MES / historian, read-only across OT/IT
Everything is read-only — the agent can observe the plant, never actuate it.
MCP Server Playground
Context
A plant-ops copilot sits on the IT side of the OT/IT boundary. The MES/historian server exposes only read tools — machine status, OEE, tag history. There is no write tool at all, so nothing the agent does can actuate equipment.
The decision
Read-only resource design is the OT safety guarantee: the absence of any write tool, not a permission setting, is what makes the copilot safe on the plant floor.
What most miss
People add a 'set_setpoint' tool behind an approval and think they're safe. On OT, the guarantee people trust is the structural one: actuation is impossible because no write tool exists.
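One way to enforce this structurally, as an added example that is not part of the original page or of any MES product: a CI check over the server's MCP `tools/list` result that fails on any tool outside a fixed read-only allowlist, including an approval-gated `set_setpoint`. The tool names other than `set_setpoint`, the helper names, and the sample responses are assumptions constructed for illustration.

```python
# Added example: CI gate over an MCP tools/list result (sample data is constructed).
# Hypothetical tool names for the three read tools the Context describes.
READ_ONLY_ALLOWLIST = frozenset({"get_machine_status", "get_oee", "get_tag_history"})


def audit_tools(tools_list_response):
    """Return a list of violations; an empty list means no write path is exposed."""
    violations = []
    tools = tools_list_response.get("result", {}).get("tools", [])
    for tool in tools:
        name = tool.get("name", "<unnamed>")
        annotations = tool.get("annotations") or {}
        # Structural check: anything not on the allowlist fails, whatever it
        # claims about itself and whatever approval step sits in front of it.
        if name not in READ_ONLY_ALLOWLIST:
            violations.append(f"{name}: not on the read-only allowlist")
        # readOnlyHint is self-declared by the server, so it is a consistency
        # check on top of the allowlist, never a substitute for it.
        if annotations.get("readOnlyHint") is not True:
            violations.append(f"{name}: readOnlyHint is not true")
    return violations


def tool_entry(name, description, read_only):
    """Build one constructed tools/list entry (hypothetical helper)."""
    return {"name": name, "description": description,
            "inputSchema": {"type": "object"},
            "annotations": {"readOnlyHint": read_only}}


# Constructed tools/list result: the read-only server from the scenario.
READ_ONLY_SERVER = {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
    tool_entry("get_machine_status", "Current state of a machine", True),
    tool_entry("get_oee", "OEE for a line and shift", True),
    tool_entry("get_tag_history", "Historian values for a tag", True),
]}}

# Constructed variant: the same server after an approval-gated write tool is added.
WITH_WRITE_TOOL = {"jsonrpc": "2.0", "id": 1, "result": {"tools":
    READ_ONLY_SERVER["result"]["tools"]
    + [tool_entry("set_setpoint", "Write a setpoint (operator approval required)", False)]}}

if __name__ == "__main__":
    for label, response in (("read-only", READ_ONLY_SERVER),
                            ("with write tool", WITH_WRITE_TOOL)):
        problems = audit_tools(response)
        print(label, "->", "PASS" if not problems else problems)
```

Run as a build or deploy gate against the server's actual tool listing, so a write tool cannot ship without the allowlist itself being changed in review.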
Stakes
A single actuation path from an IT-side agent onto OT equipment is a safety-of-life risk, not an incident ticket.
Studied · Agent & Protocol · verified 2026-07-03
Sources: OT/IT segmentation (Purdue model) and read-only integration patterns; MES / historian (OPC-UA) data exposure practice