external dependency required

Deploy your own relay entirely within your OT DMZ. No outbound internet from the relay host. The CT log stays local and can be archived to an air-gapped audit server. For change control, pin the relay image by digest rather than by the :latest tag.

docker run -d \
  -e RELAY_MODE=iot \
  -e LICENSE_KEY=plk_xxx \
  -p 3000:3000 \
  mtty001/relay:latest

Security properties

Key exchange: ML-KEM-768 + ECDH X25519 hybrid (ML-KEM per NIST FIPS 203). Hybrid means a recorded session stays confidential unless both the ML-KEM-768 and the X25519 components are broken, so a future quantum adversary harvesting traffic today gains nothing.
Symmetric cipher: AES-256-GCM with a per-transfer random IV. The AEAD authentication tag detects any in-transit modification.
Traffic obfuscation: all transfers are padded to a fixed 5 MB block. An observer cannot determine payload size, type, or intent from packet captures. Padding hides size, not timing: transfer cadence is still observable, which is why sensor data is pushed at a fixed --interval rather than on change.
Burn-on-read: each blob is destroyed once its authorised download count (max_views) is reached. No residual data in the relay after delivery.
Relay identity: ML-DSA-65 (FIPS 204) self-signed certificate. Post-quantum digital signature. Cannot be impersonated without the signing key.
Audit trail: every transfer is appended to a Merkle CT log. Tamper-evident, append-only. SHA-256 leaf hashes; a signed tree head (STH) is published every 30 seconds.
Device identity: W3C-compatible DID scheme (did:paramant:) for PLC/sensor enrollment. Registered in the CT log at provisioning time.
Infrastructure: managed relay hosted at Hetzner Falkenstein, DE only. No US sub-processors, no US CLOUD Act exposure. Self-hosted option for full control.
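The fixed-size block behaviour described under Traffic obfuscation (and in the Without/With comparison at the top of the page) is worth seeing as framing logic. The following is an added example written for this page, not Ghost Pipe's own code: it assumes a 12-byte header of chunk index, chunk count and bytes used (a layout chosen here, not documented by the page), splits payloads larger than one block into several blocks, emits a full block even for an empty keep-alive, and refuses to return a truncated payload when chunks are missing or duplicated. The AEAD encryption of each finished block is left out.

```python
"""Constant-size framing: every transfer leaves the sender as one or more
blocks of exactly BLOCK bytes, so an on-path observer sees the same size
whether the content is an 8-byte sensor ping, a 980 KB config change or a
multi-megabyte firmware image. Each finished block would then be sealed
with an AEAD (the page's AES-256-GCM); that step is not shown here."""
import struct
from typing import List, Tuple

BLOCK = 5 * 1024 * 1024          # fixed block size stated on the page
HEADER = struct.Struct(">III")   # chunk index, chunk count, bytes used (assumed layout)
CAPACITY = BLOCK - HEADER.size   # payload bytes that fit in one block


def frame(payload: bytes) -> List[bytes]:
    """Split payload into fixed-size blocks. An empty payload (a keep-alive)
    still produces one full block, so silence is not visible either."""
    chunks = [payload[i:i + CAPACITY] for i in range(0, len(payload), CAPACITY)] or [b""]
    total = len(chunks)
    out = []
    for idx, chunk in enumerate(chunks):
        header = HEADER.pack(idx, total, len(chunk))
        # Zero fill is fine: the whole block is encrypted before it leaves the device,
        # so the observer sees BLOCK bytes of ciphertext, never the fill.
        out.append(header + chunk + b"\x00" * (CAPACITY - len(chunk)))
    return out


def parse_block(block: bytes) -> Tuple[int, int, bytes]:
    """Validate one block and return (index, count, payload bytes)."""
    if len(block) != BLOCK:
        raise ValueError("block has wrong size: drop it, do not try to recover")
    idx, total, used = HEADER.unpack_from(block, 0)
    if total == 0 or idx >= total or used > CAPACITY:
        raise ValueError("malformed header")
    return idx, total, block[HEADER.size:HEADER.size + used]


def reassemble(blocks: List[bytes]) -> bytes:
    """Rebuild the payload from blocks received in any order. Missing or
    duplicate chunks are an error, never a silently truncated payload."""
    parts = {}
    total = None
    for b in blocks:
        idx, t, chunk = parse_block(b)
        if total is None:
            total = t
        elif t != total:
            raise ValueError("chunk count mismatch between blocks")
        if idx in parts:
            raise ValueError(f"duplicate chunk {idx}")
        parts[idx] = chunk
    if total is None or len(parts) != total:
        raise ValueError("incomplete transfer")
    return b"".join(parts[i] for i in range(total))


def observed_sizes(transfers: List[bytes]) -> List[int]:
    """What a packet capture reveals: one size per block, never the payload length."""
    return [len(b) for t in transfers for b in frame(t)]


if __name__ == "__main__":
    # Constructed sample transfers mirroring the comparison at the top of the page.
    print(observed_sizes([b"ping", b"\x00" * 980_000, b"\xff" * 2_300_000]))
```

A firmware image larger than one block simply becomes several blocks with the same header layout; the observer still sees only a run of 5 MB transfers, and the receiver reassembles by index rather than trusting arrival order.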

IEC 62443 alignment

Ghost Pipe maps directly to the IEC 62443 zones-and-conduits model. Full compliance documentation available at /compliance/iec62443.

IEC 62443-3-3 requirement            How Ghost Pipe addresses it
SR 4.1 Information confidentiality   ML-KEM-768 hybrid client-side encryption. Relay never holds plaintext. No data at rest.
SR 4.2 Information persistence       API key per device. Hash-addressed retrieval. Burn-on-read (max_views enforcement).
SR 3.1 Communication integrity       AES-256-GCM AEAD authentication tag on every payload. Tamper-evident Merkle CT log.
SR 1.2 Device identification         Device DID enrollment via /v2/did/register. CT log timestamped registration.
SR 2.8 Auditable events              Every transfer in a public, tamper-evident Merkle CT log. RSS feed for external archiving.
SR 5.1 Network segmentation          Dedicated iot.paramant.app sector. No cross-sector data. Self-hostable in the DMZ.
62443-3-2 Zones and conduits         Ghost Pipe is the conduit between the control zone and the operations/enterprise zones, with the relay in the Level 3.5 DMZ.
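The Merkle CT log referenced under Audit trail and under SR 2.8 is the mechanism that makes the audit record tamper-evident, so here is an added example of what an auditor (for instance the air-gapped audit server mentioned above) would run. It is written for this page and is not Paramant's code; it uses the RFC 6962 hashing rules (0x00 leaf prefix, 0x01 node prefix, SHA-256) and a constructed record format, and the STH carries no signature because the relay's ML-DSA-65 key is not modelled here.

```python
"""Append-only Merkle log with inclusion proofs, RFC 6962 style.
An auditor holding an STH (tree size + root) can check that a given transfer
record is in the log, and that a newer STH still covers the old log unchanged."""
import hashlib
import hmac
import time
from typing import List, NamedTuple

LEAF, NODE = b"\x00", b"\x01"   # domain separation: a leaf can never be passed off as a node


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves: List[bytes]) -> bytes:
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaves[0]
    k = _split(n)
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(m: int, leaves: List[bytes]) -> List[bytes]:
    """Audit path for leaf m: sibling hashes from the leaf level up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [root_hash(leaves[:k])]


def verify_inclusion(m: int, n: int, lh: bytes, path: List[bytes], expected_root: bytes) -> bool:
    """Recompute the root from leaf hash lh at index m of an n-leaf tree."""
    if not 0 <= m < n:
        return False

    def walk(m: int, n: int, path: List[bytes]) -> bytes:
        if n == 1:
            if path:
                raise ValueError("path too long")
            return lh
        if not path:
            raise ValueError("path too short")
        k = _split(n)
        if m < k:
            return node_hash(walk(m, k, path[:-1]), path[-1])
        return node_hash(path[-1], walk(m - k, n - k, path[:-1]))

    try:
        return hmac.compare_digest(walk(m, n, path), expected_root)
    except ValueError:
        return False


class STH(NamedTuple):
    tree_size: int
    root: bytes
    timestamp: int


class CTLog:
    def __init__(self) -> None:
        self._leaves: List[bytes] = []   # leaf hashes only; entries live elsewhere

    def append(self, entry: bytes) -> int:
        self._leaves.append(leaf_hash(entry))
        return len(self._leaves) - 1

    def sth(self) -> STH:
        return STH(len(self._leaves), root_hash(self._leaves), int(time.time()))

    def proof(self, index: int) -> List[bytes]:
        return inclusion_proof(index, self._leaves)

    def extends(self, old: STH) -> bool:
        """Auditor with full log access: the first old.tree_size leaves must still
        hash to old.root, otherwise history was rewritten rather than appended."""
        return old.tree_size <= len(self._leaves) and hmac.compare_digest(
            root_hash(self._leaves[:old.tree_size]), old.root)


# Constructed sample transfer records; the field layout is invented for this example.
SAMPLE_RECORDS = [
    b"did:paramant:plc-A1|blob=3f1c...|ts=1767225600|views=1",
    b"did:paramant:plc-A1|blob=9a02...|ts=1767225615|views=1",
    b"did:paramant:plc-B7|blob=c4d8...|ts=1767225630|views=1",
    b"firmware|group=factory-floor|version=2.1|ts=1767225700",
    b"did:paramant:plc-A1|blob=77e1...|ts=1767225715|views=1",
]
```

The auditor needs only the STH and the audit path to check one record, which is what makes the log publishable over an RSS feed; spotting a rewritten history needs either the full leaf list (as in extends above) or a consistency proof between the two tree sizes.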

Full IEC 62443 compliance documentation →

Start a Ghost Pipe OT pilot

Community edition is free for up to 5 devices. Enterprise licensing includes dedicated relay, custom SLA, and on-site deployment support.

iot.paramant.app
IEC 62443 · NIS2
ML-KEM-768 · FIPS 203/204
Hetzner DE · BUSL-1.1
© 2026 PARAMANT