# Secure OT/IT Data Integration Using HiveMQ Edge and Site DMZ

## System Overview

In industrial environments, securely moving data from OT to IT is not about connecting everything together.

> It’s about **placing the right components in the right network layers**.

Most enterprises deploy HiveMQ in a **layered architecture**, aligned with the automation pyramid and network zones. This article explains a typical OT/IT integration pattern using **HiveMQ Edge** and a **Site DMZ broker (Level 3.5)**.

<figure><img src="https://1831238825-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLd2M9UNfMTnw9DjDdZJz%2Fuploads%2F1JWUp0sPdGD7V08nruA3%2F1080x1350.gif?alt=media&#x26;token=7237bd28-3c48-4e0e-8f47-7070c1bdb841" alt=""><figcaption></figcaption></figure>

### 1. OT / Device Layer

At the lowest level, PLCs and field devices generate raw machine data such as:

* vibration
* temperature
* speed
* status signals

This data is typically exposed via industrial protocols such as **OPC UA**.

At this stage:

* Data stays inside the OT network
* No IT or cloud systems access PLCs directly

***

### 2. Edge Integration Layer

**HiveMQ Edge** runs close to the machines and acts as the OT integration point.

Typical responsibilities of HiveMQ Edge include:

* Connecting to PLCs via OPC UA
* Mapping OT data to MQTT topics
* Filtering, normalizing, and buffering data
* Publishing data northbound using MQTT

Only selected and structured data leaves the OT layer.

Example topic mapping:

```
OPC UA Node   →   MQTT Topic
PLC vibration →   machine/s71500/vibration
```
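To make the mapping above concrete, here is an added Python illustration of the three Edge-layer jobs the list names: mapping an allowlisted OPC UA node to its MQTT topic, normalizing the reading into a payload with a unit, and buffering mapped messages in a bounded queue until the northbound broker accepts them. This is not HiveMQ Edge's own code; the node ids, scale factors and sample readings are constructed. Anything not on the allowlist is dropped, which is the mechanism behind "only selected and structured data leaves the OT layer".

```python
"""Edge-layer OT-to-MQTT mapping: allowlist, topic mapping, normalization, buffering.

Added illustration of the responsibilities listed for HiveMQ Edge above; this
is not HiveMQ Edge's own code. Node ids, scale factors and readings are
constructed sample values.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    topic: str    # MQTT topic the reading is published to
    unit: str     # unit of the normalized value
    scale: float  # raw OPC UA value * scale = value in `unit`


# Allowlist: only these OPC UA nodes may leave the OT layer (constructed).
NODE_MAP = {
    "ns=3;s=Line1.S71500.Vibration":   Mapping("machine/s71500/vibration", "mm/s", 0.001),
    "ns=3;s=Line1.S71500.Temperature": Mapping("machine/s71500/temperature", "degC", 0.1),
    "ns=3;s=Line1.S71500.Speed":       Mapping("machine/s71500/speed", "rpm", 1.0),
}


def map_node(node_id, raw_value, timestamp):
    """Return (topic, payload) for an allowlisted numeric reading, else None."""
    mapping = NODE_MAP.get(node_id)
    if mapping is None:
        return None  # not allowlisted: the reading stays inside the OT network
    if isinstance(raw_value, bool) or not isinstance(raw_value, (int, float)):
        return None  # malformed reading: drop rather than forward it northbound
    payload = {
        "value": round(raw_value * mapping.scale, 3),
        "unit": mapping.unit,
        "ts": timestamp,
        "source": node_id,
    }
    return mapping.topic, payload


def process_batch(readings):
    """Map a batch of (node_id, raw_value, ts); returns (mapped list, dropped count)."""
    mapped, dropped = [], 0
    for node_id, raw_value, ts in readings:
        result = map_node(node_id, raw_value, ts)
        if result is None:
            dropped += 1
        else:
            mapped.append(result)
    return mapped, dropped


class NorthboundBuffer:
    """Bounded store-and-forward queue for messages awaiting the DMZ broker.

    Keeps the newest `capacity` messages, so a long link outage never grows
    memory without limit; evictions are counted so they can be monitored.
    """

    def __init__(self, capacity):
        self._queue = deque(maxlen=capacity)
        self.evicted = 0

    def push(self, message):
        if len(self._queue) == self._queue.maxlen:
            self.evicted += 1  # deque drops the oldest entry on append
        self._queue.append(message)

    def flush(self, publish):
        """Call publish(topic, payload) for each buffered message; returns count sent."""
        sent = 0
        while self._queue:
            topic, payload = self._queue.popleft()
            publish(topic, payload)
            sent += 1
        return sent


# Constructed sample batch: three allowlisted readings, one internal diagnostic
# node that must not leave OT, and one corrupt value.
SAMPLE_READINGS = [
    ("ns=3;s=Line1.S71500.Vibration",    2345,   "2024-05-01T08:00:00Z"),  # raw in um/s
    ("ns=3;s=Line1.S71500.Temperature",  615,    "2024-05-01T08:00:00Z"),  # raw in 0.1 degC
    ("ns=3;s=Line1.S71500.Speed",        1480.0, "2024-05-01T08:00:00Z"),
    ("ns=3;s=Line1.S71500.InternalDiag", 42,     "2024-05-01T08:00:00Z"),
    ("ns=3;s=Line1.S71500.Vibration",    "ERR",  "2024-05-01T08:00:01Z"),
]

if __name__ == "__main__":
    mapped, dropped = process_batch(SAMPLE_READINGS)
    buffer = NorthboundBuffer(capacity=1000)
    for message in mapped:
        buffer.push(message)
    sent = buffer.flush(lambda topic, payload: print(topic, payload))
    print(f"sent={sent} dropped={dropped}")
```

The allowlist is the security control here: a new OPC UA node is invisible northbound until someone deliberately adds a mapping for it, and the eviction counter on the buffer gives operations a signal when the link to the DMZ broker has been down long enough to lose data.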

***

### 3. Site DMZ / Level 3.5

A **self-hosted HiveMQ broker** is deployed at the site level, often referred to as **Level 3.5** or the **DMZ**.

Important clarification:

* HiveMQ does not have a special “DMZ mode”
* The DMZ is enforced by **network architecture**, firewalls, and zones
* The broker simply runs **inside** that DMZ

This broker acts as:

* The aggregation point for multiple Edge instances
* The controlled handover between OT and IT

***

### 4. IT / Enterprise Layer

From the Site DMZ broker, data can be consumed by:

* analytics platforms
* dashboards
* AI / ML systems
* ERP or MES applications
* cloud services

IT systems subscribe to MQTT topics exposed by the DMZ broker — **not** to PLCs or Edge devices.
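The handover rule of sections 3 and 4 can be stated as a topic-level authorization policy on the DMZ broker: Edge clients may only publish into their own machine namespace, IT consumers may only subscribe within the namespace the broker exposes, and every other request is denied. A real broker enforces this in its own authorization layer (HiveMQ does so through its extension and security tooling); the Python below is an added stand-alone model of that policy, not HiveMQ code, and the client ids, roles and topics are constructed. It also includes the MQTT wildcard matching needed to reject subscriptions such as `#` that would widen a consumer's view beyond what it was granted.

```python
"""Topic-level authorization model for the Site DMZ broker.

Added example for the OT/IT handover rule: Edge clients publish only into
their own machine namespace, IT consumers subscribe only under the exposed
namespace, everything else is denied. Not HiveMQ code; clients, roles and
topics are constructed.
"""
from dataclasses import dataclass


def topic_matches(topic_filter, topic):
    """True if a concrete topic matches an MQTT filter using the + and # wildcards."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True          # multi-level wildcard covers the rest
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_within(sub_filter, allowed_filter):
    """True if every topic matched by sub_filter is also matched by allowed_filter.

    This is what stops a client from using '#' or '+' to see more than the
    namespace it was granted.
    """
    s_levels = sub_filter.split("/")
    a_levels = allowed_filter.split("/")
    for i, a in enumerate(a_levels):
        if a == "#":
            return True          # everything below this level is permitted
        if i >= len(s_levels):
            return False         # sub_filter is shorter: it would match a parent topic
        s = s_levels[i]
        if s == "#":
            return False         # sub_filter reaches deeper than allowed
        if a == "+":
            continue             # any single level, literal or '+', fits here
        if s != a:
            return False         # '+' or a different literal where a literal is required
    return len(s_levels) == len(a_levels)


@dataclass(frozen=True)
class Client:
    client_id: str
    role: str                            # "edge" publishes northbound, "it-consumer" reads
    machines: frozenset = frozenset()    # machine ids an edge client may publish for


EXPOSED_NAMESPACE = "machine/#"   # what the DMZ broker offers to the IT layer


def authorize(client, action, topic):
    """Decide an MQTT publish/subscribe request; anything not explicitly allowed is denied."""
    if action == "publish":
        if "+" in topic or "#" in topic:
            return False      # wildcards are never valid in a publish topic
        if client.role != "edge":
            return False      # IT never writes toward OT through the broker
        return any(topic_matches(f"machine/{m}/#", topic) for m in client.machines)
    if action == "subscribe":
        if client.role != "it-consumer":
            return False      # Edge clients only publish in this model
        return filter_within(topic, EXPOSED_NAMESPACE)
    return False


# Constructed clients and requests, each with the expected decision.
EDGE_LINE1 = Client("edge-line1", "edge", frozenset({"s71500"}))
ANALYTICS = Client("analytics-01", "it-consumer")

SAMPLE_REQUESTS = [
    (EDGE_LINE1, "publish",   "machine/s71500/vibration"),  # allow: own machine
    (EDGE_LINE1, "publish",   "machine/s71200/vibration"),  # deny: another edge's machine
    (EDGE_LINE1, "subscribe", "machine/#"),                 # deny: edge is publish-only
    (ANALYTICS,  "subscribe", "machine/+/vibration"),       # allow: inside exposed namespace
    (ANALYTICS,  "subscribe", "#"),                         # deny: wider than exposed namespace
    (ANALYTICS,  "publish",   "machine/s71500/setpoint"),   # deny: IT never writes toward OT
]


def decide_all(requests=SAMPLE_REQUESTS):
    """Evaluate every request; returns the list of allow (True) / deny (False) decisions."""
    return [authorize(client, action, topic) for client, action, topic in requests]


if __name__ == "__main__":
    for (client, action, topic), ok in zip(SAMPLE_REQUESTS, decide_all()):
        print(f"{'ALLOW' if ok else 'DENY ':5} {client.client_id:12} {action:9} {topic}")
```

Two design points carry the security value: the default branch denies, so a new role or action has no access until a rule grants it, and subscriptions are checked by containment (`filter_within`) rather than by matching a single topic, because a consumer's filter is itself a pattern and must be proven not to reach outside the exposed namespace.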

***

### Key Security Principle

> **OT never connects directly to IT.**\
> The Site DMZ broker is the single, controlled handover point.

This approach:

✅ Preserves OT isolation\
✅ Scales across sites and factories\
✅ Aligns with UNS (Unified Namespace) and enterprise security practices

***

## Summary

HiveMQ Edge and a Site DMZ broker form a clean and secure OT/IT integration pattern:

* Edge handles OT complexity
* The DMZ broker enforces architectural separation
* IT systems consume data without exposing the OT network

This layered approach mirrors how most enterprises deploy HiveMQ within their UNS and IIoT strategies.

***

## ♥️ Work With Me

I regularly test **industrial automation and IIoT devices**. If you’d like me to **review your product** or showcase it in my courses and YouTube channel:

📧 Email: <rajvir@codeandcompile.com> or drop me a message on [LinkedIn](https://www.linkedin.com/in/singhrajvir/)
