OT Security
Threat models, incident recovery
SDA’s OT Security model delivers modern, cloud-native protection to historically isolated industrial environments. It ensures that all device interactions—from backups and deployments to variable reads and password rotations—are executed securely, using least-privilege access and encrypted communication.
Security is covered throughout the documentation. For full details, refer to:
Vaults & Secrets — Secure credential storage with encrypted secrets and automatic password rotation.
Audit Logs — Full traceability for every user and system-generated action.
Roles & Role-Based Access Control — Fine-grained permissions for users, devices, assets, pipelines, and vaults.
Gateway — Secure outbound-only connectivity between plant-floor devices and the SDA Cloud.
Pipelines — How pipelines securely execute backups, deployments, snapshots, and password rotations.
User Management & SSO — Identity and authentication controls, including MFA and SAML/OIDC integrations.
Secure Connectivity & Gateways
SDA Gateways provide encrypted, outbound-only tunnels to the SDA Cloud. No inbound firewall rules are required, significantly reducing the attack surface.
See Gateway Overview for how the SDA Gateway secures the outbound connection flow: Devices → SDA Gateway → Encrypted Tunnel → SDA Cloud, with identity validation and mutual TLS.
Identity & Access Control
SDA enforces least-privilege access using fine-grained role-based access control. All permissions are scoped to user roles, device groups, vaults, pipelines, and actions.
See Roles & Role-Based Access Control for permission models, role definitions, and time-bound access.
Secrets Management
Device and system credentials are stored in encrypted Vaults. Secrets never appear in plaintext outside controlled execution paths.
See Vaults & Secrets to learn how secrets are stored, encrypted, scoped, and used with pipelines.
Operational Integrity & Auditability
Every action performed on a device—successful or failed—is captured in the Audit Logs system. This includes backups, deployments, variable reads/writes, password rotations, and firmware updates.
See Audit Logs for details on log structure, filtering, retention, and export capabilities.
Pipelines
All pipeline executions (backup, deployment, device snapshot, library upgrade, etc.) run in isolated execution contexts with full authorization and credential isolation.
See Pipelines for how SDA validates, executes, and secures OT workflows.