Node to Node communication
Introduction
When talking about digitalization in the industry, security often comes up as one of the main concerns. Usually production environments are decoupled from other areas to prevent unauthorized actions. To realize this, a common practice is to separate networks into different segments like Production, OT, Office, Cloud.
Usually these networks are separated by firewalls with specified rules which only allow communication to the next network level on specific protocols and/or ports.
Therefore you might run into the question: How do I connect my production equipment with systems in other network levels?
Scenario
Let's assume your network infrastructure is divided into the following segments:
Cloud (level 3), Office (level 2), OT (level 1), Production (level 0)
Typically it will be allowed to transfer payload (at least outbound) from one network level to the next (level 0 to level 1, level 1 to level 2) but not to 'skip' a network level in-between (level 0 to level 2).
Because of this reasonable restriction, you need a system that acts as a 'data bridge' and securely transfers your payload data from one level to the next.
Solution
In the architecture shown above you would most likely place one Crosser Edge Node in the OT network. From there you have access to the OT equipment using protocols like Siemens S7, OPC UA or Modbus TCP. Once you have connected the source systems you can already implement logic such as filtering, aggregation, normalization and transformation.
Next you need a way to send the data to your destination system - let's say the Azure IoT Hub.
To realize this, you need a 'data bridge' in the office network.
Fortunately you can simply use another Crosser Edge Node, deploy it in the office network and send the data to it using MQTT or HTTP.
In this setup, your Crosser Edge Node in the OT network publishes the data to the Crosser Edge Node in the office network.
On the Crosser Edge Node in the office network you deploy a flow that picks up the data published to that Crosser Edge Node's internal MQTT broker and sends it to your destination system.
The screenshots below illustrate how this looks from a flow perspective.
Office network (level 2)
OT network (level 1)
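The relay described above, as an added example that is not part of the original page or of Crosser's own code: an in-memory broker stands in for the office node's internal MQTT broker, the OT-side node publishes to it, and the office-side flow subscribes to the OT topic namespace only, validates each message (size cap, JSON object, required fields, numeric readings) and forwards only well-formed records to the destination. The topic names, message format, field names and limits are constructed assumptions for the demo; in practice the bridge is the place to enforce exactly this kind of allowlist and schema check before anything leaves the OT level.

```python
"""Model of the two-node data bridge: OT node -> office node's internal
MQTT broker -> office-side flow -> destination system.
Added example with constructed stand-ins; not Crosser's code."""
import json
from typing import Callable, List, Optional, Tuple


class InMemoryBroker:
    """Stand-in for the office node's internal MQTT broker (constructed)."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Callable[[str, bytes], None]]] = []

    def subscribe(self, topic_filter: str, handler: Callable[[str, bytes], None]) -> None:
        self._subs.append((topic_filter, handler))

    @staticmethod
    def _matches(topic_filter: str, topic: str) -> bool:
        # Only the trailing multi-level wildcard '#' is modelled here.
        if topic_filter.endswith("/#"):
            return topic.startswith(topic_filter[:-1])
        return topic == topic_filter

    def publish(self, topic: str, payload: bytes) -> None:
        for topic_filter, handler in self._subs:
            if self._matches(topic_filter, topic):
                handler(topic, payload)


class OfficeBridgeFlow:
    """Office-side flow: subscribe to the OT namespace only, validate each
    message, and forward only well-formed records to the destination."""

    MAX_PAYLOAD_BYTES = 4096              # assumed limit for the demo
    REQUIRED_FIELDS = {"machine", "ts", "values"}  # assumed message schema

    def __init__(self, broker: InMemoryBroker, destination: Callable[[dict], None],
                 topic_filter: str = "ot/#") -> None:
        self._destination = destination
        self.forwarded: List[dict] = []
        self.rejected: List[Tuple[str, str]] = []
        broker.subscribe(topic_filter, self.on_message)

    def validate(self, payload: bytes) -> Optional[str]:
        """Return a rejection reason, or None when the payload is acceptable."""
        if len(payload) > self.MAX_PAYLOAD_BYTES:
            return "payload exceeds size limit"
        try:
            msg = json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return "payload is not valid JSON"
        if not isinstance(msg, dict):
            return "payload is not a JSON object"
        missing = self.REQUIRED_FIELDS - set(msg)
        if missing:
            return "missing fields: " + ", ".join(sorted(missing))
        values = msg["values"]
        if not isinstance(values, dict) or not all(
            isinstance(v, (int, float)) and not isinstance(v, bool) for v in values.values()
        ):
            return "values must be a map of numeric readings"
        return None

    def on_message(self, topic: str, payload: bytes) -> None:
        reason = self.validate(payload)
        if reason is not None:
            self.rejected.append((topic, reason))
            return
        record = {"source_topic": topic, "body": json.loads(payload)}
        self._destination(record)
        self.forwarded.append(record)


def run_demo():
    """Push a few constructed OT messages through the bridge and return
    (flow, records that reached the destination)."""
    broker = InMemoryBroker()
    reached_destination: List[dict] = []
    flow = OfficeBridgeFlow(broker, destination=reached_destination.append)

    good = {"machine": "press-1", "ts": "2024-01-01T08:00:00Z",
            "values": {"temp_c": 71.5, "rpm": 1200}}
    broker.publish("ot/line1/press", json.dumps(good).encode())
    broker.publish("ot/line1/press", b"\xff\xfe not json")          # rejected
    broker.publish("ot/line1/press", json.dumps(                    # rejected: no ts
        {"machine": "press-1", "values": {"temp_c": 70.0}}).encode())
    # Outside the subscribed OT namespace: the flow never sees it.
    broker.publish("office/unrelated", json.dumps(good).encode())
    return flow, reached_destination


if __name__ == "__main__":
    demo_flow, out = run_demo()
    print(f"forwarded={len(out)} rejected={demo_flow.rejected}")
```

Running the demo forwards one record and rejects two; the message published outside `ot/#` is never delivered to the flow at all, which is the point of subscribing to a narrow namespace rather than to everything on the broker.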
With this approach, you can easily connect your equipment with systems in other network segments while still complying with your security guidelines.
The concept shown above also applies when you want to communicate between Crosser Edge Nodes in the same network, which may be separated for load distribution.