The fear is legitimate — and addressable
Operational technology was historically "secure" by being isolated — air-gapped, proprietary, disconnected. Connecting it for visibility understandably raises the worry that you're creating a path for an attacker to reach the equipment that runs your plant. That worry is healthy. But the answer isn't to stay blind; it's to connect in a way that exposes data without exposing control. The security risk comes from doing it carelessly — putting a PLC on the public internet, or wiring an IoT box straight into the control network with write access — not from monitoring itself.
The core principle: get the data out, never let control in. A monitoring connection should be read-only and outbound-only — the edge device reads the machine and pushes data to the platform; nothing reaches back to the PLC.
How to connect securely
- Read-only at the edge. The edge device reads data from PLCs and sensors without write access, so even if it were compromised it couldn't change a setpoint or stop a pump.
- Never expose PLC ports. Controllers stay on a protected OT network. The edge device initiates an outbound connection to the platform; nothing untrusted initiates a connection in to the PLC.
- Segment the network. Put IoT/edge devices in their own segment with a firewall between OT and IT — defence in depth, so a problem in one zone doesn't reach the control layer.
- Encrypt and authenticate. Use encrypted transport and authenticated, outbound-only connections from edge to platform; no plaintext, no anonymous access.
- Role-based access & audit log. Use named users with least-privilege roles, and keep a full audit trail of who viewed or changed what.
- Own your data and your patch path. Keep data ownership (in-region cloud or on-prem) and a clear process for updating and patching edge devices over their life.
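To make "read-only at the edge" concrete, the added example below (not from the original page and not addaNet's code) shows a default-deny filter that a gateway between the edge device and a PLC could apply, assuming the edge device polls over Modbus/TCP. The names check_request, build_request and SAMPLES are hypothetical, and the sample frames are constructed.

```python
import struct

# Modbus function codes that only read data; everything else is refused.
READ_ONLY = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

def check_request(frame: bytes):
    """Return (allowed, reason) for one Modbus/TCP request frame (default deny)."""
    if len(frame) < 8:                       # 7-byte MBAP header + function code
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                           # protocol id is always 0 for Modbus
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:             # length counts unit id + PDU
        return False, "length field mismatch"
    func = frame[7]
    if func not in READ_ONLY:                # writes 0x05/0x06/0x0F/0x10, 0x17, etc.
        return False, f"function 0x{func:02X} not on read-only allowlist"
    if len(frame) != 12:                     # a read PDU is code + address + quantity
        return False, "malformed read request"
    return True, READ_ONLY[func]

def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a sample frame (constructed test input, not captured traffic)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed samples: one poll and three requests the filter must refuse.
SAMPLES = {
    "poll holding registers": build_request(1, 1, 0x03, struct.pack(">HH", 0, 10)),
    "write single register": build_request(2, 1, 0x06, struct.pack(">HH", 100, 1500)),
    "write multiple coils": build_request(3, 1, 0x0F, struct.pack(">HHBB", 0, 8, 1, 0xFF)),
    "read/write registers": build_request(4, 1, 0x17, struct.pack(">HHHHBH", 0, 1, 5, 1, 2, 7)),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(label, check_request(frame))
```

The allowlist refuses the combined read/write function 0x17 as well as the plain write codes, which a filter that only blocks known write codes would have to remember to list.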
Why connected can be more secure
Done right, monitoring improves your security posture rather than degrading it. Continuous visibility means you notice anomalies — unexpected access, abnormal device behaviour — that an isolated, unmonitored plant would miss entirely. Centralised, role-based access with an audit log is more controllable than a dozen engineers sharing a SCADA password. And edge buffering means a network problem degrades gracefully (data queues locally) rather than failing open. "Air-gapped" often really means "unmonitored and unpatched" — which isn't as secure as it sounds.
Questions to put to any vendor
- Is the connection to our PLCs read-only, and is it outbound-only?
- Are any PLC or device ports exposed to the internet? (The answer must be no.)
- How is OT segmented from IT, and where does the firewall sit?
- Is transport encrypted, and access authenticated and role-based with an audit log?
- Who owns the data, where is it hosted, and can we run it on-premise?
- What's the patching and update process for the edge devices?
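One way to check the answers to the first three questions against an exported firewall policy, as an added example that is not from the original page or the vendor: it evaluates a constructed ruleset with first-match semantics and reports every flow that can initiate a connection into the OT or edge segment outside the read-only, outbound-only pattern. The zone names, the rule format and the ports 502 (Modbus/TCP) and 8883 (MQTT over TLS) are assumptions.

```python
from typing import NamedTuple, Union

class Rule(NamedTuple):
    src: str                 # zone that initiates the connection, or "any"
    dst: str                 # zone that receives it, or "any"
    port: Union[int, str]    # destination port, or "any"
    action: str              # "allow" or "deny"

# Who may initiate a connection INTO each protected zone (assumed policy).
ALLOWED_INBOUND = {
    "ot": {("edge", 502)},   # only the edge segment, only the polling port
    "edge": set(),           # outbound-only: nothing initiates into the edge
}

def effective_action(rules, src, dst, port):
    """First matching rule wins; no match is an implicit deny."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action
    return "deny"

def audit(rules, zones, ports):
    """Return (src, dst, port) flows that are effectively allowed but off-policy."""
    findings = []
    for dst, allowed in ALLOWED_INBOUND.items():
        for src in zones:
            for port in ports:
                if src == dst or (src, port) in allowed:
                    continue
                if effective_action(rules, src, dst, port) == "allow":
                    findings.append((src, dst, port))
    return findings

# Constructed ruleset for a stateful firewall (rules describe who initiates).
ZONES = ["internet", "it", "edge", "ot", "platform"]
PORTS = [22, 502, 8883]
RULES = [
    Rule("internet", "any", "any", "deny"),    # internet initiates nothing inward
    Rule("edge", "ot", 502, "allow"),          # edge polls the PLCs
    Rule("edge", "platform", 8883, "allow"),   # edge pushes data outbound
    Rule("it", "ot", 502, "allow"),            # off-policy: IT reaches a PLC port
    Rule("platform", "edge", 22, "allow"),     # off-policy: inbound to the edge
    Rule("internet", "ot", 502, "allow"),      # shadowed by the first rule
]

if __name__ == "__main__":
    for finding in audit(RULES, ZONES, PORTS):
        print("off-policy flow:", finding)
```

Because the audit works on the effective decision rather than on individual rules, the shadowed internet-to-PLC rule is not reported while the first deny stands, and becomes a finding if that deny is ever removed.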
These principles are built into the in-house addaNet platform: read-only edge access, no exposed PLC ports, network segmentation, encrypted transport, role-based access with audit logging, and your choice of in-region cloud or fully on-premise hosting with full data ownership and export. Connecting your plant should make it more visible and more controllable — not more exposed. For the wider picture, see our guide to Industrial IoT in South Africa and the protocol-level view in OPC-UA vs Modbus vs MQTT.
Frequently asked questions
Does connecting our PLCs to IoT create a security risk?
Only if it's done carelessly. The safe pattern is read-only, outbound-only access at the edge with no PLC ports exposed to the internet, OT segmented from IT by a firewall, and encrypted, authenticated connections. Done this way, you expose data without exposing control — and gain visibility you didn't have before.
Can the platform change settings on our equipment?
For monitoring it shouldn't, and by default it doesn't. The edge device reads data without write access, so the connection can't be used to alter setpoints or stop equipment. Any control function is a separate, deliberate design decision kept in the proper control system — not a side effect of monitoring.
Isn't an air-gapped plant more secure?
Often less than it appears. "Air-gapped" frequently means unmonitored and unpatched, with shared passwords and no audit trail. A properly connected system gives continuous visibility of anomalies, role-based access with logging, and a managed patch path — which can be a stronger security posture than isolation.
Where is our data, and do we own it?
You should own it outright. A good platform offers in-region cloud or fully on-premise hosting, encrypted transport, and export to CSV, SQL or your data lake at any time — with no lock-in or data-release fees. Data ownership and hosting location should be your decision, not the vendor's.
What should we ask a vendor about security?
Whether the PLC connection is read-only and outbound-only, whether any device ports are exposed to the internet (must be no), how OT is segmented from IT, whether transport is encrypted and access is role-based with an audit log, who owns and hosts the data, and what the edge-device patching process is.