Context: Real-World Industrial Architecture
Most industrial enterprises operate multiple plants integrated with corporate IT systems. A typical organization has:
- Enterprise IT: ERP, MES, analytics, data lakes, cloud integration, corporate IT governance
- Network Boundary: Industrial DMZ (IDMZ) separating IT from OT, firewalls, routing, security controls
- Plant OT Networks: Multiple autonomous production facilities with control systems, historians, equipment integration, local IT governance
The challenge: Exchange manufacturing data (work orders, batch records, quality results, alarms) between plants and enterprise systems while preserving:
- Network segmentation (no direct IT/OT cross-talk)
- Zone autonomy (each zone survives disconnection of others)
- Data reliability (no message loss during network partitions)
- Operational simplicity (no complex middleware to manage at boundaries)
BSFG is designed for exactly this scenario. This document describes the canonical four-zone deployment serving as the reference architecture for Statements of Work (SOW) and deployment planning.
Zones: Purpose and Characteristics
Zone 1: Enterprise IT
The corporate integration hub.
| Aspect | Details |
|---|---|
| Network | Corporate IT, internet-connected, cloud-capable |
| Systems | ERP, MES aggregation, analytics, data lake, cloud services |
| BSFG Node | Yes — enterprise-bsfg |
| JetStream Domain | Large cluster (3+ nodes HA), high availability, 100+ GB capacity |
| Object Store | S3 or equivalent, 10+ TB, 10-year retention for audit records |
| Operations Team | Enterprise platform team, 24x7 support |
| Autonomy | Limited — enterprise relies on connectivity; plants can isolate themselves |
Zone 2: Industrial DMZ (IDMZ)
The mediation layer between IT and OT. Critical rule: no durable middleware in the boundary network itself. In this reference topology, IDMZ is a real zone and therefore may host its own BSFG durability substrate.
| Aspect | Details |
|---|---|
| Network | Isolated, firewalled both sides, no internet |
| Systems | Firewalls, routers, VPN gateways, TLS terminators (stateless) |
| BSFG Node | Yes — idmz-bsfg, operated as a compact but durable intermediary zone node |
| JetStream Domain | Single-node or HA pair, minimal streams, retention per deployment policy |
| Object Store | Compact zone-local store, retention per deployment policy |
| Operations Team | Network operations, no application ownership |
| Autonomy | N/A — IDMZ does not produce or consume facts |
Zone 3 & 4: Plant A & Plant B (OT Networks)
Each plant is operationally independent. Plants can isolate from enterprise and IDMZ without impact to local operations.
| Aspect | Details |
|---|---|
| Network | Closed, air-gapped from IT, no internet |
| Systems | PLCs, MES, historians, batch records, quality systems, equipment |
| BSFG Node | Yes — plantA-bsfg, plantB-bsfg |
| JetStream Domain | Single or dual-node, high durability, 5–50 GB capacity |
| Object Store | NAS or local SSD, 1–5 TB, 3–7 year retention per bucket |
| Operations Team | Plant engineering and IT, local ownership |
| Autonomy | Full — plant operates independently during IDMZ or enterprise outages |
BSFG Node Placement and Architecture
Each zone runs a BSFG node. In this reference deployment, IDMZ is not a pass-through hop; it is a compact, durable zone with its own BSFG node and local state.
