
Large Size Deployment

The large size deployment model addresses enterprise-level industrial environments with multiple physical sites, extensive asset populations, and complex network topologies. At this scale, the primary design challenge is finding the right balance between traffic generated by agents and the number of Controllers required to build a robust, resilient infrastructure that is not dependent on a single point of failure.

Large Size Enterprise Deployment

Design Principles

Every large size deployment is shaped by the specific technical requirements of the customer. However, the following principles guide the architecture:

  • Each physical site is treated as a standalone deployment with its own dedicated Controller — ensuring local autonomy, resilience, and performance
  • Site Controllers replicate critical data — such as alarms — to a central point of monitoring, providing enterprise-wide operational visibility and control
  • Agent traffic is distributed across Controllers to prevent bottlenecks, ensure processing capacity, and maintain near real-time responsiveness
  • No single Controller dependency — the loss of one site Controller does not affect the protection or visibility of other sites

In practice, each site deployment follows the same principles as the small and mid size models — with PLC Guards and ControlGuards deployed in monitoring or enforcement mode according to local requirements — while the enterprise layer provides unified oversight.


Central Point of Monitoring

A critical aspect of the large size deployment is the central point of monitoring, which aggregates alarms and key operational data from all site Controllers.

This central role can be fulfilled by:

  • Another First Watch® Controller — acting as a centralised aggregation point for alarms and events across all sites
  • A professional SIEM tool — integrating First Watch data into the organisation's broader security operations and incident management workflows

The choice depends on the organisation's existing infrastructure, security operations maturity, and governance requirements.


Near Real-Time Operations

The First Watch® platform operates as a near real-time system. Once an alarm is generated at a site Controller, it appears at the central monitoring point almost immediately. This near real-time capability is essential for:

  • Monitoring — maintaining continuous situational awareness across all sites from a central location
  • Incident management activation — triggering incident response processes as soon as a critical alarm is raised
  • Response activation — enabling rapid, coordinated response actions across the enterprise
  • Correlation — combining alarms from multiple sites to identify patterns or coordinated activity that may not be visible at the individual site level

This ensures that enterprise security and operations teams can act on events with minimal delay, regardless of which site generated the alarm.


Deployment Flexibility

While the architecture follows consistent principles, large size deployments are tailored to each customer's specific requirements. Scenarios may vary based on:

  • Number and geographic distribution of physical sites
  • Network bandwidth and connectivity between sites and the central monitoring point
  • Local regulatory and compliance requirements per site or region
  • Existing SIEM and security operations infrastructure
  • Organisational governance model — centralised, federated, or hybrid

Each site deployment is designed and validated independently, following the standard project methodology, before being integrated into the enterprise monitoring layer.


Summary

Aspect             | Large Size Deployment
Controllers        | Dedicated Controller per physical site
PLC Guards         | Multiple per site — monitoring and/or enforcement
ControlGuards      | All Windows endpoints across all sites
Central monitoring | First Watch Controller or external SIEM
Data replication   | Alarms and key events replicated to central point
Latency            | Near real-time alarm delivery
Resilience         | No single Controller dependency
Customisation      | Tailored to specific customer requirements

The large size deployment model provides enterprise-scale protection with site-level autonomy. By treating each site as a standalone deployment with centralised alarm replication, organisations achieve comprehensive visibility and control without sacrificing resilience or near real-time responsiveness.