Field Note · Mar 2026 · 8 min read

Multi-Site OT Networks Over SD-WAN

SD-WAN enables cost-effective multi-site networks but introduces architectural complexity in OT. Learn how to maintain security and determinism across distributed sites.


Cascadia OT Security

Founder · Managing Principal · CISSP · GICSP


Manufacturing companies with multiple sites—warehouses, distribution centers, remote production lines—have historically connected them with expensive MPLS circuits or built isolated networks at each site. SD-WAN replaces dedicated circuits with intelligent routing over commodity broadband and 4G, reducing costs dramatically. But SD-WAN in OT environments requires careful architectural thinking around latency variance, failover behavior, and maintaining security zones across geographically distributed networks.

The primary challenge is that SD-WAN makes routing dynamic and application-aware in ways that break traditional OT assumptions. Industrial protocols assume consistent latency and deterministic path selection. SD-WAN is optimized for throughput, cost, and failover speed, not for predictable control-loop timing.

Architecture for Multi-Site OT Over SD-WAN

Do not run inter-site OT control traffic directly over SD-WAN. Instead, deploy a hub-and-spoke architecture where each site has its own local network perimeter and zone structure, and inter-site communication is limited to non-real-time data: historian replication, log aggregation, and management traffic. Control commands should be executed locally at each site, not routed centrally.
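One way to check that rule against what the WAN actually carries, as an added example that is not part of the original article: the script audits a flow export and flags any control-protocol flow (Modbus TCP, EtherNet/IP, OPC UA) that crosses a site boundary. The site subnets, the CSV column names, the allow-list ports (including the historian replication port) and the sample flows are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed site addressing (constructed); substitute your own zone plan.
SITE_NETS = {"plant-a": ipaddress.ip_network("10.10.0.0/16"),
             "plant-b": ipaddress.ip_network("10.20.0.0/16")}
# Registered ports of control protocols that should stay inside a site.
CONTROL_PORTS = {
    ("tcp", 502): "Modbus TCP",
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 4840): "OPC UA",
}
# Assumed inter-site allow-list (non-real-time only); ports are site-specific.
ALLOWED_INTERSITE = {
    ("tcp", 6514): "log aggregation (syslog over TLS)",
    ("tcp", 22): "management (SSH)",
    ("tcp", 5450): "historian replication (assumed port)",
}
# Constructed flow export; header names are assumptions, not a vendor format.
SAMPLE = """src,dst,proto,dport
10.10.5.20,10.10.5.30,tcp,502
10.10.5.20,10.20.7.11,tcp,502
10.10.8.4,10.20.8.4,tcp,5450
10.20.7.40,10.10.5.30,udp,2222
10.10.3.3,10.20.3.3,tcp,445
"""

def site_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SITE_NETS.items() if addr in net), None)

def audit(flow_csv):
    """Classify every flow that leaves its site: VIOLATION, ok or REVIEW."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = site_of(row["src"]), site_of(row["dst"])
        if src is not None and src == dst:
            continue  # intra-site traffic is governed by local zone rules
        key = (row["proto"], int(row["dport"]))
        if key in CONTROL_PORTS:
            findings.append(("VIOLATION", src, dst, CONTROL_PORTS[key]))
        elif key in ALLOWED_INTERSITE:
            findings.append(("ok", src, dst, ALLOWED_INTERSITE[key]))
        else:
            findings.append(("REVIEW", src, dst, "%s/%d not on allow-list" % key))
    return findings

print(*audit(SAMPLE), sep="\n")
```

Flows to or from an address outside every known site are never skipped as local, so they surface as findings instead of passing silently.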

If you must exchange real-time production data between sites, establish dedicated tunnels with latency guarantees (QoS, dedicated bandwidth) rather than relying on SD-WAN's dynamic routing. Use redundant tunnels for critical paths and test failover behavior under production load before placing the network in service.

SD-WAN Security Considerations

Specific SD-WAN Protocol Considerations

Verify that SD-WAN tunnel encryption preserves the characteristics your industrial protocols require. Modbus TCP, EtherNet/IP, and OPC UA assume specific port ranges and packet sequences. Some SD-WAN implementations rewrite ports or adjust TCP windowing, breaking protocol-specific expectations. Test actual industrial traffic before deploying to production.

If you're planning multi-site connectivity, reach out to discuss SD-WAN architecture for your environment.

About the author

This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.
