
Reference Architectures

Generic NETVALEN design patterns for industrial OT environments. These examples are intentionally sanitized and do not represent customer networks, site layouts, IP addressing, VLANs, firewall policies, or confidential project deliverables.

Industrial Infrastructure Reference Patterns

High-level architecture visuals for OT segmentation, industrial DMZ design, SCADA data movement, MDF/IDF resiliency, passive visibility, automation, and remote-site connectivity. Detailed customer designs are handled privately through project deliverables.

[Diagram DWG-OT-SEG-001: ISA/IEC 62443 Zones & Conduits / Industrial DMZ. Panels: Enterprise IT (IDM/AAA, DNS/NTP, SOC/SIEM, PKI, IT apps, WAN edge; central identity and logging); Firewall HA pair (deny default, allow-listed conduits); Industrial DMZ (jump host with MFA/PAM, patch repo, secure relay, historian, data broker, syslog relay, AV staging; mediation tier only, no direct IT-to-control access); OT Core HA (VRF/ACL/L3, east-west control); Cell/Area Zones (PLC/HMI, SCADA, robotics, safety, utility, I/O, Eng WS, OT Mon; controls, drives, robots, utility systems).]

Multi-Zone Industrial Segmentation & Controlled Interconnect

ISA/IEC 62443-style zone and conduit model with firewall HA, industrial DMZ mediation, MFA/PAM jump access, VRF-based OT core routing, and production-safe controls boundaries.

ISA/IEC 62443, Industrial DMZ, OT Core
[Diagram DWG-DATA-002: SCADA / Historian / Brokered Operational Data Exchange. Panels: Control Domain (PLC/RTU, HMI, SCADA, sensors; OPC UA / CIP / Modbus); Collection Tier (collectors, validate/buffer, quality rules); Historian Tier (historian HA, normalize tags, replicate); Consumer Services (dashboards, reports, MQTT/API, MES/apps; read-only publish layer).]

SCADA Communication & Operational Data Exchange

Realistic SCADA data-flow model using collectors, historian HA, read-only broker/API layers, and controlled operational consumers such as MES, dashboards, and reports.

SCADA, Historian, MQTT/API
[Diagram DWG-INF-MDF-004: MDF/IDF Core Distribution / Redundant Fiber Topology. Panels: Edge/Security (firewall HA pair, WAN/SD-WAN edge, Cloudflare/VPN; internet edge isolated); MDF Core (core switch A, core switch B, LACP/port-channel, dual PSU/UPS); Distribution (distribution A, distribution B, fiber patch field, 10/25G backbone); IDF/Access (IDF stack 01, IDF stack 02, industrial SW, Wi-Fi/edge, UPS A/B).]

MDF/IDF Core Distribution & Redundant Fiber Topology

Resilient facility network design using firewall HA, dual core switches, distribution pairs, LACP/port-channels, dual fiber uplinks, IDF stacks, and UPS A/B support.

MDF/IDF, Fiber, Redundancy
[Diagram DWG-SEC-PASSIVE-003: Passive OT Cybersecurity Visibility / Sensor Architecture. Panels: Production Network (PLC cell, robots, HMI, drives, access switch; no inline dependency); SPAN/TAP Layer (SPAN session, network TAP; mirror-only traffic); OT Sensor (passive sensor, protocol decode, asset discovery; CIP / Profinet / Modbus); SOC/Reporting (SIEM/SOC, alerts, asset reports, runbooks).]

Passive OT Cybersecurity Visibility & Sensor Deployment Architecture

Passive sensor architecture using SPAN/TAP mirrored telemetry, protocol-aware asset discovery, anomaly detection, reporting, and SIEM/SOC forwarding with no inline production dependency.

Passive Sensor, SPAN/TAP, SIEM
[Diagram DWG-AUTO-PATCH-005: Ansible Automation / Controlled Patch Orchestration. Panels: Discovery & Scope (inventory, CMDB, reachability, baseline; approved target groups); Automation Core (Ansible/AWX controller, playbooks, vault, validation, reports; maintenance windows); Execution Targets (Windows servers, Linux servers, network devices, OT apps, evidence logs; rollback/audit trail).]

Ansible Automation & Controlled Patch Orchestration

Controlled patching workflow with inventory scope, vaulted credentials, maintenance windows, validation checks, execution evidence, and rollback/audit support.

Ansible, Patch, Validation
[Diagram DWG-UTIL-WAN-006: Utility-Scale OT Networking / Remote Site Backhaul. Panels: Operations Center (SCADA/EMS, historian HA, NOC/SOC; 24x7 observability); WAN Security Edge (SD-WAN/MPLS, IPsec firewall HA, LTE/Starlink backup); Aggregation Hub (core router pair, VPN concentrator, telemetry broker; route segmentation); Remote Sites (Site 01, Site 02, BESS, solar, remote I/O; local OT firewall).]

Utility-Scale OT Networking & Remote Site Backhaul Architecture

Remote industrial site backhaul using SD-WAN/MPLS/IPsec, LTE or Starlink backup, aggregation hubs, local OT firewalls, telemetry brokers, and segmented utility domains.

SD-WAN, IPsec, Remote OT
Public-Safe Reference Material

Reference Architecture Disclaimer

The reference architectures presented on this website are provided for informational and illustrative purposes only. They do not represent customer environments, customer configurations, customer intellectual property, IP addressing, VLAN assignments, hostnames, plant layouts, firewall rules, or private project deliverables.