SCADA Network Topology Diagram: 5 Essential Designs Every Engineer Should Know

Behind every reliable SCADA system is a network topology that was deliberately chosen, not accidentally inherited. A SCADA network topology diagram is the architectural map showing how RTUs, PLCs, HMIs, servers, and field devices connect, both physically and logically. Get it right, and the plant survives a switch failure, a cyberattack, and the next expansion. Get it wrong, and a single fiber cut or a single misconfigured port takes the entire operation offline.

This guide walks through the five SCADA network topologies actually used in production plants in 2026, where each shines, and the design rules that separate a clean topology diagram from a brittle one.

Why the topology diagram matters

The SCADA network topology diagram is the single document that an operator, integrator, and IT/OT cybersecurity auditor all reference. It drives:

• Cable and switch BOM. Fiber runs, copper drops, port counts, media converters.
• Fault tolerance design. How the network behaves when a link or switch fails.
• Recovery time. Milliseconds for safety-critical, seconds for general supervisory.
• Cybersecurity zones. Segmentation aligned with the Purdue model and IEC 62443.
• Future expansion. Where the next 20, 50, or 200 devices will land.

A topology drawn on a napkin and never updated is one of the most common root causes of unplanned outages during routine maintenance windows.

1. Star topology

Star is the default for most plant-floor SCADA networks. Every device connects to a central managed switch (or a stack of switches). It is simple, easy to troubleshoot, and cleanly supports VLAN segmentation.

Where the star wins

• Single-building plants with under 50 devices on the SCADA segment
• Greenfield builds where structured cabling is being installed
• Plants standardizing on industrial Layer 2 switches (Cisco IE, Hirschmann RSP, Moxa EDS, Stratix)

Star’s weakness

The central switch is a single point of failure. If that switch dies, every connected node drops simultaneously. Mitigation: Stack two switches or use chassis-based switches with hot-standby supervisors. For mission-critical assets, escalate to ring or redundant star.

2. Ring topology (with MRP or RSTP)

Ring topology connects switches in a closed loop, forming a single logical “block” that opens when a fault is detected, enabling automatic recovery. The two protocols you will see in industrial deployments:

• MRP (Media Redundancy Protocol). The PROFINET standard, sub-200 ms recovery.
• RSTP and MSTP. Ethernet standards have longer recovery times, ranging from 1 to 3 seconds.
• HSR and PRP. Parallel redundancy protocols with zero-loss recovery, used in substation automation per IEC 62439.

Where the ring wins

• Long cable runs through a process plant or pipeline corridor
• Process control where a single switch outage cannot stop the operation
• Substation automation requiring deterministic recovery

Ring’s weakness

Recovery is automatic, but troubleshooting is harder. A partial ring or unidirectional fault can leave the network superficially healthy while half the devices struggle. Ring deployments require disciplined cable labeling, link-status monitoring, and clear maintenance procedures.

3. Bus topology (mostly legacy)

Bus topology connects all devices on a shared backbone. Historically, that meant coaxial Ethernet, RS-485 Modbus, or Profibus. In 2026, a true Ethernet bus is rare, but RS-485 buses are still everywhere in field instrumentation.

Where does the bus still live

• Modbus RTU instrument trunks (flow meters, level transmitters, drives)
• Profibus DP segments on older Siemens process installations
• HART multi-drop instrumentation networks

Bus’s weakness

Single shared medium means a single fault, whether a bad termination resistor, a short, or a noisy drive, disrupts everything on the segment. Most retrofit projects we run convert RS-485 buses to redundant Ethernet/IP or PROFINET segments with managed switches.

4. Mesh and partial mesh topology

In a full mesh, every switch connects to every other switch. In a partial mesh (more common), critical switches are cross-connected for redundancy without the cable-cost explosion of a full mesh. Modern industrial deployments rely on a partial mesh with RSTP/MSTP or routing protocols such as OSPF.

