How to Use Digital Twins for Secure IoT Configuration Management

The configuration of IoT devices is a complex issue that is often not considered when companies select an IoT solution. This can lead to a high manual effort for configuration management and low flexibility for further requirements. In particular, today's IoT device management platforms lack capabilities to provide a useful configuration management that goes beyond just sending a file or message from a to b.

In recent years, the IoT platform and technology landscape has experienced exponential growth. The industrial sector in particular has a very heterogeneous system landscape, where assets from the last 3 to 5 decades may be present. Linking OT and IT systems is still a major challenge for many projects and requires project managers and developers to retrofit existing systems and combine them with new technologies in a secure way.

The configuration of these devices and systems can include telemetry, local and cloud endpoints, machine parameters, mappings, application settings and more. Implementing unified IoT device configuration management would provide the benefits of increased visibility, flexibility and automation for connected assets.

In this blog post, we show how you can integrate a unified configuration management for IoT devices by using the Digital Twin Definition Language (DTDL), the Open Source Tributech Digital Twin Stack, and the Tributech DataSpace Kit. The architecture below provides an overview of the building blocks for configuring OPC-UA and MQTT data sources of an IoT device.

This setup can be retrofitted on existing (IoT) devices in less than 30 minutes, the only requirement is the ability to run Docker services. You can also check our claim using the quick start guide or schedule a demo with one of our experts.

Catalog for IoT Device Configuration Options

Before we can start with the configuration, we need to define the data model for our configuration options. At Tributech, we use the Digital Twin Definition Language and our open-source digital twin stack to create twin models (which need to be defined once per configuration type such as protocols, parameters, etc.), relations (to define relationships between data models) and twin instances (a dedicated twin configuration for a device).

This separation between the creation of data models and instances allows us to create and maintain a catalog with all possible configuration options and flexibly create instances that can contain any combination based on the catalog models.

In the following example, we will use our twin models for MQTT and OPC UA data integrations to configure our IoT device and create a mapping between the data sources and sinks. To provide a more concrete example, the twin model of "opcua_stream" includes a property that allows to define the OPC-UA namespace and identifier as well as additional inherited options because it extends the model of "base_stream". For more details, check our latest twin models on GitHub.

1. Install Agent on IoT Device

To provide a secure connection between OT/IT systems and a unified IoT data management, we offer the Tributech DataSpace Agent Edge for (I)IoT devices. The Agent can be installed on any IoT device that has the ability to run Docker services. As shown in the architecture image above, the Agent forms a bundle of edge services that provides a plug & play system for many retrofitting use-cases. In addition, we also support a growing number of IoT device management solutions.

So, the first step is to get an Agent up and running on our IoT device. For more detailed information about the setup also visit docs.tributech.io.

2. Connect with Configuration Tool

In the second step we are installing our configuration tool called Agent Companion and linking the previously deployed DataSpace Agent Edge to a DataSpace Node (our connectivity and data management platform in the backend / cloud) so we can then take care of its configuration via a digital twin instance. The Agent Companion App is available for Windows & macOS, downloads and detailed setup instructions can be found here.

3. Create a new Twin Configuration

In Step 3 we are utilizing our twin models for MQTT and OPC UA configurations to create a twin instance that specifies the configuration for our IoT device. All these options can be found within the “Configure” section of the Agent Companion App’s UI.

The Agent Companion offers all available configuration options in a deductive manner. Meaning that starting from our edge / IoT device we e.g. have a selection of pre-defined sources based on our twin models. Once the twin for a MQTT source is added to the twin instance, we get the option the add a subordinated MQTT stream and so on. For this example, we created a new twin configuration for our device with an MQTT and an OPC UA source, each of these sources should contain two streams.

On top of specifying our source and stream configurations, we also must add the required value and proof sink options. When configuring the value sink options, we can choose between supported data sinks (e.g. IoT Hub or Data API) in order to define the connection between device and cloud. The Proof Sink is used to configure the connection to the trust layer endpoint that is included with the Tributech IoT and data management platform. If you want to learn more about our trust layer and data quality seals for data integrity and authenticity, we recommend our Data Notary blog post.

It is also possible to import and export configurations as a JSON file based on the DTDL standard. This allows us to easily re-use twin files at a later stage, as template or to share it directly with others.

4. Apply Twin Configuration

Once the configuration of our twin instance is finished, we can push it to the previously linked agent by selecting the Upload to Device Button. The Agent will apply the twin instance and further push the new configuration (or changes to an existing one) to the backend. A (new) dataset, based on the twin file, will automatically get created (or updated) and the Agent starts sending telemetry data from the mapped MQTT and OPC-UA sources.

5. Review Setup in Web Portal

Once the twin configuration is successfully applied, we can review the results directly via our web portal in the backend and have a closer look at the created dataset.

In addition, we can also verify any changes to our device configuration. For this example, we have added an additional MQTT stream to our twin instance and re-applied the new configuration via the Agent Companion App. Within the Agent Management section of our web portal, we can have a closer look at the new twin configuration and compare any changes to previous versions via our Change Tracking feature.

Start your digital twin journey with us

With the Tributech DataSpace Agent you can retrofit your IoT device with configuration management, providing a configuration options catalog that can be used within Docker based systems to create unified configurations. Create configurations that include telemetry, local and cloud endpoints, machine parameters, mappings, application settings and more. By providing more than just sending a file from a to b, this makes configurations much easier and more flexible. If you'd like to try it out for yourself, leave us a message via our contact form.

But this is just the beginning, the next generation of digital twins can be used for much more than IoT devices and will change the way of how applications are built and systems communicate with each other. If you want to learn more about the technology behind it, take a look at our digital twin blog posts and check out our open-source digital twin stack on GitHub.