
Securing the OT/IT boundary without blocking the data

Plant data has to reach the cloud, but the control network must never become reachable in return. The fix is to make the data flow strictly one way — out — and to prove it.

Every monitoring, forecasting or reporting platform needs the same thing from the plant: its telemetry. The instinct is to open a path to the SCADA historian or poll the PLCs directly — and that is how control systems end up reachable from the internet. The data still has to leave; the question is how to let it out without letting anything in, and without loading the controllers.

A connector that cannot write cannot be turned into a way to move the plant.

Make the data flow one way, outbound only

The safest connector reads and sends, and can do nothing else. It polls the historian or an OPC UA server, or subscribes to Modbus or MQTT, and pushes readings outbound over an authenticated, encrypted session it opens itself. It exposes zero inbound ports on the control network: the cloud never dials the plant, the plant dials out. With no listening service, there is nothing for an attacker to scan or reach.

Read-only is the other half. The connector authenticates to SCADA or the PLC gateway with credentials scoped to read tags and registers only. Even if its host is compromised, it has no path to change a setpoint, trip a breaker or flash firmware. High-frequency polling is also load on the controller, so we rate-limit, batch and back off — telemetry must never become a denial-of-service on the kit it is meant to watch.

Segment the network, then scope the access

Put a DMZ between the OT and IT worlds and let nothing cross it directly. The control network writes only to a broker or data diode in the DMZ; the connector that ships data onward lives on the IT side and reads only from there. No session originates in the enterprise network and ends on a PLC. This is the IEC 62443 model in practice: zones separated by conduits that carry the minimum traffic on named protocols and ports.

Least privilege then covers every account, certificate and firewall rule in that chain. The connector gets one read-only identity, one destination, one protocol; outbound rules permit that single endpoint and deny the rest, so a compromised host cannot exfiltrate to an arbitrary address. Certificates are short-lived and rotated, and every session is logged — an auditable record of what left the plant, when, and to where.
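The connector behaviour described in the two sections above (read-only polling that is rate-limited, batched and backed off; a single allowed egress endpoint; one audit line per push) as an added example in Python. It is not code from the original article; the hostname, policy values and the injected read/send callables are placeholders so it runs offline.

```python
import json
import time
from typing import Callable

# Constructed policy for one connector: a single egress endpoint (placeholder host),
# a floor on the poll interval, and a batch size. No inbound listener is configured at all.
POLICY = {
    "egress": ("ingest.cloud.example", 443),
    "min_poll_interval_s": 5.0,   # never poll the historian/PLC gateway faster than this
    "batch_size": 50,
}

def egress_allowed(host: str, port: int) -> bool:
    """Outbound allow-list: only the one configured destination may be dialled."""
    return (host, port) == POLICY["egress"]

def make_batches(readings: list, size: int) -> list:
    """Group polled readings so one outbound session carries many samples."""
    return [readings[i:i + size] for i in range(0, len(readings), size)]

class Backoff:
    """Exponential back-off: a failing push must reduce polling load, never raise it."""
    def __init__(self, base: float = 1.0, cap: float = 300.0):
        self.base, self.cap, self.failures = base, cap, 0
    def delay(self) -> float:
        d = min(self.cap, self.base * 2 ** self.failures)
        self.failures += 1
        return d
    def reset(self) -> None:
        self.failures = 0

def audit_record(batch: list, dest: tuple, ts: float) -> str:
    """One log line per push: what left the plant, when, and to where."""
    return json.dumps({"ts": ts, "dest": f"{dest[0]}:{dest[1]}", "count": len(batch),
                       "tags": sorted({r["tag"] for r in batch})})

def ship_once(dest: tuple, read_tags: Callable[[], list], send: Callable[[str, int, list], bool],
              backoff: Backoff, audit: list, now: float = None) -> float:
    """One connector cycle: read, batch, push outbound, log. Returns seconds to wait before the next poll."""
    if not egress_allowed(*dest):
        raise PermissionError(f"egress to {dest} denied by allow-list")
    ts = time.time() if now is None else now
    readings = read_tags()            # read-only source; this code has no write path at all
    for b in make_batches(readings, POLICY["batch_size"]):
        if not send(*dest, b):        # connector opens the session outward; the cloud never dials in
            return max(POLICY["min_poll_interval_s"], backoff.delay())
        audit.append(audit_record(b, dest, ts))
    backoff.reset()
    return POLICY["min_poll_interval_s"]
```

In a real deployment `read_tags` wraps the read-only OPC UA/Modbus/historian client and `send` wraps the TLS session to the broker or ingest endpoint; the allow-list check is the code-level counterpart of the single-endpoint outbound firewall rule.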

If a connector needs an inbound firewall rule into the control network to work, the design is backwards — invert it so the plant dials out.

Getting plant data out safely is not a trade-off against security; it is the same job. Read-only and outbound-only by design, a real DMZ, least privilege throughout and full logging give you queryable time-series data and an OT network that stays unreachable. That boundary is what we build and harden as part of our integration work.

Need plant data out without opening the plant?

If you are weighing how to stream SCADA or PLC telemetry to the cloud without exposing control systems, let's talk through a connector and segmentation design that fits your site.