Enabling Enterprise-wide OT Data access
with Matrikon Data Broker
John Archer
Senior Principal BDM - AI & Edge
archer@redhat.com
Alex Kubacki
Technical Architect Ecosystem
akubacki@redhat.com
Darek Kominek
Marketing Director
darek.kominek@matrikonopc.com
Meet The Speakers
John Archer
Sr Principal BDM - AI, Edge and Industrials
BS Political Science
Red Hat since 2015
Alex Kubacki
Technical Architect - Global Partner Solutions & Technologies
BS in Computer Engineering, Computer Science, and Electrical Engineering
Red Hat since 2021
Darek Kominek
Marketing Director
BSc Computer Engineering
Matrikon since 2005
Where is Matrikon Technology and OPC-UA deployed today?
Business Value Story
● Universal OPC UA Based data connectivity
○ 3rd party vendor neutral
○ Improved data context
● Secure data connectivity
○ End-to-end encryption
○ Network traversal (Enterprise wide)
● Legacy infrastructure friendly (extends ROI)
● Low cost of ownership
● Better data quality (IM)
● Extended ROI
● Reduce Non-Productive Time
Bottom Line
● Introduce DevSecOps into the OT domain
● Open Process Automation foundation
● OTA style updates and patches with rollback
● Improve Safety, Resiliency, Reliability concerns
● Zero Touch Deployments
● Declarative Security
● Sustainable pattern for complex industrial architecture deployments
● Safely explore new business goals in process industries
● Free engineers to focus on the analytics and custom workloads in highly regulated and HSE focused industries
● Move to autonomous operations and improve margins
The combination of modern OT data connectivity with state of the art IT infrastructure multiplies business value.
OT Focus / IT Focus
Purdue Model / ISA-95 Mapping to Red Hat Edge Layers
Industrial Infrastructure Levels
What are the different Levels for Industrial Infrastructure?
Operational Level: Far Edge
What is Far Edge?
Far Edge is Level 2 and below. It consists of the Control Systems, Intelligent Devices and Physical Processes that make up the manufacturing.
Plant Level: Near Edge
What is Near Edge?
Near Edge consists of the DMZ and Level 3 of the Purdue Model. The DMZ is the set of security features, such as firewalls and proxies, which isolate the environment from the outside world. Level 3 is the manufacturing operation systems which manage production workflow.
Enterprise Level: Core
What is Core?
Core is equal to Level 4/5 of the Enterprise Levels. It is the primary level where business functions occur. Common IT networking exists at this level, along with workstations, Web Servers, DNSs, etc.
Industrial IT/OT Considerations
Goals and Risks for either the IT or OT POV for each Level
Operational Level: Far Edge
● Network and IT security
● Data Access
● ML Model Inferencing
● Automation
Plant Level: Near Edge
● Configuration Changes
● Vulnerabilities
● Software Update and Patches
Enterprise Level: Core
● Privilege abuse attempts and escalations
● Financial Fraud
● Autonomous Operations
OT Focus / IT Focus
● Network traversal
● Platform Hacking
● Data Leaking, Tampering, Manipulation
● Device Manipulation
● Unscheduled Downtime
● 3rd party connectivity
● Operational Security
● Reliability
● Safety
● Data context
● Business and Operation Disruption
● Real-time Visibility
MDB: Unified OT Data Platform (diagram)
Purdue levels shown: Level 1 (Sensors & Devices), Level 2 (System DCS S-PLC), Level 3 (OT applications), Level 3.5 (DMZ), Level 4 (Business), and 3rd Party Cloud Providers.
MDB functions across these levels: Connectivity & Federation; Data Model & Mapping; Traversal (OT Side); Traversal (DMZ); Traversal (IT Side); Cloud communications.
MDB: The Unified OT Data Layer
Diagram: RAW COMPANY OT DATA → ADVANCED APPLICATION FUNCTIONALITY + DATA CONTEXTUALIZATION (VENDOR SPECIFIC) → On Prem Application 1, On Prem Application 2, Cloud Application 1
Access to OT data is dependent on Advanced Application(s). Another type of Vendor Lock-in.
Traditional Solution: An advanced application serves double duty: as an advanced function and as an access point to data for other applications.
MDB: The Unified OT Data Layer
Diagram: RAW COMPANY OT DATA → MDB – Unified OT Data Layer (OPC UA OPEN STANDARD BASED) → ADVANCED APPLICATION FUNCTIONALITY + DATA CONTEXTUALIZATION (VENDOR SPECIFIC) → On Prem Application 1, On Prem Application 2, Cloud Application 1
Create a single, secure OT-data access point via a unified OT data layer.
Best Practice - OT Data Access: separate “data access” from “application functionality” by creating an open standard-based layer for OT data access for all applications.
MDB: The Unified OT Data Layer
Diagram: RAW COMPANY OT DATA → MDB – Unified OT Data Layer (OPC UA OPEN STANDARD BASED) → ADVANCED APPLICATION FUNCTIONALITY → On Prem Application 1, On Prem Application 2, Cloud Application 1
Use advanced applications for the functionality they provide.
Use a common, standards-based OT data access point.
