Internet of Things 6 min read

IIoT protocols: hybrid architecture for secure industrial data unification

Integrating Modbus, MQTT, and OPC UA via edge gateways allows legacy equipment to be combined with modern analytical platforms, preserving data context and security.

Implementing the Industrial Internet of Things (IIoT), industrial analytics, and Edge AI requires enterprises to transition from isolated SCADA systems to unified data exchange standards. Industrial enterprises increasingly face challenges integrating legacy equipment with modern cloud systems. Attempts to connect field equipment directly to cloud platforms create critical vulnerabilities in the operational technology (OT) environment and lead to a loss of data context.

Effective unification of industrial data requires not a total replacement of legacy protocols, but the construction of a hybrid architecture where Modbus, MQTT, and OPC UA interact via intelligent edge gateways. This approach ensures the scalability required for modern enterprises without compromising security.

Anatomy of protocols: why Modbus, MQTT, and OPC UA must work in synergy

In an industrial environment, there is no single universal protocol that can meet all deployment needs—from physical sensor reading to transmitting aggregated data to the corporate level. Each popular protocol has its strengths, and they should be viewed as complementary.

Modbus is a classic industrial automation protocol supported by a vast fleet of legacy equipment. It is extremely simple but has significant limitations: a lack of built-in security and metadata. Modbus operates only with register addresses, without transmitting information about the context of what is stored within them.

MQTT (Message Queuing Telemetry Transport) is a lightweight transport-level protocol. It is ideal for transmitting data over unstable communication channels with minimal traffic consumption. However, MQTT is inherently "payload agnostic"—without additional structural layers, it does not provide unified data semantics.

OPC UA (Open Platform Communications Unified Architecture) is positioned as a platform-independent architecture for ensuring reliable interoperability in industrial systems. OPC UA allows for the construction of complex information models with rich semantics. However, it places high demands on computing resources, making it too heavy for direct deployment on the simplest field devices.

ProtocolApplication levelKey advantagesCritical limitations
ModbusField level (sensors, PLC)Ease of implementation, compatibility with legacy equipmentLack of built-in security, encryption, and metadata
MQTTTransport level (Edge-to-Cloud)Minimal traffic, operation in unstable networksRequires external structuring (payload agnostic)
OPC UAUnification level (M2M, Enterprise)Rich semantics, built-in security, interoperabilityHigh computing resource requirements for devices

The problem of semantic gap: preserving context during data translation

Obtaining raw values from Modbus registers without context (units of measurement, equipment type, validity status) makes the data useless for modern analytical tools. If such data is transmitted directly to the cloud via MQTT, there is a need to manually write parsers for each type of equipment.

A reliable architectural solution is to use OPC UA for data normalization at the network edge. Raw indicators from Modbus registers are translated into standardized OPC UA objects at the edge gateway level, acquiring the necessary metadata. According to real-world implementation cases, using OPC UA allows for the effective normalization of data from heterogeneous sensors before transmitting them to industrial analytics systems (Edge AI), avoiding chaos in data lakes.

Edge-to-cloud architecture: computing distribution and integration

In accordance with AWS Well-Architected IoT Lens recommendations, the reliability and scalability of an IoT solution are established during the correct data transmission stage along the chain: device → edge → cloud. Direct connection of field devices to external platforms is inefficient and dangerous.

An optimal three-tier architecture is as follows:

  1. Field level: sensors and controllers read parameters via local protocols (e.g., Modbus).
  2. Edge level (gateways): traffic collection, primary filtering, normalization into OPC UA semantic models, and local processing of critical events for rapid response.
  3. Cloud/Corporate level: aggregated long-term telemetry is transmitted to the cloud via lightweight MQTT.

Specialized teams are involved in implementing such hybrid solutions. In particular, developers from Softengi (a member of the Intecracy Group alliance of independent companies) provide custom development of IoT/embedded solutions and edge-level integration, normalizing industrial data for further secure use.

When data reaches the corporate level, it must be integrated into business processes. This utilizes the UnityBase technology stack—a full-stack JavaScript low-code platform, which is a joint development of Intecracy Group companies. Thanks to the system's unified domain metadata model, systems built on UnityBase can accept normalized IIoT data via automatically generated REST APIs. This ensures strict access control (RBAC/RLS) and detailed audit trails, which are critical for ensuring data reliability in enterprise systems.

OT segment security: protecting legacy equipment according to ISA/IEC 62443 standards

In industrial control systems, service availability is a higher priority than confidentiality, which requires the adaptation of standard IT controls. As noted in the NIST SP 800-82 Guide to OT Security, the specifics of legacy equipment often do not allow for the application of modern update or patching methods.

To protect automation systems, over 20 industries today rely on the ISA/IEC 62443 series of standards. The basic approach is based on the concept of segmentation (Zones and Conduits):

  • Isolation in zones: legacy PLC controllers are grouped into physically isolated network segments (zones) without external access.
  • Controlled channels: communication between zones is carried out exclusively through edge gateways (conduits), which filter traffic.
  • Telemetry protection: the gateway collects unprotected data within the zone and transmits it to higher levels in an encrypted form.

Such segmentation is the only effective way to use legacy equipment without creating additional attack vectors on production.

Practical algorithm for building a unified data loop

To minimize the risks of deploying an industrial IoT infrastructure, the following steps should be followed:

  1. Asset audit: inventory of equipment and supported protocols.
  2. Security zone design: network segmentation in accordance with ISA/IEC 62443 principles to isolate legacy components.
  3. Edge integration implementation: deployment of industrial gateways at segment boundaries to collect local data.
  4. Semantic normalization: configuration of the OPC UA information model at the edge level to provide metadata and context.
  5. Transport and corporate integration: transmission of normalized information via MQTT to cloud storage or corporate systems (e.g., using UnityBase platform mechanisms) for analysis and decision-making.

FAQ

How can old Modbus controllers be safely connected to a modern IoT platform?

The safest approach is to isolate such controllers in a separate network segment without internet access (in accordance with NIST SP 800-82). Interaction with the cloud is configured via intermediate edge gateways that locally read indicators, normalize them, and transmit them further via secure encrypted channels.

What is the difference between OPC UA and MQTT in the context of building an industrial data lake?

OPC UA is a comprehensive architecture (standard) that ensures reliable interoperability and rich semantics (sensor context and metadata). MQTT is a lightweight message transport protocol that transmits data quickly but does not define its internal structure. In synergy, OPC UA structures the data, and MQTT efficiently transmits it to the cloud.

How can ISA/IEC 62443 security requirements be implemented for devices that do not support encryption?

The ISA/IEC 62443 standard uses the concept of 'Zones and Conduits'. Devices without built-in encryption are grouped into isolated secure zones. Any external exchange occurs only through controlled channels—intelligent gateways that encrypt and translate traffic outward.

Data sources

Sources & materials

Materials and sources used in this article.

  1. Amazon Web Services: AWS Well-Architected IoT Lens — docs.aws.amazon.com
  2. NIST SP 800-82 Guide to OT Security — csrc.nist.gov
  3. OPC Foundation: OPC Unified Architecture — opcfoundation.org
  4. ISA/IEC 62443 Series of Standards — isa.org