Reference Architecture Diagram + Narrative (gateway normalization + secure device identity)
┌─────────────────────────────────────────────────────────────────────────────┐
│ DEVICES & SENSORS                                                           │
│ PLCs │ RTUs │ Cameras │ RFID/Beacons │ Meters │ Wearables │ Robots │ Kiosks │
└──────────────┬──────────────────────┬──────────────────────┬────────────────┘
               │                      │                      │
               ▼                      ▼                      ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ EDGE GATEWAYS / FIELD NODES                                                 │
│ • Proto normalize: OPC-UA / Modbus / DNP3 / BACnet                          │
│ • Southbound drivers; Northbound pub/sub (MQTT/Kafka)                       │
│ • Local policy: rate-limit, filter, mask, sign                              │
│ • Store-and-forward cache with checksum/ordering                            │
└───────────────────┬─────────────────────────────────────┬───────────────────┘
                    │                                      │
    Private 5G/LTE / Wi-Fi (site LAN)              Long-range LPWAN
    (local UPF for URLLC when needed)              LoRaWAN / NB-IoT
                    ▼                                      ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ EDGE COMPUTE / MICRO-MEC (on-prem)                                          │
│ • K8s/VMs: inference, rules, digital twins                                  │
│ • Feature extraction, media pipelines (WebRTC)                              │
│ • Secrets cache, device certificates (mTLS)                                 │
└──────────────────────────────────────┬──────────────────────────────────────┘
                                       │
                                       ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ TRANSPORT / SECURITY FABRIC (northbound)                                    │
│ SD-WAN overlays ║ MPLS/IX ║ SASE/SSE POPs (ZTNA/SWG/…)                      │
│ Geo/data-residency fences • Vendor PAM windows                              │
└───────────────────┬─────────────────────────────────────┬───────────────────┘
                    │                                      │
                    ▼                                      ▼
┌──────────────────────────────────────┐  ┌──────────────────────────────────────┐
│ STREAMS & INTEGRATIONS               │  │ CONTROL / DATA DESTINATIONS          │
│ • MQTT brokers / Kafka clusters      │  │ • OT systems / MES / SCADA           │
│ • Schema registry & contracts        │  │ • ERP/WMS/CRM • Data Lakes           │
└──────────────────────────────────────┘  │ • Analytics/AI • APIs (WAF)          │
                                          └──────────────────────────────────────┘
Telemetry / Integrity bus ──► AIOps • SIEM/SOAR • ITSM/CMDB • GRC/Audit (WORM/retention)
Narrative (how the edge speaks clearly and safely to the core)
1) Purpose & posture
- Objective: Provide a unified, secure, and standards-based fabric for onboarding, identifying, normalizing, and operating everything that is not a laptop—from PLCs and cameras to meters and mobile robots—so higher layers get clean, trustworthy signals.
- Posture: Identity-first devices (certs/mTLS), protocol neutrality, minimal data by default (filter/mask at source), and evidence-ready operations.
2) Device & gateway layer (syntax at the edge)
- Southbound drivers speak field protocols (OPC-UA, Modbus, DNP3, BACnet, CAN, ONVIF).
- Normalization converts to MQTT/Kafka + JSON/Avro/Protobuf with schema registry and versioned contracts to prevent drift.
- Local policy—rate-limit, dedupe, mask PII, sign payloads—before anything leaves the site.
3) Access & compute near things (semantics preserved)
- Private 5G/LTE with local UPF where deterministic latency (URLLC) is needed (robots, motion control).
- Edge/Micro-MEC runs rules engines, ML inference, digital twins, and media pipelines (e.g., CV for quality/safety), using sealed secrets and device certs for mTLS.
4) Northbound transport & security
- SD-WAN steers flows to nearest healthy SASE/SSE POP, applying ZTNA for device classes, SWG/CASB/FWaaS/DLP for any SaaS/API egress, and geo-pinning for data residency.
- Vendor access is PAM/JIT only—time-boxed, recorded, with automatic key rotation in HSM/KMS.
5) Streams, contracts, and destinations (meaning with memory)
- Brokers (MQTT/Kafka) separate producers from consumers; schema registry enforces contracts; dead-letter topics retain bad events.
- Destinations include SCADA/MES, ERP/WMS/CRM, data lakes/AI, and partner APIs behind WAF/API gateways.
6) Resilience patterns (grammar under stress)
- Store-and-forward caches at gateways keep ordered payloads during outages; replay reconciles checksums upstream.
- Radio failover: site LAN → private 5G/LTE → LPWAN as last resort for telemetry.
- Edge autonomy: safety/quality rules continue locally even if the WAN is dark.
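Sections 2 and 6 together describe the gateway's edge policy (normalize to a versioned contract, mask PII, sign) and the ordered store-and-forward cache that upstream reconciles on replay. The Python below is an added illustration of that pattern, not code from the original page; the Modbus-style register names, the contract name, the demo key and the dead-letter handling are assumptions for the example.

```python
import hashlib, hmac, json
from collections import deque

GATEWAY_KEY = b"demo-gateway-key"  # constructed demo key; a real gateway keeps it in a TPM/HSM-backed store
CONTRACT = "meter.reading.v1"      # assumed contract name registered in the schema registry

def mask(badge: str) -> str:
    # Mask operator PII at source, keeping a 2-char prefix so records stay correlatable
    return badge[:2] + "*" * (len(badge) - 2) if len(badge) > 2 else "**"

def normalize(raw: dict) -> dict:
    """Map an assumed Modbus-style register read to the versioned contract."""
    return {"schema": CONTRACT, "device_id": raw["unit_id"], "ts": raw["ts"],
            "kwh": raw["reg_40001"] / 100.0, "operator": mask(raw.get("badge", ""))}

def tag(seq: int, event: dict) -> str:
    """Keyed checksum over sequence number + canonical body: covers integrity and ordering."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(GATEWAY_KEY, seq.to_bytes(8, "big") + body, hashlib.sha256).hexdigest()

class Gateway:
    """Store-and-forward cache: signed events queue in order while the WAN is dark."""
    def __init__(self):
        self.seq, self.queue = 0, deque()
    def publish(self, raw: dict) -> None:
        self.seq += 1
        event = normalize(raw)
        self.queue.append({"seq": self.seq, "body": event, "hmac": tag(self.seq, event)})
    def replay(self, upstream) -> int:
        sent = 0
        while self.queue:
            try:
                upstream.receive(self.queue[0])
            except ConnectionError:
                break  # link still down: keep the head so ordering is preserved
            self.queue.popleft()
            sent += 1
        return sent

class Upstream:
    """Broker side: verify HMAC and strict sequence; failures go to a dead-letter list."""
    def __init__(self):
        self.link_up, self.next_seq, self.accepted, self.dead_letter = True, 1, [], []
    def receive(self, env: dict) -> None:
        if not self.link_up:
            raise ConnectionError("WAN down")
        ok = (hmac.compare_digest(tag(env["seq"], env["body"]), env["hmac"])
              and env["seq"] == self.next_seq)
        (self.accepted if ok else self.dead_letter).append(env)
        if ok: self.next_seq += 1
```

Because the sequence number is inside the keyed checksum, a replayed, reordered or edited event fails verification and lands in the dead-letter list instead of silently corrupting the stream.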
7) Security & evidence (pragmatics of trust)
- Device identity via cert enrollment (EST/SCEP); attestation on boot; EDR-for-edge where feasible.
- SIEM/SOAR correlates anomalies (scan, flood, exfiltration) → automated actions: isolate the device's VRF, revoke its cert, rotate keys, open an ITSM ticket.
- WORM/Audit vault stores configs, firmware hashes, access trails, and retention proof for regulators.
8) Reference KPIs
- Onboarding to trusted (certificate-enrolled) state: ≤10 min avg
- Normalization coverage: ≥95% of device types under schema contract
- Telemetry continuity during outages: ≥99.5% (via store-and-forward)
- Edge inference latency (vision/rules): <50 ms typical
- Security MTTR (device isolate → recover): ≤2 h
9) Minimal BOM (aligned with prior matrix)
Edge gateways (multi-protocol), Private 5G/LTE + UPF (optional), Wi-Fi/LPWAN radios, SD-WAN/SD-Branch, SASE/SSE (ZTNA/SWG/CASB/FWaaS/DLP), Edge/Micro-MEC (K8s/VMs), MQTT/Kafka + schema registry, WAF/API GW, HSM/KMS/PKI, PAM/JIT, SIEM/SOAR, AIOps/Observability, ITSM/CMDB, WORM audit store.