OT/IT Integration · ISA/IEC 62443 · Edge AI · Zero-Trust OT
MY WORKS
A selection of industrial systems architecture, IIoT transformation,
security design, and AI integration projects. Each one built to last.
01
IIoT Digital Transformation
Specialty Materials Site — Full OT/IT Integration
IIoT · OPC UA · MQTT · ISA-62443
02
Architecture & Diagrams
Purdue Model · 10 Interactive Architecture Diagrams
Architecture · Purdue · AI Pipeline
03
Cloud & Edge Infrastructure
Multi-cloud, Edge Computing, HA Architectures
Cloud · Edge
Coming Soon
04
Zero-Trust OT Security
Industrial Cybersecurity, NIST SP 800-82r3
Security · Zero-Trust
Coming Soon
05
Edge AI & Anomaly Detection
Isolation Forest · Real-time ML Pipelines
AI/ML · Python
Coming Soon
06
DevOps & CI/CD for OT
GitOps, Infrastructure as Code, OT Patching
DevOps · IaC
Coming Soon
07
HMI & Operator UX Design
Alarm Management, Situational Awareness
UX · HMI
Coming Soon
About Me
INDUSTRIAL SYSTEMS THINKING
I design and build IIoT architectures that bridge the gap between operational
technology and enterprise IT — respecting the real-time constraints of the
control plane while unlocking the analytical value of industrial data.
My work spans ISA/IEC 62443 security design, OPC UA/MQTT integration,
edge AI deployment, and resilience engineering across brownfield and
greenfield industrial environments.
Full OT/IT integration of a specialty materials manufacturing site —
6 buildings, 5 protocol families, ISA/IEC 62443 security, and edge AI
anomaly detection. Zero unplanned downtime during migration.
A specialty materials blending and packaging facility comprising six distinct
operational zones — each with unique protocol landscapes, ranging from
1990s-era Profibus DP to modern OPC UA-capable Profinet PLCs.
A
Blending Hall (Brownfield)
Batch tanks, agitators, pumping skids. Legacy Siemens S7 PLCs on Profibus DP/serial with zero northbound data normalisation.
B
Packaging Hall (Mixed)
Legacy drum/IBC lines on EtherNet/IP plus a new high-speed pouch line with Profinet and OPC UA-capable PLC.
C
Utilities
Compressors, boilers, chillers, WFI/CIP skids, and power metering communicating over Modbus RTU.
D
Warehouse & Shipping (Greenfield)
WMS-connected conveyors, scan tunnels, industrial Wi-Fi/5G, and AGV/AMR fleet.
R
Remote Sites (Tank Farm + Wastewater)
1–3 km distant. Custody/level/overfill monitoring, truck loading, and compliance logging over unreliable WAN links.
PRE
Pre-Transformation Reality
06:00
Paper Logbook Handover
Shift supervisor transcribes tank levels and batch counts from memory and HMI sticky notes into a paper logbook. Incoming shift debriefs verbally.
08:30
Batch Traceability Failure
Customer quality complaint requires cross-referencing three disconnected systems. One accessible only from a dedicated control-room workstation. Hours wasted.
11:15
Pump Failure — Manual Response
Transfer pump trips. Maintenance technician located by operator physically walking the floor. No remote data access. Paper maintenance history consulted.
16:30
Stale Remote SCADA Displays
WAN link to tank farm drops. SCADA displays go stale. Operator radios the remote site for custody tank levels. No reliable fallback data path.
Control stays local. IIoT never closes safety loops. Analytics traffic must never touch the control plane.
Profibus, Modbus RTU, EtherNet/IP, Profinet, and serial — all isolated, none speaking a common language northbound.
02 📋 Manual Data Flows
Critical operational data captured on paper, transcribed by hand, transferred verbally. Zero auditability, high error rate.
03 📡 Silent WAN Data Loss
Remote site WAN outages silently drop historian records. SCADA displays go stale. No buffering, no store-and-forward.
04 🔓 Flat OT Network
No OT/IT segmentation. Legacy protocols with no authentication (Modbus) routed across shared segments. Unlimited lateral movement.
05 🔍 Reactive Maintenance
No continuous monitoring. Failures detected only when equipment stops. No anomaly detection, no early-warning capability.
Solution Design
SIX ARCHITECTURE PRINCIPLES
01
Control Stays Local
IIoT never closes safety/critical loops. All hard real-time and safety logic remains in PLC/SIS domains. IIoT pipelines are explicitly non-authoritative for control outputs.
02
Explicit OT DMZ
All OT↔IT data movement forced through an OT DMZ. NIST SP 800-82r3 recommends DMZ separation to prevent pivot attacks from IT into OT without detection.
03
Protocol Normalisation at Edge
Brownfield protocols terminated at gateways and normalised to OPC UA and MQTT Sparkplug. Applications bind to the normalised namespace, not legacy buses.
04
Historian HA + Store-and-Forward
HA historian collectives and edge buffering ensure transient WAN outages do not silently drop data. Remote sites have autonomous buffering with replay on reconnect.
05
Open-Source Proven Stack
Eclipse Mosquitto, Node-RED, PostgreSQL, OpenSSL, Ignition, Kepware — production-proven, no proprietary lock-in on data-plane functions.
06
Phased & Reversible Migration
Each phase yields measurable KPIs and can be rolled back without stranding production on partially migrated dependencies.
EXPLORE THE FULL ARCHITECTURE
10 interactive architecture diagrams — from the Purdue-aligned zonal topology
to the AI anomaly detection pipeline and migration roadmap.
Ten architecture diagrams covering the full IIoT stack: OT/IT zonal topology,
data flow planes, UNS design, security architecture, AI pipeline, and
the phased migration roadmap with NPV analysis.
Data Architecture
THREE-LAYER DATA FLOW
Layer 0–2
CONTROL PLANE
PLCs, RTUs, safety systems, local HMIs. All hard real-time and safety decisions remain here. IIoT has read-only access through approved subscription/poll interfaces.
Siemens S7 · Schneider M580 · SIS
Layer 3
EDGE DATA PLANE
Protocol gateways, OPC UA aggregation, MQTT broker (UNS), edge rules engine, historian buffer. All processing under OT governance.
Node-RED · Mosquitto · Kepware
Layer 4–5
ENTERPRISE PLANE
Historian archive, OEE/production context service, MES/MOM, ERP, data lake, analytics/ML. Separated from OT by the DMZ via API gateway.
PI Historian · Azure/AWS · SAP
Cybersecurity
THREAT MODEL & SECURITY CONTROLS
Five primary attack vectors identified through structured threat modelling
aligned with ISA/IEC 62443 and NIST SP 800-82r3.
🎯 DMZ Pivot
Attacker compromises DMZ service, moves laterally into OT without detection.
🔑 Remote Access Abuse
Vendor VPNs with shared always-on credentials, no MFA, unmanaged jump paths.
📡 Protocol Abuse
Unauthenticated Modbus transported over routable segments — zero authentication, zero encryption.
🦟 Lateral Movement
Flat OT network, single compromised credential enables unrestricted movement to any asset.
Control             Mechanism                              Standard
Zone Segmentation   VLANs + dual firewall HA pairs         ISA-62443
MQTT mTLS           Client cert + bcrypt password + CA     NIST 800-82
OPC UA Security     SignAndEncrypt mode, cert pinning      IEC 62541
Jump Host + MFA     PAW in OT DMZ, PAM vault               Zero-Trust
SIEM + Log Fwd      Syslog → DMZ collector → SIEM          NIST 800-82
Patch Management    WSUS mirror in DMZ, offline staging    ISA-62443
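The "MQTT mTLS" row combines three things on the broker: a CA-issued client certificate, a password-file login and TLS on the listener. The script below, an added example written for this page (not a tool from the site or from the Mosquitto project), parses a Mosquitto listener block and reports which of those settings are missing. Both configurations are constructed; the certificate and password-file paths are illustrative, and the directive names (listener, cafile, certfile, keyfile, require_certificate, use_identity_as_username, password_file, allow_anonymous, tls_version) are standard Mosquitto directives.

```python
"""Audit a Mosquitto listener block against the 'MQTT mTLS' control:
client certificate + password file + CA-backed TLS."""

# Constructed: plaintext listener with anonymous access, the flat-network
# default the pre-transformation section describes.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

# Constructed: TLS listener that requires a CA-issued client certificate and a
# password-file login (mosquitto_passwd writes bcrypt-style hashes there).
# With use_identity_as_username false, the certificate does not replace the
# password, so both factors are checked.
HARDENED_CONF = """\
listener 8883
cafile /etc/mosquitto/ca/ot-root-ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username false
password_file /etc/mosquitto/passwd
allow_anonymous false
"""

TLS_FILES = ("cafile", "certfile", "keyfile")


def parse_mosquitto_conf(text):
    """Map each 'directive value' line to a dict; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def audit_listener(conf):
    """Return finding codes for one listener; an empty list means the control is met."""
    findings = []
    if conf.get("allow_anonymous") != "false":
        findings.append("ANON")             # anonymous access not explicitly disabled
    if not all(key in conf for key in TLS_FILES):
        findings.append("NO_TLS")           # no CA/cert/key, so the listener is plaintext
    if conf.get("require_certificate") != "true":
        findings.append("NO_CLIENT_CERT")   # server-only TLS: clients present no identity
    if "password_file" not in conf:
        findings.append("NO_PASSWORD_FILE") # no second factor behind the certificate
    if conf.get("tls_version") in ("tlsv1", "tlsv1.1"):
        findings.append("WEAK_TLS_VERSION")
    return findings


def audit(text):
    """Convenience wrapper: parse then audit a single listener block."""
    return audit_listener(parse_mosquitto_conf(text))


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The check is deliberately conservative: a listener that does not set allow_anonymous to false is reported rather than assumed safe, and a listener without cafile/certfile/keyfile is reported as both NO_TLS and NO_CLIENT_CERT, since without TLS there is no client certificate to require.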
AI Integration
EDGE AI ANOMALY DETECTION
Heterogeneous industrial data — energy, temperature, flow rates — require
per-type Isolation Forest models. A single unified model performs poorly;
individual models averaged 92% detection accuracy on one week
of training data (604,800 samples per sensor).
AI models operate in advisory and alerting modes only — they
do not close control loops. Edge AI provides real-time alerts.
Cloud AI provides trend analysis and model retraining.
Data Type            Model Accuracy   Samples
Energy Consumption   94%              604,800
Temperature          91%              604,800
Humidity             90%              604,800
Flow Rates           93%              604,800
# Algorithm 1 — Real-Time Anomaly Detection
# `scaler`, `models`, `query_latest`, `segment_by_type` and `publish_alerts`
# are module-level objects provided by the edge pipeline: one fitted
# MinMaxScaler, a dict of per-type Isolation Forest models fitted offline,
# and the database/MQTT helpers.

def detect_anomalies(area_id, db_conn):
    # 1. Retrieve latest heterogeneous data
    data = query_latest(db_conn, area_id)
    # 2. Apply MinMaxScaler per data type
    scaled = scaler.transform(data)
    # 3. Segment by data type
    segments = segment_by_type(scaled)
    # 4. Run per-type Isolation Forest
    results = {}
    for dtype, segment in segments.items():
        model = models[dtype]
        scores = model.decision_function(segment)   # lower score = more anomalous
        anomalies = model.predict(segment)          # -1 = anomaly, 1 = normal
        results[dtype] = {
            "scores": scores,
            "anomalies": anomalies == -1,
        }
    # 5. Publish alerts to MQTT UNS
    publish_alerts(results, area_id)
    return results
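The following is an added, self-contained example of the per-type scheme that Algorithm 1 assumes; it is not the site's pipeline and it does not use scikit-learn. The univariate isolation forest and the min/max scaler are small re-implementations written for this page, the "one week" baselines are constructed Gaussian readings (200 points per type rather than 604,800), and the 120 °C temperature reading is a planted anomaly. Each data type gets its own scaler, model and alert threshold, which is why an out-of-range temperature is flagged without the flow model being disturbed.

```python
"""Per-type Isolation Forest scoring in the shape of Algorithm 1 (added example)."""
import math
import random


def c_factor(n):
    """Average path length of an unsuccessful BST search on n points (iForest normaliser)."""
    if n <= 1:
        return 0.0
    harmonic = sum(1.0 / i for i in range(1, n))
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def build_tree(values, depth, max_depth, rng):
    """Split on a random threshold until a point is isolated or the depth cap is hit."""
    if len(values) <= 1 or depth >= max_depth or min(values) == max(values):
        return ("leaf", len(values))
    split = rng.uniform(min(values), max(values))
    left = [v for v in values if v < split]
    right = [v for v in values if v >= split]
    return ("node", split,
            build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))


def path_length(tree, x, depth=0):
    """Depth of the leaf x falls into, plus the normaliser for leaves that were not resolved."""
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    _, split, left, right = tree
    return path_length(left if x < split else right, x, depth + 1)


class IsolationForest1D:
    """Minimal univariate isolation forest; a score near 1 means isolated quickly, i.e. anomalous."""

    def __init__(self, n_trees=200, sample_size=64, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed

    def fit(self, values):
        rng = random.Random(self.seed)
        n = min(self.sample_size, len(values))
        depth_cap = 2 * math.ceil(math.log2(n))
        self.trees = [build_tree(rng.sample(values, n), 0, depth_cap, rng)
                      for _ in range(self.n_trees)]
        self.c_n = c_factor(n)
        return self

    def score(self, x):
        mean_path = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_path / self.c_n)


class MinMaxScaler1D:
    """Per-type min/max scaling so a 1 °C step and a 1 L/min step are not conflated."""

    def fit(self, values):
        self.lo, self.hi = min(values), max(values)
        return self

    def transform(self, values):
        span = (self.hi - self.lo) or 1.0
        return [(v - self.lo) / span for v in values]


def train_per_type(training, contamination=0.05):
    """One scaler, model and alert threshold per data type. The threshold is the score
    that only the top `contamination` share of the training baseline exceeds."""
    fitted = {}
    for dtype, values in training.items():
        scaler = MinMaxScaler1D().fit(values)
        model = IsolationForest1D().fit(scaler.transform(values))
        scores = sorted(model.score(x) for x in scaler.transform(values))
        threshold = scores[int((1.0 - contamination) * len(scores))]
        fitted[dtype] = (scaler, model, threshold)
    return fitted


def detect_anomalies(fitted, latest):
    """Step 4 of Algorithm 1: scale, score and flag each data type with its own model."""
    results = {}
    for dtype, values in latest.items():
        scaler, model, threshold = fitted[dtype]
        scores = [model.score(x) for x in scaler.transform(values)]
        results[dtype] = {"scores": [round(s, 3) for s in scores],
                          "anomalies": [s > threshold for s in scores]}
    return results


def make_training(seed=1):
    """Constructed baselines: steady temperature and flow readings with Gaussian noise."""
    rng = random.Random(seed)
    return {"temperature": [rng.gauss(80.0, 2.0) for _ in range(200)],
            "flow": [rng.gauss(12.0, 1.0) for _ in range(200)]}


# Constructed 'latest' readings; the 120 °C temperature reading is the planted anomaly.
LATEST = {"temperature": [80.5, 79.8, 120.0], "flow": [12.1, 11.9, 12.3]}

if __name__ == "__main__":
    for dtype, result in detect_anomalies(train_per_type(make_training()), LATEST).items():
        print(dtype, result)
```

The per-type threshold plays the role of scikit-learn's contamination parameter: it is taken from each type's own baseline scores, so a noisy flow sensor and a steady temperature sensor do not share one alert line, which is the failure mode a single unified model runs into.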
Resilience Engineering
AVAILABILITY TARGETS & DESIGN SLOs
Resilience is engineered against explicit SLOs. Each function class has a
defined availability target and a tested recovery path. HA is not an afterthought
— it is a first-class design constraint from day one.
Function            SLO Target   Mechanism
PLC Control         99.99%       Hot-standby redundancy
Historian Capture   99.9%        Collective + store-and-forward
MQTT Broker         99.9%        Cluster, persistent session
Remote WAN Link     99%          Dual-path + edge buffer
OT DMZ Services     99.9%        HA firewall pair + failover
Migration Approach
1
Wrap & Normalise
Terminate legacy protocols in gateways. Expose normalised OPC UA/MQTT namespace. Applications bind to namespace, not legacy buses.
2
DMZ & Security First
Deploy dual firewall HA pair, OT DMZ, MQTT cluster, and jump host before any production data flows cross zone boundaries.
3
Building-by-Building
Integrate one building at a time, validate KPIs, confirm rollback path before proceeding. Zero production stranding.
4
AI & Analytics Layer
Deploy edge AI only after historian baseline established. Train individual models per data type. Validate against known anomaly events.
Project 03
CLOUD & EDGE
Multi-cloud architecture, edge computing infrastructure, and high-availability deployments. Case studies and reference architectures coming soon.
Three-tier deployment model: containerised edge nodes at field level, site-level gateway aggregation, and scalable cloud platform for analytics and digital-twin synchronisation. Designed for autonomous offline operation with resilient cloud uplink.
Tier 1 — Field
EDGE NODES
Industrial PCs and embedded compute co-located with plant assets. Runs containerised workloads: protocol adapters, local ML inference, and store-and-forward buffer. Operates fully autonomously during cloud disconnect.
Azure IoT Edge · Docker · Node-RED · ONNX Runtime
Tier 2 — Site
EDGE GATEWAY
Site-level aggregation hub under OT governance. MQTT broker cluster, OPC UA aggregation server, and local historian buffer. Enforces the OT DMZ boundary. TLS-secured uplink to cloud platform over dual-path WAN.
Mosquitto Cluster · Kepware · SD-WAN · OT DMZ
Tier 3 — Cloud
CLOUD PLATFORM
Scalable IoT ingestion, time-series storage, ML training, and enterprise analytics. IoT Hub/Core handles device registry, routing rules, and bi-directional commands. Geo-replicated for DR.
Azure IoT Hub · AWS IoT Core · ADX / S3 · Power BI
High-Availability Design
1
Autonomous Edge Operation
Edge nodes operate fully offline. Local inference and store-and-forward buffer accumulate data across cloud connectivity loss events. Replay on reconnect with guaranteed ordering.
2
Dual-Path WAN
Primary MPLS + secondary 4G/5G LTE failover managed by SD-WAN policy. Routes telemetry over primary path and fails back automatically when link-quality drops below threshold.
3
Multi-Region Cloud Resilience
Primary and DR regions with geo-replicated time-series storage. RTO < 4 h, RPO < 15 min for historian data continuity across full cloud region failure.
Security Boundary Model
Zero-Trust Cloud Access
All edge-to-cloud traffic over mTLS. Device identity via X.509 certificates, automatically rotated by edge runtime PKI module — no shared secrets.
Data Classification in Transit
Telemetry tagged at source with criticality tier. High-criticality events bypass buffering and are delivered via a dedicated ingestion path with guaranteed delivery.
Immutable Audit Log
All edge configuration changes and cloud commands logged to WORM storage. Append-only audit trail supports regulatory compliance and incident forensics.
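The store-and-forward behaviour described under "Historian HA + Store-and-Forward", "Autonomous Edge Operation" and "Data Classification in Transit" (buffer during an outage, replay in order on reconnect, let high-criticality events bypass the buffer) can be shown in one small piece of code. The block below is an added example written for this page, not the site's edge runtime: the two uplinks are stand-ins whose `up` flag is flipped to simulate WAN loss, the outbox is an SQLite table so a pending batch survives a process restart, and the tank-level events are constructed.

```python
"""Edge store-and-forward with ordered replay and a criticality bypass (added example)."""
import json
import sqlite3


class Uplink:
    """Stand-in for a cloud ingestion path; the caller flips `up` to simulate WAN loss."""

    def __init__(self, up=True):
        self.up = up
        self.delivered = []

    def send(self, event):
        if not self.up:
            return False
        self.delivered.append(event)
        return True


class CriticalDeliveryError(RuntimeError):
    """Raised when a high-criticality event cannot be delivered on its dedicated path."""


class EdgeBuffer:
    def __init__(self, telemetry_uplink, critical_uplink, db_path=":memory:"):
        self.telemetry = telemetry_uplink
        self.critical = critical_uplink
        self.db = sqlite3.connect(db_path)
        # AUTOINCREMENT guarantees a sequence number is never reused after a delete,
        # so replay order and receiver-side de-duplication stay well defined.
        self.db.execute("CREATE TABLE IF NOT EXISTS outbox ("
                        "seq INTEGER PRIMARY KEY AUTOINCREMENT, payload TEXT NOT NULL)")
        self.db.commit()

    def publish(self, event):
        """High-criticality events skip the outbox; everything else is persisted, then flushed."""
        if event.get("criticality") == "high":
            if not self.critical.send(dict(event)):
                raise CriticalDeliveryError(event.get("tag"))
            return True
        self.db.execute("INSERT INTO outbox (payload) VALUES (?)", (json.dumps(event),))
        self.db.commit()                       # durable before any send attempt
        return self.flush()

    def flush(self):
        """Replay pending events oldest-first; stop at the first failure so order is preserved."""
        rows = self.db.execute("SELECT seq, payload FROM outbox ORDER BY seq").fetchall()
        for seq, payload in rows:
            event = json.loads(payload)
            event["seq"] = seq                 # sequence number travels with the event
            if not self.telemetry.send(event):
                return False
            self.db.execute("DELETE FROM outbox WHERE seq = ?", (seq,))
            self.db.commit()
        return True

    def pending(self):
        return self.db.execute("SELECT COUNT(*) FROM outbox").fetchone()[0]


def simulate_outage():
    """Constructed scenario: two level readings during a WAN outage, one overfill alarm
    on the dedicated path, then recovery and in-order replay."""
    telemetry, critical = Uplink(up=False), Uplink(up=True)
    buf = EdgeBuffer(telemetry, critical)
    buf.publish({"tag": "TK101/level", "value": 61.2})
    buf.publish({"tag": "TK101/level", "value": 61.4})
    buf.publish({"tag": "TK101/overfill", "value": 1, "criticality": "high"})
    pending_during_outage = buf.pending()
    telemetry.up = True                        # WAN restored
    buf.publish({"tag": "TK101/level", "value": 61.5})
    return {
        "pending_during_outage": pending_during_outage,
        "replayed_seqs": [e["seq"] for e in telemetry.delivered],
        "replayed_values": [e["value"] for e in telemetry.delivered],
        "critical_delivered": len(critical.delivered),
        "pending_after": buf.pending(),
    }


if __name__ == "__main__":
    print(simulate_outage())
```

Two design points are worth noting. Every normal event is written to the outbox before the first send attempt, even when the link is up, so a crash between send and acknowledgement cannot lose it; and flush stops at the first failed send rather than skipping ahead, which is what keeps the receiver's view ordered by sequence number.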
ARCHITECTURE STATUS
REFERENCE COMPLETE
Reference architecture finalised. Case studies and lab validation in progress.
Project 04
ZERO TRUST OT
Industrial cybersecurity deep-dives: NIST SP 800-82r3, IEC 62443 zone design, certificate authority management, and SIEM integration.