Where mesh wins

• Multi-building campuses such as refineries, water utilities, and large manufacturing complexes
• Substation automation networks per IEC 61850
• Wide-area SCADA backhaul where multiple paths to the control center are required

Mesh’s weakness

Cost and complexity. Documentation drift is the silent killer. Three years after commissioning, nobody knows the actual path a packet takes. Strong network monitoring tools and disciplined change control are non-negotiable.

5. Layered (Purdue model) topology

The Purdue Enterprise Reference Architecture is not a topology in the literal sense. It is the framework that wraps around all the others. A Purdue-aligned SCADA network topology diagram shows five distinct levels separated by firewalls and a DMZ:

• Level 0, field devices: sensors, actuators, motor starters.
• Level 1, basic control: PLCs, RTUs, safety controllers.
• Level 2, supervisory control: SCADA servers, HMIs, historians.
• Level 3, manufacturing operations: MES, batch management, OEE.
• Level 3.5, industrial DMZ: remote access jump hosts, patch servers, anti-malware.
• Levels 4 and 5, enterprise and corporate: ERP, business systems.

The 3.5 DMZ is where most cybersecurity audits focus. CISA and NIST 800-82 both treat this layered topology as the baseline expectation for modern SCADA. Our SCADA cybersecurity guide covers segmentation in greater depth.

Choosing the right topology: five design questions

1. What is the consequence of a 30-second outage? If the answer is “the line stops, and we lose $50K,” ring or redundant star are mandatory. If the answer is “the operator sees stale data,” star is fine.
2. How geographically spread is the plant? A single building suggests a star. The long process corridor suggests a ring. A multi-building campus suggests mesh.
3. What protocols dominate? PROFINET RT or IRT pushes you toward the ring with MRP. EtherNet/IP can run on any topology, but pairs well with DLR (Device Level Ring).
4. What is cybersecurity maturity? Without firewalls and a DMZ, no topology is secure. Add the Purdue layering before optimizing for redundancy.
5. Who maintains the network? A complex partial mesh that the on-site electrician cannot troubleshoot at 2 a.m. is a liability. Match complexity to operating capability.

Common mistakes in SCADA topology drawings

• No version control. The diagram in the engineering binder shows the 2021 design; the live network has changed 8 times since then.
• Missing the DMZ. Many older plants have a flat OT network connected directly to a corporate switch. This is the single biggest cybersecurity gap we find in audits.
• Confusing physical and logical topology. A star of cables that runs an RSTP ring is logically a ring. The diagram needs to show both views.
• Ignoring wireless. Industrial Wi-Fi, mesh radio, and 5G private networks now carry serious SCADA traffic. They belong on the diagram.
• No bandwidth or latency annotations. A 100 Mbps WAN link between Level 2 and Level 3 quietly limits historian replication years later.

Building a good SCADA network topology diagram

The practical checklist for a diagram that holds up to an IEC 62443 audit and a 3 a.m. outage:

• Every device labeled with hostname, IP, function, and VLAN
• Every switch is labeled with model, firmware, and port count
• All firewalls, NAT boundaries, and DMZ hosts are called out
• Redundancy protocols (MRP, RSTP, HSR, PRP, DLR) annotated on the links
• Cable runs colored by media (fiber, copper, wireless) and length
• Purdue levels overlaid as bands or zones
• Diagram source file checked into version control alongside PLC code
• Quarterly walk-through with the operations team to flag drift

The bottom line

A SCADA network topology diagram is not a one-size-fits-all decision. Star handles most single-building plants, ring earns its premium where downtime is expensive, mesh fits sprawling campuses, and the Purdue model wraps around all of them with the security segmentation that 2026 actually demands. A topology diagram is worth nothing if it is not maintained, and worth its weight in plant uptime when it is.

Pro-Tech Systems Group designs and audits SCADA network topologies across oil and gas, water/wastewater, and manufacturing. If your current diagram is a whiteboard photo from 2019 and you want a fresh set of eyes on the architecture, our team is ready. Get in touch to schedule a network design review.