Manufacturing companies with multiple sites—warehouses, distribution centers, remote production lines—have historically connected them with expensive MPLS circuits or built isolated networks at each site. SD-WAN replaces dedicated circuits with intelligent routing over commodity broadband and 4G, reducing costs dramatically. But SD-WAN in OT environments requires careful architectural thinking around latency variance, failover behavior, and maintaining security zones across geographically distributed networks.
The primary challenge is that SD-WAN makes routing dynamic and application-aware in ways that break traditional OT assumptions. Industrial protocols assume consistent latency and deterministic path selection. SD-WAN is optimized for throughput, cost, and failover speed, not for predictable control-loop timing.
Architecture for Multi-Site OT Over SD-WAN
Do not run inter-site OT control traffic directly over SD-WAN. Instead, deploy a hub-and-spoke architecture where each site has its own local network perimeter and zone structure, and inter-site communication is limited to non-real-time data: historian replication, log aggregation, and management traffic. Control commands should be executed locally at each site, not routed centrally.
If you must exchange real-time production data between sites, establish dedicated tunnels with latency guarantees (QoS, dedicated bandwidth) rather than relying on SD-WAN's dynamic routing. Use redundant tunnels for critical paths and test failover behavior under production load before placing the network in service.
SD-WAN Security Considerations
- Edge Router Hardening: SD-WAN edge routers at each site become critical infrastructure. Harden them the same way you harden your core firewalls: disable unnecessary services, enforce strong authentication, centralize logging, and monitor configuration changes.
- Encryption Overhead: SD-WAN requires encryption over every tunnel to the controller and between sites. Encryption adds CPU overhead and latency. Confirm your edge routers can handle encrypted throughput at line rate without dropping packets.
- Centralized Policy Management: The appeal of SD-WAN is centralized policy control—configure routes, bandwidth allocation, and security policies from a central dashboard. This also means a compromised SD-WAN controller could affect all sites simultaneously. Protect the controller with multi-factor authentication, network segmentation, and regular backups.
- Zone Isolation Across Sites: If multiple sites share OT zones (interconnected production networks), they must be segmented consistently. Define zone policies centrally and enforce them at every edge router to prevent a weakness at one site from compromising the entire network.
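The two rules above (inter-site traffic limited to non-real-time historian, logging and management flows; one zone policy enforced identically at every edge) can be checked mechanically. The following is an added example, not code from the article or from any SD-WAN vendor: a small linter that compares each site's edge rule set against a central inter-site allow list, flags any control protocol (Modbus TCP, EtherNet/IP, OPC UA) permitted across the WAN, and reports policy drift in either direction. The zone names, ports in the central policy and site rule sets are constructed for illustration.

```python
from dataclasses import dataclass

# Destination zones reached over the SD-WAN (hub side). Constructed names.
HUB_ZONES = {"hub_historian", "hub_siem", "hub_mgmt"}

# Well-known TCP ports of the industrial protocols the article names.
# These are control-plane protocols that should never cross site boundaries.
CONTROL_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 4840: "OPC UA"}

# Central policy (constructed): the only flows allowed to leave a site.
CENTRAL_POLICY = {
    ("ot_historian", "hub_historian", 5432),  # historian replication
    ("ot_mgmt", "hub_siem", 6514),            # syslog over TLS
    ("ot_mgmt", "hub_mgmt", 22),              # management (SSH)
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str = "permit"

def audit_site(site: str, rules: list[Rule]) -> dict[str, list[str]]:
    """Compare one edge router's rule set with the central inter-site policy."""
    findings = {"control_over_wan": [], "not_in_policy": [], "missing": []}
    seen = set()
    for r in rules:
        if r.action != "permit" or r.dst_zone not in HUB_ZONES:
            continue  # intra-site rules are out of scope for this check
        flow = (r.src_zone, r.dst_zone, r.dst_port)
        seen.add(flow)
        if r.dst_port in CONTROL_PORTS:  # control traffic routed across the WAN
            findings["control_over_wan"].append(
                f"{site}: {CONTROL_PORTS[r.dst_port]} {r.src_zone}->{r.dst_zone}:{r.dst_port}")
        elif flow not in CENTRAL_POLICY:  # local exception not in central policy
            findings["not_in_policy"].append(f"{site}: {r.src_zone}->{r.dst_zone}:{r.dst_port}")
    for src, dst, port in sorted(CENTRAL_POLICY - seen):  # edge missing a central rule
        findings["missing"].append(f"{site}: {src}->{dst}:{port}")
    return findings

# Constructed per-site edge rule sets: plant_a matches policy, plant_b has drifted.
SITE_RULES = {
    "plant_a": [Rule("ot_historian", "hub_historian", 5432), Rule("ot_mgmt", "hub_siem", 6514),
                Rule("ot_mgmt", "hub_mgmt", 22), Rule("cell_1", "cell_2", 502)],
    "plant_b": [Rule("ot_historian", "hub_historian", 5432), Rule("ot_mgmt", "hub_siem", 6514),
                Rule("ot_cell", "hub_mgmt", 44818), Rule("ot_mgmt", "hub_mgmt", 3389)],
}

if __name__ == "__main__":
    for site, rules in SITE_RULES.items():
        for kind, items in audit_site(site, rules).items():
            for item in items:
                print(f"[{kind}] {item}")
```

Run it against exported rule sets from every edge after each central policy push; a non-empty result at any site means that site no longer enforces the zone policy the rest of the network assumes.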
Specific SD-WAN Protocol Considerations
Verify that SD-WAN tunnel encryption preserves the characteristics your industrial protocols require. Modbus TCP, EtherNet/IP, and OPC UA assume specific port ranges and packet sequences. Some SD-WAN implementations rewrite ports or adjust TCP windowing, breaking protocol-specific expectations. Test actual industrial traffic before deploying to production.
If you're planning multi-site connectivity, reach out to discuss SD-WAN architecture for your environment.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.