Securing OPC UA on a controller

In this scenario, the OPC UA server for a PLC or DCS runs on a dedicated board that can be installed in the rack of the controller itself. The edge device connects, through its OPC UA client interface, to the OPC UA server hosted by the controller, as shown in the following diagram:

OPC UA on controller

This setup, like the previous one, relies entirely on OPC UA interfaces. Because the edge device sits outside the network to which the OPC UA server is attached, a firewall must be placed in front of the server to filter and secure the HTTPS/TCP traffic carrying the edge's requests. Deploying a second firewall between the edge and the network linked to the internet creates a DMZ for the edge deployment, as shown in the following diagram:

Secure OPC UA on controller

Unfortunately, in this setup there is no option to deploy a DPI firewall to segregate the OPC UA server further from the control network, since the communication between the OPC UA server and the controller occurs over the internal bus of the controller itself. Two additional considerations should be taken into account with regard to this setup:

  • In general, when the OPC UA server is hosted on an integrated board of the controller, it runs on a Linux box, which is a bit more resilient from a cybersecurity perspective than a Windows box.
  • A software firewall could be installed on the Linux box in which the OPC UA server runs. It could be configured to further segregate the control network to which the OPC UA server is linked via the controller bus.
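
The software firewall mentioned above, as an added example that is not from the book or any vendor: a POSIX shell script that generates an nftables ruleset for the Linux board hosting the OPC UA server. It assumes (none of these values come from the page) that the edge host is 10.10.20.5, a management host is 10.10.20.6, the DMZ-facing NIC is eth0, and the endpoint listens on opc.tcp port 4840 (the IANA-registered OPC UA port; a vendor HTTPS endpoint would need its own port rule instead).

```shell
#!/bin/sh
# Added example (hypothetical values): host firewall for the OPC UA board.
# Only the edge may open OPC UA sessions; everything else to the board is
# dropped, and the board never forwards packets towards the controller bus.
EDGE_HOST="${EDGE_HOST:-10.10.20.5}"   # assumed edge device address
MGMT_HOST="${MGMT_HOST:-10.10.20.6}"   # assumed management host address
OPCUA_PORT="${OPCUA_PORT:-4840}"       # opc.tcp default; vendor may differ
WAN_IF="${WAN_IF:-eth0}"               # assumed DMZ-facing interface

# Emit the ruleset as text so it can be reviewed or diffed before loading.
opcua_ruleset() {
    cat <<EOF
flush ruleset
table inet opcua_guard {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the edge may open new sessions, and only to the endpoint port.
        iif "$WAN_IF" ip saddr $EDGE_HOST tcp dport $OPCUA_PORT ct state new accept
        # Administration from the management host only.
        iif "$WAN_IF" ip saddr $MGMT_HOST tcp dport 22 ct state new accept
        # Rate-limited log of rejected traffic for cross-checking with the DMZ firewall.
        limit rate 10/minute log prefix "opcua_guard drop: "
    }
    chain forward {
        # The board must not route between the DMZ NIC and the controller bus.
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# 'show' prints the ruleset, 'check' validates it with nft without loading it,
# and 'apply' loads it (requires root and nftables).
case "${1:-show}" in
    show)  opcua_ruleset ;;
    check) opcua_ruleset | nft -c -f - ;;
    apply) opcua_ruleset | nft -f - ;;
esac
```

Run `sh opcua_guard.sh check` on the board first; the script only touches the live ruleset when invoked with `apply`.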

In any case, since this setup exclusively uses the security model provided by OPC UA, a careful analysis of the OPC UA security model implemented by the vendor must be carried out to make sure that it is able to cover the security requirements of the specific use case.