IDMZ BSFG Node
Location: IDMZ network
Hostname: bsfg-idmz.example.com
IP: 10.1.1.10
Certificate CN: idmz-bsfg
Services:
├── Connect RPC endpoint (port 9443)
├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
└── Metrics endpoint (restricted to IDMZ operations)
JetStream Domain:
├── Streams (facts)
│ ├── facts.transit (cross-zone transfer)
│ ├── facts.audit (boundary and mediation audit)
│ └── facts.control (administrative coordination)
└── Named consumers
├── enterprise-receiver
├── plant-a-receiver
└── plant-b-receiver
Object Store:
├── transit-files (short-lived mediated artifacts)
└── audit-files (operational evidence, per policy)
Enterprise BSFG Node
Location: Enterprise IT network
Hostname: bsfg-ent.example.com
IP: 10.0.1.10
Certificate CN: enterprise-bsfg
Services:
├── Connect RPC endpoint (port 9443)
├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
└── Metrics endpoint (internal)
JetStream Domain:
├── Streams (facts)
│ ├── facts.operational (work orders, batches, status)
│ ├── facts.quality (test results, inspections)
│ └── facts.audit (compliance, audit logs)
└── Named consumers
├── plant-a-receiver (tracks replication to Plant A)
└── plant-b-receiver (tracks replication to Plant B)
Object Store:
├── batch-files (batch orders, recipes, 10y retention)
├── asset-files (CAD, spec sheets, 10y retention)
├── document-files (certificates, SOPs, 10y retention)
└── audit-files (compliance records, 10y retention)
Plant A BSFG Node
Location: Plant A OT network
Hostname: bsfg-planta.local
IP: 10.2.1.10
Certificate CN: plant-a-bsfg
Services:
├── Connect RPC endpoint (port 9443)
├── AppendFact / FetchFacts / ConfirmReceipt / PutObject
└── Metrics endpoint (local only)
JetStream Domain:
├── Streams (facts)
│ ├── facts.operational (work orders, equipment status)
│ ├── facts.quality (test results)
│ └── facts.alarms (equipment alarms)
└── Named consumers
├── enterprise-receiver (replication to Enterprise)
└── local-app (plant MES application)
Object Store:
├── batch-files (batch records, work orders, 5y retention)
├── asset-files (equipment docs, 7y retention)
├── alarm-files (alarm logs, 1y retention)
└── document-files (local docs, 3y retention)
Plant B BSFG Node
Same structure as Plant A, with:
- Certificate CN: plant-b-bsfg
- Hostname: bsfg-plantb.local
- IP: 10.3.1.10
- Named consumers: enterprise-receiver, local-app
Data Flow: Facts Between Zones
Enterprise → Plant A (Push Work Orders)
Enterprise produces fact:
subject: "work_order:WO-2026-0001"
predicate: "was_assigned_to"
object_json: {plant: "A", due: "2026-03-15", ...}
Append at Enterprise BSFG:
AppendFact(...) → offset 1000
Plant A pulls facts:
FetchFacts(consumer_name="enterprise-receiver", limit=100)
→ receives batch starting at offset 1000
Plant A appends locally:
AppendFact(...) → local_offset (independent)
Plant A confirms:
ConfirmReceipt(consumer_name="enterprise-receiver", offset=1000)
Enterprise advances cursor:
Cursor(enterprise-receiver) = 1000
Plant A → Enterprise (Report Completion)
Plant A produces fact:
subject: "work_order:WO-2026-0001"
predicate: "was_completed"
object_json: {duration_ms: 3600000, status: "PASS", ...}
Append at Plant A BSFG:
AppendFact(...) → offset 500
Enterprise pulls facts:
FetchFacts(consumer_name="plant-a-receiver", limit=100)
→ receives batch starting at offset 500
Enterprise appends locally:
AppendFact(...) → local_offset
Enterprise confirms:
ConfirmReceipt(consumer_name="plant-a-receiver", offset=500)
Plant A advances cursor:
Cursor(plant-a-receiver) = 500
Plant A → Plant B (Indirect via Enterprise)
Plant A → Enterprise → Plant B
Never direct Plant A → Plant B.
All cross-plant communication flows through Enterprise.
This preserves network segmentation and simplifies operations.
