Case Study: Connecting a Plant Securely — Without Exposing the PLCs

At a glance

The deployment in one view.

Operation

An operator wanting visibility but wary of opening a path to its control systems

Concern

Data-security and cyber risk — a top reported barrier to connecting OT

How we connected it

Read-only, outbound-only edge access — no PLC ports exposed to the internet

Architecture

OT/IT segmented by firewall; encrypted transport; role-based access with audit log

Data

Owned by the operator — SA-region cloud or fully on-premise, exportable

The shift

From "stay blind to stay safe" to visible and more controllable

The challenge

Data security is consistently one of the top reasons operators hesitate to connect their plant. Operational technology was historically "secure" by isolation, and the worry is reasonable: connecting machines for visibility could create a path for an attacker to reach the equipment that runs the operation. The brief was blunt — get us the data we need, but do not open a door to our control systems, and do not put our PLCs on the internet.

The core principle: get the data out, never let control in. A monitoring connection should be read-only and outbound-only — the edge device reads the machine and pushes data out; nothing reaches back to the PLC.

Our approach

Read-only at the edge. The edge device reads from PLCs and sensors without write access, so the connection can't be used to change a setpoint or stop a process.
No exposed PLC ports. Controllers stay on a protected OT network; the edge device initiates an outbound connection — nothing untrusted connects in.
Segment OT from IT. Edge devices sit in their own segment behind a firewall — defence in depth, so a problem in one zone can't reach the control layer.
Encrypt, authenticate, log. Encrypted transport, authenticated outbound-only connections, and role-based access with a full audit trail of who saw what.
Own the data. SA-region cloud or fully on-premise, with export to CSV/SQL — no lock-in, no data-release fees (the principles in our OT-security guide).

What changed

Visibility without exposure.

Data out, control untouched

Live visibility of the plant with the control systems isolated and read-only — the connection can't alter the process.

A stronger posture, not weaker

Continuous monitoring, segmentation, role-based access and an audit log give more control than an unmonitored, shared-password "air gap".

Data ownership kept

In-region or on-premise hosting and full export — the operator decides where its data lives, with no lock-in.

Why it fits South Africa

Addressing the objection that stalls adoption.

With data-security and cyber concerns among the top barriers to IoT adoption locally — and data-privacy expectations rising — "is this safe?" is the question that must be answered before a project starts. A read-only, outbound-only, segmented architecture with data ownership answers it concretely: you gain visibility and a better security posture without exposing control. Done this way, connecting the plant reduces risk rather than adding it.

See the industrial IoT security guide and the addaNet platform.

This case study illustrates addanode's approach through a representative scenario; client details and figures are omitted by policy.

Connecting a plant securely — without exposing the PLCs

The deployment in one view.

The challenge

Our approach

Visibility without exposure.

Data out, control untouched

A stronger posture, not weaker

Data ownership kept

Addressing the objection that stalls adoption.

Worried about the security of connecting up?

Connecting a plant securely — without exposing the PLCs

The deployment in one view.

The challenge

Our approach

Visibility without exposure.

Data out, control untouched

A stronger posture, not weaker

Data ownership kept

Addressing the objection that stalls adoption.

Worried about the security of connecting up?

Related reading

Industrial IoT security

SCADA vs IoT platform

OPC-UA vs Modbus vs MQTT