OT ARCHITECTURE

Secure OT-to-IT data transfer

How to move operational data to enterprise systems without turning the integration into a new inbound path to the plant.

REFERENCE ARCHITECTURE

A secure OT-to-IT data path, end to end

Industrial protocols terminate inside OT. Approved records are normalized and buffered before crossing the hardware-enforced one-way boundary. A separate IT-side service then creates new sessions to enterprise destinations.

OT NETWORKTrusted operational environment
1
Industrial sourcesPLC · RTU · DCS · OPC UA · Modbus · OT historian

2
Collect, validate and mapAllow-listed tags · source timestamps · quality · protocol termination

3
Persistent OT bufferStore-and-forward · queue monitoring · outage retention

SECURITY BOUNDARYIndustrial DMZ / Level 3.5
Diodos Data DiodePhysical transmit-only path
APPROVED DATA ONLYNo IT-to-OT network path

IT NETWORKEnterprise and monitoring environment
4
Reconstruct and deliverNew IT-side sessions · replay control · destination mapping

5
Enterprise destinationsSQL · enterprise historian · MQTT · API · analytics · SOC/SIEM

NormalRecords move continuously
IT destination offlineOT buffer retains approved records
RecoveryQueued records replay in controlled order

Reference pattern, not a universal topology. Sources, protocols, buffer capacity and destination controls must be selected through site-specific engineering and risk assessment.
01

Minimize the flow

Transfer only the tags, records and events required by the approved business purpose.

02

Terminate protocols

Do not expose PLCs, OPC servers or the OT historian directly to enterprise consumers.

03

Engineer recovery

Size persistent storage, alarms and replay behaviour for the maximum expected outage.

04

Monitor both sides

Track source freshness, queue depth, last transfer, rejects and destination delivery independently.

Begin with the data flow, not the product

Define the source, the exact data required, update frequency, destination and acceptable delay. Separate operational visibility requirements from remote-control requirements. Many projects initially described as bidirectional only need telemetry to move from OT to IT.

A narrow, documented flow is easier to secure, test and monitor than broad network access. Treat every protocol conversion and destination connection as a new trust boundary.

  • Inventory sources and destinations
  • Classify data and required freshness
  • Remove unnecessary return traffic
  • Define loss and recovery behaviour

Choose the boundary pattern

A firewall-based conduit is appropriate when a controlled return path is essential. A unidirectional gateway or data diode is stronger when the flow can be publish-only. In both cases, avoid exposing PLCs, OPC servers or historians directly to enterprise networks.

Use collectors and middleware near the source. Terminate industrial protocols inside OT, validate and buffer data, then create a separate delivery session from the destination side of the boundary.

Reliability is part of security

Secure transfer must also survive outages. Store-and-forward queues prevent a temporary destination failure from causing data loss or repeated access to source systems. Monitoring should expose queue depth, last successful delivery, rejected records and storage capacity.

Time synchronisation, deterministic mappings and idempotent writes help the destination reconstruct an accurate history after recovery.

  • Local buffering
  • Back-pressure and capacity alarms
  • Replay without duplicate records
  • Independent health monitoring

Validate before production

A proof of concept should test normal operation, destination outage, network interruption, malformed data and recovery. Security validation should confirm that only approved flows exist and that no reverse session can reach OT.

Document ownership for certificates, credentials, mappings, upgrades and incident response. A secure design becomes fragile when operational responsibilities are unclear.

FAQ

Frequently asked questions

What is the safest OT-to-IT transfer pattern?

When the required flow is strictly outbound, hardware-enforced one-way transfer provides the strongest directional guarantee.

Should IT connect directly to an OT historian?

Direct cross-boundary access increases exposure. Replication or middleware-based delivery is generally easier to control and monitor.

How is data loss prevented?

Use persistent buffering, monitored queues and replay-capable delivery during destination or network outages.

NEXT STEP

Apply the architecture to a real industrial data flow.

Start with one source, one destination and a measurable security or operations objective.