Dani wants to protect HTTP traffic that is sent from SCADA devices on her network to a cloud-hosted controller. The devices don't natively support an HTTPS connection. What could she do to transparently protect the data?

A TLS-enabled proxy between the devices and server doesn't require anything else to be installed on the devices, which is typically impossible with SCADA devices. That means the VPN connection and the X.509 certificates are unlikely to work. SD-WAN helps to manage external connectivity, not to directly protect traffic in this scenario.