Xiid — Terniion outbound-only network security

Secure Industrial Edge Operations with Xiid + Portainer

Deploy and manage containerized workloads at the OT edge with outbound-only secure connectivity and central operations visibility, without expanding inbound network exposure.

The Xiid + Portainer Joint Architecture

Industrial teams face a structural choice when modernizing OT operations: expose devices to manage them remotely, or keep them air-gapped and lose central visibility. The Portainer + Xiid joint architecture removes that tradeoff.

Portainer provides the operator control plane for containerized workloads across thousands of distributed sites. Xiid Terniion provides the secure connectivity layer underneath: outbound-only encrypted tunnels that make field devices non-addressable from the public internet while keeping them fully manageable from a central operations plane.

The result is an architecture where devices that need to stay protected stay protected, and the operations that need to be reached can be reached, through the same outbound tunnel that carries telemetry in the other direction.

Zero Inbound Network Exposure
Field devices have no public IP presence. Inbound firewall ports stay closed. Devices cannot be enumerated or scanned by external actors.

Centralized Workload Management
Deploy, update, and monitor containerized OT applications across distributed sites from a single console. No site visits required for routine maintenance.

Post-Quantum Encrypted Connectivity
Triple-layer encryption stack (TLS 1.3 with ML-KEM-768, Kyber/Dilithium end-to-end, AES-256-GCM inner) suitable for environments with strict data-in-transit requirements.

Process-Level Tunnel Isolation
Network access is constrained to the process level. A compromise at one device does not pivot into the broader operations network.

Self-Hosted End to End
No SaaS dependency. No external infrastructure required. Suitable for regulated, air-gapped, and disconnected environments.

Resilient to Intermittent Connectivity
Built for the realities of industrial sites with cellular, satellite, or other unreliable network links. Operations continue during outages; updates queue and apply on reconnection.

How Xiid + Portainer Works in Practice

01. Outbound Tunnel Established at Startup

Every OT gateway boots with a Terniion STLink agent that immediately closes all inbound firewall ports and initiates an outbound-only encrypted tunnel to the self-hosted operations plane. From any external network observer's perspective, the device does not exist.

02. Workloads Deployed Centrally

Portainer's management plane pushes containerized workloads to the gateway through the established tunnel. Protocol adapters, monitoring applications, OT collectors, and configuration updates all deploy without anyone touching the device.

03. Telemetry and Management Flow Through the Same Tunnel

OT data flows outbound to the operator's chosen analytics, historian, or visibility layer. Management commands and updates flow back through the same tunnel. The gateway never opens an inbound port for either direction.
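One way to check the "never opens an inbound port" property on a deployed gateway, as an added example that is not Xiid or Portainer code: it parses `ss -H -ltnu` output and lists every socket bound to anything other than loopback. The sample output and function names are constructed for illustration; host firewall rules are a separate layer that this check does not read.

```python
import ipaddress

# Constructed sample of `ss -H -ltnu` output from a hypothetical gateway.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:9001      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*
tcp   LISTEN 0      128             [::]:8080         [::]:*
tcp   LISTEN 0      128                *:9100            *:*
"""


def is_loopback_only(host: str) -> bool:
    """True when a bound address is reachable only from the device itself."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    if host in ("", "*"):                      # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparseable: treat as exposed


def exposed_listeners(ss_output: str) -> list[tuple[str, str, int]]:
    """Return (proto, address, port) for every listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:                    # not a socket row
            continue
        proto, local = fields[0], fields[4]    # Netid and Local Address:Port
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if not is_loopback_only(host):
            findings.append((proto, host, int(port)))
    return findings


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"inbound-reachable listener: {proto} {host}:{port}")
```

On a real device, feed it the live output of `ss -H -ltnu`; an empty result means no service is listening on a routable interface.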

The Portainer + Xiid joint architecture is built for industrial teams who need both secure connectivity and central management at scale.

Built for industrial operators, system integrators, and ISVs running OT across manufacturing, energy and utilities, defense and government installations, transportation, and other sectors where distributed infrastructure runs continuously.


Containers have become the cornerstone of modern industrial software. Portainer manages them across distributed environments without forcing operations teams to become Kubernetes specialists. Paired with Xiid's secure connectivity, the joint architecture is built for the operational realities of OT at scale.