We recently completed a major security transformation for our genealogy tracking deployment across three manufacturing sites. The project centered on implementing Purdue Enterprise Reference Architecture with a properly segmented industrial DMZ to protect our DELMIA Apriso MES genealogy data flows.
Our previous flat network exposed critical genealogy tracking systems directly to enterprise networks, creating unacceptable risk. We deployed unidirectional gateways between Level 3 (MES) and Level 4 (enterprise) following ISA-99/IEC 62443 standards. The industrial DMZ now sits between our shop floor genealogy collectors and the enterprise reporting layer.
Key architectural decisions included OPC UA encryption for all genealogy data streams with certificate-based authentication, and microsegmentation policies isolating each production line’s tracking systems. We implemented separate VLANs for genealogy servers, data historians, and external integrations.
The deployment took 6 months with zero production downtime through careful staging. Security posture improved dramatically - we now have complete visibility into genealogy data flows with enforced access controls at every network boundary. Performance actually improved 15% due to optimized routing and reduced broadcast traffic.
Happy to share technical implementation details and lessons learned from this journey.
We went with physical Palo Alto firewalls at the Level 3/4 boundary and virtualized Check Point instances for internal DMZ segmentation. The unidirectional gateways are Waterfall hardware units - absolutely no return path from enterprise to OT.
For genealogy replication, we implemented a data diode pattern. Apriso genealogy servers in Level 3 push serialized batch records through the diode to a replica database in the DMZ. Enterprise reporting pulls from that replica. The trick was implementing acknowledgment through a separate out-of-band monitoring channel that doesn’t carry production data. We use SNMP traps for health monitoring only.
Critical lesson: test your genealogy query patterns extensively before deployment. Some complex parent-child tracking queries needed optimization because the replica has slightly different indexing than the live system.
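The push-through-the-diode pattern described above, as an added example that is not code from the original thread or from Apriso: a Level 3 sender frames serialized batch records with a sequence number and an HMAC, and the DMZ replica side verifies each frame and records gaps and rejects for the out-of-band health channel, since nothing can be NAKed back across the diode. The key, record fields and batch ids are constructed placeholders.

```python
import hashlib, hmac, json

# Constructed sample genealogy batch records (not from the original post).
SAMPLE_BATCHES = [
    {"batch_id": "B-1001", "parent": None, "line": "L1", "cell": "C1"},
    {"batch_id": "B-1002", "parent": "B-1001", "line": "L1", "cell": "C2"},
    {"batch_id": "B-1003", "parent": "B-1002", "line": "L2", "cell": "C1"},
]
KEY = b"placeholder-shared-secret"  # provision a real per-site key out of band

def frame_records(records, key=KEY):
    """Level 3 side: serialize each record with a sequence number and an HMAC.
    Nothing ever comes back across the diode, so ordering and integrity
    information has to travel inside the frame itself."""
    frames = []
    for seq, rec in enumerate(records, start=1):
        payload = json.dumps({"seq": seq, "record": rec}, sort_keys=True).encode()
        tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        frames.append(payload + b"|" + tag)
    return frames

class ReplicaReceiver:
    """DMZ side: verify each frame and track gaps, since no NAK can be sent.
    health() is the kind of status the out-of-band monitoring channel reports."""
    def __init__(self, key=KEY):
        self.key, self.expected_seq = key, 1
        self.accepted, self.missing, self.rejected = [], [], 0

    def ingest(self, frame):
        payload, _, tag = frame.rpartition(b"|")
        good = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(good, tag):
            self.rejected += 1          # corrupted or tampered in transit
            return False
        msg = json.loads(payload)
        seq = msg["seq"]
        if seq < self.expected_seq:     # duplicate, replayed or late frame
            self.rejected += 1
            return False
        if seq > self.expected_seq:     # frames lost: record the gap for ops
            self.missing.extend(range(self.expected_seq, seq))
        self.expected_seq = seq + 1
        self.accepted.append(msg["record"])
        return True

    def health(self):
        return {"accepted": len(self.accepted), "missing": self.missing,
                "rejected": self.rejected}
```

A missing or rejected sequence number in health() is the signal to re-push the affected batch from Level 3; the replica itself has no way to ask for it.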
Can you elaborate on your microsegmentation policies? We’re trying to determine the right granularity - are you segmenting at the production line level, cell level, or even individual equipment? How does this work with genealogy tracking that needs to follow products across multiple cells and lines?
This is exactly the type of implementation we’re planning for Q3. A few questions on your Purdue model implementation - did you deploy separate physical firewalls for each zone boundary, or use virtualized security appliances? Also, how did you handle the genealogy data replication between DMZ and enterprise zones given the unidirectional gateway constraints?