scope3

The Scope 3 Conundrum: How Sub-Meters and Sensors Help Meet Tightening Carbon Rules Without Breaking OT Security

Inkwelldata

21 Jan 2026 • 5 min read

Industrial companies are caught between two forces that are moving at speed—and in opposite directions. Scope 3 carbon reporting requirements are becoming more stringent, while operational technology security expectations are tightening just as quickly. Together, they create a genuine conundrum.

            Relying on estimates is no longer acceptable. Opening up OT environments indiscriminately is no longer permissible.
        

This tension is now the single most common reason Scope 3 programmes stall. What is emerging instead is a more pragmatic and defensible approach: start with low-risk measurement, govern data as it leaves OT, and expand carefully into action only as confidence and trust are established.

Why Scope 3 Can No Longer Rely on Estimates

Under CSRD and ESRS E1, the regulatory direction is explicit. Where feasible, organisations are expected to move away from averages and emissions factors towards primary, auditable data. As assurance requirements progress from limited to reasonable, Scope 3 data increasingly resembles financial data: it must be traceable, repeatable, and defensible.

For manufacturers, this has a clear implication. Energy and resource consumption inside factories—electricity, water, heating, ventilation, and cooling—can no longer be approximated. These activities must be measured, not inferred.

Why Traditional OT APIs Are Now the Wrong Starting Point

The instinctive response is to connect enterprise platforms directly to OT systems and pull data through traditional APIs. Increasingly, this is precisely the wrong approach.

National OT security guidance—including the NSA principles published in December—sets out a consistent position:

OT Security Principles

OT environments should push data out, not allow external systems to pull data in

Persistent inbound connectivity expands attack surface

Consequential actions must retain human-in-the-loop accountability

NIS2 reinforces these expectations, and insurers are now enforcing them in practice. Architectures that rely on multiple inbound APIs into OT systems are being flagged as high risk, with consequences ranging from higher premiums to reduced coverage.

            As a result, many Scope 3 initiatives are blocked not by lack of ambition, but by legitimate security and risk constraints.
        

Start with Measurement, Not Control

The way through this conundrum is not deeper integration, but better measurement.

Inkwell Data's approach begins with measurement infrastructure that already exists—or can be introduced safely—without touching control systems.

Sub-meters as the safest foundation

Electrical and water sub-meters are a logical starting point because they are measurement devices, not control systems; they are already present in most manufacturing sites; and they are directly relevant to major Scope 3 drivers, including electricity, water, heating, ventilation, and cooling.

For many manufacturers, HVAC-related consumption alone accounts for a significant share of embedded emissions. Sub-metering these loads provides immediate, facility-specific evidence without introducing operational risk.

Sensors for carbon-relevant context

Where additional context is required—thermal processes, combustion, or regulatory carbon reporting—carbon-relevant sensors can be added as read-only signals. These observe physical reality without intervening in it.

The Governing Principle

Observe first, control later—if at all. This creates a low-risk, low-friction entry point into primary data, aligned with both audit and security expectations.

Altior: Governing Data at the OT Boundary

Measurement alone is not sufficient. Data must be moved, secured, and made audit-ready.

Altior is designed specifically for this role. Rather than acting as a generic integration platform, it provides a governance layer for data in transit, built for OT environments.

Altior Capabilities

Enforces push-only data egress from OT by default

Prevents persistent inbound connectivity

Filters and aggregates data at the edge to avoid bandwidth and resilience risks

Applies cryptographic signing and metadata (asset identity, timestamps, quality indicators) to establish data provenance suitable for Reasonable Assurance audits

With Aegis embedded, identity, policy enforcement, and lifecycle security are intrinsic rather than bolted on later.

            This matters because auditors increasingly treat provenance as a technical control, not a narrative explanation.
        

Avoiding the "Data Tax"

Joint guidance on AI and OT integration warns that excessive data aggregation can saturate networks and degrade operational resilience. Raw sensor streams are rarely appropriate for enterprise reporting.

By validating, filtering, and aggregating data at the edge, Altior ensures that only material, reportable information leaves the OT environment. This avoids turning compliance into a performance or security risk, while also reducing cloud ingestion and processing costs.

Expanding Scope 3 Coverage at a Comfortable Pace

Crucially, this approach does not require organisations to solve all of Scope 3 at once.

Once a low-risk data acquisition foundation is in place, companies can expand coverage at the pace they are comfortable with, category by category.

Altior can govern and route data for other Scope 3 areas, including purchased goods and services (supplier-provided operational data), waste generated in operations, upstream and downstream transport, and capital goods and asset lifecycle data.

Each category can be added incrementally, without reopening OT security architecture or creating new point-to-point integrations.

            Data is governed once at source and reused safely across sustainability tools, finance systems, analytics platforms, and audit workflows.
        

From Data to Action—Deliberately and When Ready

Importantly, Altior does not prevent action. It supports bidirectional, action-led capabilities, but only when organisations are ready to take that step.

Rather than forcing automation through direct OT APIs, Altior allows actions to be introduced progressively, policies to define what actions are permitted, where, and under what conditions, and human review and approval to remain central for consequential changes.

This aligns with security guidance that requires human-in-the-loop control, while allowing organisations to move beyond reporting towards optimisation and operational improvement when confidence has been established.

Simplifying the OT–IT and API Landscape

One of the less visible but most valuable benefits of this approach is architectural simplification.

Many organisations today suffer from API sprawl: dozens of bespoke integrations between OT systems, cloud platforms, ESG tools, analytics engines, and enterprise applications. Each adds cost, security review, and long-term maintenance overhead.

By acting as a single governed data and action layer, Altior allows:

OT systems to integrate once

Data to be reused across multiple consumers

New use cases to be enabled without reopening OT security

Over time, this simplifies the OT–IT interface rather than making it more complex.

From Compliance Burden to Confidence and Value

An important side-effect of starting with sub-metering is that it rarely stops at reporting.

Manufacturers frequently uncover ghost loads, abnormal consumption patterns, and inefficiencies—often in the 5–15% range. This creates a clear double win:

Double Win

Sustainability teams obtain audit-grade Scope 3 data. Finance teams gain tangible, near-term cost-reduction opportunities—without changing control systems.

More importantly, organisations build confidence: confidence with auditors, CISOs, insurers, and boards that Scope 3 requirements can be met securely and pragmatically.

A Practical Resolution to a Real Conundrum

Scope 3 can no longer rely on estimates. Equally, it cannot be solved by opening up OT environments through traditional APIs.

Inkwell Data's combined approach—sub-meters and sensors for low-risk measurement, Altior with Aegis embedded for governed data and action—offers a practical resolution to this conundrum.

It allows organisations to start safely, build trust, simplify OT–IT integration, and progressively fulfil Scope 3 requirements without compromising security.

            Increasingly, it is this ability to move at the organisation's own pace, without architectural regret, that determines whether Scope 3 programmes succeed.
        