
Problem Statement

Consider a typical industrial application: a production line controlled by two Rockwell Automation ControlLogix control systems. Operators need to monitor and manage production status in real time on three HMI panels (e.g., Optix graphical panels) while also requiring periodic logging of selected PLC tags to a SQL database that must be accessible to IT applications for reporting and data analysis.

As a visualization solution, we can deploy a single Optix Edge device to host a FactoryTalk Optix application, distributing it to HMI panels as web clients via the WebPresentationEngine object.

The hardware baseline is therefore:

  • Two ControlLogix PLCs as data sources
  • One Optix Edge device as runtime for the FT Optix application
  • Three Optix panels as HMI terminals / web clients
  • A SQL server as the target storage for historical data

The requirements seem straightforward — distribute the visualization application to panels and regularly send data to the database. However, the way in which these functions are technically implemented has a fundamental impact on the security of the entire OT environment.

The Wrong (Naive) Solution: Flat Network

The simplest — and unfortunately still fairly common — solution is to connect all devices into a single shared network without any segmentation. Both control systems are connected via a switch to the same network segment, which also contains the Optix Edge device, all three HMI panels, and even the SQL server itself. A single FT Optix application runs on the Optix Edge, handling both visualization for the panels via WebPresentationEngine and data logging to the SQL server.

The SQL server is not isolated: it is also accessed by users from the corporate IT network, for example to generate reports or export data to enterprise information systems. This creates a direct link between the OT network and the IT world, and through the corporate network potentially to the public internet, with no protective layer in between.
This architecture is called a "flat network" and carries several serious security risks.

Absence of Network Segmentation
In a flat network, every device has direct access to every other device. Compromising any node — whether an HMI panel, the SQL server, or any IT computer with database access — opens a direct path for an attacker to the control systems. In an industrial environment, this means the potential to interfere with process control, disrupt or destroy operations, or misuse sensitive data.

Monolithic Application
A single FT Optix application handles both visualization and data logging, so one process holds the credentials for, and network reach to, both the PLCs and the database server. A single vulnerability in the application logic or its connection configuration therefore exposes both systems at once.

SQL Server Exposure
A server that receives data directly from the OT network is also accessible from the IT environment without a firewall. An attacker who gains access to the SQL server from the IT side is in the same network segment as the PLCs.

The Correct Solution: Segmented Architecture with IDMZ

A secure architecture is based on the Purdue model and the principle of defense-in-depth. The Purdue model (often referred to as the Purdue Enterprise Reference Architecture, PERA) is a reference architecture used in industrial automation and cybersecurity for structuring manufacturing systems into levels and separating them from IT networks. It is particularly important in the context of OT (Operational Technology) and standards such as ISA-95 and IEC 62443, the latter of which formalizes the separation as zones and conduits.

In the properly secured solution for our use case, the network is divided into three zones, separated by firewalls:

  • OT network (Purdue L1–L2)
  • Industrial DMZ, or IDMZ (Purdue L3.5)
  • IT network (Purdue L4)

Two Separate Optix Applications

In addition, we make one more change compared to the naive solution: we split the functionality into two separate FT Optix applications. To run them we can deploy two Optix Edge devices, or run one of the two applications in a Docker container on a single Optix Edge. Containerization reduces the hardware requirement, but the two applications then share a host, kernel and network interface, so the separation is weaker than with two devices: a compromise of the host, or a container escape, reaches both applications. For simplicity, the remainder of this article refers to two Optix Edge devices.

The first Optix Edge runs an application dedicated exclusively to visualization — it distributes HMI screens to panels via WebPresentationEngine and has no direct access to the database server.

The second Optix Edge runs an application dedicated exclusively to data logging — it reads selected tags from both PLCs and sends them through the firewall to a staging SQL server in the IDMZ (see below). Each application has a precisely defined and limited set of communication permissions; neither requires access to both systems simultaneously.

OT Network and VLAN Segmentation
The OT network is further internally segmented using VLANs. The first VLAN groups both ControlLogix control systems and the two Optix Edge devices; this VLAN contains exclusively devices that communicate directly with the production process. The second VLAN is dedicated to the three HMI panels. Because the panels are web clients of Optix Edge 1, some traffic must cross the VLAN boundary; the inter-VLAN routing should be limited to connections from the panels to the WebPresentationEngine on Optix Edge 1, so that a compromised panel cannot reach the PLCs or Optix Edge 2 directly.

IDMZ
IDMZ stands for Industrial Demilitarized Zone. It is a dedicated zone that serves as a security layer between the OT and IT environments. The staging SQL server in the IDMZ receives data from the OT network through the first firewall. IT systems obtain that data by pulling it from the staging server through the second firewall: the connection is always initiated by the IT side, never by the IDMZ. Note that the firewall only controls who may open the connection; once the IT puller has a TCP session to the SQL service, it can send whatever SQL the staging server accepts. The "read-only for IT" property therefore has to be enforced on the staging server itself, with a dedicated login that holds only SELECT on the staging table and no write, schema or administrative rights. Because the staging server is the one host reachable from IT, it must also be hardened. With these measures an incident in the IT environment cannot directly threaten the availability or integrity of OT systems: an attacker stops at the staging server, and no rule on the first firewall lets anything in the IDMZ open a connection into the OT network.
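The IT-initiated pull described above, as an added example that is not the article's or Rockwell's code. sqlite3 stands in for the two SQL Servers (an assumption made so the example runs offline), and the table and column names are assumptions as well. The puller's connection to the staging database is read-only, emulating a SELECT-only login, and each pull cycle is driven by a watermark (the highest staging id already copied), so reruns, retries and batching never duplicate rows.

```python
# Added example, not from the article: the IT-initiated pull from the IDMZ staging
# server. sqlite3 stands in for the two SQL Servers (assumption) so it runs offline;
# the table and column names are also assumptions.
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, str, str, float]  # (id, timestamp, plc, tag, value)

# Constructed sample of rows that Optix Edge 2 would have inserted into staging.
SAMPLE_STAGING_ROWS: List[Row] = [
    (1, "2024-05-01T08:00:00Z", "ControlLogix 1", "Line1.Speed", 120.0),
    (2, "2024-05-01T08:00:10Z", "ControlLogix 1", "Line1.Speed", 121.5),
    (3, "2024-05-01T08:00:10Z", "ControlLogix 2", "Line1.Temp", 71.2),
]


def build_staging(rows: List[Row]) -> sqlite3.Connection:
    """Staging DB as the IT puller sees it: loaded by OT, then read-only for IT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tag_log (id INTEGER PRIMARY KEY, ts TEXT, plc TEXT, tag TEXT, value REAL)"
    )
    conn.executemany("INSERT INTO tag_log VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    # From here on the connection behaves like a login that holds only SELECT:
    # any INSERT/UPDATE/DELETE/DDL issued over it fails.
    conn.execute("PRAGMA query_only = ON")
    return conn


def build_final() -> sqlite3.Connection:
    """Final DB on the IT side; staging_id is the primary key so duplicates are rejected."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tag_history (staging_id INTEGER PRIMARY KEY, ts TEXT, plc TEXT, tag TEXT, value REAL)"
    )
    return conn


def current_watermark(final: sqlite3.Connection) -> int:
    """Highest staging id already copied; 0 on an empty history."""
    return final.execute("SELECT COALESCE(MAX(staging_id), 0) FROM tag_history").fetchone()[0]


def pull_new_rows(staging: sqlite3.Connection, final: sqlite3.Connection, batch_size: int = 500) -> int:
    """One pull cycle, initiated from the IT side. Returns the number of rows copied."""
    wm = current_watermark(final)
    rows = staging.execute(
        "SELECT id, ts, plc, tag, value FROM tag_log WHERE id > ? ORDER BY id LIMIT ?",
        (wm, batch_size),
    ).fetchall()
    if rows:
        final.executemany("INSERT INTO tag_history VALUES (?, ?, ?, ?, ?)", rows)
        final.commit()
    return len(rows)


def staging_rejects_writes(staging: sqlite3.Connection) -> bool:
    """True if a compromised puller could not alter staged data over this connection."""
    try:
        staging.execute("UPDATE tag_log SET value = 0")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    staging = build_staging(SAMPLE_STAGING_ROWS)
    final = build_final()
    print("first pull copied", pull_new_rows(staging, final, batch_size=2), "rows")
    print("second pull copied", pull_new_rows(staging, final, batch_size=2), "rows")
    print("third pull copied", pull_new_rows(staging, final, batch_size=2), "rows")
    print("staging rejects writes:", staging_rejects_writes(staging))
```

The watermark lives in the final database, not in the staging server, so the IT side never needs to write anything into the IDMZ to keep its position; with SQL Server the same logic would run under a login granted only SELECT on the staging table.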

IP Addressing Scheme

Zone                 Subnet        Devices and addresses
VLAN 1 (PLC + Edge)  10.0.1.0/24   ControlLogix 1: 10.0.1.10
                                   ControlLogix 2: 10.0.1.11
                                   Optix Edge 1:   10.0.1.20
                                   Optix Edge 2:   10.0.1.21
VLAN 2 (HMI panels)  10.0.2.0/24   Panel 1: 10.0.2.10
                                   Panel 2: 10.0.2.11
                                   Panel 3: 10.0.2.12
IDMZ                 10.0.3.0/24   SQL staging: 10.0.3.10
IT network           10.0.4.0/24   SQL final:   10.0.4.10

Firewall 1 Rules (OT → IDMZ)

Firewall 1 separates the OT network from the IDMZ. The only permitted flow is the transfer of logged tags from Optix Edge 2 to the staging SQL server; on a stateful firewall the rule also covers the replies on that connection, so no reverse rule is needed. Any connection initiated from the IDMZ toward the OT network is denied. Optix Edge 1 has no rule on FW1, since it does not communicate with the IDMZ or the IT network at all. The SQL connection itself should be encrypted (TLS) and use a login on the staging server that can only INSERT into the staging table.

Rule  Source      Destination  Port      Action
1     10.0.1.21   10.0.3.10    TCP 1433  PERMIT
2     any         any          any       DENY

Firewall 2 Rules (IDMZ → IT)

Firewall 2 separates the IDMZ from the IT network. The only permitted flow is initiated from the IT side: the final SQL server opens the connection and pulls data from the staging server. Nothing in the IDMZ may open a connection toward IT. Combined with FW1, this means an attacker who has compromised the IT network can at most reach the staging server's SQL service; no rule on either firewall lets a connection be opened from IT or from the IDMZ into the OT environment. What the IT host can do over its permitted session to the staging server is governed by the staging server's own access control, which is why the puller's login must be read-only.

Rule  Source      Destination  Port      Action
1     10.0.4.10   10.0.3.10    TCP 1433  PERMIT
2     any         any          any       DENY
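An added example, not code from the article: a small model of the segmented network (the VLAN split and both firewall rule tables) that checks the reachability properties the text claims. Zones and addresses are the ones from the addressing table and the FW1/FW2 rules are copied from the tables above. The inter-VLAN ACL entry (panels to Optix Edge 1 on TCP 443) is an assumption, since the article does not state the port on which WebPresentationEngine serves the panels; the PLC port 44818/tcp is EtherNet/IP (CIP) explicit messaging.

```python
# Added example, not from the article: a model of the segmented network that checks
# the properties the rule tables are supposed to enforce. FW1/FW2 rules are taken
# from the article; the inter-VLAN ACL (panels -> Edge 1, TCP 443) is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # IP address, CIDR, or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "PERMIT" or "DENY"


@dataclass(frozen=True)
class Flow:
    """A connection attempt: who opens it, to whom, on which service."""
    src: str
    dst: str
    proto: str
    dport: int


ZONES = {
    "OT-VLAN1": ip_network("10.0.1.0/24"),   # PLCs + Optix Edge devices
    "OT-VLAN2": ip_network("10.0.2.0/24"),   # HMI panels
    "IDMZ":     ip_network("10.0.3.0/24"),   # staging SQL server
    "IT":       ip_network("10.0.4.0/24"),   # final SQL server
}
# Purdue-style ordering used to decide which firewalls a path crosses.
LEVEL = {"OT-VLAN1": 0, "OT-VLAN2": 0, "IDMZ": 1, "IT": 2}

DENY_ALL = Rule("any", "any", "any", None, "DENY")
POLICIES: Dict[str, List[Rule]] = {
    # Firewall 1 (OT <-> IDMZ), as in the article's table.
    "FW1": [Rule("10.0.1.21", "10.0.3.10", "tcp", 1433, "PERMIT"), DENY_ALL],
    # Firewall 2 (IDMZ <-> IT), as in the article's table.
    "FW2": [Rule("10.0.4.10", "10.0.3.10", "tcp", 1433, "PERMIT"), DENY_ALL],
    # Inter-VLAN ACL inside OT (assumed): panels may only reach Edge 1's web UI.
    "VLAN-ACL": [Rule("10.0.2.0/24", "10.0.1.20", "tcp", 443, "PERMIT"), DENY_ALL],
}


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First-match semantics with an implicit default deny, like the tables above."""
    for r in rules:
        if (_addr_matches(r.src, flow.src) and _addr_matches(r.dst, flow.dst)
                and r.proto in ("any", flow.proto) and r.dport in (None, flow.dport)):
            return r.action
    return "DENY"


def zone_of(addr: str) -> str:
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    raise ValueError(f"{addr} belongs to no defined zone")


def boundaries_crossed(src: str, dst: str) -> List[str]:
    """Which policy enforcement points sit between src and dst."""
    zs, zd = zone_of(src), zone_of(dst)
    lo, hi = sorted((LEVEL[zs], LEVEL[zd]))
    crossed = []
    if zs != zd and LEVEL[zs] == LEVEL[zd]:
        crossed.append("VLAN-ACL")          # between the two OT VLANs
    if lo <= 0 < hi:
        crossed.append("FW1")
    if lo <= 1 < hi:
        crossed.append("FW2")
    return crossed


def connection_allowed(flow: Flow) -> bool:
    """True if every boundary on the path permits the connection to be opened.

    The rules describe who may initiate; replies on an established, permitted
    connection are passed by the stateful firewalls without a reverse rule.
    """
    return all(first_match(POLICIES[b], flow) == "PERMIT"
               for b in boundaries_crossed(flow.src, flow.dst))


def audit() -> Dict[str, bool]:
    """The article's claims, each as a yes/no check on the model (44818/tcp = EtherNet/IP)."""
    return {
        "edge2_logs_to_staging":   connection_allowed(Flow("10.0.1.21", "10.0.3.10", "tcp", 1433)),
        "edge1_cannot_reach_idmz": not connection_allowed(Flow("10.0.1.20", "10.0.3.10", "tcp", 1433)),
        "idmz_cannot_open_to_ot":  not connection_allowed(Flow("10.0.3.10", "10.0.1.10", "tcp", 44818)),
        "it_pulls_from_staging":   connection_allowed(Flow("10.0.4.10", "10.0.3.10", "tcp", 1433)),
        "idmz_cannot_open_to_it":  not connection_allowed(Flow("10.0.3.10", "10.0.4.10", "tcp", 1433)),
        "it_cannot_reach_plc":     not connection_allowed(Flow("10.0.4.10", "10.0.1.10", "tcp", 44818)),
        "panel_reaches_edge1_ui":  connection_allowed(Flow("10.0.2.10", "10.0.1.20", "tcp", 443)),
        "panel_cannot_reach_plc":  not connection_allowed(Flow("10.0.2.10", "10.0.1.10", "tcp", 44818)),
    }


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

A path from IT to a PLC crosses both firewalls, and the model requires every boundary on the path to permit the connection, which is what makes the "IT cannot reach OT" claim hold even though FW2 alone says nothing about PLC addresses. Removing the inter-VLAN ACL entry from the model shows why the VLAN split needs its own policy: without it, a panel would reach the PLCs directly.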

Conclusion

Designing network architecture for industrial data logging is a decision with a direct impact on the security of the entire production environment. As the comparison of the two solutions shows, functionally equivalent systems can have vastly different levels of resilience against cyber threats.

A flat network without segmentation is attractive in its simplicity and low initial cost. Connecting all devices into a single segment and using a monolithic application for both visualization and data logging does work — until something goes wrong. A SQL server exposed to the IT environment without any protective layer represents a direct bridge between the corporate network and industrial control systems. At a time when OT networks are increasingly common targets of cyber attacks, such an architecture is an unacceptable risk.

The segmented solution with an IDMZ provides multiple layers of protection that complement each other. Splitting the OT network into two VLANs separates HMI panels from control systems. Two separate Optix Edge devices with dedicated applications enforce the principle of least privilege at the application level. The IDMZ with its staging SQL server breaks the direct connection between the IT and OT worlds: not as an air gap, since data still flows, but only through the staging server and never end to end. Two industrial firewalls with explicitly defined rules ensure that all inter-zone communication is pre-approved and auditable. The pull principle at the IDMZ–IT boundary ensures that every data flow is initiated by the IT side, so an attacker in the IT environment has no way to open a connection into the lower layers of the architecture; whatever access remains is confined to the staging server and bounded by its own access control.

It should be noted that the added hardware costs — industrial firewalls, a staging server, and possibly a second Optix Edge device — are negligible compared to the potential consequences of a security incident in an OT environment.

Note: This article addresses only the application design and network infrastructure design. A comprehensive cybersecurity solution for this type of project also requires attention to other security aspects (risk analysis, application-level and device-level security, access control, monitoring, etc.), as well as securing the final SQL server itself (authentication, encryption, hardening, etc.).