Introduction
In this post, I will describe two approaches to Industrial Internet of Things (IIoT) deployments and give my perspective on each. Hopefully, it will help you choose the right architecture for your specific case.
Before we start, I will briefly define the Edge Gateway.
Definition of the Edge Gateway
An Edge Gateway is a computer located inside a factory or some other facility. It is connected to the internal network, communicates with local devices using industrial protocols, and can also reach the local IT systems running in the factory.
Additionally, the Edge Gateway has access to external systems (for example, a cloud backend) and "translates" industrial protocols, many of which were designed without authentication or encryption of their own, into the secure protocols used on the internet.
The Edge Gateway often has significant computing capability and can process data before sending it to the cloud backend. Installing an application on the Edge Gateway enables local actions based on the telemetry received from connected devices.
In this post, I will divide IIoT deployments into Edge Gateway and Gateway-less architectures.
Edge Gateway deployments
Legacy Operational Technology (OT) systems could not communicate with the external world. The only way to expose them to a remote backend was through an Edge Gateway, which was also responsible for protecting OT systems that were never designed for remote access.
Modern, independent sensors
Modern sensors can communicate with external systems over the internet and transfer the data they gather.
They can also process data locally, so they no longer depend on an Edge Gateway.
Attach such a sensor to a factory machine, and it will start gathering data.
Connect it to the network, and it will automatically register itself with the backend system and start transferring data.
It encrypts data before transfer to ensure confidentiality.
With or without Edge Gateways?
What if you could choose between using an Edge Gateway in your factory and connecting every sensor independently to the remote backend - which approach is "better"?
The answer depends on the specific use case, so let's break it down into a few areas of consideration.
Security
As mentioned above, the Edge Gateway shields local devices and IT systems from unauthorized external access.
Independent sensors can communicate securely with the external backend. They verify the identity of the remote party (for instance, using X.509 certificates) before accepting any commands, and the backend should in turn authenticate each sensor with its own per-device credential. In that respect, they behave much like an Edge Gateway does toward external systems.
What if the Edge Gateway is compromised? The attacker then obtains access to every device and local IT system reachable from the gateway, using the gateway's own credentials. That is a significant threat.
The blast radius of a compromised independent sensor is smaller. Following the Zero Trust security model, each sensor holds only the access it needs: its own identity and its own data path. When compromised, it exposes only a fraction of the local infrastructure.
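The following Go program, added here as an illustration and not taken from the original post, plays out the two points above between a simulated sensor and backend on loopback: the sensor only talks to a backend it can verify against its pinned CA, and the backend only lets a sensor publish to the one topic its certificate entitles it to. The fleet CA, the names backend.example and sensor-42, the topic convention sensors/<id>/telemetry and the one-line PUBLISH protocol are assumptions for the example; all certificates are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mkCert generates a P-256 key and certificate for cn: a self-signed CA when parent is nil
// (the anchor a sensor pins in firmware), otherwise a leaf signed by parent. The CN is the
// device identity the backend authorizes on; it is also used as the SAN (assumed convention).
func mkCert(parent *x509.Certificate, parentKey any, cn string, usage x509.ExtKeyUsage) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA signs with its own key
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// authorize is the least-privilege rule: a sensor may only publish to the topic derived
// from the CN in its own client certificate, nothing else.
func authorize(clientCN, cmd, topic string) string {
	if cmd == "PUBLISH" && topic == "sensors/"+clientCN+"/telemetry" {
		return "OK"
	}
	return "DENY"
}

// startBackend listens on loopback, requires a client certificate chaining to clientCA,
// and answers one "PUBLISH <topic>" request per connection.
func startBackend(cert tls.Certificate, clientCA *x509.CertPool) net.Listener {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: clientCA, MinVersion: tls.VersionTLS12,
	})
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil { // no client cert, or not issued by our CA
					return
				}
				cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				var cmd, topic string
				fmt.Fscan(tc, &cmd, &topic)
				fmt.Fprintln(tc, authorize(cn, cmd, topic))
			}(c.(*tls.Conn))
		}
	}()
	return ln
}

// sensorPublish is the sensor side: trust only pinnedCA, check the backend's name,
// present the sensor's own certificate, and return the backend's reply.
func sensorPublish(addr string, pinnedCA *x509.CertPool, sensor tls.Certificate, topic string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs: pinnedCA, ServerName: "backend.example",
		Certificates: []tls.Certificate{sensor}, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err // verification failed: send nothing, accept nothing
	}
	defer conn.Close()
	fmt.Fprintf(conn, "PUBLISH %s\n", topic)
	var reply string
	_, err = fmt.Fscan(conn, &reply)
	return reply, err
}

// Demo: a fleet CA issues certificates to one backend and one sensor; a rogue backend
// presents the same name under a CA the sensor never pinned.
func Demo() (own, foreign string, rogueRejected bool) {
	fleetCA, fleet := mkCert(nil, nil, "fleet-ca", x509.ExtKeyUsageAny)
	pinned := x509.NewCertPool()
	pinned.AddCert(fleetCA)
	_, backend := mkCert(fleetCA, fleet.PrivateKey, "backend.example", x509.ExtKeyUsageServerAuth)
	_, sensor := mkCert(fleetCA, fleet.PrivateKey, "sensor-42", x509.ExtKeyUsageClientAuth)
	rogueCA, rogue := mkCert(nil, nil, "rogue-ca", x509.ExtKeyUsageAny)
	_, rogueBackend := mkCert(rogueCA, rogue.PrivateKey, "backend.example", x509.ExtKeyUsageServerAuth)
	ln, rln := startBackend(backend, pinned), startBackend(rogueBackend, pinned)
	defer func() { ln.Close(); rln.Close() }()
	own, _ = sensorPublish(ln.Addr().String(), pinned, sensor, "sensors/sensor-42/telemetry")
	foreign, _ = sensorPublish(ln.Addr().String(), pinned, sensor, "sensors/sensor-7/telemetry")
	_, err := sensorPublish(rln.Addr().String(), pinned, sensor, "sensors/sensor-42/telemetry")
	return own, foreign, err != nil
}

func main() {
	fmt.Println(Demo())
}
```

Two things to take from it: the sensor never sends a byte to a backend it cannot verify against its pinned CA, and even a properly enrolled sensor gets DENY outside the one topic its certificate entitles it to, which is what keeps the blast radius of a compromised sensor small. The same shape applies in production with a real fleet CA and per-device certificates; sharing one credential across many sensors would bring back the all-or-nothing exposure of a compromised gateway.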
Failure impact
The Edge Gateway is a single point of failure. When it is down:
- there is no connectivity between the facility and the external backend,
- local processing and decision making stop.
The Edge Gateway should be as highly available as the accessible infrastructure allows. That requires careful network and application design.
Issues with the Edge Gateway should not critically impact local operations on the shop floor, and production should continue. This type of resiliency requires careful planning.
A failure of a single independent sensor has less impact. We lose visibility into the monitored machine without affecting the connectivity of the other sensors. Using multiple connected sensors on a production line limits the impact of a single failure: the system retains end-to-end visibility, with fewer details.
Ongoing maintenance
The Edge Gateway is a server that needs to be kept up to date. It requires a robust mechanism for installing security patches and upgrading the operating system and applications.
Maintaining connectivity between the Edge Gateway and local devices is also needed. We have to implement credential management for connected devices and local IT systems. That is an important task and requires the assistance of the local Security Administrator. Based on my experience, that is a challenge in industrial IoT deployments.
What does maintenance look like for independent sensors? It resembles fleet management: we manage many distributed devices. That is not more difficult than Edge Gateway management, but it requires a different approach.
We organize devices into logical groups to simplify management. Then we use distributed-jobs functionality to execute remote tasks at scale and monitor the outcomes, rolling changes out in stages so that a bad update is caught before it reaches the whole fleet.
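As an added example (not code from the original post), the Go program below shows the minimal shape of that fleet pattern: resolve a logical group from device attributes, run a job over it in batches, and halt the rollout once failures exceed a threshold so a bad update never reaches the whole group. The device records, the firmware versions and the rule that devices on firmware 0.9 reject the update are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Device is a minimal fleet record: an identity plus the attributes used to
// resolve logical groups. The field set is constructed for this example.
type Device struct {
	ID, Site, Line, Firmware string
}

// Outcome records the result of one job execution on one device.
type Outcome struct {
	ID  string
	Err error
}

// Group resolves a logical group from the fleet, sorted by ID so that batches are
// deterministic (a real fleet service may order targets differently).
func Group(fleet []Device, match func(Device) bool) []Device {
	var out []Device
	for _, d := range fleet {
		if match(d) {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// RunJob executes task on targets in batches of batchSize and checks the outcomes after
// every batch. It halts the rollout as soon as the total number of failures exceeds
// maxFailures, leaving the remaining devices untouched for an operator to look at.
func RunJob(targets []Device, batchSize, maxFailures int, task func(Device) error) (outcomes []Outcome, halted bool) {
	failures := 0
	for start := 0; start < len(targets); start += batchSize {
		end := start + batchSize
		if end > len(targets) {
			end = len(targets)
		}
		for _, d := range targets[start:end] {
			err := task(d)
			outcomes = append(outcomes, Outcome{ID: d.ID, Err: err})
			if err != nil {
				failures++
			}
		}
		if failures > maxFailures {
			return outcomes, true
		}
	}
	return outcomes, false
}

// updateFirmware is the constructed job: devices still on firmware 0.9 reject the
// delta update, which is exactly the kind of failure the rollout guard should catch.
func updateFirmware(version string) func(Device) error {
	return func(d Device) error {
		if d.Firmware == "0.9" {
			return fmt.Errorf("cannot apply %s: bootloader too old for delta update", version)
		}
		return nil
	}
}

// Demo runs a firmware job against the sensors on line L2 of plant-a (constructed fleet).
func Demo() ([]Outcome, bool) {
	fleet := []Device{
		{"s-01", "plant-a", "L1", "1.2"}, {"s-02", "plant-a", "L2", "1.2"},
		{"s-03", "plant-a", "L2", "0.9"}, {"s-04", "plant-a", "L2", "0.9"},
		{"s-05", "plant-a", "L2", "1.2"}, {"s-06", "plant-b", "L2", "1.2"},
		{"s-07", "plant-a", "L2", "1.2"}, {"s-08", "plant-a", "L2", "1.2"},
	}
	line := Group(fleet, func(d Device) bool { return d.Site == "plant-a" && d.Line == "L2" })
	return RunJob(line, 2, 1, updateFirmware("1.3"))
}

func main() {
	outcomes, halted := Demo()
	for _, o := range outcomes {
		fmt.Printf("%s: %v\n", o.ID, o.Err)
	}
	fmt.Println("halted:", halted)
}
```

With batches of two and a tolerance of one failure, the job reaches four of the six devices on the line and then stops: the second batch pushes the failure count to two, and s-07 and s-08 are never touched. The threshold and batch size are the knobs that trade rollout speed against how much of the fleet a bad job can take down.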
Hosting local applications
Edge Gateway deployments have one significant advantage - the hosting of local applications.
We can use the Edge Gateway server to host applications exposed to the internal, isolated network. Shop floor personnel can access those dashboards from various devices (for example, tablets) connected to the local network. That gives greater visibility into operations and the gathered telemetry data.
The hosted application can run Machine Learning inference locally and present the outputs to operators. This way, we combine advanced analytics with expert knowledge to increase overall efficiency.
The Edge Gateway maintains connectivity with the backend, which enables secure remote deployment and maintenance of the locally hosted applications.
We lose that advantage in Gateway-less systems. Independent sensors do not host local applications (apart from an administration interface). The remote backend gathers telemetry from the connected devices, and we can host applications on that backend to present the data. But there is a major difference: clients on the isolated factory network cannot reach those remote applications.
I highly recommend considering the Edge Gateway design if you expect to use local dashboards.
MVP cost
The MVP (Minimum Viable Product) cost is another aspect worth considering.
Minimizing the upfront investment is important for experimental IIoT deployments. Obtaining the required hardware and configuring the Edge Gateway involves significant expense.
Using independent connected sensors lowers the entry requirements - you simply connect the monitoring device and review the telemetry it sends to the backend system.
Gather and analyze the telemetry data to verify the gains from connecting your equipment to the external backend.
You can terminate the MVP and cut your losses if the outcomes don't meet your expectations.
Once satisfied with the initial results, you can plan the following iterations and potentially switch to the Edge Gateway setup.
Conclusion
I hope that this comparison was helpful to you. That is not an academic study but my own experience with commercial engagements. Any feedback is very welcome!