Ignition SCADA Architectures – Cheat Sheet

One of Ignition’s greatest strengths is its flexibility in deployment. Understanding the core Ignition SCADA Architectures is key to designing a system that fits your project’s needs for cost, scalability, and reliability.

1. Centralized Server Architecture:

  • Description: A single Ignition Gateway server communicates with all field devices (PLCs, databases) and serves the HMI client sessions.
  • Best For: Small to medium-sized plants or single-line processes. It’s simple to manage and cost-effective.

2. Distributed Architecture:

  • Description: Multiple Ignition Gateway servers are deployed across different plants or geographical areas. These can be managed from a central “master” gateway.
  • Best For: Large, multi-site operations. It localizes data traffic and processing, reducing network load and containing faults.

3. High-Availability (HA) Architecture:

  • Description: Two Ignition servers are configured in an active/passive failover cluster. If the primary server fails, the secondary takes over automatically with minimal disruption.
  • Best For: Mission-critical processes where downtime is not an option. This architecture ensures maximum uptime and redundancy.

Choosing the right architecture from the start ensures your Ignition platform can grow and adapt with your operations.

Start with Clear Objectives

  • Define the system’s purpose: monitoring, control, data historization, or enterprise integration.
  • Identify the scale of deployment: single site, multi-site, or enterprise.

Core Design Principles

  1. Scalability:
    • Design systems to accommodate future growth (devices, data, users).
    • Use Scale-Out or distributed architectures for large systems.
  2. Redundancy:
    • Ensure high availability with redundant Gateways, databases, and networks.
    • Use automatic failover for critical operations.
  3. Security:
    • Implement RBAC (role-based access control).
    • Use HTTPS and SSL/TLS for secure communication.
    • Segregate networks using VLANs and DMZs.
  4. Performance:
    • Optimize tag structure and scripting for efficiency.
    • Use load balancers to distribute workloads.
    • Minimize polling (use longer polling intervals where possible) to reduce network congestion.

Key Components

  1. Ignition Gateway:
    • Central hub for clients, devices, and data.
    • Can be scaled horizontally (multiple Gateways) or vertically (high-performance Gateway).
  2. Clients:
    • Use Vision or Perspective for visualization.
    • Optimize UIs for different roles (operator vs. manager).
  3. Edge Devices:
    • Use Ignition Edge for critical local operations at remote sites.
    • Implement MQTT for lightweight, real-time communication.
  4. Database:
    • Use SQL for data historization and reporting.
    • Optimize performance with indexed queries and periodic data archiving.

Architectural Models

  • Basic Architecture: Single Gateway for small systems.
  • Scale-Out Architecture: Multiple Gateways distribute workloads; use load balancing for fault tolerance.
  • Hub-and-Spoke Architecture: Central Hub Gateway communicates with multiple Edge Gateways, ideal for multi-site systems.
  • Edge and IIoT: Deploy Edge Gateways for local operations; integrate MQTT for real-time IIoT connectivity.
  • Enterprise Architecture: Centralized Gateway integrates with ERP/MES; use for large-scale systems with global visibility.
  • Redundancy Architecture: Dual Gateways and synchronized databases minimize downtime.
  • Cloud/Hybrid Architecture: Use cloud solutions for centralized monitoring or AWS Outposts for hybrid deployments.

Networking Essentials

  • Communication:
    • Use OPC-UA for device communication.
    • Leverage MQTT for lightweight IIoT messaging.
  • Bandwidth Planning:
    • Ensure capacity for tag updates and client traffic.
    • Optimize with compression and batching.
  • Firewall Rules:
    • Restrict access to essential ports only (e.g., 443, 8088).
    • Monitor traffic to detect anomalies.
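
Two of the networking items above (restrict the Gateway host to essential ports; monitor traffic for anomalies) can be checked mechanically against firewall logs. The script below is an added example written for this cheat sheet, not Inductive Automation tooling. The log line format, the gateway address 10.20.0.10, the client and peer subnets, and the port policy (443 and 8088 for client subnets, 8060 for the redundancy peer) are constructed assumptions to be replaced with your own.

```python
"""Audit firewall connection logs for an Ignition Gateway host against an
allowlist of essential ports.  Added example written for this cheat sheet; it is
not an Inductive Automation tool.  The log line format, the gateway address,
the subnets and the port policy are all constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

GATEWAY_IP = ipaddress.ip_address("10.20.0.10")  # constructed gateway address

# Assumed policy: which source networks may reach which gateway ports.
# 443/8088 = web ports for clients, 8060 = Gateway Network port for the peer gateway.
PORT_POLICY = {
    443:  [ipaddress.ip_network("10.20.1.0/24")],
    8088: [ipaddress.ip_network("10.20.1.0/24")],
    8060: [ipaddress.ip_network("10.20.0.11/32")],
}
SCAN_THRESHOLD = 5  # distinct dropped destination ports from one source before we flag it

# Constructed syslog-style format:
# "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def policy_violations(lines):
    """Accepted connections to the gateway that the port allowlist does not permit."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dst"] != GATEWAY_IP:
            continue
        allowed_nets = PORT_POLICY.get(rec["dport"])
        if allowed_nets is None:
            violations.append((rec["ts"], str(rec["src"]), rec["dport"], "port not in allowlist"))
        elif not any(rec["src"] in net for net in allowed_nets):
            violations.append((rec["ts"], str(rec["src"]), rec["dport"], "source outside permitted networks"))
    return violations


def scan_like_sources(lines):
    """Sources whose dropped connections touched many distinct gateway ports (scan-like)."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dst"] == GATEWAY_IP:
            ports_by_src[str(rec["src"])].add(rec["dport"])
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= SCAN_THRESHOLD}


# Constructed sample log, not captured from a real firewall.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ACCEPT src=10.20.1.15 dst=10.20.0.10 dport=443 proto=tcp
2024-05-01T10:00:02Z ACCEPT src=10.20.0.11 dst=10.20.0.10 dport=8060 proto=tcp
2024-05-01T10:00:03Z ACCEPT src=192.168.50.7 dst=10.20.0.10 dport=443 proto=tcp
2024-05-01T10:00:04Z ACCEPT src=10.20.1.15 dst=10.20.0.10 dport=22 proto=tcp
2024-05-01T10:00:05Z DROP src=192.168.50.7 dst=10.20.0.10 dport=21 proto=tcp
2024-05-01T10:00:05Z DROP src=192.168.50.7 dst=10.20.0.10 dport=23 proto=tcp
2024-05-01T10:00:05Z DROP src=192.168.50.7 dst=10.20.0.10 dport=80 proto=tcp
2024-05-01T10:00:05Z DROP src=192.168.50.7 dst=10.20.0.10 dport=8043 proto=tcp
2024-05-01T10:00:06Z DROP src=192.168.50.7 dst=10.20.0.10 dport=8088 proto=tcp
2024-05-01T10:00:06Z DROP src=10.20.1.15 dst=10.20.0.10 dport=8043 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for v in policy_violations(SAMPLE_LOG):
        print("VIOLATION", *v)
    for src, n in scan_like_sources(SAMPLE_LOG).items():
        print(f"SCAN-LIKE {src}: {n} distinct ports dropped")
```

Run against the sample, the audit reports two accepted connections the policy does not cover (a web session from outside the client subnet, and port 22 reached from the client subnet) and one source whose dropped connections fanned out across five ports. The policy dictionary is the only part you need to edit to match your own zone-and-conduit design.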

Security Checklist

  1. Access Control:
    • Use RBAC and enforce strong passwords with multi-factor authentication.
  2. Data Security:
    • Encrypt data at rest and in transit with SSL/TLS.
  3. Compliance:
    • Follow ISA-99/IEC 62443 standards for cybersecurity.
  4. Regular Updates:
    • Keep Ignition and related software updated with security patches.
  5. Penetration Testing:
    • Conduct vulnerability assessments and penetration tests.

Design Best Practices

  1. Tag Structure:
    • Use logical, hierarchical naming (e.g., Site.Area.Equipment.Tag).
    • Avoid excessive tag depth.
  2. Scripting:
    • Use gateway scripts for centralized logic.
    • Minimize polling scripts; rely on event-driven updates.
  3. Project Management:
    • Use Ignition’s project inheritance for modular designs.
    • Reuse templates and UDTs for similar screens/devices.
  4. Documentation:
    • Maintain up-to-date architecture diagrams and network configurations.

Performance Optimization Tips

  1. Tag Subscriptions:
    • Subscribe only to necessary tags.
    • Reduce polling rates where possible.
  2. Database:
    • Archive historical data periodically to prevent bloat.
    • Use partitioned tables for large datasets.
  3. Gateway Load:
    • Monitor performance metrics (CPU, memory, connections).
    • Distribute device connections across Gateways.

Troubleshooting Essentials

  1. Monitoring:
    • Use Ignition Gateway diagnostic tools (logs, sessions, threads).
  2. Backups:
    • Automate Gateway and database backups.
    • Test restoration processes regularly.
  3. Failover Testing:
    • Periodically test redundancy and failover mechanisms.

Tools & Resources

  • Inductive University: Free online training for Ignition SCADA.
  • Documentation: Refer to official system architecture guides.
  • Industry Standards:
    • ISA-95: Integration standard for enterprise and SCADA systems.
    • ISA-99/IEC 62443: Standards for industrial cybersecurity.
  • Community Forums: Engage with Inductive Automation forums for advice and problem-solving.

Expanded Ignition Architecture Models

The following entries detail core and enterprise-level architectures to guide your system design (architecture model, description and use-case, key insight).

  • Centralized Server:
    • Description & Use-Case: Single on-premise server connected to PLCs, SQL DB, and clients. Best for: Small to medium plants.
    • Key Insight: Simple, cost-effective starting point. Serves as the reference design.
  • Scale-Out:
    • Description & Use-Case: Several gateways linked to form a decentralized system, distributing workload. Best for: Large, high-performance systems.
    • Key Insight: Improves performance and provides fault tolerance through load distribution.
  • Hub & Spoke:
    • Description & Use-Case: Multiple local/remote sites (spokes) linked by a central gateway (hub). Best for: Multi-site operations with centralized management.
    • Key Insight: Ideal for franchised operations; localizes data traffic and contains faults.
  • High-Availability (HA):
    • Description & Use-Case: Two servers in an active/passive failover cluster. Best for: Mission-critical processes.
    • Key Insight: Ensures maximum uptime. Requires redundant databases and networks.
  • Enterprise:
    • Description & Use-Case: Sends data from independent local/remote sites to a centralized corporate site and cloud. Best for: Large-scale corporate data integration.
    • Key Insight: Enables global visibility and feeds data to ERP/MES and analytics platforms.
  • IIoT & Cloud Hybrid:
    • Description & Use-Case: Uses cloud or on-premise MQTT infrastructure. Best for: Elastic storage, cloud analytics, and hybrid deployments.
    • Key Insight: Leverages cloud scalability for data storage and integration with cloud tools.

Security Hardening Checklist

A secure architecture is fundamental. Move beyond principles to implement these specific measures.

  1. Secure Gateway Communication: This is the first and most critical step.
    • Enforce HTTPS: Install a valid TLS/SSL certificate from a reputable Certificate Authority (CA) and disable HTTP by forcing a secure redirect to the HTTPS port (default 8043, recommended 443).
    • Use Strong Ciphers: Disable older, weak cipher suites in the Gateway settings (Config > Web Server > Excluded Cipher Suites) to prevent downgrade attacks.
    • Configure HTTP Headers: Consider enabling HTTP Strict Transport Security (HSTS) in the ignition.conf file to ensure browsers only connect via HTTPS.
  2. Lock Down the Gateway & Access: Control who can access what.
    • Gateway Security: Ensure the Configure and Status sections of the Gateway are protected by the default “Administrator” role.
    • Role-Based Access Control (RBAC): Implement fine-grained permissions for users and applications based on the principle of least privilege.
    • Identity Providers (IdP): Use the built-in IdP with Database or Active Directory authentication, or integrate third-party IdPs (e.g., Okta, ADFS) via SAML/OpenID Connect for centralized user management.
  3. Secure Device Communications: Protect data at its source.
    • OPC UA: Always use the SignAndEncrypt security mode. Manage trusted certificates and change default OPC UA user credentials.
    • MQTT: Use certificate-based TLS connections between publishers, brokers, and subscribers. Implement Username/Password authentication and Access Control Lists (ACLs).
    • Native Devices: For devices that don’t support encryption, use network segmentation. Keep them on a separate private OT network, VLAN, or behind an Ignition Edge device.
  4. Follow a Cybersecurity Framework: Adopt a formal standard like ISA/IEC 62443. This provides a proven framework for:
    • Risk Assessments: Identifying and evaluating risks to your IACS.
    • Zone & Conduit Segmentation: Dividing your network into secured segments (zones) with controlled links (conduits) to contain threats.
    • Security Levels (SLs): Defining target and achieved security levels for different parts of your system.
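
The Secure Gateway Communication items (HTTP-to-HTTPS redirect, HSTS) are easy to verify after deployment rather than trusting the settings page. The checker below is an added example, not part of this cheat sheet or of Ignition itself: it parses raw HTTP response headers and flags a missing redirect, a redirect to the wrong host, or a missing or short-lived HSTS header. The sample responses and the 180-day minimum max-age are constructed assumptions; the `fetch_raw` helper exists only for live use against your own gateway and is not exercised by the embedded samples.

```python
"""Verify that an Ignition Gateway's web front end redirects HTTP to HTTPS and
sends an HSTS header.  Added example, not part of the cheat sheet or the
Ignition product; the response texts below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Minimum HSTS max-age we accept: 180 days in seconds (assumed site policy).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class GatewayHttpCheck:
    findings: list = field(default_factory=list)

    def ok(self):
        return not self.findings


def _parse_response(raw):
    """Split a raw HTTP response into (status_code, {header-name-lower: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw_http_response, host):
    """The plain-HTTP port (default 8088) must answer with a redirect to https://host."""
    findings = []
    status, headers = _parse_response(raw_http_response)
    location = headers.get("location", "")
    if status not in (301, 302, 307, 308):
        findings.append(f"HTTP port answered {status} instead of redirecting")
    elif not location.lower().startswith(f"https://{host.lower()}"):
        findings.append(f"redirect target is not https://{host}: {location!r}")
    return findings


def check_hsts(raw_https_response):
    """The HTTPS response must carry Strict-Transport-Security with a long max-age."""
    findings = []
    _, headers = _parse_response(raw_https_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append(f"HSTS header has no max-age: {hsts!r}")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} below policy minimum {MIN_HSTS_MAX_AGE}")
    return findings


def audit_gateway(host, http_response, https_response):
    """Combine both checks into one result object."""
    result = GatewayHttpCheck()
    result.findings += check_http_redirect(http_response, host)
    result.findings += check_hsts(https_response)
    return result


def fetch_raw(host, port, use_tls, path="/"):
    """Live helper: fetch `path` and rebuild status line + headers as raw text.
    Uses the default TLS context, so the gateway certificate must verify."""
    import http.client
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    conn.close()
    return head + "\r\n"


# Constructed sample responses (not captured from a real gateway).
HARDENED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://scada.example.internal/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, a, b in (("hardened", HARDENED_HTTP, HARDENED_HTTPS), ("weak", WEAK_HTTP, WEAK_HTTPS)):
        r = audit_gateway("scada.example.internal", a, b)
        print(label, "OK" if r.ok() else r.findings)
```

For a live run, pass `fetch_raw(host, 8088, False)` and `fetch_raw(host, 443, True)` to `audit_gateway`; the two checks are kept separate so a gateway that redirects correctly but lacks HSTS produces exactly one finding.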

Deployment & Change Management Workflow

For enterprise-grade systems, a structured deployment workflow is non-negotiable. Inductive Automation highly recommends a multi-environment setup.

  • Environments: Maintain at least three separate environments: Development (for active coding), Testing (for quality assurance), and Production (the live system).
  • Understanding Ignition’s Configuration: It’s crucial to know how different parts of Ignition are stored and managed for effective deployment.
  • Version Control: Use a source control system like Git to track changes, especially for Projects and exported Tag configurations.

The list below summarizes how to handle each configuration area (storage location, then change tracking and deployment method):

  • Gateway Config (Connections, Users, Settings):
    • Storage Location: Internal SQLite Database.
    • Change Tracking & Deployment Method: Manual process. Document changes and replicate across environments. Use Gateway Backups for recovery, not migration.
  • Tags:
    • Storage Location: Internal SQLite Database (in Providers).
    • Change Tracking & Deployment Method: Export to JSON. Use Ignition’s EAM Module or manual export/import. Commit JSON files to version control.
  • Projects (Windows, Views, Scripts):
    • Storage Location: File System (/data/projects/).
    • Change Tracking & Deployment Method: Ideal for version control. The project folder can be a Git repository. Changes are automatically detected. Can use EAM or .zip files.
  • Images:
    • Storage Location: Internal SQLite Database.
    • Change Tracking & Deployment Method: Manual export/import. Use the Designer’s Image Management tool. Must be manually committed to version control.
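
The tag-naming guidance under Design Best Practices (Site.Area.Equipment.Tag, limited depth) and the Tags entry in the configuration summary above (export to JSON, commit to version control) can be enforced together by a lint step that runs on the exported JSON before it is committed. The script below is an added example, not Inductive Automation tooling. It assumes the Ignition 8 export layout (a top-level "tags" list, folders with "tagType": "Folder" and their own "tags" list, atomic tags with "valueSource" and an optional "readOnly" flag); the segment pattern and depth limit are assumed site conventions, and the embedded export is constructed.

```python
"""Lint an Ignition tag export (JSON) before it is committed to version control.
Added example; it is not tooling from Inductive Automation.  It assumes the
Ignition 8 export layout: a top-level {"tags": [...]} list where folders carry
"tagType": "Folder" and their own "tags" list, and atomic tags carry "tagType":
"AtomicTag" with "valueSource" and, for OPC tags, "opcItemPath".  The policy
values below (segment pattern, depth limit) are assumed site conventions.
"""
import json
import re

SEGMENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # assumed naming convention per path segment
MAX_DEPTH = 5                                        # Site/Area/Equipment/Tag plus one spare level


def walk_tags(node, path=()):
    """Yield (path_tuple, tag_dict) for every non-folder tag in an export."""
    for tag in node.get("tags", []):
        tag_path = path + (tag.get("name", ""),)
        if tag.get("tagType") == "Folder":
            yield from walk_tags(tag, tag_path)
        else:
            yield tag_path, tag


def lint_export(export):
    """Return a list of (dotted_path, message) findings; empty means the export passes."""
    findings = []
    for path, tag in walk_tags(export):
        dotted = ".".join(path)
        if len(path) > MAX_DEPTH:
            findings.append((dotted, f"depth {len(path)} exceeds {MAX_DEPTH}"))
        for seg in path:
            if not SEGMENT_RE.match(seg):
                findings.append((dotted, f"segment {seg!r} violates naming convention"))
                break
        # Writable OPC tags reach the PLC; surface them so write permissions get reviewed
        # ("readOnly" key assumed to be the export's read-only flag).
        if tag.get("valueSource") == "opc" and not tag.get("readOnly", False):
            findings.append((dotted, "writable OPC tag: confirm write permissions are intended"))
    return findings


# Constructed sample export, not taken from a real gateway.
SAMPLE_EXPORT = json.loads("""
{
  "tags": [
    {"name": "PlantA", "tagType": "Folder", "tags": [
      {"name": "Packaging", "tagType": "Folder", "tags": [
        {"name": "Filler01", "tagType": "Folder", "tags": [
          {"name": "Speed_SP", "tagType": "AtomicTag", "valueSource": "opc",
           "dataType": "Float4", "opcItemPath": "ns=1;s=[PLC1]Filler01.SpeedSP"},
          {"name": "Running", "tagType": "AtomicTag", "valueSource": "opc",
           "dataType": "Boolean", "readOnly": true,
           "opcItemPath": "ns=1;s=[PLC1]Filler01.Running"}
        ]}
      ]},
      {"name": "Line 2", "tagType": "Folder", "tags": [
        {"name": "Misc", "tagType": "Folder", "tags": [
          {"name": "Deep", "tagType": "Folder", "tags": [
            {"name": "Deeper", "tagType": "Folder", "tags": [
              {"name": "Value", "tagType": "AtomicTag", "valueSource": "memory",
               "dataType": "Int4"}
            ]}
          ]}
        ]}
      ]}
    ]}
  ]
}
""")

if __name__ == "__main__":
    import sys
    # Usage: python lint_tags.py export.json   (falls back to the embedded sample)
    export = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            export = json.load(fh)
    problems = lint_export(export)
    for dotted, msg in problems:
        print(f"{dotted}: {msg}")
    sys.exit(1 if problems else 0)
```

Wired into a pre-commit hook or CI job, a non-zero exit blocks the commit, so naming drift and unreviewed writable OPC tags are caught in the Development environment rather than discovered in Production.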

Key Administrative Insights

  • Stay Updated: Ignition 7.9 has reached end-of-life. All users should be on Ignition 8.0 or newer, with 8.1 being a Long-Term Support (LTS) release. Always plan to run a supported version to receive security updates.
  • Leverage Cross-Platform Flexibility: Ignition runs on Windows, Linux, and macOS. For production, a hardened Linux installation is often recommended for its reduced attack surface and stability.
  • Utilize Modern Features: For regulated industries, use features like the Authentication Challenge to allow supervisor sign-off without logging out the primary operator, aiding in compliance.