IIoT Monitoring Architecture for Automotive Plants: A Practical Implementation Guide for Tier 1-3 Manufacturers

Why IIoT Monitoring Architecture Matters More for Smaller Suppliers

Tier 1 suppliers and large OEMs typically have dedicated OT cybersecurity staff, established reference architectures, and the budget to enforce them across multiple sites. Tier 2 and Tier 3 shops generally do not. They have a controls engineer or two, an outside systems integrator when needed, and a corporate IT group whose understanding of the plant floor often stops at the office firewall.

That gap is exactly why the architectural decisions made at the start of an IIoT monitoring architecture project carry so much weight. A poorly designed deployment in a Tier 2 plant can:

• Route raw PLC traffic across the same network segment as office workstations
• Create an unmanaged path between machine controllers and cloud services
• Drop OEE data into a dashboard with no documentation of where the numbers came from
• Fail a customer cybersecurity audit because OT and IT segmentation cannot be demonstrated

The fix is not more software. It is a clean, documented architecture that defines what runs at each layer, how data crosses between them, and where the security boundaries are. The same discipline that goes into a turnkey controls project applies here.

Layer 1: The Edge, Normalizing Data Before It Leaves the Plant Floor

The edge layer is the closest computing layer to the production equipment itself. In an automotive cell, that typically means an industrial PC (IPC) or edge gateway sitting next to the PLC cabinet, pulling tag data from one or more PLCs, CNCs, and sensor networks.

Edge hardware does three jobs that nothing else in the architecture is positioned to do:

1. Protocol translation and tag normalization. A typical Tier 2 plant has Allen-Bradley PLCs on one line, Siemens on another, a few CNCs running their own protocols, and a vision system speaking yet another. The edge gateway is where those streams are pulled in over their native protocols and mapped into a common tag structure with consistent naming, units, and timestamps. Without that normalization step, every downstream consumer (every SCADA screen, every analytics platform, every dashboard) has to do the translation itself, and the inconsistencies compound.
2. Local buffering and store-and-forward. Networks fail. WAN links to the cloud go down. A properly configured edge node holds data locally during outages and forwards it once connectivity returns, so OEE data and traceability records do not have gaps that the quality team has to explain to a customer auditor.
3. Pre-processing and filtering. Sending every raw tag change to the cloud is expensive in bandwidth, slow to query, and almost never useful. The edge is where high-frequency sensor data gets aggregated into the metrics that actually matter (cycle time per part, scrap counts per shift, downtime events with reason codes) before anything leaves the plant.

Processing at the edge also reduces latency for any control or alerting logic that needs to act quickly. A vision inspection result that triggers a reject mechanism cannot wait for a round trip to a cloud server. A practical architecture keeps deterministic, time-critical logic on the PLC and uses the edge layer for the supervisory and monitoring data that informs decisions but does not directly control the line. South Shore Controls’ work in robot integration and HMI programming follows the same separation.

Layer 2: Transport, MQTT Sparkplug B, OPC UA, and Why You Need Both

A large roll of material such as laminate is cut into a smaller size that matches your application. Slitting as a manufacturing process reduces waste and is more economical for material converting.

OPC UA: Device and Server Communication

OPC UA is the modern standard for deterministic, session-based communication between industrial devices, controllers, and supervisory systems. It runs over TCP, supports rich data modeling, and is well suited to the southbound side of an edge gateway. In practice, that is the part of the architecture where the gateway is talking directly to PLCs, CNCs, and other controllers.

Most current-generation PLCs from the major vendors expose an OPC UA server natively or through a companion module. That makes OPC UA the natural choice for getting structured tag data out of a controller and into the edge layer without having to maintain a different driver for every brand of equipment. Session-based behavior, strong typing, and built-in security make it well suited to staying inside the OT network where deterministic behavior matters.

MQTT Sparkplug B: Broker-to-Cloud Transport

MQTT is a publish/subscribe messaging protocol. Vanilla MQTT, on its own, does not define payload structure or topic naming conventions, which means two MQTT-based systems from different vendors generally cannot interpret each other’s data without custom mapping.

MQTT Sparkplug B fixes that. It is an open specification published under the Eclipse Foundation that sits on top of MQTT and defines:

• A standard topic namespace structure (group/edge node/device/metric)
• A standard payload encoding using Google Protocol Buffers
• Standard message types for birth, data, death, and command, so the broker and any subscribing application always know the state of every connected node

That standardization is what makes Sparkplug B interoperable across vendors and SCADA platforms. A historian, an analytics tool, and an MES that all subscribe to the same Sparkplug-compliant broker can consume the same data without custom integration work between each pair. Eclipse Mosquitto is the widely used open-source MQTT broker that supports Sparkplug B payloads when configured appropriately.