Network Connectivity and Firewall Rules
Enterprise ↔ IDMZ
Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Enterprise BSFG (10.0.1.10)
Destination: IDMZ firewall gateway IP
Rules:
allow tcp from 10.0.1.10 to IDMZ-gateway port 9443
allow tcp from IDMZ-gateway to 10.0.1.10 port 9443
IDMZ ↔ Plant A
Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Plant A BSFG (10.2.1.10)
Destination: IDMZ firewall gateway IP
Rules:
allow tcp from 10.2.1.10 to IDMZ-gateway port 9443
allow tcp from IDMZ-gateway to 10.2.1.10 port 9443
IDMZ ↔ Plant B
Direction: Bidirectional
Protocol: TCP/TLS (HTTP/2)
Port: 9443
Source: Plant B BSFG (10.3.1.10)
Destination: IDMZ firewall gateway IP
Rules:
allow tcp from 10.3.1.10 to IDMZ-gateway port 9443
allow tcp from IDMZ-gateway to 10.3.1.10 port 9443
Key Constraints
- No direct IT/OT traffic: Enterprise BSFG never connects directly to plant networks. All traffic flows through IDMZ firewall.
- No direct plant-to-plant: Plant A BSFG never connects to Plant B BSFG. Cross-plant communication flows through Enterprise.
- No shared JetStream: Each zone's JetStream domain is isolated. No cross-zone stream replication or mirroring.
- No shared object storage: Each zone's artifact storage is local. No S3-style cross-zone buckets.
- IDMZ is independently durable: If the IDMZ zone is rebooted or fails, its own BSFG node recovers from local durable state just as Enterprise and Plant nodes do. Cross-zone communication resumes from durable cursors and retained facts.
Identity and Certificate Model
Certificate Hierarchy
Root CA: MyCompany-RootCA (internal, not public)
└── Intermediate: MyCompany-BSFG-CA
├── enterprise-bsfg
│ CN: enterprise-bsfg
│ SANs: bsfg-ent.example.com, 10.0.1.10
│ Issued to: Enterprise platform team
│
├── idmz-bsfg
│ CN: idmz-bsfg
│ SANs: bsfg-idmz.example.com, 10.1.1.10
│ Issued to: IDMZ operations
│
├── plant-a-bsfg
│ CN: plant-a-bsfg
│ SANs: bsfg-planta.local, 10.2.1.10
│ Issued to: Plant A engineering
│
└── plant-b-bsfg
CN: plant-b-bsfg
SANs: bsfg-plantb.local, 10.3.1.10
Issued to: Plant B engineering
mTLS Handshake and Verification
When Enterprise BSFG connects to Plant A BSFG:
1. Enterprise initiates TLS handshake
2. Plant A BSFG presents certificate with CN=plant-a-bsfg
3. Enterprise validates:
- certificate signature (against MyCompany-BSFG-CA)
- not expired
- CN matches expected plant identity
4. Plant A validates Enterprise's certificate similarly
5. Bidirectional authentication established
6. All RPC calls encrypted over this tunnel
Certificate Validity and Rotation
- Validity period: 1 year (renewable annually)
- Renewal schedule: 30 days before expiry
- Rotation procedure: Install new cert, reload BSFG node, test connectivity
- Emergency rotation: For compromised keys, immediate reissue and deployment
Operational Responsibilities
Enterprise Platform Team
Responsible for the Enterprise BSFG node and Enterprise zone connectivity:
- Deploy and operate enterprise-bsfg BSFG node
- Manage JetStream cluster (3-node HA setup)
- Manage artifact storage (S3 or equivalent)
- Issue and rotate mTLS certificates for enterprise-bsfg
- Monitor replication lag to plants (SLA: < 5 minutes)
- Maintain 24x7 uptime SLA
- Escalate to IDMZ team for network issues
IDMZ Operations Team
Responsible for network mediation between zones:
- Manage IDMZ firewall rules (allow/deny by BSFG node certificate CN)
- Monitor firewall logs for anomalies
- Ensure no durable infrastructure (no Kafka, no databases, no file servers)
- Route traffic between Enterprise and Plant networks
- Maintain network uptime SLA (99.5% target)
- Escalate to Enterprise or Plant teams for application issues
Plant A Engineering Team
Responsible for the Plant A BSFG node and plant autonomy:
- Deploy and operate plant-a-bsfg BSFG node
- Manage JetStream domain (single or dual-node)
- Manage local artifact storage (NAS or local SSD)
- Issue and rotate mTLS certificates for plant-a-bsfg
- Configure producers (MES, equipment) to emit facts
- Configure consumers (local apps) to process facts
- Monitor local buffer fill and consumer backlog
- Preserve plant autonomy: isolate from enterprise/IDMZ without impact to local operations
Plant B Engineering Team
Same responsibilities as Plant A, adapted for Plant B's specifics.
