OT/IT convergence architecture for critical infrastructure protection with sovereign cloud integration.
Critical infrastructure (energy, utilities, manufacturing) requires secure integration between Operational Technology (OT) environments and cloud analytics while maintaining safety and availability. This architecture follows the Purdue Model for industrial security with sovereign cloud controls.
After completing this section, you will be able to:
✅ Design OT/IT convergence architectures
✅ Implement industrial DMZ patterns
✅ Configure Azure IoT for OT environments
✅ Enable threat detection for industrial systems
| Level | Name | Components | Azure Integration |
|---|---|---|---|
| 0-1 | Process | PLCs, RTUs, Sensors | IoT Edge (gateway) |
| 2 | Control | SCADA, HMI, Historian | Local processing |
| 3 | Site Operations | OT DMZ, Edge Gateway | IoT Edge + Azure Arc |
| 3.5 | IT/OT DMZ | Industrial Firewall | Azure Firewall |
| 4-5 | Enterprise | Cloud Analytics | Azure Sovereign Cloud |
```mermaid
graph TB
    subgraph OT ["OT Network (Air-Gapped)"]
        A[PLCs/RTUs<br/>Level 0-1]
        B[SCADA/HMI<br/>Level 2]
        C[Historian<br/>Level 3]
    end
    subgraph DMZ ["IT/OT DMZ"]
        D[Industrial<br/>Firewall]
        E[Data Diode<br/>One-way]
        F[Azure IoT Edge<br/>Gateway]
    end
    subgraph IT ["IT Network / Cloud"]
        G[Azure IoT Hub]
        H[Time Series<br/>Insights]
        I[Sentinel<br/>OT Workbooks]
    end
    A --> B --> C
    C -->|Read Only| E
    E -->|Telemetry| F
    F -->|MQTT/AMQP| D
    D -->|VPN| G
    G --> H
    G --> I
    style OT fill:#FFE4E1,stroke:#D13438
    style DMZ fill:#FFF4E6,stroke:#FF8C00
    style IT fill:#E8F4FD,stroke:#0078D4
```
For maximum OT isolation, deploy a hardware data diode:
| Direction | Allowed | Purpose |
|---|---|---|
| OT → IT | ✅ Yes | Telemetry, alarms |
| IT → OT | ❌ No | Prevents attack vectors |
IoT Edge deployment manifest (excerpt; the module names are illustrative labels, the images and the security setting are as given):

```json
{
  "$schema-version": "1.1",
  "modules": {
    "opc-publisher":    { "settings": { "image": "mcr.microsoft.com/iotedge/opc-publisher:latest" },
                          "env": { "Security": { "value": "OpcUA-SignAndEncrypt" } } },
    "stream-analytics": { "settings": { "image": "mcr.microsoft.com/azure-stream-analytics/azureiotedge:latest" } }
  }
}
```
```yaml
# OPC UA publisher configuration
endpointUrl: "opc.tcp://plc-server:4840"
securityMode: "SignAndEncrypt"
securityPolicy: "Basic256Sha256"
nodes:   # published node list (the list key was missing from the excerpt; name assumed)
  - nodeId: "ns=2;s=Temperature"
  - nodeId: "ns=2;s=Pressure"
```
```powershell
# Deploy Defender for IoT sensor
# (the cmdlet also requires -Location and -DisplayName, not shown in this excerpt)
New-AzIoTSecuritySolution `
  -Name "critical-infra-defender" `
  -ResourceGroupName "ot-security-rg" `
  -IotHub @("/subscriptions/{sub}/resourceGroups/iot-rg/providers/Microsoft.Devices/IotHubs/industrial-hub") `
  -RecommendationsConfiguration @(
    @{ RecommendationType = "IoT_OpenPorts"; Status = "Enabled" }
    @{ RecommendationType = "IoT_PermissiveFirewallPolicy"; Status = "Enabled" }
  )
```
```kql
// Industrial protocol anomaly detection
// <OT_EVENTS_TABLE> is a placeholder: the source table was not shown in the excerpt;
// substitute the table your Defender for IoT events land in.
<OT_EVENTS_TABLE>
| where TimeGenerated > ago(1h)
| where DeviceType == "PLC" or DeviceType == "HMI"
| where EventType in ("ProtocolAnomaly", "UnauthorizedAccess", "FirmwareChange")
| project TimeGenerated, DeviceId, DeviceType, EventType, Message
| summarize EventCount = count() by DeviceId, EventType, bin(TimeGenerated, 5m)
```
| Alert Type | Severity | Response |
|---|---|---|
| Unauthorized firmware change | Critical | Isolate device, investigate |
| Protocol violation | High | Log, alert operations |
| New device on network | Medium | Verify with operations |
| Unusual traffic pattern | Low | Monitor, investigate |
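To show what the Sentinel query and the response table above do together, here is an added example (not code from the original page or from Microsoft) that replays the query's filter and 5-minute binning in Python over constructed OT event records, then attaches the table's severity and response. The record field names follow the query's columns; rating UnauthorizedAccess as High is this example's assumption, since the table does not list it.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=UTC)   # fixed "now" so the run is reproducible
BIN = timedelta(minutes=5)                        # bin(TimeGenerated, 5m)
WATCHED_TYPES = {"PLC", "HMI"}
WATCHED_EVENTS = {"ProtocolAnomaly", "UnauthorizedAccess", "FirmwareChange"}
# From the alert table above; UnauthorizedAccess is absent there, so High is this example's assumption.
ALERT_POLICY = {
    "FirmwareChange":     ("Critical", "Isolate device, investigate"),
    "ProtocolAnomaly":    ("High", "Log, alert operations"),
    "UnauthorizedAccess": ("High", "Log, alert operations"),
}
# Constructed sample records standing in for the Defender for IoT events the query reads.
EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=3),  "DeviceId": "plc-01", "DeviceType": "PLC", "EventType": "FirmwareChange", "Message": "firmware image replaced"},
    {"TimeGenerated": NOW - timedelta(minutes=4),  "DeviceId": "plc-01", "DeviceType": "PLC", "EventType": "ProtocolAnomaly", "Message": "malformed Modbus function code"},
    {"TimeGenerated": NOW - timedelta(minutes=2),  "DeviceId": "plc-01", "DeviceType": "PLC", "EventType": "ProtocolAnomaly", "Message": "malformed Modbus function code"},
    {"TimeGenerated": NOW - timedelta(minutes=20), "DeviceId": "hmi-02", "DeviceType": "HMI", "EventType": "UnauthorizedAccess", "Message": "login from unknown host"},
    {"TimeGenerated": NOW - timedelta(minutes=30), "DeviceId": "hist-1", "DeviceType": "Historian", "EventType": "ProtocolAnomaly", "Message": "dropped: not PLC/HMI"},
    {"TimeGenerated": NOW - timedelta(hours=2),    "DeviceId": "plc-01", "DeviceType": "PLC", "EventType": "FirmwareChange", "Message": "dropped: older than 1h"},
    {"TimeGenerated": NOW - timedelta(minutes=8),  "DeviceId": "plc-03", "DeviceType": "PLC", "EventType": "Heartbeat", "Message": "dropped: benign event type"},
]

def floor_to_bin(ts, size=BIN):
    epoch = datetime(1970, 1, 1, tzinfo=UTC)          # KQL bin(): round down to bucket start
    return epoch + ((ts - epoch) // size) * size

def summarize_ot_events(events, now=NOW, lookback=timedelta(hours=1)):
    """The query's where/summarize stages: {(DeviceId, EventType, bin_start): EventCount}."""
    counts = Counter()
    for e in events:
        if e["TimeGenerated"] <= now - lookback: continue       # TimeGenerated > ago(1h)
        if e["DeviceType"] not in WATCHED_TYPES: continue       # DeviceType == PLC or HMI
        if e["EventType"] not in WATCHED_EVENTS: continue       # EventType in (...)
        counts[(e["DeviceId"], e["EventType"], floor_to_bin(e["TimeGenerated"]))] += 1
    return dict(counts)

def triage(counts):
    """Collapse bins per device/event type and attach severity and response, highest first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    per_pair = Counter()
    for (dev, ev, _bin), n in counts.items():
        per_pair[(dev, ev)] += n
    rows = [(dev, ev, n) + ALERT_POLICY[ev] for (dev, ev), n in per_pair.items()]
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

def run_example():
    return triage(summarize_ot_events(EVENTS))
```

Running `run_example()` on the constructed records yields one Critical row for the firmware change on plc-01 and two High rows, with the two protocol anomalies in the same 5-minute bin counted as 2.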
| Framework | Applicability | Implementation |
|---|---|---|
| NERC CIP | Electric utilities | Azure Policy + Sentinel |
| IEC 62443 | Industrial automation | Network segmentation |
| NIST SP 800-82 | ICS security guide | Full architecture |
| NIS2 | EU critical infrastructure | Incident reporting |
| CIP Requirement | Azure Implementation |
|---|---|
| CIP-002 | Asset inventory via Defender for IoT |
| CIP-003 | Azure Policy for governance |
| CIP-005 | Network segmentation, firewall |
| CIP-007 | Patch management via Azure Arc |
| CIP-010 | Configuration monitoring |
| System Type | Cloud Integration | Safety Impact |
|---|---|---|
| SIS/ESD | ❌ Never | Life safety |
| Process Control | ⚠️ Monitor only | Process safety |
| SCADA | ✅ Bi-directional (secured) | Operational |
| Historian | ✅ Full integration | None |
Reference: Microsoft Defender for IoT — Microsoft Learn