Internet of Things 6 min read

Digital twins for critical infrastructure: secure legacy integration architecture

Architecture for integrating legacy equipment with digital twins in industrial sectors. How to extract telemetry while prioritizing OT system availability.

Implementing digital twins in critical infrastructure requires combining modern operational technology (OT) security standards with reliable data exchange architectures. This is a critical challenge for industrial automation in 2025–2026. Modeling physical processes allows for energy optimization and wear prediction, but secure integration remains the primary hurdle.

Enterprises face a complex engineering task: connecting legacy equipment to digital twin analytical platforms while maintaining high levels of cybersecurity and process stability. Direct connection of industrial controllers to the cloud or corporate IT networks creates attack vectors that could provide unauthorized access to physical control systems.

Availability priority: why IT approaches require adaptation in OT environments

In classic information technology (IT), data protection is the foundation, with a strong emphasis on confidentiality. In operational technology (OT) managing physical processes in factories or power plants, priorities differ. According to the NIST SP 800-82 Guide to OT Security, availability is prioritized over confidentiality in industrial systems.

While rebooting a server for updates is standard in IT, a delayed control signal in an OT network can trigger an emergency conveyor shutdown. Therefore, architectural solutions for digital twins must be built on the principle of non-interference with the primary physical process.

Integrating legacy equipment without compromising SCADA

Many industrial facilities operate legacy systems that transmit data in plain text without built-in authentication or encryption. It is important to understand that digital twins do not automatically solve security issues without adhering to engineering standards. Furthermore, full compatibility for all legacy equipment cannot be guaranteed without additional industrial gateways.

For secure integration, network segmentation is used to isolate critical controllers. Data is read via intermediate edge gateways connected to monitoring ports or passive traffic taps. This ensures that requests from the digital twin platform cannot interfere with the programmable logic controller (PLC) managing a valve or turbine.

Secure transit architecture: from sensor to cloud

The reliability of modern IoT solutions requires meticulous planning at every stage. According to the AWS Well-Architected IoT Lens, data processing is distributed across levels:

  • Device level: Physical sensors, actuators, and controllers isolated in their own industrial segments.
  • Edge level: Industrial gateways that collect raw data, perform pre-processing, and normalize it.
  • Cloud/Enterprise level: The digital twin analytical environment for predictive analysis.

Telemetry collection from the device level is performed in a unidirectional mode (bottom-up), minimizing the risk of reverse attacks on the OT segment.

Normalization at the edge: OPC UA and edge computing

Since industrial facilities typically use equipment from various manufacturers, transmitting heterogeneous raw data directly into an analytical model is inefficient. To address interoperability, the OPC Unified Architecture (OPC UA) standard is used.

According to the OPC Foundation, OPC UA is a platform-independent architecture used to normalize data before transmission to analytical systems or SCADA/MES. This allows telemetry from different machines to be presented in a unified format.

Simultaneously, deploying edge computing enables pre-processing of sensor data directly at the industrial site. An edge node can filter noise or aggregate metrics before sending them to the cloud, reducing the load on digital twin communication channels.

Implementing ISA/IEC 62443 requirements for digital twins

The ISA/IEC 62443 series of international standards covers over 20 industries using automation technologies and defines comprehensive system security requirements. Designing a digital twin architecture based on this standard requires applying the "Zones and Conduits" concept.

The digital twin platform is isolated into a separate information zone, and all connections to industrial segments are strictly controlled. Even if the analytical dashboard at the corporate level is compromised, attackers cannot alter the configuration of physical equipment.

Practical implementation and enterprise-level integration

Once secure telemetry collection from the OT level is implemented, this data must be integrated with enterprise business systems for maintenance planning, documentation, and regulatory process execution. Designing such integrated architectures requires a combination of expertise in IoT and corporate development.

For example, Softengi (part of the Intecracy Group alliance) develops custom IoT/embedded solutions and integration gateways for data collection. Softengi is certified to the international AI management standard ISO/IEC 42001:2023, confirming a responsible approach to developing analytical algorithms.

The upper, corporate level of the system is built using UnityBase — a full-stack JavaScript low-code platform (jointly developed by companies within the Intecracy Group). UnityBase ensures managed integration of twin data into the business environment through flexible mechanisms: a unified domain model (Domain metadata), built-in access control subsystems (RBAC and Row-Level Security), and detailed audit trails. For critical infrastructure objects with high security and load requirements, commercial Enterprise (EE) and Defence (DE) editions of the platform are available, supporting industrial DBMS (e.g., Oracle RAC, PostgreSQL) and advanced authentication methods.

Infrastructure readiness matrix for digital twins

Readiness levelInfrastructure descriptionOrganizational effect
Level 1: Local monitoringData is isolated in SCADA/MES, legacy protocols are used, and comprehensive analytics are absent.Reactive equipment maintenance based on failure events.
Level 2: Normalized collectionEdge gateways are implemented, data is converted to standardized formats (e.g., OPC UA), and basic network segmentation (per NIST SP 800-82) is performed.Capability for secure real-time monitoring of key nodes.
Level 3: Distributed analyticsPrimary data filtering at the edge level, secure telemetry export considering zones and conduits (ISA/IEC 62443).Transition to predictive maintenance based on trends.
Level 4: Digital twinContinuous stream of normalized data integrated into a cloud or enterprise platform for predictive analysis.Proactive asset management and energy optimization.

FAQ

How can legacy industrial equipment be connected to a digital twin without security risks?

Network segmentation and physical isolation are used. Data is collected via edge gateways using unidirectional transmission channels or read-only monitoring ports. This prevents analytical requests from affecting the operation of programmable logic controllers (PLCs).

What is the role of the ISA/IEC 62443 standard in designing digital twin architecture?

The ISA/IEC 62443 standard requires the use of the "Zones and Conduits" concept. This means the digital twin environment is isolated into a separate zone, and data flows between it and the industrial network are strictly controlled, limiting any unauthorized access to OT.

Why should industrial controllers not be connected directly to cloud IoT services?

Direct connection creates attack vectors. According to NIST SP 800-82, the highest priority in OT systems is the availability and continuity of physical processes. Connecting legacy devices to external networks without edge normalization and protective gateways violates this principle and risks production downtime.

Data sources

Sources & materials

Materials and sources used in this article.

  1. NIST SP 800-82 Guide to OT Security — csrc.nist.gov
  2. ISA/IEC 62443 Series of Standards — isa.org
  3. OPC Foundation: OPC Unified Architecture — opcfoundation.org
  4. Amazon Web Services: AWS Well-Architected IoT Lens — docs.aws.amazon.com