Topology Diagram
flowchart TD
subgraph ENT["ENTERPRISE IT"]
ENT_APPS["ERP, MES Aggregation, Analytics, Cloud"]
ENT_NODE["BSFG Node: enterprise-bsfg
IP: 10.0.1.10
Cert: CN=enterprise-bsfg
JetStream (HA 3-node)
facts.operational / facts.quality / facts.audit
S3 Object Storage (10+ TB, 10y retention)"]
ENT_APPS --> ENT_NODE
end
subgraph IDMZ["IDMZ"]
IDMZ_INFO["Firewalls, Routing, VPN (no durable middleware)"]
IDMZ_GW["IDMZ Firewall Gateway
Routes traffic 3 directions
No data retention
TLS termination optional"]
IDMZ_INFO --> IDMZ_GW
end
subgraph PA["PLANT A OT"]
PA_NODE["BSFG Node: plantA-bsfg
IP: 10.2.1.10
JetStream (1-2 nodes)
NAS/SSD (1-5 TB)"]
PA_APPS["MES, PLC, Historians"]
PA_APPS --> PA_NODE
end
subgraph PB["PLANT B OT"]
PB_NODE["BSFG Node: plantB-bsfg
IP: 10.3.1.10
JetStream (1-2 nodes)
NAS/SSD (1-5 TB)"]
PB_APPS["MES, PLC, Historians"]
PB_APPS --> PB_NODE
end
ENT_NODE -->|"mTLS RPC (port 9443)"| IDMZ_GW
IDMZ_GW -->|"mTLS RPC"| PA_NODE
IDMZ_GW -->|"mTLS RPC"| PB_NODE
Deployment Checklist
- ☐ Create enterprise CA and issue BSFG node certificates
- ☐ Provision Enterprise zone (ERP, analytics integration)
- ☐ Deploy Enterprise BSFG node (HA JetStream, S3 storage)
- ☐ Configure IDMZ firewalls (allow BSFG mTLS RPC only)
- ☐ Verify no durable infrastructure in IDMZ
- ☐ Provision Plant A OT network
- ☐ Deploy Plant A BSFG node (JetStream, NAS storage)
- ☐ Issue mTLS certificate for plant-a-bsfg
- ☐ Configure Plant A producers (MES, equipment) to emit facts
- ☐ Provision Plant B OT network
- ☐ Deploy Plant B BSFG node (JetStream, NAS storage)
- ☐ Issue mTLS certificate for plant-b-bsfg
- ☐ Configure Plant B producers (MES, equipment) to emit facts
- ☐ Test connectivity: Enterprise ↔ IDMZ ↔ Plant A
- ☐ Test connectivity: Enterprise ↔ IDMZ ↔ Plant B
- ☐ Test replication: Enterprise → Plant A (work order flow)
- ☐ Test replication: Plant A → Enterprise (completion report)
- ☐ Test replication: Enterprise → Plant B
- ☐ Test replication: Plant B → Enterprise
- ☐ Test autonomy: Isolate Plant A from IDMZ, verify local operation
- ☐ Test autonomy: Isolate Plant B from IDMZ, verify local operation
- ☐ Set up monitoring (replication lag, buffer fill, cert expiry)
- ☐ Document operational procedures (failover, certificate rotation, troubleshooting)
- ☐ Train operations teams (Enterprise, IDMZ, Plant A, Plant B)
- ☐ Go-live readiness review
Related Documentation
- Enterprise IDMZ Plant Topology — General 3-zone reference
- Peer Replication Protocol — How BSFG nodes synchronize facts
- Network Policy — Firewall rules and mTLS requirements
- Identity Model — Certificate management and zone authentication
- Operations Runbook — Monitoring, failure modes, recovery procedures
- Architecture Map — BSFG architectural primitives
- Integration Contract — Producer and consumer responsibilities