Remote SCADA Monitoring: How a 24/7 NOC Model Works for Critical Infrastructure
Key Takeaway
A SCADA Network Operations Center (NOC) provides 24/7 monitoring of SCADA platform health, communication status, and critical process alarms through secure VPN connectivity. Unlike an IT NOC, a SCADA NOC is staffed by engineers who understand process context, bases escalation on operational impact, and extends its monitoring scope to field communication channels and protocol-level diagnostics.
What a SCADA NOC Is and How It Differs from an IT NOC
An IT NOC monitors servers, networks, and applications. A SCADA NOC monitors all of that plus the operational technology layer — field devices, communication protocols, process alarms, and telemetry data flows. The critical difference is context: when a SCADA NOC receives an alert about a communication failure to a remote site, the response isn't just "restore connectivity." It's "determine whether the lost connectivity affects a safety-critical monitoring point, whether process data is being buffered for recovery, and whether on-site personnel need to be dispatched."
This process context requires engineers who understand the operational environment — what a lift station high-level alarm means versus a tank farm pressure deviation, and why loss of communication to a wellsite with an active gas lift system requires a different response than loss of communication to a water quality monitoring station.
Secure Connectivity Architecture
Remote SCADA monitoring requires a secure, reliable connection between the NOC and the client's SCADA infrastructure. The standard architecture includes:
VPN Tunnels
A site-to-site or client VPN tunnel provides encrypted connectivity between the NOC and the client's SCADA network. WireGuard and IPsec are the most common protocols. The VPN terminates at a hardened firewall on the client's network edge — never directly on the SCADA server. All traffic through the tunnel is logged and auditable.
Firewall Architecture
The connection architecture follows a defense-in-depth model. The NOC connects to a DMZ or jump server in the client's network, not directly to SCADA servers. Firewall rules restrict the NOC's access to specific IP addresses and ports required for monitoring — no broad network access. The client retains full control of firewall rules and can revoke NOC access at any time.
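One way to check an exported rule set against these constraints, as an added example that is not part of the original article or any vendor's tooling. The address ranges, rule field names, and the four-port limit are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumptions for illustration, not from the article).
NOC_NET = ipaddress.ip_network("198.51.100.0/28")   # NOC side of the VPN tunnel
DMZ_NET = ipaddress.ip_network("10.50.0.0/24")      # client DMZ with the jump server
SCADA_NET = ipaddress.ip_network("10.60.0.0/24")    # SCADA server segment
MAX_PORTS = 4  # assumed policy limit on ports per monitoring rule

# Constructed rule export; the field names are hypothetical.
RULES = [
    {"name": "noc-jump", "action": "allow", "src": "198.51.100.0/28",
     "dst": "10.50.0.10/32", "ports": [443]},
    {"name": "noc-sql", "action": "allow", "src": "198.51.100.0/28",
     "dst": "10.60.0.5/32", "ports": [1433]},
    {"name": "noc-any", "action": "allow", "src": "198.51.100.0/28",
     "dst": "10.0.0.0/8", "ports": "any"},
    {"name": "jump-scada", "action": "allow", "src": "10.50.0.10/32",
     "dst": "10.60.0.5/32", "ports": [443]},
]

def audit_rule(rule):
    """Return findings for one rule; an empty list means it conforms."""
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    if rule["action"] != "allow" or not src.overlaps(NOC_NET):
        return []  # only allow rules that admit NOC traffic are in scope
    findings = []
    if not src.subnet_of(NOC_NET):
        findings.append("source wider than NOC range")
    if dst.overlaps(SCADA_NET):
        findings.append("direct path to SCADA segment")
    elif not dst.subnet_of(DMZ_NET):
        findings.append("destination outside DMZ")
    if dst.num_addresses > 1:
        findings.append("destination is not a single host")
    if rule["ports"] == "any" or len(rule["ports"]) > MAX_PORTS:
        findings.append("ports not restricted")
    return findings

def audit(rules):
    """Map rule name -> findings for every non-conforming rule."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, "->", "; ".join(findings))
```

The jump-server-to-SCADA rule is out of scope here because it does not admit NOC-sourced traffic; it would be reviewed under the client's internal segmentation policy.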
Authentication and Access Control
NOC engineers access client systems using individual accounts with multi-factor authentication and role-based permissions. Monitoring functions use read-only access; elevated access for maintenance tasks requires additional authorization. All sessions are logged, with timestamps and actions recorded.
Monitoring Scope
Server Health
Continuous monitoring of the Geo SCADA server process, SQL Server performance, Windows services, disk utilization, CPU load, and memory consumption. Health checks run at intervals appropriate for each metric — process monitoring every 60 seconds, resource utilization every 5 minutes, database metrics every 15 minutes.
Communication Status
Monitoring of all communication channels — cellular, radio, serial, satellite — with alerting on channel failures, degraded signal quality, and abnormal polling behavior. Communication monitoring extends to the protocol level: DNP3 unsolicited response delivery, Modbus poll success rates, and IEC 104 connection status.
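A sketch of how poll success rate can separate a degraded channel from a failed one, as an added example that is not from the original article or any SCADA product. The log format, channel names, window size, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10           # assumed: most recent polls kept per channel
DEGRADED_BELOW = 0.8  # assumed: success rate that raises a "degraded" alert
FAILED_RUN = 3        # assumed: consecutive failed polls that mean "channel down"

# Constructed poll history, one character per poll: o = ok, t = timeout, c = CRC error.
PATTERNS = {
    "cell-ls07": "oooooooooo",
    "radio-well12": "ootocoooto",
    "sat-tank03": "ooooooottt",
}

def sample_log():
    """Expand PATTERNS into constructed log lines: '<epoch> <channel> modbus <result>'."""
    codes = {"o": "ok", "t": "timeout", "c": "crc_error"}
    lines = []
    for channel, pattern in PATTERNS.items():
        for i, char in enumerate(pattern):
            lines.append(f"{1700000000 + 60 * i} {channel} modbus {codes[char]}")
    return "\n".join(lines)

def evaluate(log_text):
    """Return {channel: (state, success_rate)} from poll log lines."""
    windows = defaultdict(lambda: deque(maxlen=WINDOW))
    for line in log_text.strip().splitlines():
        _ts, channel, _proto, result = line.split()
        windows[channel].append(result == "ok")
    status = {}
    for channel, polls in windows.items():
        rate = sum(polls) / len(polls)
        tail = list(polls)[-FAILED_RUN:]
        if len(tail) == FAILED_RUN and not any(tail):
            state = "failed"      # an unbroken run of failures: treat as channel loss
        elif rate < DEGRADED_BELOW:
            state = "degraded"    # intermittent failures: link quality problem
        else:
            state = "healthy"
        status[channel] = (state, round(rate, 2))
    return status

if __name__ == "__main__":
    for channel, (state, rate) in evaluate(sample_log()).items():
        print(f"{channel}: {state} (success rate {rate:.0%})")
```

Two channels here share a 70% success rate but get different states, which is why the consecutive-failure check runs before the rate threshold.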
Process Alarms
The NOC monitors a defined set of critical process alarms agreed upon with the client. Not every SCADA alarm requires NOC attention — only those that require action outside normal business hours or that indicate conditions requiring immediate escalation. The alarm scope is defined during service onboarding and refined over time.
Cybersecurity
Monitoring for unauthorized access attempts, unusual network traffic patterns, and security-relevant Windows events. Cybersecurity monitoring doesn't replace a full security operations center but provides a baseline awareness layer for the SCADA environment.
Escalation Workflows
When the NOC detects an event requiring action, the escalation follows a documented workflow:
- Tier 1 — NOC assessment: The NOC engineer evaluates the alert, gathers diagnostic information, and determines severity.
- Tier 2 — Remote resolution: If the issue can be resolved remotely (restart a service, clear a stuck alarm, reset a communication channel), the NOC engineer executes the resolution per approved procedures.
- Tier 3 — Client escalation: If the issue requires on-site action or a decision beyond the NOC's authority, the NOC contacts the client's on-call person with a clear description of the problem, its operational impact, and recommended actions.
Escalation contacts, authority levels, and procedures are documented and agreed upon during service onboarding. The goal is to ensure the right person is contacted at the right time with the right information.
Integration with Existing On-Site Staff
A SCADA NOC augments on-site staff — it doesn't replace them. On-site operators retain full authority over process control decisions. The NOC handles platform health, after-hours monitoring, and routine maintenance, freeing on-site staff to focus on operations, capital projects, and strategic improvements.
Communication between the NOC and on-site staff follows established channels — typically a dedicated communication platform, email distribution lists for reports and non-urgent notifications, and phone/SMS for critical escalations. Monthly coordination calls ensure alignment on priorities and upcoming maintenance activities.
To learn more about how NFM Consulting's managed Geo SCADA NOC can provide 24/7 coverage for your critical infrastructure, schedule a NOC capabilities demonstration.
Frequently Asked Questions
Yes, when architected properly. Secure remote SCADA monitoring uses encrypted VPN tunnels, firewall rules limiting access to specific addresses and ports, multi-factor authentication, role-based access controls, and full session logging. The client retains control of firewall rules and can revoke access at any time.
The NOC engineer assesses the alarm, gathers diagnostic context, and either resolves it remotely (if within authorized procedures) or escalates to the client's on-call contact with a clear description of the problem, its operational impact, and recommended actions. Critical escalations target a 15-minute response window.
Remote monitoring augments on-site staff but does not replace them. On-site operators are needed for physical interventions, process control decisions, and site-specific tasks. Remote monitoring handles platform health, after-hours coverage, and routine maintenance — freeing on-site staff to focus on operations and improvements.