At the recent Georgia Tech Manufacturing Institute (GTMI) seminar, Andrew Dugenske, Director of the Factory Information Systems (FIS) Center at GTMI presented an open architecture for factory floor applications.
There are a lot of really good things to say about this concept. GTMI is correct to say that this architecture:
- accommodates a wide variety of devices, protocols, and applications
- supports many-to-many communication
- is built on standards (no proprietary lock-in)
- is extremely scalable
- is simple to use and deploy
- is monitorable and traceable.
It is all of those things, but the claims of security and maintainability are overstated.
It is unclear how secure this architecture is. There certainly is no end-to-end security in this architecture. An analytics device that requires Modbus data from a Modbus device has no end-to-end security between the analytics device and the Modbus device or Modbus device gateway. There is a broker involved and several gateways – several attack surfaces and an undefined security architecture. Is that up to the user to define? Is there a specific, highly secure MQTT broker that must be used with this system? Looking at this system from a security perspective, the very secure claim seems to be overstated.
I also question the maintainability and extensibility of this architecture. Instead of data modeling, this architecture defines its own, custom data definitions. It’s well thought out, but a generic data model such as defined in this architecture is never going to be a perfect fit for all applications and all devices.
The Open Process Automation Forum defines the exact same model as GTMI and claims the same benefits. What is different about the OPAF architecture is that instead of a simple transport layer (MQTT), OPAF uses the OPC UA architecture. This provides two advantages over the GTMI architecture:
One, multiple security mechanisms are available within OPC UA. There is end-to-end security, if needed, from the Northside (IT applications) to the Southside (end devices). An analytics tool can make a secure connection (or non-secure if that makes sense) directly to the Modbus gateway to get Modbus device data. The attack surfaces when using the OPAF architecture are smaller than with the GTMI architecture.
Two, data modeling is much more sophisticated and more application-specific in the OPAF architecture. OPC UA provides the ability for users, trade associations and vendors to create specific data models for specific applications. These data models can be discoverable at runtime and allow a Client device to automatically locate and use a data model that correctly captures the operation of the device and all its data. Data integration between the Northside and the Southside is vastly improved in the OPAF architecture.
With the number of trade associations adopting OPC UA (over 45 at last count) and creating data models, I see no reason to believe that there will be large scale adoption of the GTMI platform with the MQTT transport layer at its core. OPAF architecture is far superior and will be more successful.