Layer 3: Cloud and SCADA, Where OEE Data Actually Gets Used

The top layer is where data becomes information. This is where SCADA visualization, MES integration, historians, and cloud analytics live. For automotive suppliers, the most common use cases at this layer are:

• OEE data dashboards covering availability, performance, and quality across lines, shifts, and product families
• Downtime reason code tracking with drill-down to specific machines and cells
• Traceability records that tie part-level data (cycle time, torque values, inspection results) to a serial number or VIN for warranty and recall response
• Predictive maintenance alerting based on trended sensor data
• Cross-plant rollups for multi-line Midwest plants where corporate quality teams need comparable metrics across facilities

The architectural rule at this layer is that it consumes from the broker. It does not reach down into the OT network to pull data directly from PLCs. That separation is what makes the rest of the security model possible.

A common deployment splits the SCADA function: a plant-floor SCADA layer for operator HMI and supervisory control that lives inside the OT network, and a cloud or corporate analytics layer that sits outside it. Both can subscribe to the same Sparkplug-compliant broker, with the broker (or a federated broker pair across the DMZ) acting as the controlled boundary between them. South Shore Controls’ IoT monitoring work is built around exactly this kind of layered consumption model.

Security and Segmentation: Applying NIST SP 800-82 Rev. 3

Industrial cybersecurity for an IIoT monitoring architecture is not an add-on. It is the part of the design that determines whether the rest of it is defensible.

NIST SP 800-82 Revision 3, Guide to Operational Technology Security, is the governing federal framework for ICS and OT environments. It is not automotive-specific, but it is the document that automotive cybersecurity audits, customer questionnaires, and IATF-aligned cybersecurity expectations increasingly reference. Two parts of SP 800-82 Rev. 3 matter most for an iiot architecture design that includes cloud connectivity:

1. Zones and conduits, aligned with IEC 62443. SP 800-82 endorses the zone-and-conduit model from the IEC 62443 series, which says that an OT environment should be divided into zones grouping assets with similar security requirements, with all communication between zones flowing through defined, controlled conduits. In a practical Tier 2 plant, that translates to:

• A cell or process control zone for PLCs, CNCs, drives, and the edge gateway that talks to them
• A supervisory zone for plant-floor SCADA and the MQTT broker
• An enterprise/IT zone for corporate analytics, cloud connectors, and business systems
• An industrial DMZ separating supervisory OT from enterprise IT

2. The industrial DMZ and the no-direct-path rule. NIST SP 800-82 is explicit that there should be no direct routable path between OT systems and the public internet, or in most cases between OT systems and the corporate IT network. The accepted pattern is a DMZ that brokers traffic between the two sides. Outbound MQTT connections from a broker inside the supervisory OT zone to a broker (or cloud endpoint) in the DMZ, rather than inbound connections from the cloud reaching down to the plant floor, is one of the standard patterns for achieving this safely.

Additional baseline practices that follow from SP 800-82 and apply directly to industrial IoT monitoring deployments:

• TLS encryption on every MQTT connection, with certificate-based authentication for edge nodes and brokers
• Per-device credentials and role-based access on the broker, not shared accounts
• Network segmentation enforced by firewalls or industrial security appliances at every zone boundary, not just at the IT perimeter
• Logging of broker connection events, authentication failures, and configuration changes
• A documented inventory of every edge device, broker, and subscriber, kept current

For suppliers without an in-house OT security function, working with an integrator who treats segmentation, controls support, and system upgrades as part of the same design conversation is generally the most reliable way to get this right the first time.

How South Shore Controls Approaches IIoT Monitoring in Automotive

South Shore Controls works with automotive suppliers across the Midwest to design and deploy monitoring architectures that hold up under both production demands and customer audits. Our approach combines automation and controls engineering, electrical panel design and build, field service, and integration work in a single team. The people specifying edge hardware are the same people who will commission it, support it, and document it.

For automotive clients specifically, we deliver on our automotive automation projects with a focus on:

• Edge and gateway selection that fits the existing PLC and HMI landscape, not a rip-and-replace
• Sparkplug B and OPC UA integration that gives quality and engineering teams real OEE and traceability data without exposing the plant floor
• DMZ and segmentation design aligned with NIST SP 800-82 and IEC 62443 expectations
• Documentation packages that hold up to OEM cybersecurity and quality audits
• Ongoing preventative maintenance and on-site commissioning so the monitoring system stays as reliable as the production system it watches

Whether the starting point is a single cell on one line or a full plant rollout across multiple facilities, the architecture principles stay the same.