How to Get OT Security Sign-Off on a New SCADA Integration

Read-only API access sounds safe. Your OT security team still has 12 questions. Here is how most of those conversations go.

March 28, 2025 · 11 min read · Security

Adding an operational intelligence layer on top of your SCADA systems is straightforward in theory. You point a read-only connection at your OPC-UA server or historian API, data flows out, anomaly detection runs on it. Nothing touches the control architecture. No new hardware on the OT network.

In practice, getting approval from the OT security team takes two to eight weeks and involves a set of questions that repeat at nearly every industrial facility we work with. This article documents those questions and the responses that tend to move the approval process forward.

The underlying principle: OT security teams are not obstructionist. They are protecting infrastructure where a security failure has physical consequences - production stoppage, equipment damage, or in some sectors, safety incidents. The review process exists for good reason. The goal is to give the security team what they need to make an informed decision efficiently.

The OT/IT Boundary Is Where the Friction Lives

Most industrial facilities have an OT-DMZ separating the control network from the enterprise IT network. SCADA servers sit inside or adjacent to this zone. Any connection that crosses the boundary - even read-only - requires review by whoever owns the OT network security policy. In larger organizations, that may be a dedicated OT security team. In mid-size manufacturers, it's often the IT director and the plant manager jointly.

The Purdue Model for industrial control system security describes five levels from physical process (Level 0) to enterprise IT (Level 4). The OT-DMZ sits at Level 3.5, where supervision and operations handoff occurs. Data moving from Level 2 (supervisory control, SCADA) to Level 4 (enterprise systems, cloud) must traverse this boundary. Every new traversal is a potential attack vector that requires documentation.

The 12 Questions (And What Answers Move Things Forward)

These are the questions OT security teams ask most frequently. Having answers prepared before the first meeting reduces review time significantly.

1. Does your system write to our SCADA or control systems?

This is the first and most important question. The answer must be unambiguous: no. Relynk uses read-only credentials and read-only API endpoints. The architecture review document should include a network diagram showing one-way data flow from historian to the Relynk cloud connector, with no return path to the control network.

2. What network ports does the connection require?

OPC-UA uses port 4840 by default (TCP). MQTT over TLS uses port 8883. REST API connections use 443 (HTTPS). Security teams want to know exactly which ports to open on the OT-DMZ firewall and which direction (outbound only from the historian server to the cloud connector). Outbound-only connections are significantly easier to approve than bidirectional ones.
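A firewall change request can be checked against that stated design before it reaches the review meeting. The sketch below is an added example, not Relynk code; the `Rule` record, the `review` function and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ports named in the article (all TCP).
ALLOWED_PORTS = {4840: "OPC-UA", 8883: "MQTT over TLS", 443: "HTTPS"}


@dataclass(frozen=True)
class Rule:
    direction: str  # "outbound": initiated from inside the OT-DMZ; "inbound": from outside
    src: str
    dst: str
    proto: str
    port: int       # destination port


def review(rules, historian, connector):
    """Return (rule, reasons) for every rule that departs from the stated design."""
    findings = []
    for rule in rules:
        reasons = []
        if rule.direction != "outbound":
            reasons.append("not outbound: session is initiated toward the OT-DMZ")
        elif rule.src != historian:
            reasons.append("source is not the historian server")
        elif rule.dst != connector:
            reasons.append("destination is not the cloud connector")
        if rule.proto != "tcp" or rule.port not in ALLOWED_PORTS:
            reasons.append(f"{rule.proto}/{rule.port} is not a documented port")
        if reasons:
            findings.append((rule, reasons))
    return findings


# Constructed change request; addresses come from the RFC 5737 documentation ranges.
HISTORIAN, CONNECTOR = "192.0.2.10", "203.0.113.20"
REQUEST = [
    Rule("outbound", HISTORIAN, CONNECTOR, "tcp", 443),
    Rule("outbound", HISTORIAN, CONNECTOR, "tcp", 8883),
    Rule("inbound", CONNECTOR, HISTORIAN, "tcp", 4840),  # return path into the OT-DMZ
    Rule("outbound", HISTORIAN, "any", "tcp", 443),      # destination too broad
    Rule("outbound", HISTORIAN, CONNECTOR, "tcp", 22),   # undocumented port
]

if __name__ == "__main__":
    for rule, reasons in review(REQUEST, HISTORIAN, CONNECTOR):
        print(rule, "->", "; ".join(reasons))
```
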

3. Where does the data go after it leaves our network?

Provide the cloud hosting region, the data residency policy, and whether the data is processed on shared or dedicated infrastructure. For US manufacturing facilities, confirming data does not leave US-based AWS or Azure regions is often sufficient. For defense contractors or critical infrastructure, a private cloud or on-premise deployment option is typically required.

4. How is the connection authenticated?

OPC-UA supports certificate-based authentication with X.509 certificates. This is the preferred method for OT security teams because it eliminates username/password credentials on the control network. Provide the certificate management process: how certificates are issued, renewed, and revoked if the connection needs to be terminated.

5. What is your security certification status?

ISO 27001 certification covers information security management and is the most commonly requested certification for vendors connecting to industrial networks. SOC 2 Type II reports (available on the Enterprise plan) provide additional assurance for US-based security teams. Have the certificate itself available for review, not just a claim of certification.

6. Has the product been penetration tested?

Annual third-party penetration testing is standard for enterprise software vendors. Provide the testing firm name, date of most recent test, and the scope of the test. Most security teams will not request the full report but want to confirm an independent assessment was done.

7. What happens if the connection to your system goes down?

OT security teams need to know the failure mode. If the cloud connection drops, does it affect SCADA operation? The answer should be no - Relynk is purely read-only and has no control path. The SCADA historian continues writing data; Relynk simply reconnects when connectivity resumes and backfills missing data. The OT network is unaffected by any cloud-side outage.

8. Can we terminate the connection immediately if needed?

Yes. The firewall rule for the outbound historian connection can be removed at any time. The OT security team retains full control over whether the data leaves the network. This is a standard condition to include in the vendor agreement: the facility can terminate the data connection without any impact on SCADA or production.

9. Which tags / nodes are being read?

Provide an explicit tag list during onboarding. The security team wants to confirm that only operational sensor data (vibration, temperature, flow rate, pressure) is being read - not control setpoints, safety interlock states, or any data that could provide meaningful insight into the facility's control logic. A tagged OPC-UA namespace screenshot is usually sufficient for this review.
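The tag list review, together with the read-only claim from question 1, can be backed by an automated check of the exported list. This is an added example, not Relynk code: the CSV columns, the `audit` function, the name tokens and the sample tags are assumptions, while the access-level bit values are those defined for the OPC UA `UserAccessLevel` attribute.

```python
import csv
import io
import re

# OPC UA AccessLevel / UserAccessLevel bit flags (OPC UA Part 3).
CURRENT_READ, CURRENT_WRITE, HISTORY_READ, HISTORY_WRITE = 0x01, 0x02, 0x04, 0x08

# Hypothetical name tokens for data that should stay out of scope;
# replace with the site's own tag-naming convention.
CONTROL_TOKENS = {"sp", "setpoint", "interlock", "trip", "esd"}


def audit(tag_csv):
    """Return {node_id: [reasons]} for tags that do not fit a read-only sensor list."""
    findings = {}
    for row in csv.DictReader(io.StringIO(tag_csv)):
        level = int(row["user_access_level"])
        reasons = []
        if level & (CURRENT_WRITE | HISTORY_WRITE):
            reasons.append("service account can write this node")
        tokens = {t.lower() for t in re.split(r"[._/]", row["browse_name"])}
        if tokens & CONTROL_TOKENS:
            reasons.append("name suggests a setpoint or safety interlock")
        if reasons:
            findings[row["node_id"]] = reasons
    return findings


# Constructed export: UserAccessLevel as seen by the connector's service account.
TAG_EXPORT = """\
node_id,browse_name,user_access_level
ns=2;s=Line1.Pump3.Vibration,Line1.Pump3.Vibration,5
ns=2;s=Line1.Pump3.Temperature,Line1.Pump3.Temperature,1
ns=2;s=Line1.Pump3.Flow.SP,Line1.Pump3.Flow.SP,1
ns=2;s=Line1.Boiler.Pressure,Line1.Boiler.Pressure,3
ns=2;s=Line1.Boiler.Interlock.State,Line1.Boiler.Interlock.State,1
"""

if __name__ == "__main__":
    for node_id, reasons in audit(TAG_EXPORT).items():
        print(node_id, "->", "; ".join(reasons))
```

An empty result means every listed node is read-only for the service account and none matches the out-of-scope name tokens.
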

10. Is data encrypted in transit and at rest?

All data in transit uses TLS 1.3. Data at rest is encrypted with AES-256. These are standard requirements that most vendors meet, but have the encryption specification documented in the architecture overview rather than requiring the security team to ask for it separately.

11. How long is our data retained and who can access it?

Provide the data retention period (12 months on Starter, 36 months on Professional, custom on Enterprise), access control model (tenant isolation), and data deletion policy when a contract ends. Security teams at larger organizations will also ask about subprocessors - third-party cloud services that the vendor uses to store or process data.

12. Do we need to install anything on our SCADA server?

No. Relynk connects via the SCADA system's existing API or OPC-UA endpoint. No agent, no software installation, no configuration change to the historian. This is the most important architectural distinction for OT security approval - nothing new runs on infrastructure that the OT team is responsible for protecting.

The Documents That Accelerate Approval

Having these documents prepared before the first security review meeting reduces back-and-forth significantly:

  • Network architecture diagram showing data flow from historian to cloud connector, with firewall placement and port requirements labeled
  • Data flow documentation showing what data is read, at what frequency, and where it goes
  • ISO 27001 certificate (current, dated within the last 12 months)
  • Penetration test summary (firm name, date, scope)
  • Vendor security questionnaire responses - most enterprise OT teams have a standard vendor security questionnaire; filling it out completely before being asked saves a review cycle
  • Reference to a comparable deployment - an existing customer in the same industry who has completed OT security review at a comparable facility

What "Two Weeks" Actually Means

The fastest OT security approvals Relynk has seen took five business days. The typical range is two to four weeks. Longer timelines usually result from document requests that require multiple back-and-forth cycles or from security reviews that go into a queue managed by a central IT/OT governance committee.

The most common delay is the security questionnaire. If the vendor can't produce a completed security questionnaire on first request, the review process typically restarts at the beginning of the next committee cycle - often another two weeks.

One practice that consistently reduces review time: involve the OT security team in the vendor selection process before a purchase decision is made. A brief security review of shortlisted vendors - even just a document review - means the approval process is nearly complete by the time a contract is signed.

Security documentation for your review team

Relynk provides a complete security documentation package including architecture diagrams, ISO 27001 certificate, and penetration test summary. Request it as part of your demo conversation.
