Secure OT/IT Data Integration Using HiveMQ Edge and Site DMZ

Typical enterprise OT/IT integration using HiveMQ Edge and Site DMZ

System Overview

In industrial environments, securely moving data from OT to IT is not about connecting everything together.

It’s about placing the right components in the right network layers.

Most enterprises deploy HiveMQ in a layered architecture, aligned with the automation pyramid and network zones. This article explains a typical OT/IT integration pattern using HiveMQ Edge and a Site DMZ broker (Level 3.5).

1. OT / Device Layer

At the lowest level, PLCs and field devices generate raw machine data such as:

  • vibration

  • temperature

  • speed

  • status signals

This data is typically exposed via industrial protocols such as OPC UA.

At this stage:

  • Data stays inside the OT network

  • No IT or cloud systems access PLCs directly


2. Edge Integration Layer

HiveMQ Edge runs close to the machines and acts as the OT integration point.

Typical responsibilities of HiveMQ Edge include:

  • Connecting to PLCs via OPC UA

  • Mapping OT data to MQTT topics

  • Filtering, normalizing, and buffering data

  • Publishing data northbound using MQTT

Only selected and structured data leaves the OT layer.

Example topic mapping:
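The mapping itself is not reproduced on this page. The Python below is an added illustration written for this article, not HiveMQ Edge's own configuration format or code, of what the Edge does at this step: an allowlist of OPC UA node IDs mapped to UNS-style MQTT topics, unit normalization, quality filtering, and a bounded store-and-forward buffer for the time the uplink to the Site DMZ broker is down. The node IDs, readings, timestamps and topic names are constructed for the example.

```python
import json
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed sample of what an OPC UA subscription might deliver to the Edge.
# Node IDs, values, timestamps and quality codes are invented for this example.
SAMPLE_READINGS = [
    {"node": "ns=2;s=Line1.Motor.Vibration_mm_s", "value": 2.7,      "quality": "Good", "ts": "2024-05-01T08:00:00Z"},
    {"node": "ns=2;s=Line1.Motor.Temp_F",         "value": 167.0,    "quality": "Good", "ts": "2024-05-01T08:00:00Z"},
    {"node": "ns=2;s=Line1.Conveyor.Speed_rpm",   "value": 1450,     "quality": "Good", "ts": "2024-05-01T08:00:01Z"},
    {"node": "ns=2;s=Line1.Motor.Status",         "value": 1,        "quality": "Bad",  "ts": "2024-05-01T08:00:01Z"},
    {"node": "ns=2;s=Line1.PLC.DebugPassword",    "value": "s3cret", "quality": "Good", "ts": "2024-05-01T08:00:02Z"},
]


@dataclass(frozen=True)
class TagMapping:
    topic: str                              # northbound, UNS-style topic
    unit: str                               # unit after normalization
    normalize: Callable[[object], object]   # unit/shape conversion applied before publishing


def f_to_c(f: object) -> float:
    return round((float(f) - 32.0) * 5.0 / 9.0, 2)


# Allowlist: only nodes listed here ever leave the OT layer. Anything else the
# OPC UA server exposes (here: the PLC.DebugPassword tag) is dropped, not forwarded.
MAPPINGS: Dict[str, TagMapping] = {
    "ns=2;s=Line1.Motor.Vibration_mm_s": TagMapping("plant1/line1/motor/vibration", "mm/s", float),
    "ns=2;s=Line1.Motor.Temp_F":         TagMapping("plant1/line1/motor/temperature", "C", f_to_c),
    "ns=2;s=Line1.Conveyor.Speed_rpm":   TagMapping("plant1/line1/conveyor/speed", "rpm", int),
    "ns=2;s=Line1.Motor.Status":         TagMapping("plant1/line1/motor/status", "",
                                                    lambda v: "running" if v == 1 else "stopped"),
}


def map_reading(reading: dict) -> Optional[Tuple[str, str]]:
    """Return (topic, JSON payload) for an allowlisted, good-quality reading, else None."""
    mapping = MAPPINGS.get(reading["node"])
    if mapping is None or reading.get("quality") != "Good":
        return None
    payload = {"value": mapping.normalize(reading["value"]), "unit": mapping.unit, "ts": reading.get("ts")}
    return mapping.topic, json.dumps(payload, sort_keys=True)


class NorthboundPublisher:
    """Stands in for the Edge's MQTT client: queues messages while the uplink to
    the Site DMZ broker is down and flushes them in order once it is back.
    The bounded queue drops the oldest message when full, so a long outage
    cannot exhaust Edge memory."""

    def __init__(self, max_buffer: int = 1000) -> None:
        self.connected = False
        self.buffer: Deque[Tuple[str, str]] = deque(maxlen=max_buffer)
        self.sent: List[Tuple[str, str]] = []      # what actually went to the broker
        self.overflow = 0                           # messages lost to a full buffer

    def publish(self, topic: str, payload: str) -> None:
        if self.connected:
            self.sent.append((topic, payload))
            return
        if len(self.buffer) == self.buffer.maxlen:
            self.overflow += 1                      # deque discards the oldest entry on append
        self.buffer.append((topic, payload))

    def set_connected(self, up: bool) -> None:
        self.connected = up
        while up and self.buffer:                   # flush oldest first
            self.sent.append(self.buffer.popleft())


def process_readings(readings: List[dict], publisher: NorthboundPublisher) -> Dict[str, int]:
    """Map, filter and hand every reading to the publisher; returns counts."""
    counts = {"forwarded": 0, "filtered": 0}
    for reading in readings:
        mapped = map_reading(reading)
        if mapped is None:
            counts["filtered"] += 1
            continue
        publisher.publish(*mapped)
        counts["forwarded"] += 1
    return counts


if __name__ == "__main__":
    pub = NorthboundPublisher(max_buffer=100)
    print(process_readings(SAMPLE_READINGS, pub))   # uplink down: everything is buffered
    pub.set_connected(True)                          # uplink back: buffer is flushed in order
    for topic, payload in pub.sent:
        print(topic, payload)
```

Two things in this model carry the security point of the section: the allowlist is the only path out of the OT layer, so a tag that is not mapped is never published no matter what the OPC UA server exposes, and the buffer is bounded, so a broker outage degrades into lost old samples rather than an Edge that runs out of memory.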


3. Site DMZ / Level 3.5

A self-hosted HiveMQ broker is deployed at the site level, in the zone often referred to as Level 3.5 or the industrial DMZ: the buffer zone of the Purdue model that sits between the OT levels (0 to 3) and the enterprise IT levels (4 and 5).

Important clarification:

  • HiveMQ does not have a special “DMZ mode”

  • The DMZ is enforced by network architecture, firewalls, and zones: the OT-side firewall permits only the Edge instances to initiate outbound MQTT connections to the broker, the IT-side firewall permits only the IT consumers to reach the broker, and no rule allows traffic from IT into the OT segment

  • The broker simply runs inside that DMZ

  • Network controls should be backed by broker-level controls: TLS on the listeners, client authentication (client certificates are the usual choice for Edge instances), and per-client topic permissions so that each Edge instance can publish only under its own site prefix and IT consumers can only subscribe

This broker acts as:

  • The aggregation point for multiple Edge instances

  • The controlled handover between OT and IT


4. IT / Enterprise Layer

From the Site DMZ broker, data can be consumed by:

  • analytics platforms

  • dashboards

  • AI / ML systems

  • ERP or MES applications

  • cloud services

IT systems subscribe to MQTT topics exposed by the DMZ broker — not to PLCs or Edge devices.
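The handover rule described in sections 3 and 4, Edge instances publishing only under their own prefix and IT consumers subscribing only, can be stated as a per-client topic policy on the DMZ broker. The Python below is an added example written for this article, not HiveMQ's configuration or ACL syntax: a generic default-deny policy check with correct MQTT topic-filter semantics, including the rule that a subscription is only granted when everything it could match is covered by a permitted filter. Client IDs, topics and the one-way northbound assumption (no write-back path) are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed per-client topic permissions for the Site DMZ broker. Client IDs
# and prefixes are invented; the structure is a generic model, not HiveMQ's own
# configuration. Edge instances may publish only under their own site/line
# prefix and cannot subscribe at all (this example assumes a one-way northbound
# flow; a write-back path would need its own explicit rule). IT consumers are
# subscribe-only. Unknown clients and unlisted actions are denied.
POLICY: Dict[str, Dict[str, List[str]]] = {
    "edge-plant1-line1": {"publish": ["plant1/line1/#"], "subscribe": []},
    "edge-plant1-line2": {"publish": ["plant1/line2/#"], "subscribe": []},
    "it-analytics":      {"publish": [], "subscribe": ["plant1/#"]},
    "it-dashboard":      {"publish": [], "subscribe": ["plant1/+/+/status"]},
}

# Constructed requests as the broker would see them in PUBLISH / SUBSCRIBE packets.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("edge-plant1-line1", "publish",   "plant1/line1/motor/temperature"),  # allow: own prefix
    ("edge-plant1-line1", "publish",   "plant1/line2/motor/temperature"),  # deny: another line's prefix
    ("edge-plant1-line1", "subscribe", "plant1/#"),                        # deny: Edge is publish-only
    ("it-analytics",      "subscribe", "plant1/line1/#"),                  # allow: inside plant1/#
    ("it-analytics",      "subscribe", "#"),                               # deny: broader than permitted
    ("it-analytics",      "publish",   "plant1/line1/motor/setpoint"),     # deny: IT is read-only
    ("it-dashboard",      "subscribe", "plant1/+/+/status"),               # allow: exactly the permitted filter
    ("it-dashboard",      "subscribe", "plant1/line1/motor/temperature"),  # deny: not a status topic
    ("unknown-client",    "subscribe", "plant1/#"),                        # deny: not in the policy
]


def filter_covers(permitted: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `permitted`.
    With a concrete topic name as `requested` this is plain MQTT topic-filter
    matching: '+' matches exactly one level, '#' matches all remaining levels and
    must be last. A permitted filter that starts with a wildcard never covers
    '$'-prefixed topics such as $SYS, as the MQTT specification requires."""
    if requested.startswith("$") and permitted[:1] in ("+", "#"):
        return False
    p = permitted.split("/")
    r = requested.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1            # '#' covers zero or more remaining levels
        if i >= len(r) or r[i] == "#":
            return False                      # requested reaches further than permitted here
        if level != "+" and level != r[i]:
            return False                      # '+' covers any single level, including '+'
    return len(p) == len(r)


def authorize(client_id: str, action: str, topic: str) -> bool:
    """Default-deny decision for one PUBLISH topic name or SUBSCRIBE topic filter."""
    rules = POLICY.get(client_id)
    if rules is None or action not in ("publish", "subscribe"):
        return False
    if action == "publish" and ("+" in topic or "#" in topic):
        return False                          # wildcards are not allowed in a PUBLISH topic name
    return any(filter_covers(permitted, topic) for permitted in rules[action])


def evaluate(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Decide a batch of (client, action, topic) requests."""
    return [(c, a, t, authorize(c, a, t)) for c, a, t in requests]


if __name__ == "__main__":
    for client, action, topic, ok in evaluate(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if ok else 'DENY':5} {client:18} {action:9} {topic}")
```

The subscribe check is the part most often got wrong in hand-written ACLs: a consumer permitted `plant1/#` must still be refused a subscription to `#`, because that filter would also deliver every other site's data and the broker's own topics.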


Key Security Principle

OT never connects directly to IT. The Site DMZ broker is the single, controlled handover point.

This approach:

✅ Preserves OT isolation

✅ Scales across sites and factories

✅ Aligns with UNS and enterprise security practices


Summary

HiveMQ Edge and a Site DMZ broker form a clean and secure OT/IT integration pattern:

  • Edge handles OT complexity

  • The DMZ broker enforces architectural separation

  • IT systems consume data without exposing the OT network

This layered approach mirrors how most enterprises deploy HiveMQ within their UNS and IIoT strategies.


♥️ Work With Me

I regularly test industrial automation and IIoT devices. If you’d like me to review your product or showcase it in my courses and YouTube channel:

📧 Email: [email protected] or drop me a message on LinkedIn
