IIoT Insights

Three Ways to Connect Machines Securely

Written by Lauren Markofsky | January 28, 2026

Industrial connectivity isn’t a single choice. Most environments include new machines, existing installations, and legacy equipment, each with different constraints around security, compute, and lifecycle. A practical connectivity strategy has to work across all three.

Below are three common ways machines are connected securely today, and when each approach makes sense.


1. Dedicated Hardware Gateway

A dedicated hardware gateway is a physical device installed in the control cabinet, creating a clear boundary between operational technology (OT) and external networks.

Why it’s used

  • Strong physical and network isolation
  • Clear security demarcation for IT and OT teams
  • Stable architecture for long-lived machines
  • Common in regulated or risk-averse environments

Tradeoffs

  • Requires cabinet space and physical installation
  • Hardware lifecycle and refresh considerations


2. Virtual Gateway (Software-Based)

A virtual gateway delivers secure connectivity as software running on an existing industrial PC or edge device, without adding hardware.

Why it’s used

  • No additional devices in the cabinet
  • Faster deployment and easier scaling
  • Well suited for modern, IPC-based machines
  • Supports software-defined architectures

Tradeoffs

  • Dependent on host system availability
  • Shared responsibility for security and lifecycle management


3. Legacy Connectivity and Upgrade Paths

Many machines in operation today were never designed to be connected securely. Older controllers, limited operating systems, and customer restrictions can make modern gateway approaches impractical.

Legacy connectivity focuses on bringing these machines into a secure connectivity platform without forcing redesigns.

Why it’s used

  • Enables secure access for constrained or aging equipment
  • Extends machine life without major upgrades
  • Supports incremental modernization strategies

Tradeoffs

  • Less flexibility than fully modern architectures
  • Often part of a transitional solution

Choosing What Fits

Most industrial fleets don’t rely on a single connectivity model. New machines, existing lines, and legacy assets often require different approaches, even within the same facility.

Evaluating connectivity at the architecture level makes it easier to select the right gateway per machine, while still standardizing security, access control, and operations across the fleet.

Connectivity Approach         When It Fits Best                        ei³ Gateway
Dedicated hardware gateway    Physical isolation, long-lived assets    Amphion
Virtual gateway (software)    Modern machines, IPC-based designs       Zethus
Legacy connectivity path      Older or constrained machines            Portara


Why These Approaches Are Secure at Scale

Gateway form factor alone doesn’t determine security. What matters is whether all connectivity options operate within a consistent, layered security model.

ei³ achieves this through its Cyber-Physical System (CPS) Protection Platform, which establishes one security framework for how machines, users, and data interact, regardless of whether connectivity is delivered through hardware, software, or legacy paths. The framework brings edge devices, managed networks, private cloud infrastructure, and IIoT applications under a single security model.



At a high level, this security model includes:

Edge-Level Trust

  • Secure boot and automated updates that verify firmware integrity before it runs, maintaining a consistent security posture
  • Hardened operating systems with minimal, read-only baselines
  • Physical protection & secure key storage to preserve device identity
  • Firewall with an outbound-only policy to block unsolicited traffic

Protected Communication

  • TLS-encrypted communication with mutual authentication (both the gateway and its peer present certificates; 2048-bit keys)
  • Centralized certificate & identity management
  • Protocol management, including secure data handling and optional OPC UA translation
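What "mutual authentication" buys over plain TLS is easiest to see in code. The following Go program is an added example, not ei³'s code: it builds a throwaway fleet CA in memory (the CA, host names, and the three client scenarios are assumptions for illustration) and runs real TLS handshakes over loopback TCP with the standard library only, so it works offline. The gateway presents a certificate the client verifies against the fleet CA, and the gateway in turn refuses a client that presents no certificate or one issued by a CA it does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; in this example every failure is a setup bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a P-256 certificate for cn: a self-signed CA when parent is nil, otherwise
// a TLS leaf signed by parent/parentKey. Keys are generated in memory for this example only.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf usable for both server and client authentication
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// handshake runs one TLS handshake over loopback TCP; the server's verdict wins (nil = client verified).
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, serverCfg).Handshake()
		}
		errc <- err
	}()
	raw := must(net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, clientCfg).Handshake()
	if err := <-errc; err != nil {
		return err
	}
	return clientErr
}

// runScenarios builds a throwaway fleet CA and reports whether the gateway accepted each client.
func runScenarios() map[string]bool {
	ca, caKey := newCert("fleet-root-ca", nil, nil)
	gwCert, gwKey := newCert("gateway.example", ca, caKey)
	okCert, okKey := newCert("collector.example", ca, caKey)
	rogueCA, rogueKey := newCert("rogue-ca", nil, nil)
	badCert, badKey := newCert("intruder.example", rogueCA, rogueKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	server := &tls.Config{
		Certificates: []tls.Certificate{pair(gwCert, gwKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual part: no trusted cert, no session
		ClientCAs:    trust,
		MinVersion:   tls.VersionTLS12,
	}
	client := func(certs ...tls.Certificate) *tls.Config { // no certs = anonymous client
		return &tls.Config{RootCAs: trust, ServerName: "gateway.example", MinVersion: tls.VersionTLS12, Certificates: certs}
	}
	return map[string]bool{
		"trusted client":   handshake(server, client(pair(okCert, okKey))) == nil,
		"no client cert":   handshake(server, client()) == nil,
		"untrusted issuer": handshake(server, client(pair(badCert, badKey))) == nil,
	}
}

func main() { fmt.Println(runScenarios()) }
```

The decisive settings are ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs on the server side; without them a "TLS-encrypted" link only authenticates the gateway to the cloud, never the other way round, and anything that can reach the port can talk to it. In a deployment both ends get their certificates from the centralized certificate and identity management mentioned above rather than from in-memory generation, and the key type and size are whatever that PKI issues (the 2048-bit figure in the text is a key size, typically RSA; the example uses P-256 ECDSA for brevity).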

Resilient Operation

  • Docker container framework to isolate edge applications and workloads
  • Local data caching during network interruptions
  • Automatic synchronization once connectivity is restored
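The local caching and re-synchronization items above, as an added example that is not ei³'s code (the Forwarder, Uplink and fakeUplink names and the outage script are assumptions for this illustration): a bounded store-and-forward queue that keeps readings while the link is down and replays them in order once it returns. It handles the two failure modes a practitioner actually hits, a cache that overflows during a long interruption and an acknowledgment that is lost after the cloud has already stored the batch.

```go
package main

import (
	"errors"
	"fmt"
)

// Sample is one reading tagged with a monotonically increasing sequence number
// so the receiver can detect gaps and discard duplicates.
type Sample struct {
	Seq   uint64
	Tag   string
	Value float64
}

// Uplink is the cloud-facing transport (an assumed interface for this example).
type Uplink interface {
	Send(batch []Sample) error
}

// Forwarder caches readings locally and replays them in order once the uplink
// accepts them. Delivery is at-least-once, so the receiver must dedup by Seq.
type Forwarder struct {
	uplink  Uplink
	cache   []Sample
	nextSeq uint64
	limit   int // maximum cached samples before the oldest are dropped
	Dropped int // samples lost because the cache overflowed during an outage
}

// Record stores a reading locally and never touches the network, so a dead
// link cannot stall the machine's data path.
func (f *Forwarder) Record(tag string, v float64) {
	f.nextSeq++
	f.cache = append(f.cache, Sample{Seq: f.nextSeq, Tag: tag, Value: v})
	if len(f.cache) > f.limit { // bounded cache: drop the oldest, but count it
		f.cache = f.cache[1:]
		f.Dropped++
	}
}

// Flush delivers everything cached, oldest first. On any error the cache is
// left intact so the next Flush retries from the same point.
func (f *Forwarder) Flush() error {
	if len(f.cache) == 0 {
		return nil
	}
	if err := f.uplink.Send(f.cache); err != nil {
		return err
	}
	f.cache = f.cache[:0]
	return nil
}

// fakeUplink simulates the cloud: an outage flag, a one-shot "lost ack" (batch
// stored, failure reported) and idempotent ingestion keyed by Seq.
type fakeUplink struct {
	down, loseAck bool
	seen          map[uint64]bool
	Received      []uint64 // sequence numbers ingested, in arrival order
}

func (u *fakeUplink) Send(batch []Sample) error {
	if u.down {
		return errors.New("uplink unreachable")
	}
	for _, s := range batch {
		if !u.seen[s.Seq] { // replayed duplicates are ignored
			u.seen[s.Seq] = true
			u.Received = append(u.Received, s.Seq)
		}
	}
	if u.loseAck {
		u.loseAck = false
		return errors.New("ack timed out")
	}
	return nil
}

// runOutage walks a constructed interruption and returns what the cloud received,
// how many readings the edge dropped, and how many are still cached afterwards.
func runOutage() (received []uint64, dropped, pending int) {
	cloud := &fakeUplink{seen: map[uint64]bool{}}
	gw := &Forwarder{uplink: cloud, limit: 4}
	gw.Record("press-1/temp", 71.2) // seq 1 while the link is healthy
	_ = gw.Flush()
	cloud.down = true // interruption: seq 2..7 arrive, 2 and 3 overflow the cache
	for i := 0; i < 6; i++ {
		gw.Record("press-1/temp", 72+float64(i))
	}
	_ = gw.Flush() // fails; cache still holds 4..7
	cloud.down, cloud.loseAck = false, true // link restored, but the first ack is lost
	_ = gw.Flush() // cloud ingests 4..7, gateway still believes they are unsent
	_ = gw.Flush() // replay: cloud dedups, gateway finally clears its cache
	return cloud.Received, gw.Dropped, len(gw.cache)
}

func main() {
	received, dropped, pending := runOutage()
	fmt.Println("received:", received, "dropped:", dropped, "pending:", pending)
}
```

Flush only discards the cache once the uplink acknowledges, so a lost acknowledgment causes a replay rather than data loss; that makes delivery at-least-once, and the receiver must therefore treat the sequence number as an idempotency key, as fakeUplink does. The bounded cache is deliberate: an edge device with an unbounded buffer turns a long outage into a disk-full or out-of-memory failure, so the gateway drops the oldest readings and counts them instead. On a real gateway Record and Flush run on different goroutines and need a mutex around the cache, omitted here to keep the sequence of events readable.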

Managed Networks

  • Centralized visibility & policy control across machines and sites
  • Network segmentation to limit lateral movement between assets
  • Continuous traffic monitoring and anomaly detection
  • Integration with enterprise security and monitoring tools

Together, these capabilities create a zero-trust, defense-in-depth (DiD) architecture that applies consistently across all gateway types, not just the newest machines.