My SCADA Architecture Stack for Secure Remote Monitoring

1. Introduction

Imagine managing a critical infrastructure that requires continuous 24/7 monitoring and real-time control. Whether it’s a complex industrial plant or a smart home system, the ability to respond to events both onsite and remotely is crucial.

SCADA systems empower users to centralize operations—offering a comprehensive dashboard that eliminates the need to check each machine manually. Simply put, “The SCADA system brings the plant to the user.”

But designing communication between the plant, servers, and remote clients isn’t just about connectivity—it’s about security. A poorly designed system can be hijacked, posing risks to mission-critical operations. With cyber threats on the rise, secure remote access is no longer optional. It’s mandatory.

In this post, I break down the exact architecture I use to create a secure, reliable, and scalable remote SCADA setup—used in both industrial plant systems and home automation prototypes.

2. Key Design Principles

  • 🔐 Zero Trust Model
    Every device and user must be authenticated and authorized. No assumptions, no blind trust.

  • 🎯 Least Privilege Access
    Users only access what they need—nothing more.

  • 🔒 Encryption at Every Level
    From tag data to client sessions, everything is encrypted—whether at rest or in transit.

  • 🛠️ Maintainability
    The system is built for easy maintenance by field engineers with minimal downtime.

  • 📈 Scalable & Reliable
    Designed to grow as operational needs expand.

  • 💡 Platform Support
    Inductive Automation’s Ignition simplifies security integration with built-in role management, scripting, and user authentication.

3. Core Components of the Stack

a. Field Layer

  • Devices: PLCs, sensors, and edge devices.

  • Protocols: OPC UA and Modbus TCP for real-time acquisition.

b. SCADA Software Layer

  • Platform: Ignition by Inductive Automation.

  • Why Ignition: Flexibility, Python scripting, Perspective module for mobile dashboards, and security-first tools.

  • Tag Management: Structured naming and UDTs for scalable, organized tags.

c. Database Layer

  • Types: MySQL or PostgreSQL depending on the site.

  • Stored Data:

    • Sensor metrics

    • Alarm history

    • Operational logs

    • User session activity

d. Networking & Remote Access Layer

🌐 Local Networking

  • Static IP assignments

  • Internal subnets and firewall restrictions

🔗 Remote Access via WireGuard VPN

My ISP uses Carrier-Grade NAT (CGNAT) and doesn’t provide a static IP—rendering traditional port forwarding ineffective. Here's the workaround:

  • 📡 VPN Server: A 24/7 Ubuntu server running WireGuard on Google Cloud (approx. $7/month). It uses a static public IP that remains fixed unless the instance restarts.

  • ⚙️ Port Forwarding: Traffic for port 8088 (Ignition’s web port) is carried inside the WireGuard tunnel to the plant’s internal SCADA server, so that port is never opened on the public IP.

  • 🖥️ Client Access:

    • Local users access directly over LAN.

    • Remote users connect to WireGuard VPN first, then use the system as if they’re on-site.

This ensures the SCADA server is never exposed to the open internet—only trusted VPN-connected clients can access it.
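The WireGuard layout described above, as an added example that is not part of the original post: a small Python script that writes the three configs (GCP server, plant gateway behind CGNAT, remote engineer client) and reviews the AllowedIPs allowlists. The tunnel subnet 10.8.0.0/24, the plant LAN 192.168.10.0/24, the public IP 203.0.113.10, the eth0 interface name and every key string are assumed placeholders. It makes two points concrete: the plant side has no ListenPort and uses PersistentKeepalive, because behind CGNAT it can only dial out and must keep that NAT mapping open for the server to reach it; and each peer's server-side AllowedIPs is a least-privilege allowlist (only the plant peer may source the plant LAN, the laptop gets a /32, and no client pulls 0.0.0.0/0 into the tunnel). Note that the MASQUERADE rule on the gateway hands packets to the plant LAN in the clear, so the tunnel's encryption ends at the gateway, not at the Ignition server; skipping TLS on 8088 relies on that LAN being trusted.

```python
# Added example, not from the original post: WireGuard configs for the three
# roles in this architecture. All keys and public IPs below are placeholders.
from typing import Dict, List, Tuple

VPN_SUBNET = "10.8.0.0/24"          # assumed tunnel subnet
SERVER_VPN_IP = "10.8.0.1"
PLANT_VPN_IP = "10.8.0.2"
PLANT_LAN = "192.168.10.0/24"       # assumed plant LAN holding the Ignition gateway
SERVER_PUBLIC_IP = "203.0.113.10"   # placeholder for the GCP static external IP
LISTEN_PORT = 51820                 # the one UDP port the post leaves open
KEEPALIVE = 25                      # seconds; keeps the CGNAT mapping alive


def _block(header: str, fields: List[Tuple[str, str]]) -> str:
    """Render one [Interface] or [Peer] section in wg-quick syntax."""
    return "\n".join([f"[{header}]"] + [f"{k} = {v}" for k, v in fields]) + "\n"


def server_config(server_priv: str, peers: List[Tuple[str, List[str]]]) -> str:
    """GCP server: listens on 51820/udp, never dials out, routes between peers.
    Each peer's AllowedIPs is the server-side allowlist of what that peer may source."""
    text = _block("Interface", [
        ("Address", f"{SERVER_VPN_IP}/24"),
        ("ListenPort", str(LISTEN_PORT)),
        ("PrivateKey", server_priv),
        # forwarding lets remote clients reach the plant LAN through wg0
        ("PostUp", "sysctl -w net.ipv4.ip_forward=1"),
    ])
    for pub, allowed in peers:
        text += "\n" + _block("Peer", [("PublicKey", pub), ("AllowedIPs", ", ".join(allowed))])
    return text


def plant_gateway_config(priv: str, server_pub: str, lan_iface: str = "eth0") -> str:
    """Plant side, behind CGNAT: no ListenPort, it always initiates, and
    PersistentKeepalive keeps the outbound NAT mapping open so the server can
    reach it at any time. MASQUERADE (assumed iptables gateway) lets LAN hosts
    answer VPN clients without a route back to the tunnel subnet."""
    nat_rule = f"iptables -t nat {{}} POSTROUTING -s {VPN_SUBNET} -o {lan_iface} -j MASQUERADE"
    return _block("Interface", [
        ("Address", f"{PLANT_VPN_IP}/24"),
        ("PrivateKey", priv),
        ("PostUp", "sysctl -w net.ipv4.ip_forward=1; " + nat_rule.format("-A")),
        ("PostDown", nat_rule.format("-D")),
    ]) + "\n" + _block("Peer", [
        ("PublicKey", server_pub),
        ("Endpoint", f"{SERVER_PUBLIC_IP}:{LISTEN_PORT}"),
        ("AllowedIPs", VPN_SUBNET),           # tunnel traffic only; plant never routes clients' networks
        ("PersistentKeepalive", str(KEEPALIVE)),
    ])


def remote_client_config(priv: str, server_pub: str, client_vpn_ip: str) -> str:
    """Engineer laptop: split tunnel, so only the tunnel subnet and the plant LAN
    go through the VPN; everything else stays on the local network."""
    return _block("Interface", [("Address", f"{client_vpn_ip}/24"), ("PrivateKey", priv)]) \
        + "\n" + _block("Peer", [
            ("PublicKey", server_pub),
            ("Endpoint", f"{SERVER_PUBLIC_IP}:{LISTEN_PORT}"),
            ("AllowedIPs", f"{VPN_SUBNET}, {PLANT_LAN}"),
        ])


def allowed_ips(config_text: str) -> List[List[str]]:
    """AllowedIPs of every [Peer] block, in order, for least-privilege review."""
    result = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            result.append([v.strip() for v in value.split(",")])
    return result


def is_split_tunnel(config_text: str) -> bool:
    """True when no peer pulls the whole internet (0.0.0.0/0 or ::/0) into the tunnel."""
    return all(cidr not in ("0.0.0.0/0", "::/0")
               for peer in allowed_ips(config_text) for cidr in peer)


def build_configs() -> Dict[str, str]:
    """Assemble all three configs with placeholder keys
    (generate real ones with `wg genkey | tee priv | wg pubkey`)."""
    server_pub = "SERVER_PUBKEY_PLACEHOLDER="
    plant_pub = "PLANT_PUBKEY_PLACEHOLDER="
    laptop_pub = "LAPTOP_PUBKEY_PLACEHOLDER="
    return {
        "server": server_config("SERVER_PRIVKEY_PLACEHOLDER=", [
            (plant_pub, [f"{PLANT_VPN_IP}/32", PLANT_LAN]),  # only the plant peer may source the plant LAN
            (laptop_pub, ["10.8.0.10/32"]),
        ]),
        "plant-gateway": plant_gateway_config("PLANT_PRIVKEY_PLACEHOLDER=", server_pub),
        "remote-client": remote_client_config("LAPTOP_PRIVKEY_PLACEHOLDER=", server_pub, "10.8.0.10"),
    }


if __name__ == "__main__":
    for name, text in build_configs().items():
        print(f"# --- {name} (split tunnel: {is_split_tunnel(text)}) ---\n{text}")
```

Each rendered config is a drop-in wg-quick file (`/etc/wireguard/wg0.conf`) once the placeholders are replaced; the server-side AllowedIPs lines are worth reviewing whenever a peer is added, since a too-wide entry there is what would let a compromised laptop key spoof plant addresses.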

e. Cloud Integration

  • Platform: Google Cloud Platform (GCP)

  • Used For:

    • Hosting the VPN server

    • Scheduled SCADA data backups

    • Future cloud-based services (dashboards, alerts, etc.)

f. Visualization Layer

  • Frontend: Ignition Perspective

  • Features:

    • Fully responsive web views

    • Role-based content filtering (Operator, Engineer, Admin)

    • Custom login screen with secure access

📸 Screenshot of login page & dashboard here

4. Security Architecture

Feature                      Implementation
---------------------------  ----------------------------------------------------------
VPN-only access              No public port exposed; access via WireGuard only
Multi-Factor Authentication  All VPN keys & cloud accounts protected with MFA
Port Restrictions            Only essential ports (e.g., 51820 for WG) are open
Let's Encrypt SSL            Skipped—VPN tunnel already encrypts traffic end-to-end
Audit Trails                 Logs of login attempts, access activity, and server uptime

5. Challenges & Solutions

🛰️ Dynamic IP & CGNAT

  • Problem: No public IP meant remote access was impossible.

  • Solution: Hosted a WireGuard VPN server on GCP with static external IP.

📶 Unstable Plant Internet

  • Problem: Occasional disconnections could interrupt service.

  • Solution:

    • Auto-reconnect features in WireGuard

    • Scheduled off-peak data backups

    • Local dashboards that still run offline
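An added example, not part of the original post, serving both the Audit Trails row in section 4 and the unstable-link problem here: a Python script that turns the output of `wg show wg0 dump` on the VPN server into an access report. It flags peers whose last handshake is older than three minutes (WireGuard rekeys roughly every two minutes, so a silent plant gateway means the plant's internet link is down), peers with a public key that is not in the expected list, and peers whose server-side AllowedIPs differ from what was provisioned. The dump text, the timestamp and all key strings are constructed placeholders; the dump's tab-separated column order is WireGuard's real format.

```python
# Added example, not from the original post: audit report from `wg show wg0 dump`.
# The sample dump, the fixed "now" and the peer keys below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

STALE_AFTER = 180   # seconds; WireGuard rekeys ~every 2 min, so >3 min means the peer is gone

# Expected peers on the server: public key -> (label, AllowedIPs provisioned for it)
EXPECTED: Dict[str, Tuple[str, Set[str]]] = {
    "PLANT_PUBKEY_PLACEHOLDER=": ("plant-gateway", {"10.8.0.2/32", "192.168.10.0/24"}),
    "LAPTOP_PUBKEY_PLACEHOLDER=": ("engineer-laptop", {"10.8.0.10/32"}),
}


@dataclass
class PeerReport:
    label: str
    public_key: str
    status: str                  # up | stale | never | unknown-peer | allowedips-mismatch
    age: Optional[int]           # seconds since the last handshake, None if never
    endpoint: str
    allowed_ips: Set[str]


def parse_dump(dump: str, now: int) -> List[PeerReport]:
    """Parse `wg show <iface> dump`: line 1 is the interface
    (private-key, public-key, listen-port, fwmark); each further line is a peer
    (public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
    transfer-rx, transfer-tx, persistent-keepalive), all tab-separated."""
    reports: List[PeerReport] = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = line.split("\t")
        allowed_set = set(allowed.split(","))
        ts = int(handshake)                      # 0 means no handshake ever
        age = None if ts == 0 else now - ts
        if pub not in EXPECTED:
            label, status = "?", "unknown-peer"  # key present on the server but never provisioned
        else:
            label, expected_ips = EXPECTED[pub]
            if allowed_set != expected_ips:
                status = "allowedips-mismatch"   # someone widened or narrowed the allowlist
            elif age is None:
                status = "never"
            elif age > STALE_AFTER:
                status = "stale"
            else:
                status = "up"
        reports.append(PeerReport(label, pub, status, age, endpoint, allowed_set))
    return reports


def plant_link_up(reports: List[PeerReport]) -> bool:
    """True if the plant gateway has handshaked recently, i.e. its internet link is alive."""
    return any(r.label == "plant-gateway" and r.status == "up" for r in reports)


def findings(reports: List[PeerReport]) -> List[str]:
    """Everything that is not a healthy, expected peer, one line each for the audit log."""
    return [f"{r.status}: {r.label} ({r.public_key[:12]}...) endpoint={r.endpoint} "
            f"allowed={sorted(r.allowed_ips)} age={r.age}"
            for r in reports if r.status != "up"]


# Constructed sample: plant gateway handshaked 45 s ago, laptop 25 min ago,
# and a third key nobody provisioned is still configured on the server.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PLANT_PUBKEY_PLACEHOLDER=", "(none)", "198.51.100.77:41921",
               "10.8.0.2/32,192.168.10.0/24", str(NOW - 45), "88120", "913004", "25"]),
    "\t".join(["LAPTOP_PUBKEY_PLACEHOLDER=", "(none)", "192.0.2.33:55120",
               "10.8.0.10/32", str(NOW - 1500), "5120", "4096", "off"]),
    "\t".join(["STRANGER_PUBKEY_PLACEHOLDER=", "(none)", "(none)",
               "10.8.0.99/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    reps = parse_dump(SAMPLE_DUMP, NOW)
    print("plant link up:", plant_link_up(reps))
    for line in findings(reps):
        print(line)
```

On the real server this would be run from cron with `subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout` and `int(time.time())` in place of the sample; the "stale" result for the plant gateway is the signal to raise an alert, while "unknown-peer" or "allowedips-mismatch" means the server's peer list has drifted from what was provisioned and should be reconciled.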

6. Conclusion

This architecture brings together open-source tools, cloud infrastructure, and hardened access control to enable seamless and secure remote monitoring.

It’s reliable, adaptable, and most importantly—safe from unauthorized access. Whether you’re managing an industrial plant or experimenting with smart home automation, this SCADA stack can scale with you.

7. Call to Action

Want to build your own secure SCADA remote setup?

  • 🔧 Learn to configure WireGuard for SCADA [Coming Soon]

  • 🧩 Explore Ignition Perspective Dashboard Design [Coming Soon]

  • 📬 Need help or have questions? Reach out via my contact page