Architecture Overview
Breakwater follows a cloud-managed, edge-deployed architecture designed for OT/ICS environments where security, reliability, and air-gap compatibility are critical.
High-Level Architecture
┌──────────────────────────────────────────────────────────────┐
│                       BREAKWATER CLOUD                       │
│                                                              │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │   Helm   │  │ Manifest │  │ Lookout  │  │ Forecast │      │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘      │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐      │
│  │ Channel  │  │   API    │  │ Postgres │  │  Redis   │      │
│  │  Broker  │  │  Server  │  │    DB    │  │  Cache   │      │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘      │
│  ┌──────────┐  ┌──────────────────────────────────────┐      │
│  │  Tunnel  │  │  Threat Intel Pipeline (NVD/CISA)    │      │
│  │  Server  │  └──────────────────────────────────────┘      │
│  └──────────┘                                                │
└──────────────────────┬───────────────────────────────────────┘
                       │ HTTPS / Encrypted Tunnel (outbound only)
                       │
┌──────────────────────┴───────────────────────────────────────┐
│                        CUSTOMER SITE                         │
│                                                              │
│  ┌──────────────────────────────────────────────────────┐    │
│  │            Breakwater Gateway / Collector            │    │
│  │  ┌───────────┐  ┌───────────┐  ┌───────────┐         │    │
│  │  │ Collector │  │  Channel  │  │Coastal IDS│         │    │
│  │  │  (SNMP)   │  │   (SRA)   │  │   (IDS)   │         │    │
│  │  └───────────┘  └───────────┘  └───────────┘         │    │
│  └──────────────────────────────────────────────────────┘    │
│           │              │              │                    │
│      ┌────┴────┐    ┌────┴────┐    ┌────┴────┐               │
│      │  PLCs   │    │  HMIs   │    │Switches │               │
│      └─────────┘    └─────────┘    └─────────┘               │
└──────────────────────────────────────────────────────────────┘
Cloud Components
Application Server
- Runtime: Node.js with Express
- Database: PostgreSQL 16 (device inventory, CVEs, sessions, audit logs)
- Cache: Redis 7 (session state, rate limiting)
- Frontend: React 18 + TypeScript + Tailwind CSS (SPA served via nginx)
- Auth: Clerk (OAuth, MFA, session management)
- Hosting: Vultr VPS with nginx reverse proxy + TLS
Threat Intelligence Pipeline
- NVD API v2.0 — CVE data with ICS/SCADA filtering
- CISA KEV — Known Exploited Vulnerabilities catalog
- EPSS — Exploit Prediction Scoring System
- Automated sync every 6 hours via cron
- Device-CVE correlation engine matches vulnerabilities to your inventory
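As an added illustration of the correlation step described above (example code, not the Breakwater project's own engine): a minimal device-to-CVE match that ranks findings by KEV membership first, then EPSS, then CVSS. The inventory, CVE records, KEV set and EPSS scores are constructed sample data, and the normalized vendor/product/version-range shape is assumed to be produced upstream from NVD's CPE match data.

```javascript
// Constructed inventory, as a collector would report it (not real devices).
const inventory = [
  { id: 'plc-01', vendor: 'acme', product: 'plc-x', version: '2.3.1' },
  { id: 'hmi-01', vendor: 'acme', product: 'hmi-panel', version: '5.0.0' },
  { id: 'sw-01', vendor: 'widgetco', product: 'switch-s', version: '1.9' },
];

// Constructed CVE records, already normalized from NVD CPE ranges into
// vendor/product plus an inclusive start / exclusive end version range.
const cves = [
  { id: 'CVE-0000-0001', vendor: 'acme', product: 'plc-x', start: '2.0.0', endExcl: '2.4.0', cvss: 9.8 },
  { id: 'CVE-0000-0002', vendor: 'acme', product: 'plc-x', start: '2.4.0', endExcl: '3.0.0', cvss: 7.5 },
  { id: 'CVE-0000-0003', vendor: 'acme', product: 'hmi-panel', start: '4.0.0', endExcl: '5.0.1', cvss: 6.5 },
  { id: 'CVE-0000-0004', vendor: 'widgetco', product: 'switch-s', start: '1.0', endExcl: '2.0', cvss: 8.1 },
];
const kev = new Set(['CVE-0000-0003']);   // constructed CISA KEV membership
const epss = { 'CVE-0000-0001': 0.12, 'CVE-0000-0002': 0.05, 'CVE-0000-0003': 0.02, 'CVE-0000-0004': 0.71 };

// Compare dotted numeric versions; missing components count as 0, so 1.9 == 1.9.0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// A record affects a device when vendor/product match and the version is in range.
function affects(cve, device) {
  return cve.vendor === device.vendor && cve.product === device.product &&
    compareVersions(device.version, cve.start) >= 0 &&
    compareVersions(device.version, cve.endExcl) < 0;
}

// Correlate inventory against records and rank: KEV first, then EPSS, then CVSS.
function correlate(devices, records, kevSet, epssScores) {
  const findings = [];
  for (const device of devices)
    for (const cve of records)
      if (affects(cve, device))
        findings.push({ device: device.id, cve: cve.id, kev: kevSet.has(cve.id),
                        epss: epssScores[cve.id] ?? 0, cvss: cve.cvss });
  return findings.sort((x, y) =>
    (Number(y.kev) - Number(x.kev)) || (y.epss - x.epss) || (y.cvss - x.cvss));
}

console.log(correlate(inventory, cves, kev, epss));
```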
Tunnel Server
- Listens on UDP 51820
- Each gateway gets a unique tunnel IP in 10.200.x.0/24
- Handles all Channel SRA traffic
- Per-peer configuration, dynamically provisioned
Edge Components
Collector
Lightweight agent that discovers and monitors OT devices.
- Discovery: SNMP v2c/v3 polling, ARP scanning
- Monitoring: Interface stats, CPU/memory, environmental sensors
- Communication: Outbound HTTPS to Breakwater API (no inbound ports)
- Deployment: Docker container, install script, or air-gapped bundle
Gateway
Full-featured appliance combining Collector + Channel + IDS.
- Collector — all discovery/monitoring capabilities
- Channel — Encrypted tunnel client for secure remote access
- Coastal IDS — passive network traffic analysis with OT rulesets
- Hardware: Bosch ctrlX CORE (recommended), Breakwater Gateway X3 appliances, or BYOD
Data Flow
- Collector → Cloud: Device telemetry, SNMP data, discovery results (HTTPS POST)
- Cloud → Collector: Configuration updates, polling schedules (HTTPS response)
- Gateway ↔ Cloud: Encrypted tunnel for remote access sessions
- Cloud → NVD/CISA: Threat intel sync (outbound HTTPS, automated cron)
- User → Cloud: Platform UI, API calls (HTTPS via Clerk-authenticated sessions)
Security Model
- Zero inbound ports at customer sites — all connections are outbound
- TLS 1.3 for all API traffic
- Encrypted tunnels (Noise protocol, ChaCha20-Poly1305)
- Clerk MFA for user authentication
- RBAC — role-based access at the platform, site, and device level
- Session recording — mandatory audit trails for remote access
- IDS — passive traffic analysis, no inline blocking (OT safety principle)