Manufacturing is now the most attacked industry sector on the planet — ahead of financial services, ahead of healthcare. IBM X-Force reports that 25.7% of all cyberattacks in 2024 targeted manufacturers, with ransomware accounting for 71% of incidents. The average cost? $4.7 million per attack, with 21 days of production downtime.
Against that backdrop, every decision about what you connect to your factory network matters. And when it comes to machine monitoring, the choice between WiFi and cellular isn't just about signal strength or convenience. It's a security architecture decision that determines whether you're adding risk to your operation or removing it.
The Hidden Risk in "Just Connect It to WiFi"
Most machine monitoring vendors take the path of least resistance: plug their gateway into your factory network via Ethernet or WiFi, open some firewall ports, and start streaming data. It works. But it also means their device is now a node on your corporate network — sitting alongside your ERP system, your email servers, and potentially your PLCs and HMIs.
This creates what security professionals call lateral movement risk. If that monitoring gateway gets compromised — through a firmware vulnerability, a supply chain attack, or even a misconfigured update — the attacker doesn't just have access to machine data. They have a beachhead on your entire network.
For a 50-person shop running a flat network (which, honestly, describes a lot of U.S. manufacturers), that means one compromised IoT device could put everything at risk: production control systems, customer data, intellectual property, and financials.
What the IT Team Sees
This is exactly why IT teams push back on IoT projects. They're not being obstructionist — they're doing their job. Every device you add to the network is a new entry point to defend. It needs firewall rules, VLAN configuration, security reviews, and ongoing patching. For manufacturers with two to five IT staff (the norm in the $50M–$200M revenue range), that's a real burden.
The result? Machine monitoring projects stall in IT review for weeks or months. By the time you have approval, the operational urgency that justified the project has faded — or the vendor has moved on.
What "Security-First" Actually Means
At Helio, we took a different approach. Instead of trying to make a network-connected device "secure enough," we asked: what if the device never touched the network at all?
HLink, our edge monitoring device, communicates exclusively over private cellular via a dedicated IoT SIM. It has no WiFi radio. It never joins your corporate network. It never sees your ERP, your email, your PLCs, or anything else on your infrastructure.
This isn't a workaround. It's a deliberate architectural decision — and it changes the security equation fundamentally.
No Keys on the Device
Here's where it gets interesting. Traditional IoT devices need TLS certificates, API keys, or authentication tokens stored on the device to communicate securely with the cloud. If someone steals the device, those credentials are extractable. That's a real vulnerability.
HLink stores zero credentials on the device. No AWS keys, no TLS certificates, no authentication tokens. Instead, we use Soracom Beam — a service built into the cellular network — to handle TLS termination. The device authenticates via its SIM card's hardware-burned identity (IMSI). Soracom Beam then establishes the encrypted connection to AWS IoT Core using certificates that never exist on the physical device.
If someone walks off with an HLink unit, they have a Raspberry Pi with no credentials, no network access, and a SIM card that gets killed remotely in under 60 seconds. It's an expensive paperweight.
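One way a security reviewer can check a "zero credentials on the device" claim like the one above, written here as an added example that is not Helio's or Soracom's code: a small audit scan over an extracted device filesystem, run against two constructed sample trees (the file paths, regex patterns and config values are assumptions of this example).

```python
import os
import re
import tempfile

# Credential material a "no keys on the device" design should never leave on
# disk. These patterns are this example's assumptions, not a vendor's list.
CREDENTIAL_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "pem_certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_rootfs(root):
    """Walk an extracted device filesystem; return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            for label, pattern in CREDENTIAL_PATTERNS.items():
                if pattern.search(text):
                    findings.append((os.path.relpath(path, root), label))
    return sorted(findings)

def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)

def build_sample_images():
    """Constructed sample trees (not real firmware): a conventional gateway with
    secrets on disk, and a credential-free one holding only a machine IP and APN."""
    base = tempfile.mkdtemp(prefix="gateway-audit-")
    conventional = os.path.join(base, "conventional")
    _write(conventional, "etc/iot/device.key",
           "-----BEGIN PRIVATE KEY-----\nMIIEvCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    _write(conventional, "etc/iot/device.crt",
           "-----BEGIN CERTIFICATE-----\nMIICCONSTRUCTED\n-----END CERTIFICATE-----\n")
    _write(conventional, "root/.aws/credentials",
           "[default]\naws_access_key_id = AKIAEXAMPLEKEY000001\naws_secret_access_key = x\n")
    credential_free = os.path.join(base, "credential-free")
    _write(credential_free, "etc/gateway/machine.conf", "machine_ip = 192.168.250.2\npoll_interval_s = 1\n")
    _write(credential_free, "etc/modem/apn.conf", "apn = example.private.apn\n")
    return conventional, credential_free
```

Point `scan_rootfs` at a mounted SD card image of the gateway under review; an empty result for the device-side tree is the evidence an auditor would want alongside the vendor's statement.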
Air-Gapped from Your Network
The phrase "air-gapped" gets thrown around loosely in cybersecurity. In Helio's case, it's literal. The HLink device connects to the CNC machine via a direct Ethernet cable (point-to-point, for reading machine data), and to the cloud via its own cellular radio over a private APN. There is no path between those two connections. There is no route from the cellular network to your corporate network. There is no route from the device to the public internet.
If your corporate network gets breached? HLink is completely unaffected — it's not on your network. If HLink somehow gets compromised? The attacker has access to a read-only data stream from one machine. No lateral movement. No path to your ERP or production control systems.
ISA-95 and OT/IT Segmentation — Without the Project
If you've dealt with ISA-95 or IEC 62443 compliance, you know the core principle: keep your operational technology (OT) network separated from your information technology (IT) network. The standard prescribes "zones and conduits" — clear boundaries between different parts of your infrastructure, with well-defined data flows through controlled connection points.
Achieving this with traditional monitoring solutions requires significant network engineering: DMZs, firewall rules, VLAN segmentation, proxy servers. For large enterprises with dedicated OT security teams, that's manageable. For a mid-market manufacturer? It's a non-starter.
Helio's architecture achieves this by default. The private cellular connection acts as a natural conduit between the OT environment and the cloud, with data flowing in one direction through a controlled, encrypted channel. There's no network engineering required because HLink was never on your network to begin with.
This is why security auditors and compliance consultants tend to like our architecture. It's not that we solved the OT/IT segmentation challenge through clever firewall rules — we eliminated it structurally.
Addressing the IT Security Objections
If you're a plant manager or operations leader who has had an IoT project stalled by IT security concerns, this section is for you. Here are the objections we hear most often, and how Helio's architecture addresses them.
"We need to review and approve any device on our network."
HLink is not on your network. It doesn't need WiFi credentials, firewall rules, VLAN configuration, DNS settings, DHCP reservations, proxy settings, or a network security review. It needs a power outlet and an Ethernet cable to the machine. That's it.
"Our compliance framework requires us to assess all connected devices."
Because HLink operates on its own cellular network, it's out of scope for your internal network compliance assessment. Your CMMC, NIST 800-171, or SOC 2 auditor won't need to include it in your network boundary — it operates on a completely separate network.
"How do we know the data is encrypted?"
Every byte is encrypted. HLink to Soracom uses cellular encryption (AES-128). Soracom to AWS IoT Core uses TLS 1.2+ with mutual authentication (AES-256-GCM). All data at rest is encrypted with AES-256 via AWS KMS. The data path has no unencrypted gaps.
"What about data residency?"
All Helio data is stored exclusively in AWS us-east-1 (Northern Virginia). No data leaves the United States. All Helio personnel are U.S. persons. Customer data ownership is contractual — you own your data, you can export it anytime, and we permanently delete it within 30 days of contract termination.
"Can this device control our machines?"
No. HLink is read-only. It monitors machine telemetry — spindle speed, temperature, vibration, motor current — but has no ability to send commands to, control, stop, or modify machine operations. Even a complete Helio platform outage has zero impact on your production. Your machines keep running no matter what.
The Practical Upside: Deploy in Minutes, Not Months
Security architecture aside, the cellular approach has an enormous operational benefit: speed of deployment.
The average HLink installation takes 15 minutes per machine. Plug in power. Connect the Ethernet cable to your machine controller. Turn it on. Data starts flowing. No IT ticket. No waiting for a maintenance window. No network credentials to manage.
For plant managers who need machine data to make decisions about maintenance, OEE, and throughput, the difference between "deployed in an afternoon" and "waiting six weeks for IT approval" is the difference between a project that delivers ROI and one that dies in committee.
Who This Matters For
If you're a manufacturer in the defense supply chain — or selling to customers who are — security architecture isn't optional. CMMC 2.0 requirements are cascading down the supply chain. Every vendor you add to your environment is a potential audit finding. Choosing a machine monitoring platform that's aligned with NIST 800-171, pursuing CMMC Level 2 certification, and designed for IEC 62443 compliance means one less risk to manage.
But even outside of defense, the logic holds. Ransomware doesn't check whether you're in the defense supply chain. Any manufacturer running connected equipment needs to think about attack surface — and every device on your network is part of that surface.
The Bottom Line
When you evaluate machine monitoring solutions, don't just ask "does it work?" Ask "what does it add to my attack surface?" WiFi-connected solutions work, but they expand your network boundary and create dependencies on IT resources. Private cellular eliminates both.
Helio was built from the ground up for security-conscious manufacturers. Our architecture doesn't just protect your data — it protects your network by never touching it in the first place.
Ready to see how it works? Schedule a demo or reach out at wes@helioiot.com. We'll show you live machine data flowing through our security-first architecture — and you can have HLink running on your shop floor in under an hour.