Ransomware crews and state-backed actors now target operational technology directly — pipelines, water utilities, and production facilities have all been hit through their monitoring and control systems. Yet most SCADA deployments still run with open inbound firewall ports, shared operator logins, and no audit trail. This guide explains what actually makes a SCADA platform secure on an OT network — IEC 62443 levels, network segmentation, outbound-only gateways, RBAC and MFA, SIEM integration, and air-gapped deployment — and gives you the exact questions to ask vendors before you buy.
The most secure SCADA options for OT networks share five architectural characteristics: no open inbound firewall ports (outbound-only gateway connectivity), role-based access control enforced with multi-factor authentication, tamper-evident audit logging of every user action, security event export to a SIEM, and an air-gapped on-premise deployment option for the most restrictive environments. No vendor is secure by brand name — security is a property of architecture and operational discipline, which is why IEC 62443 assesses systems and processes, not logos.
That said, architecture choices made at design time matter enormously. Platforms designed in the 1990s and 2000s assumed a trusted plant LAN: flat networks, Windows domain authentication, and remote access bolted on later through port forwarding or VPNs. Cloud-era platforms like Merobix were designed after Stuxnet and the rise of internet scanning tools like Shodan, so they start from the assumption that any inbound path into the OT network will eventually be found and attacked — and eliminate those paths entirely.
To be fair to the incumbents: Ignition, AVEVA, and FactoryTalk all run mature security programs, publish hardening guides, and can be deployed to a strong security posture. The difference is how much configuration and integrator discipline it takes to get there. A platform that is secure by default — MFA on, RBAC on, no inbound ports possible — removes the most common failure mode in OT security: the correctly designed system that was never correctly configured. For a broader look at reliability-focused platforms, see our guide to the best SCADA systems for mission-critical environments.
When buyers search for SCADA vendors with industrial-grade cybersecurity, IEC 62443 is the yardstick that phrase actually refers to. It is the international series of standards for industrial automation and control system (IACS) security, and it splits responsibility three ways: component and software vendors (62443-4), system integrators and system-level requirements (62443-3), and asset owners' policies and procedures (62443-2).
The most useful concept for a buyer is the security level (SL) — a rating of the attacker the system is designed to resist:
| Security Level | Protects Against | Typical Environment |
|---|---|---|
| SL1 | Casual or coincidental violation — misconfiguration, curious employees | Minimum baseline for any industrial system |
| SL2 | Intentional attack using simple means and low resources — commodity malware, opportunistic scanning | Most oil and gas, manufacturing, and utility operations |
| SL3 | Sophisticated attack with moderate resources and IACS-specific knowledge — organized crime, ransomware crews | Pipelines, larger utilities, chemical facilities |
| SL4 | Attack with extended resources and sophisticated means — state-level actors | Critical national infrastructure |
Compliance with IEC 62443 is not legally mandatory for most private US operators, but it increasingly appears in customer contracts, cyber-insurance questionnaires, and sector regulation (TSA pipeline security directives, America's Water Infrastructure Act). The practical buyer question is not "are you certified?" — full certification is still rare across the industry — but "which security level is your architecture designed to support, and against which parts of 62443-3-3 have you assessed it?" A vendor who cannot answer that question has not done the work.
Segmentation is the foundation every other control sits on. The Purdue model divides an industrial network into levels — field devices and I/O at Levels 0–1, control systems and HMIs at Levels 2–3, a demilitarized zone (DMZ) at Level 3.5, and business IT at Levels 4–5. IEC 62443 generalizes this into zones (groups of assets with common security requirements) and conduits (the controlled communication paths between them).
The rules that matter in practice:
This is where SCADA architecture either helps or hurts. A platform that requires inbound connections to an OT-resident server forces you to punch holes in the segmentation you just built. A platform whose gateway initiates all connections outbound fits the zone-and-conduit model without exceptions.
The best security gateway for a SCADA or ICS environment is one that makes only outbound, TLS-encrypted connections — so the OT firewall can be set to deny all inbound traffic, permanently. Internet-exposed inbound ports (VNC, RDP, HMI web servers, Modbus TCP forwarded straight to a PLC) remain the single most common way industrial systems get compromised; scanning tools index them within hours of exposure.
| Attribute | Open Inbound Port / Port Forwarding | VPN-Based Access | Outbound-Only Gateway |
|---|---|---|---|
| Inbound firewall rules required | Yes — permanently exposed | Yes — VPN concentrator exposed | None |
| Attack surface visible to internet scans | Full service exposed | VPN endpoint (frequent CVE target) | Nothing listening |
| Credential theft impact | Direct device access | Full network access once inside | Platform access only, governed by RBAC |
| Works over cellular / dynamic IP | Poorly (needs static IP) | Sometimes (keepalive issues) | Yes — designed for it |
| Ongoing IT maintenance | Low but dangerous | High — patching, certs, user churn | Minimal |
| IEC 62443 zone/conduit fit | Violates the model | Acceptable with compensating controls | Aligns naturally |
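A way to check the "deny all inbound" claim against a real boundary firewall, as an added example that is not from the original page or any vendor's tooling. It assumes an `iptables-save` export, an OT-facing interface named `ot0`, and port 443 for the gateway's outbound TLS; the ruleset is constructed.

```python
import shlex

OT_IFACE = "ot0"  # assumption: firewall interface facing the OT zone

# Constructed iptables-save excerpt (not from the page): Modbus TCP and VNC
# forwarded inbound next to the one outbound TLS rule a gateway needs.
SAMPLE_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ot0 -o wan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i wan0 -o ot0 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -i wan0 -o ot0 -p tcp -m tcp --dport 5900 -j ACCEPT
"""

FLAGS = {"-i": "in", "-o": "out", "--dport": "dport",
         "--ctstate": "ctstate", "-j": "target"}

def parse_rule(line):
    """Pick the few match fields this audit needs out of one -A line."""
    tokens = shlex.split(line)
    return {FLAGS[t]: tokens[i + 1]
            for i, t in enumerate(tokens[:-1]) if t in FLAGS}

def audit_forward_chain(ruleset):
    """Return findings for anything that lets a NEW connection into OT."""
    findings = []
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(("default-policy", policy))
        elif line.startswith("-A FORWARD"):
            rule = parse_rule(line)
            if rule.get("target") != "ACCEPT":
                continue
            # No --ctstate match means the rule also accepts NEW connections.
            admits_new = "NEW" in rule.get("ctstate", "NEW").split(",")
            # No -o match means the rule applies to every egress interface.
            reaches_ot = rule.get("out", OT_IFACE) == OT_IFACE
            from_ot = rule.get("in") == OT_IFACE
            if admits_new and reaches_ot and not from_ot:
                findings.append(("inbound-accept", rule.get("dport", "any")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_forward_chain(SAMPLE_RULES):
        print(kind, detail)
```

The parser ignores `!` negation, the older `-m state --state` match, and jumps to user-defined chains, so an empty result on a ruleset that uses those still needs a manual read.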
The Merobix gateway works on the outbound-only model: a small device ($300–$800) sits inside the OT network, polls PLCs, RTUs, and flow computers locally over Modbus, EtherNet/IP, and the platform's other drivers — 20 protocol drivers across 7 protocol families — and pushes encrypted data outbound to the platform. Zero inbound firewall rules, no static IP, no VPN concentrator to patch, and it behaves the same on plant Ethernet or a cellular modem in the Permian Basin.
At the top of the security range (SL3–SL4 environments such as nuclear or defense), hardware data diodes enforce one-way data flow physically rather than logically. They are the gold standard for unidirectional monitoring, but cost thousands of dollars per link and rule out any remote configuration — most operators reserve them for the small number of conduits that genuinely require them.
Role-based access control means every user gets a named account with a role that defines exactly what they can see and do — which sites, which screens, which setpoints, and whether they can write to the process at all. In OT, RBAC matters most on the control path: a contractor who needs to view compressor trends should not inherit the ability to change a shutdown setpoint. Shared "operator" logins, still common on legacy HMIs, make incident forensics impossible and violate the least-privilege requirement in every security framework.
What to look for, in ascending order of maturity:
Merobix ships RBAC and MFA as standard platform behavior, and the Enterprise plan adds LDAP/SAML SSO, RADIUS, FIDO2 hardware keys, and zero-trust access policies — the full matrix is on the plans page. Ignition, AVEVA, and FactoryTalk all support role-based security, typically through gateway configuration or Windows Active Directory integration; the evaluation question is how much of it is enforced by default versus left to the integrator.
When a setpoint changes at 2 AM, you need to know who changed it, from where, and what the previous value was. A security-grade audit log records every login, failed login, configuration change, setpoint write, and alarm acknowledgment against a named user, with timestamps that cannot be edited after the fact. This is what turns a security incident from a mystery into a timeline — and it is what regulators and insurers ask for first.
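One common way to make such a log tamper-evident is a hash chain whose latest hash is stored off-box, shown here as an added example that is not from the original page and not any vendor's implementation. The field names, users, addresses, and tag are constructed, and the scheme assumes the head hash is exported somewhere an attacker on the SCADA host cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed value chained into the first entry

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, record):
    """Append a record bound to its predecessor; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return log[-1]["hash"]

def verify(log, anchored_head=None):
    """Return -1 if intact, else the index of the first entry that fails.
    len(log) means the chain is self-consistent but does not end at the
    externally stored head (truncated, or rewritten and re-hashed)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return -1

def build_sample_log():
    """Constructed events covering the record types named above."""
    log = []
    events = [
        {"ts": "2024-05-01T01:58:10Z", "user": "jdoe", "src": "10.20.0.15",
         "action": "login_failed"},
        {"ts": "2024-05-01T01:58:41Z", "user": "jdoe", "src": "10.20.0.15",
         "action": "login"},
        {"ts": "2024-05-01T02:00:03Z", "user": "jdoe", "src": "10.20.0.15",
         "action": "setpoint_write", "tag": "PSHH-101", "old": 950, "new": 1200},
        {"ts": "2024-05-01T02:04:30Z", "user": "asmith", "src": "10.20.0.22",
         "action": "alarm_ack", "tag": "PSHH-101"},
    ]
    head = None
    for event in events:
        head = append_event(log, event)
    return log, head
```

Editing a timestamp in place breaks the chain at that entry; re-hashing the whole file to hide the edit passes the internal check but fails against the stored head, which is why the head has to live outside the host.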
The next step up is SIEM integration: streaming those security events into the same Splunk, Sentinel, or QRadar console your IT security team already watches, so OT stops being a blind spot in enterprise monitoring. Merobix logs every user action platform-wide, and the Enterprise plan adds SIEM export alongside its zero-trust integrations and hot standby redundancy. Alarm delivery itself is part of the security story too — Merobix pushes SMS and email alerts in under 30 seconds, so an intrusion-related process anomaly reaches a human before it becomes an incident.
Some facilities — by policy, regulation, or risk appetite — will not connect OT data to the cloud at all. For them, the deciding question is whether a modern platform can run entirely inside the fence. Merobix is sold both ways: the same platform that runs cloud-hosted can be installed on customer servers or virtual machines on-premise, fully air-gapped compatible, with complete data residency. You keep the modern web interface, historian, and alarm engine without any external dependency.
Be honest about the trade-offs before choosing the air gap. You give up remote access from outside the gap, vendor-managed patching becomes a controlled offline update process, and redundancy is your responsibility (Enterprise deployments support hot standby redundancy for exactly this reason). Many operators land on a hybrid: safety-critical control stays isolated, while a read-only data path mirrors process data outward for remote monitoring. Our cloud vs on-premise SCADA comparison works through the decision in detail.
Most OT compromises do not use zero-days — they use years-old vulnerabilities on systems nobody dared to patch because "the SCADA server is working, don't touch it." On-premise SCADA servers routinely run end-of-life operating systems because upgrading means downtime, revalidation, and risk. That is the quiet security argument for vendor-managed platforms: with cloud-hosted Merobix, the platform is patched continuously by the vendor, and every release is validated against a suite of 2,000+ automated tests before it ships — the full engineering practice is documented on our security page. If you run on-premise or air-gapped, the discipline transfers to you: schedule offline updates, and make "when was this last patched?" a standing agenda item. If you are replacing a legacy system that can no longer be patched at all, start with our SCADA migration guide.
Take these ten questions into every vendor evaluation. The answers separate marketing from architecture in about fifteen minutes:
Fastest vendor filter: Lead with question one. A vendor who needs you to open inbound ports is asking you to weaken the OT segmentation that every other control depends on — and a vendor who answers "zero inbound rules, outbound TLS only, MFA and RBAC on by default" has done the architectural work. Merobix answers it that way; see why operators choose Merobix and the full engineering detail on the security page, or pressure-test the answers live in a guided demo.
The most secure SCADA options for OT networks combine an outbound-only gateway architecture (no open inbound firewall ports), role-based access control with multi-factor authentication, tamper-evident audit logging, SIEM integration, and an air-gapped on-premise deployment option. Merobix implements all five: its gateway makes only outbound TLS connections, MFA and RBAC are built in, every user action is audit-logged, Enterprise plans add SIEM export and zero-trust support, and the platform can run fully on-premise on customer servers, including air-gapped networks. Ignition and AVEVA can also be deployed securely, but require more configuration and integrator discipline to reach the same posture.
Most modern SCADA platforms offer some form of RBAC, but implementations vary widely. Merobix includes RBAC on every plan — administrators assign roles that control which sites, screens, and setpoints each user can view or change, and Enterprise plans add LDAP/SAML single sign-on, RADIUS, and FIDO2 hardware keys. Ignition supports role-based security through its gateway configuration, and AVEVA and FactoryTalk provide RBAC through integration with Windows Active Directory. When evaluating vendors, ask whether RBAC covers control actions (setpoint writes, command execution), not just screen visibility, and whether every action is attributed to a named user account.
The best security gateway for SCADA and ICS environments is one that makes only outbound, TLS-encrypted connections, so your OT firewall can deny all inbound traffic completely. This eliminates the most common ICS attack vector: internet-exposed inbound ports. The Merobix gateway works exactly this way — it sits inside the OT network, polls PLCs and RTUs locally, and pushes encrypted data outbound to the platform, with zero inbound firewall rules required. For the highest-security environments (IEC 62443 SL3–SL4), hardware data diodes provide physically enforced one-way data flow, at significantly higher cost and complexity.
IEC 62443 is the international series of standards for industrial automation and control system (IACS) cybersecurity. It defines four security levels (SL1–SL4) based on the sophistication of the attacker the system must resist, and separate requirements for component vendors (62443-4), system integrators (62443-3), and asset owners (62443-2). Compliance is not legally mandatory for most private operators in the US, but it is increasingly required in vendor contracts, insurance policies, and regulated sectors such as water and pipelines. When buying supervisory control software with cybersecurity features meeting industrial standards, ask vendors which 62443 security level their architecture is designed to support.
Yes. Air-gapped SCADA runs entirely on an isolated OT network with no connection to the internet or corporate IT. Merobix supports this natively: the same platform sold as cloud SCADA can be installed on customer servers or virtual machines inside the air gap, with full data residency and no external dependencies. The trade-offs are real — you lose remote access from outside the gap, and software updates must be applied through a controlled offline process — so air-gapped deployment is best reserved for facilities where policy or regulation requires it. Hybrid models keep safety-critical control air-gapped while mirroring read-only data outward.