Best Practice - OT Data Access: separate “data access” from “application functionality” by creating an open standard-based layer for OT data access for applications across the enterprise and to-cloud.
MDB: The Unified OT Data Layer
Diagram: RAW COMPANY OT DATA → MDB – Unified OT Data Layer (OPC UA OPEN STANDARD BASED) → ADVANCED APPLICATION FUNCTIONALITY → On Prem Application 1, On Prem Application 2, Cloud Application 1
Move beyond raw OT-data access by enhancing its context and structure while protecting underlying sources.
Best Practice - Enhanced OT Data Value: Present OT data in the context(s) required by different users/applications using open, OPC UA standards-based Data Technology.
MDB: Data Tech for a Unified OT Data Layer
Diagram: Unified OT Data Layer (Connectivity, Consolidation, Context, Collaboration, Cloud Access) → ADVANCED APPLICATION FUNCTIONALITY → On Prem Application 1, On Prem Application 2, Cloud Application 1
MDB powered Unified OT-Data Layer vs Traditional Connectivity
Traditional Solution
● Direct connections to data sources
● Little to no data context provided by sources, hard to add context.
● Custom solutions relied on for access to OT-data and context (vendor lock in)
● Inconsistent (home grown) security practices depend on expertise of integration team.
Unified OT-Data Layer Best Practice
● Single connection made to data sources.
● Dynamic, user managed, 3rd party data context
● Separated data access and advanced application roles
● Sustainable open standards-based solution (ex. OPC UA, MQTT)
● Consistent, system-wide, security best-practices included ‘under the hood’
Two Sides of the Same Coin: OT Data Centric View, IT Network View, IT Workflows View
Honeywell Matrikon Data Broker Deployment Options
Roadmap: Kubernetes Orchestrated Workloads on Red Hat OpenShift virtualization (Red Hat Enterprise Linux CoreOS)
● Control plane
● Linux containers: DataBroker Operator (ubi container)*
● Windows containers and Windows virtual machine (Microsoft Windows): Windows containerized workloads, Windows legacy VM workloads, Matrikon OPC-UA Explorer
Today: Linux Edge Workloads (Bare Metal/VM/Container) on Red Hat Enterprise Linux
● DataBroker Podman (ubi container)
● DataBroker Bare Metal (AppImage)
● UA Explorer Bare Metal (AppImage)
● Ansible Automation (Roadmap)
Industrial Edge Architecture
Columns: Operational Level (Far Edge) | Plant Level (Near Edge) | Enterprise Level (Core)
Trusted Software Factory & DevOps Platform: System & Software Testing; DevOps & Continuous Integration; SW Release & Dependency Mgmt (Version Control); Edge Management & Control; Development Tooling; Security
Enterprise IT & other Business Lines / Central IT Platforms: Production & Logistics collaboration & communication of OEM, Tier 1, Tier N, …; Enterprise Resource Planning (SAP); Supply Chain Management (SCM); Product Lifecycle Management (PLM); Engineering, Requirements & Architecture (CAx)
Plant Application / Factory Operations: Manufacturing Execution Systems (MES); Asset Management; Warehouse Management (with ERP); Custom Factory Applications; Digital Twin; Track & Trace
Data Platform: Structured / unstructured; Timeseries; Analytics; Visualization; ML Development
Integration Platform: Message Broker; Protocol Transform; Change Data Capture; Event Streaming; API Mgmt
Application Platform: MSA; Event Driven; ML Inference; Workflow; Rules; CI/CD, CfgMgmt; Observability; Serverless
Operational Technology: Existing Operational Technology (PLC, RTU, HMI, …); IoT Gateway; Supervisory control & data acquisition (SCADA); Machine, Device, Sensor, Robot; Future Software Defined OT (PLC, RTU, HMI, …)
Technical Platform: Container; Virtual Machines; Low Latency; Compute; Network; Storage
Current Projects - OT Investments and Roadmap
IEC 62443 and OPAF O-PAS Modernization Path
A System with O-PAS™ Components
O-PAS Testbed on Red Hat Infrastructure
Finding Targets - Titles and Keywords
Who to reach out to with these capabilities
Titles
1. Plant Supervisor
2. SCADA Manager
3. Compute Architect
4. Operations Lead
5. Cluster Administrator
6. Network Administrator
7. Project Engineer
8. Security Engineer
Keywords
1. OPA/OPAF
2. SCADA
3. OPC-UA/Modbus
4. Predictive Maintenance
5. Real time Operations
6. Time-Series
7. Cybersecurity
8. Operations Edge
9. Purdue Model
10. ISA-95
11. Reliability
12. Safety
13. HMI
14. Industrial Controls
Next Steps…
For engagement support, here is what's next:
1. Contact John Archer - archer@redhat.com and
Jennifer Owen at Matrikon - jennifer.owen@MatrikonOPC.com for assistance
2. Go to media.redhat.com and search for Industrials Solutions to learn more about
industrial sales plays, OPC-UA, and Matrikon Data Broker solutions.
3. Reach out to Edge Solution Center Team for demo and engagement support.
Q & A Thanks Contact
