This alone gives operations teams more real-time visibility than ninety percent of industrial plants have today. When a plant director opens the dashboard from their phone and sees four red parameters and twelve amber parameters out of 249 total, they know exactly where to direct attention – without calling the control room and waiting for someone to read numbers off a screen.
This is not a six-month capital project. If your DCS or PLC is already running, you already have ninety percent of what you need. The remaining ten percent is software that reads the data, stores it briefly, classifies it, and shows it on a screen – securely.
Third, set up a test OPC client on a separate machine connected to the plant network and confirm you can read live tag values in real time without affecting the running process.
Build a web-based frontend – React, Vue, Angular, or even plain HTML with JavaScript – that displays every monitored parameter with its current classification state. Users navigate by plant area, see which tags are in caution or critical status, and can open a 24-hour trend chart for any individual parameter to understand the trajectory.
Here is how to fix that – without opening your plant network to cyber risk.
Serve it over HTTPS with TLS 1.3. Implement role-based authentication – administrators adjust threshold values and manage user accounts, while read-only viewers see dashboards but cannot modify any configuration. Log every login event and every configuration change to a tamper-resistant audit trail.
Second, check what OPC server your control system exposes. Most major DCS platforms support OPC DA or OPC UA natively, with no additional licensing required.
Why Most Monitoring Setups Get Security Wrong
The data sits on a SCADA screen in one room, watched by one or two operators per shift. Everyone else – the plant head sitting in another city, the maintenance manager on a different floor, the operations lead covering the night shift from home – is completely blind. They have no view into what the plant is doing right now.
Once you have live visibility across your entire operation, you are one step closer to predictive maintenance systems that catch equipment failures before they happen, turning reactive firefighting into proactive asset management.
No PLC reprogramming. No rewiring. No production downtime.
For every monitored parameter, define a high limit and a low limit based on your operating manual, OEM equipment specifications, or process engineering standards. Then run a simple check against every incoming data point:
- Network isolation. The monitoring layer reads data from the DCS or PLC, but it must sit on a completely separate network segment. There should be no routable path from the internet to your controllers. A unidirectional data flow – where the OPC client pulls data out of the control system but nothing can push commands back in – is the gold standard. This ensures that even if the monitoring server is compromised, the attacker cannot reach the control layer.
- Encrypted transport. TLS 1.3 on every connection between the database, the dashboard server, and any user accessing it remotely. No exceptions for “internal” traffic. Internal networks get breached too.
- Role-based access control. Every user authenticated individually. Administrators can adjust thresholds and manage viewer accounts. Read-only users see dashboards but cannot change any configuration. Every login and every configuration change must be logged to an immutable audit trail for compliance and forensic purposes.
- Bounded data retention. A 24-hour rolling data window means your monitoring database holds enough trend data for shift reviews and drift detection, but not months of historical records sitting on a server. Smaller data footprint means less to steal, faster queries, and simpler backup procedures. If long-term archival is needed for regulatory compliance, that data should live on a separate, air-gapped storage system – not on the live monitoring stack.
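The access-control and audit-trail principles above, plus the TLS 1.3 floor on the dashboard listener, as an added Python example (this is not code from the article or from the deployment it describes). The role names, the permission set, the tag name and the certificate paths are assumptions; the audit trail is an in-memory hash chain, which is the simplest way to make a log verifiably tamper-evident before it is shipped to a separate, write-once store.

```python
import hashlib
import json
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Role -> allowed actions (hypothetical role names; adapt to the plant's org chart)
ROLE_PERMISSIONS = {
    "admin": {"view_dashboard", "set_threshold", "manage_users"},
    "viewer": {"view_dashboard"},
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only, hash-chained audit trail: each entry commits to the digest of the
    previous one, so silently editing or deleting an earlier record breaks verify()."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, action: str, detail: dict,
               ts: Optional[datetime] = None) -> str:
        ts = ts or datetime.now(timezone.utc)
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"ts": ts.isoformat(), "user": user, "action": action,
                "detail": detail, "prev": prev}
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        """Re-walk the chain; False if any record was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def authorize(audit: AuditLog, user: str, role: str, action: str, detail: dict) -> bool:
    """Decide and record. Denied attempts are logged too: they are the forensic signal."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    audit.append(user, action, dict(detail, allowed=allowed))
    return allowed


def set_threshold(audit: AuditLog, user: str, role: str,
                  thresholds: Dict[str, Tuple[float, float]],
                  tag: str, low: float, high: float) -> None:
    """Only an admin may change a limit; every attempt lands in the audit trail."""
    detail = {"tag": tag, "low": low, "high": high}
    if not authorize(audit, user, role, "set_threshold", detail):
        raise PermissionError(f"{user} ({role}) may not change thresholds")
    thresholds[tag] = (low, high)


def harden_tls_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Refuse anything below TLS 1.3, for internal and remote clients alike."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def tls13_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    ctx = harden_tls_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(certfile, keyfile)  # deployment-specific paths (placeholders)
    return ctx
```

The `allowed` flag is written for denied attempts as well as successful ones, so a viewer account repeatedly trying to change thresholds shows up in the trail rather than being dropped on the floor.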
The Four Components You Actually Need
Most factories have sensors on everything. Boilers, turbines, pumps, fans, conveyor belts. Hundreds of them, sometimes thousands.
First, list your most critical parameters. Start with 50, not 500. Pick the ones where an out-of-range value means production stops or safety is at risk.
1. An OPC Client to Pull Data From Your Existing Control System
Each record is a timestamp, a tag identifier, and a numeric value. At 500 tags polled every five seconds, that works out to roughly 8.6 million rows per day. Any modern database running on commodity hardware handles this without breaking a sweat.
You just need a client to read those tags. Tools like Matrikon OPC Explorer, KepServerEX, or Prosys OPC UA Browser can connect to most control systems without touching the controller configuration. The critical detail: this is strictly read-only access. You are not writing to any tags, not changing setpoints, not interfering with any control loop. The OPC client simply reads the current value of each tag at a defined polling interval – typically every two to five seconds – and passes it downstream to your database.
And almost nobody can see what those sensors are saying.
2. A Local Database With a Short Memory
These rules apply whether you deploy on-premise or in a private cloud environment. The internationally recognized framework for industrial control system security provides a comprehensive standard for industrial cybersecurity architecture that covers all of these principles in detail.
Before getting into the architecture, it is worth understanding the most common mistake teams make when adding remote monitoring to an industrial plant.
No machine learning. No neural networks. No training data. No model tuning. Just three states, color-coded red, amber, and green. This is basic threshold logic – a series of if-else comparisons that any competent developer can implement in an afternoon.
3. A Classification Engine That Does Exactly One Job
The entire stack – OPC client, database, classification engine, and web server – can run on a single physical server inside your plant network, or in a secured private cloud environment accessible only through a corporate VPN. No public-facing endpoints. No exposed ports. No attack surface beyond what you explicitly authorize.
- Critical – the current value is outside the acceptable operating band right now. This parameter needs immediate attention.
- Caution – the current value is inside the acceptable band, but it crossed a limit at some point during the last 24 hours. Something drifted and recovered, or the parameter is trending toward a boundary. Worth watching.
- Ideal – everything is within normal range. No action needed.
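The three-state threshold logic described above, as an added Python example rather than code from the article or its deployment. Tag names and limits are constructed; the one design decision not stated in the text, and marked as an assumption in the code, is that a non-numeric or NaN reading (dead sensor, comms fault) is treated as out of band rather than silently shown green, and that a tag with no readings yet is shown amber.

```python
import math
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Tuple

CRITICAL, CAUTION, IDEAL = "critical", "caution", "ideal"


@dataclass
class TagMonitor:
    """Threshold classifier for one tag; limits come from the operating manual or OEM spec."""
    tag: str
    low: float
    high: float
    window: timedelta = timedelta(hours=24)
    # rolling history of (timestamp, was_in_band) pairs, trimmed to the window
    history: Deque[Tuple[datetime, bool]] = field(default_factory=deque)

    def in_band(self, value) -> bool:
        # Assumption: a NaN/inf or non-numeric reading counts as out of band,
        # so a failed sensor cannot show as "ideal".
        if not isinstance(value, (int, float)) or not math.isfinite(value):
            return False
        return self.low <= value <= self.high

    def update(self, ts: datetime, value) -> str:
        """Record one polled sample and return the tag's current state."""
        self.history.append((ts, self.in_band(value)))
        cutoff = ts - self.window
        while self.history and self.history[0][0] < cutoff:
            self.history.popleft()
        return self.classify()

    def classify(self) -> str:
        if not self.history:
            return CAUTION  # assumption: never-read tag is amber, not green
        if not self.history[-1][1]:
            return CRITICAL  # outside the band right now
        if any(not ok for _, ok in self.history):
            return CAUTION  # crossed a limit within the window, then recovered
        return IDEAL


def dashboard_counts(monitors: Iterable[TagMonitor]) -> Dict[str, int]:
    """The red/amber/green totals a plant director sees on the summary screen."""
    counts = {CRITICAL: 0, CAUTION: 0, IDEAL: 0}
    for m in monitors:
        counts[m.classify()] += 1
    return counts
```

Because the history only stores a boolean per sample, memory per tag is bounded by the window length divided by the polling interval (17,280 entries for a 5-second poll), independent of how noisy the values are.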
The result: plant leadership could see every parameter from any device, anywhere, in real time. Shift handovers transformed from verbal summaries and paper logs to shared digital dashboards where incoming operators could instantly see what had drifted, what had alarmed, and what was trending toward a limit. Parameters that had been quietly drifting for weeks – unnoticed because nobody happened to be watching that specific screen at that specific moment – were caught within hours of the system going live.
The solution used this exact four-component architecture: OPC data acquisition pulling from both DCS systems simultaneously, a SQL Server database with 24-hour rolling retention, three-state classification running against every incoming data point, and a React-based dashboard with role-based access control, TLS 1.3 encryption, and comprehensive audit logging. The entire system went from contract to production in 30 days.
Most teams bolt on remote access as an afterthought. They open ports directly to the SCADA network, expose HMI screens to the corporate LAN, or pipe raw tag data to a cloud dashboard with no access control. Every one of these shortcuts is a security hole – and in an industrial environment, a security hole is not just a data breach. It can mean someone gaining write access to a controller that manages a 60-tonne boiler or a high-pressure steam turbine.
4. A Secure Web Dashboard With Access Control
The data already exists inside your plant. Your sensors are already measuring. Your DCS is already logging. The only thing missing is getting that information out of a single control room and onto every screen that matters – securely, without compromising the operational network that keeps your plant running.
This is why security cannot be a “Phase 2” item. It has to be baked into the foundation from day one.
If your plant has a DCS or PLC with an OPC server, you can start this week:
This Works in the Real World
Your DCS already exposes process tags through an OPC server. This open interoperability standard for industrial communication – originally “OLE for Process Control,” now maintained as an open standard by the OPC Foundation – is a communication protocol that virtually every industrial control system supports out of the box. Honeywell Experion, ABB 800xA, Siemens PCS 7, Yokogawa CENTUM – all of them expose an OPC interface.
Configure automatic deletion of anything older than your retention window. The result is a small, fast database with predictable storage requirements and straightforward backup procedures. If you need long-term historical data for compliance or analytics, route that to a separate archival system that does not sit on the same network as your live monitoring stack.
Then something breaks. A bearing overheats. A pressure line drifts past its limit. A boiler trips at 2 AM. And the first question from leadership is always the same: “Why didn’t we know sooner?”
What to Do Next
By Nitin Panwar, KGT Solutions
There are four non-negotiable security principles for any industrial monitoring deployment:
The machines told you. The data just never left the control room.
Fourth, build the database, classification logic, and dashboard. Or find a team that has deployed this architecture before and can get you live in weeks instead of months.
You do not need a data lake. You do not need a cloud-hosted time-series database. A simple relational database – Microsoft SQL Server, PostgreSQL, or even SQLite for smaller installations – storing the last 24 hours of tag values is sufficient for trend analysis, shift-to-shift comparison, and catching slow parameter drifts before they escalate into emergencies.
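The short-memory relational store described here and the retention purge mentioned earlier, as an added Python example on SQLite (not code from the article or its SQL Server deployment). The table layout, the timestamp format and the sample readings are constructed; the rows have the shape an OPC poller emits (timestamp, tag identifier, numeric value), and the sizing helper reproduces the 500-tags-every-5-seconds figure quoted above.

```python
import sqlite3
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Fixed-width ISO-8601 UTC timestamps so string order equals time order (assumed layout)
SCHEMA = """
CREATE TABLE IF NOT EXISTS tag_values (
    ts    TEXT NOT NULL,
    tag   TEXT NOT NULL,
    value REAL NOT NULL,
    PRIMARY KEY (tag, ts)
);
CREATE INDEX IF NOT EXISTS ix_tag_values_ts ON tag_values (ts);
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def expected_rows_per_day(tag_count: int, poll_seconds: int) -> int:
    """Sizing check: 500 tags polled every 5 s -> 8,640,000 rows per day."""
    return tag_count * (86_400 // poll_seconds)


class RollingStore:
    """Rolling 24-hour store of (ts, tag, value) rows; nothing older survives purge()."""

    def __init__(self, path: str = ":memory:",
                 retention: timedelta = timedelta(hours=24)) -> None:
        self.conn = sqlite3.connect(path)
        self.retention = retention
        self.conn.executescript(SCHEMA)

    def insert(self, records: Iterable[Tuple[datetime, str, float]]) -> None:
        # INSERT OR IGNORE makes a re-delivered poll tick idempotent
        self.conn.executemany(
            "INSERT OR IGNORE INTO tag_values (ts, tag, value) VALUES (?, ?, ?)",
            [(ts.strftime(TS_FMT), tag, value) for ts, tag, value in records],
        )
        self.conn.commit()

    def purge(self, now: datetime) -> int:
        """Delete everything older than the retention window; returns rows removed."""
        cutoff = (now - self.retention).strftime(TS_FMT)
        cur = self.conn.execute("DELETE FROM tag_values WHERE ts < ?", (cutoff,))
        self.conn.commit()
        return cur.rowcount

    def trend(self, tag: str, now: datetime) -> List[Tuple[str, float]]:
        """The 24-hour series a dashboard trend chart requests for one tag."""
        cutoff = (now - self.retention).strftime(TS_FMT)
        return self.conn.execute(
            "SELECT ts, value FROM tag_values WHERE tag = ? AND ts >= ? ORDER BY ts",
            (tag, cutoff),
        ).fetchall()

    def row_count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM tag_values").fetchone()[0]
```

Run `purge()` from a scheduled job at the polling cadence or a few times an hour; with the `ts` index the delete stays cheap, and the table never grows beyond one day of rows, which is what keeps backups small and the data-at-rest exposure bounded.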
A recent industry survey of operational technology security found that nearly half of industrial organizations experienced at least one cyber incident in the previous twelve months. The root cause is almost always the same: someone connected the plant to something without thinking about who else could get in. Once SCADA traffic touches a network with internet access, the attack surface expands from one control room to the entire world.
A sugar and power conglomerate operating two separate DCS systems across co-located plants had exactly this problem before deploying this approach. They were monitoring 249 critical process parameters across both facilities. Two operators watched everything on local SCADA screens during each shift. Plant leadership in another city had zero remote visibility. There was no trend history beyond what individual operators remembered from their shifts, and no systematic way to detect slow parameter drift between shift handovers.