I am trying to understand and plan a secure network that will segment the IT and OT networks using a dual-firewall DMZ based on the Purdue Model and Ignition diagram.
The thing is I need to give access to some tags to a vendor for something. Currently they just VPN to the OPC UA server with the security settings enabled in Ignition and managed by our IT.
Does it make sense to create a DMZ and have Ignition Edge installed in the DMZ between IT and OT that communicates with the Ignition installed in the OT network (no internet access once this is implemented), and have the vendor connect to that DMZ Ignition Edge OPC UA server to access the data?
I have looked at some other documents provided by Ignition. Anything I am missing?
Never give a vendor external access to the Ignition OPC UA server. Access to one tag is access to all the tags. Find a way to use a separate system to subscribe to the allowed tags, and give them access to the tags from that system only.
1 Like
I think what @prashants is saying though is to set up an Ignition Edge instance in the DMZ. Then they could set up an OPC-UA client in the Edge instance to point to the standard Ignition instance (or set up a remote tag provider), then pull only the necessary tags into the Edge instance and give the vendor access to that instance to limit access and make the tags read-only (most likely).
I think that's a perfect option as then you can only bring the tags they need and keep it on a separate network.
Yes, that's exactly what I meant. Thanks.
I wanted to make sure Ignition Edge in the DMZ can do that and that this is a secure way to provide SCADA data without actually giving direct access to the SCADA OT network.
This isn't entirely true any more in 8.3. The server got roles and permissions support, and it's now possible to slice up access by Tag Provider and by Device.
3 Likes
Have the vendor set up an MQTT broker, and publish the tags you want them to have right to their broker. Or set up your own broker in the DMZ, and do the same.
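The DMZ relay described in the Edge-in-the-DMZ reply and the broker reply above, as an added Python model that is not code from this thread or from Ignition: the OT gateway is the only system that sees every tag, the relay forwards an explicit allow-list to a vendor-facing sink (Edge OPC UA server or MQTT broker) and has no write path back to OT; the tag paths and values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
@dataclass
class DmzTagRelay:
    """DMZ relay: subscribes to an explicit allow-list of OT tags and exposes
    only those, read-only, to the vendor-facing side (Edge OPC UA server or MQTT broker)."""
    allowed: Set[str]
    publish: Callable[[str, object], None]     # vendor-facing sink (hypothetical hook)
    _cache: Dict[str, object] = field(default_factory=dict)

    def on_ot_update(self, tag_path: str, value: object) -> bool:
        # Every tag change from the OT gateway lands here; anything not allow-listed
        # is dropped before caching, so it can never be browsed or read from the DMZ.
        if tag_path not in self.allowed:
            return False
        self._cache[tag_path] = value
        self.publish(tag_path, value)
        return True

    def vendor_browse(self) -> List[str]:
        return sorted(self._cache)              # the vendor only ever sees the subset

    def vendor_read(self, tag_path: str) -> object:
        if tag_path not in self.allowed:
            raise PermissionError("tag not exposed to vendor: " + tag_path)
        return self._cache[tag_path]

    def vendor_write(self, tag_path: str, value: object) -> None:
        raise PermissionError("vendor-facing tags are read-only")  # no write path back to OT

def run_demo() -> Tuple[List[str], List[Tuple[str, object]], List[str]]:
    published: List[Tuple[str, object]] = []
    relay = DmzTagRelay(
        allowed={"[default]Line1/Flow/PV", "[default]Line1/Pressure/PV"},  # hypothetical paths
        publish=lambda p, v: published.append((p, v)))
    ot_updates = [                               # constructed sample values, not real plant data
        ("[default]Line1/Flow/PV", 12.5),
        ("[default]Line1/Pressure/PV", 3.2),
        ("[default]Line1/Pump/Start", True),     # control tag: must never leave OT
        ("[default]Line2/Recipe/Setpoint", 88.0)]  # other line: out of scope for this vendor
    for path, value in ot_updates:
        relay.on_ot_update(path, value)
    denied: List[str] = []
    for attempt in (lambda: relay.vendor_read("[default]Line1/Pump/Start"),
                    lambda: relay.vendor_write("[default]Line1/Flow/PV", 0.0)):
        try:
            attempt()
        except PermissionError as exc:
            denied.append(str(exc))
    return relay.vendor_browse(), published, denied
```

The same allow-list check is what the Edge instance's OPC UA client or remote tag provider enforces by only subscribing to the chosen tags; the point is that the filter lives in the DMZ, not on the OT gateway the vendor never reaches.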