# Secure OT/IT Data Integration Using HiveMQ Edge and Site DMZ

## System Overview

In industrial environments, securely moving data from OT to IT is not about connecting everything together.

> It’s about **placing the right components in the right network layers**.

Most enterprises deploy HiveMQ in a **layered architecture**, aligned with the automation pyramid and network zones. This article explains a typical OT/IT integration pattern using **HiveMQ Edge** and a **Site DMZ broker (Level 3.5)**.


### 1.  OT / Device Layer

At the lowest level, PLCs and field devices generate raw machine data such as:

* vibration
* temperature
* speed
* status signals

This data is typically exposed via industrial protocols such as **OPC UA**.

At this stage:

* Data stays inside the OT network
* No IT or cloud systems access PLCs directly

***

### 2.  Edge Integration Layer

**HiveMQ Edge** runs close to the machines and acts as the OT integration point.

Typical responsibilities of HiveMQ Edge include:

* Connecting to PLCs via OPC UA
* Mapping OT data to MQTT topics
* Filtering, normalizing, and buffering data
* Publishing data northbound using MQTT

Only selected and structured data leaves the OT layer.

Example topic mapping:

```
OPC UA Node   →   MQTT Topic
PLC vibration →   machine/s71500/vibration
```
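As an added illustration of the "map, filter, normalize" step (example code written for this article, not code from HiveMQ Edge, whose OPC UA adapters and MQTT bridges are configured rather than hand-coded), the following Python models the gate an Edge node applies before anything is published northbound. The OPC UA node ids, the `s71500` topic namespace and the sample batch are constructed for the example; the point it shows is that an unmapped node never produces a message, and that the allowed topic namespace is checked independently of the mapping table.

```python
import json
import re
from datetime import datetime, timezone

# Constructed mapping table (an assumption, not HiveMQ Edge's own config format):
# OPC UA node id -> (MQTT topic, engineering unit).
TOPIC_MAP = {
    'ns=3;s="DB1"."Vibration"': ("machine/s71500/vibration", "mm/s"),
    'ns=3;s="DB1"."Temperature"': ("machine/s71500/temperature", "degC"),
    'ns=3;s="DB1"."Speed"': ("machine/s71500/speed", "rpm"),
    'ns=3;s="DB1"."Running"': ("machine/s71500/status", None),
}

# Only topics in the agreed namespace may leave OT, whatever the table says.
NORTHBOUND_ALLOW = re.compile(r"^machine/[a-z0-9]+/[a-z0-9_]+$")

def normalize(node_id, value, ts):
    """Map one raw OPC UA sample to (topic, JSON payload); None if the node is not exposed."""
    entry = TOPIC_MAP.get(node_id)
    if entry is None:
        return None  # unmapped node: the value stays inside OT
    topic, unit = entry
    if not NORTHBOUND_ALLOW.match(topic):
        return None  # mapping points outside the allowed namespace: refuse
    payload = {"value": value, "ts": ts.isoformat(), "source": "s71500"}
    if unit:
        payload["unit"] = unit
    return topic, json.dumps(payload, sort_keys=True)

def northbound(samples):
    """Gate a batch of (node_id, value, ts) samples; returns (messages, dropped node ids)."""
    messages, dropped = [], []
    for node_id, value, ts in samples:
        msg = normalize(node_id, value, ts)
        if msg is None:
            dropped.append(node_id)
        else:
            messages.append(msg)
    return messages, dropped

# Constructed batch: the third node is deliberately not in TOPIC_MAP.
_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_BATCH = [
    ('ns=3;s="DB1"."Vibration"', 2.7, _T0),
    ('ns=3;s="DB1"."Running"', True, _T0),
    ('ns=3;s="DB1"."Recipe"', "batch-42", _T0),
]

if __name__ == "__main__":
    print(northbound(SAMPLE_BATCH))
```

In a real deployment the same gate is the adapter-to-topic mapping you configure on HiveMQ Edge; modelling it in code makes it easy to review which nodes can ever reach the DMZ broker.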

***

### 3.  Site DMZ / Level 3.5

A **self-hosted HiveMQ broker** is deployed at the site level, often referred to as **Level 3.5** or the **DMZ**.

Important clarification:

* HiveMQ does not have a special “DMZ mode”
* The DMZ is enforced by **network architecture**, firewalls, and zones
* The broker simply runs **inside** that DMZ

This broker acts as:

* The aggregation point for multiple Edge instances
* The controlled handover between OT and IT

***

### 4.  IT / Enterprise Layer

From the Site DMZ broker, data can be consumed by:

* analytics platforms
* dashboards
* AI / ML systems
* ERP or MES applications
* cloud services

IT systems subscribe to MQTT topics exposed by the DMZ broker — **not** to PLCs or Edge devices.

***

### Key Security Principle

> **OT never connects directly to IT.**\
> The Site DMZ broker is the single, controlled handover point.

This approach:

✅ Preserves OT isolation\
✅ Scales across sites and factories\
✅ Aligns with UNS and enterprise security practices

***

## Summary

HiveMQ Edge and a Site DMZ broker form a clean and secure OT/IT integration pattern:

* Edge handles OT complexity
* The DMZ broker enforces architectural separation
* IT systems consume data without exposing the OT network

This layered approach mirrors how most enterprises deploy HiveMQ within their UNS and IIoT strategies.

***

## ♥️ Work With Me

I regularly test **industrial automation and IIoT devices**. If you’d like me to **review your product** or showcase it in my courses and YouTube channel:

📧 Email: <rajvir@codeandcompile.com> or drop me a message on [LinkedIn](https://www.linkedin.com/in/singhrajvir/)

