Connecting machines does not require exposing them. The standard defensive pattern is simple: segment machine networks into zones, let data flow outward through a read-only edge that initiates every connection itself, and allow nothing inbound to the controls. Done this way, monitoring data leaves the plant network and nothing reaches back in. Security is the most common reason plants delay connectivity, and the concern deserves a straight answer rather than a brush-off. This post gives the defensive playbook in plain English: what IEC 62443 actually says, what a read-only edge is, how segmentation works, and what to do about controllers too old to patch.
Does connecting machines make a plant less secure?
It changes the risk surface, and whether that change is for better or worse depends entirely on how the connection is built. Two honest points frame the question. First, most plants are already more connected than they believe: vendor laptops plug into control networks for service visits, USB sticks carry programs between machines, and remote access tools installed years ago quietly persist. Unmanaged connectivity is the real baseline, not an air gap. Second, a deliberately designed data path, one-way, monitored, and segmented, is a far smaller surface than the ad hoc access it often replaces, and the visibility it creates means unusual behavior gets noticed instead of persisting silently. The goal is not connectivity versus security; it is managed connectivity versus the unmanaged kind. Our OT cybersecurity guide covers the wider discipline; this post focuses on the machine-data path specifically.
What does IEC 62443 actually say, in plain English?
IEC 62443 is the international standard family for securing industrial automation and control systems, and its core idea is refreshingly practical: divide the plant into zones and control the traffic between them. A zone is a group of assets with similar trust and function, the business network, the plant applications, the control network for a line, the safety systems. A conduit is the controlled path between zones, with explicit rules about what may cross: firewalls, authentication, logging. Nothing moves between zones except through a conduit.
The standard also defines security levels, SL 1 through SL 4, that describe what a zone is defended against: SL 1 covers casual or accidental misuse, SL 2 intentional attack with simple means, SL 3 sophisticated attack with moderate resources, and SL 4 attacks by well-resourced, highly motivated adversaries. The point of the levels is proportionality. A packaging line's monitoring zone does not need the defenses of a safety system, and the standard gives you the vocabulary to make that call deliberately instead of by accident.
What is a read-only edge, and why does it matter?
A read-only edge is a device or gateway that sits inside the machine network, reads data from PLCs and sensors, and publishes it outward, initiating every connection itself. Three properties do the security work:
- Outbound-only initiation. The edge dials out to the broker or platform; nothing on the outside ever opens a connection into the machine network. Firewall rules can then deny all inbound traffic to the control zone, which removes the classic attack path.
- Read, not write. The edge's credentials on the PLC allow reading tags, not writing them or changing programs. Monitoring needs no write access, so granting none costs nothing and removes the scariest failure mode.
- A narrow, inspectable stream. What leaves is a defined set of states, counts, and process values over one encrypted channel, which is easy to monitor and easy to reason about, unlike a general-purpose remote session.
For the highest-consequence environments, hardware data diodes make the one-way property physical. Most plants do not need that; a properly firewalled outbound-only edge follows the same principle with ordinary equipment. The pattern also answers the cloud question: data can leave for analytics over this path while the control zone stays closed; the same discipline applies whether the destination is a server in the plant or a platform beyond it.
How do you segment machine networks in practice?
Segmentation is the workhorse control, and the practice is well documented in NIST's guide to operational technology security, SP 800-82. The pattern: separate the enterprise network from the plant network, place a DMZ between them so no traffic flows directly from business systems to controls, and divide the plant side into zones per line or cell so trouble in one area cannot roam. Traffic between zones passes through firewalls with explicit allow rules, and everything else is denied. If your machine network today is one flat LAN where an office laptop can ping a PLC, segmentation is the first project, before or alongside any new connectivity; it protects the SCADA and control systems you already run, not just the data project you are adding. The cost is managed switches, firewalls, and design time, modest against the downtime a single incident causes, and you can weigh it with the ROI calculator alongside the connectivity benefits it protects.
How do you connect machines securely, step by step?
- Inventory what exists. Every controller, connection, remote-access tool, and vendor pathway. Most plants find surprises, and the surprises are the current risk, not the future project.
- Define zones and conduits. Group assets by function and trust, decide what may talk to what, and write it down. This is design work, not equipment purchase.
- Segment with a DMZ between business and plant. No direct enterprise-to-control traffic in either direction; data hands off in the middle.
- Deploy a read-only, outbound-only edge. Read-only credentials on the PLCs, outbound-initiated encrypted connections, deny-all inbound at the control-zone firewall.
- Apply least privilege to accounts and credentials. Unique credentials per system and person, no shared logins, and no default passwords, on the edge, the PLCs that support it, and the platforms above.
- Monitor the conduits. Log what crosses zone boundaries and alert on anything new. A narrow, defined data stream makes anomalies stand out.
- Plan for the unpatchable. Old controllers that cannot be updated get compensating controls: tighter zones, stricter conduit rules, and no network exposure beyond the minimum. Isolation substitutes for patching where patching is impossible.
What about old PLCs that cannot be patched?
Treat them as protected assets rather than problems to modernize on a security timeline. A 1990s controller was never going to authenticate anyone; the defense is the architecture around it: a small zone, a strict conduit, read-only extraction through the edge, and no direct route from anywhere outside its cell. This is standard practice, not a workaround, and it means machine age is not a reason to forgo either security or data. The connectivity methods in our protocols guide all work within this pattern, and the ROI of connecting machines is unchanged by doing it safely; the secure path and the fast path are the same path when designed up front.
What do the standards say?
The defensive playbook above is not vendor advice; it is the published consensus of the standards bodies:
- The ISA/IEC 62443 series defines zones, conduits, and security levels SL 1 through SL 4 for industrial automation and control systems, with requirements spanning asset owners, integrators, and product suppliers.
- NIST's SP 800-82 Revision 3, the Guide to Operational Technology Security published in September 2023, details segmentation, DMZ architectures, and the principle that direct enterprise-to-control traffic should not be permitted.
- CISA publishes ongoing industrial control systems advisories, a free feed of vulnerabilities and mitigations relevant to the equipment on your floor.
Where does Harmony AI fit?
Harmony AI's job is the operational layer: machine data joined with schedules, paperwork, and people in one live picture. The connectivity underneath follows the defensive pattern this post describes, data collected from the equipment you already run and moved outward into the platform, with no rip-and-replace of controls or networks. Because deployment happens in person, typically one or two visits, the data path is designed on site with your team and within your segmentation, rather than mailed in as a box that demands open ports. Security questions get answered in the walkthrough, with your IT and controls people in the room. The CLS case study shows the result: real-time visibility on working lines, built on the plant's own infrastructure. For the broader connected-plant picture, see IIoT and smart factory technology.