Unless the MAN connects to a WAN port of the MX, and even then, not likely (it doesn't work if you have NO-NAT mode enabled, which you usually would do if you had a MAN connected to the WAN port).

I can tell you what I have done in the past with some extra ideas.  You can configure a Windows/Linux jump host (possibly on the SCADA network).  I'll pretend it's windows to keep the discussion simple.

Configure a firewall rule to only allow access to the jump host, and nothing on SCADA.  Only allow access to the SCADA network from the jump host.

Now users have to RDP to the jump host and then access SCADA.  The RDP session should be encrypted by default.

Next step up, deploy something like the Cisco Duo RDP agent, so that people accessing the jump host have to use MFA before they can get to the SCADA network.

https://duo.com/docs/rdp 

Next step up if you are super anal.  Leave the jump host powered down by default so there is no remote access to SCADA at all.  Also configure the jump host to shutdown automatically after 60 minutes.

Have an approval process to get access to SCADA network.  If the request for access is approved (say for 7am), you power on the jump host at that time.  Remote user gets 60 minutes to complete what is required on their access request, and then access is automatically removed when the jump host shuts down.

Bonus points for enabling auditing on the jump host to make sure all logins are recorded and the IP address they are connecting from.