AWS for Industries
Supercharge Manufacturing Agility: Self-Service IT on the Shop Floor with AWS
With the exponential adoption of cloud computing today, there is hardly any corner of the IT sector that has not been affected by the benefits of the cloud, in particular increased agility, elasticity, cost savings, and scalability. However, the area of manufacturing known as operational technology (OT) is one of the specialized cases where the capabilities of the cloud have yet to be fully explored. The journey of discovering what the cloud can do for OT is still in its infancy, and early adopters will be rewarded according to the technical debt they can unload—including the often overlooked cost of maintaining legacy infrastructure, which inflates maintenance budgets and consequently hinders a company’s productivity and its ability to remain innovative and agile in a constantly evolving industry.
According to a McKinsey study reported on in Harvard Business Review, a product that is 6 months late to market earns 33% less profit over 5 years, while a product released on time but 50% over budget earns 4% less profit. For a business to create new and innovative services and products and also see financial gain within a reasonable time frame, it is vital to test new ideas in the form of a proof of concept (PoC) or a proof of value (PoV) and then bring those ideas to production in the shortest possible time. In order to be able to understand the value outcome of such PoC-to-production processes, companies need to create mechanisms that simplify them. Removing bureaucracy facilitates the ultimate aim of scaling up rapidly when a PoC is successful, refining and iterating when necessary, or simply “failing fast.” Companies that manage to be efficient in this process, and avoid what has been called pilot purgatory, hold the key to success for the next generation of manufacturing. A well-planned digital transformation of people, technology, and processes is at the heart of that transition. Organizations in which processes drag on or become stuck due to technical, resource, and siloed-organization constraints often lose their ability to act with agility.
Although visionary business leaders in manufacturing often see cloud adoption as a key element in addressing the above concerns, those leaders are also often anxious about the cloud. That anxiety often stems from a perception that migrating to the cloud will mean an increase in attack surfaces for malicious actors, due to the connection of OT/IT systems to the internet. Such concerns are understandable—manufacturing has been facing many security challenges and ransomware attacks, as reported on in Dragos’s 2023 OT Cybersecurity Year in Review. In this blog, we address the need for a scalable mechanism at a time when standardized methods for governance, visibility, reliability, and security have never been more crucial. For us at Amazon Web Services (AWS), these elements are the bedrock of the strategic thinking that we have years of experience in sharing with customers across several industries.
Solution overview
Our aim with this solution is to achieve a level of convergence between OT, IT, and the AWS Cloud using AWS networking resources, chosen according to the specific use case: AWS VPN, a fully managed, elastic VPN service that automatically scales up or down based on user demand; AWS Transit Gateway, which connects a company’s Amazon Virtual Private Clouds (Amazon VPCs) and on-premises networks through a central hub; and AWS PrivateLink, which provides private connectivity between VPCs, supported AWS services, and on-premises networks. The core idea of this approach is to maintain and manage these resources from one AWS account, ideally an account dedicated to this purpose. The architectural requirements are as follows:
- The bidirectional flow of traffic does not traverse the public internet, thereby reducing security vulnerabilities to the greatest possible extent.
- There is an IT-like mechanism and standardized workflow for provisioning and configuring OT/IT to cloud connectivity in a self-service fashion, reducing dependency on internal IT resources.
- There is transparent visualization of the cloud connectivity statuses of different OT or IT networks and segments.
- There is absolute access control for on-premises and AWS resources using identity and access management policies to grant and restrict access.
- The solution creates a clear conduit—or air-gapping—between different segments and the cloud to isolate and contain security breaches, in accordance with the ISA/IEC 62443 series of standards.
The architecture pattern and its components
In designing this OT/IT cloud convergence, the architecture pattern needs to accommodate existing “brownfield” OT conduits and IT networks alongside newer ones. Establishing connectivity between these networks and the cloud can be done on an as-needed or if-needed basis. Not all networks need to be connected.
Figure 1. Workflow for an OT/IT cloud convergence
Prerequisite: It is important that an OT segment or an IT network has the routing and Virtual Local Area Network (VLAN) configured to allow necessary traffic in and out of it.
Translating this workflow into an AWS architecture, figure 1 shows the analogous structure:
- A single AWS Region (to be offered in a specific geographical area)
- Amazon VPC to host the VPC endpoints of the AWS services used
- OT/IT segment connectivity with AWS Site-to-Site VPN, a fully managed service that creates a secure connection between an on-premises data center or branch office and AWS resources using IP Security (IPsec) tunnels
- AWS Transit Gateway to connect and isolate the different components (that is, Amazon VPCs and AWS VPN connections)
In this architecture, three different OT networks are connected to the AWS Cloud securely using AWS Transit Gateway and Amazon VPC endpoints:
- In the mixing area, process and operational data is streamed into AWS IoT SiteWise—a managed service that makes it easy to collect, store, organize, and monitor data from industrial equipment at scale—for visualization and archiving in the cloud.
- In the packing area, using images from a camera on the packing line, the positions of labels are inspected for quality compliance by pre-trained machine learning (ML) models using Amazon Lookout for Vision, an ML service that uses computer vision to spot defects in manufactured products at scale.
- In the operator station, operators have secure access to Grafana dashboards that present the data collated from the mixing area and the packing area in a user-friendly way.
Advantages of this approach for manufacturing customers
With the help of Amazon VPCs, one can create bounded contexts for individual use cases, put other business functions/capabilities into logical domains, and later define how these communicate with each other. Depending upon use-case requirements, we can use AWS Transit Gateway for secure access to the internet. You can authenticate and authorize identity-based access to the logical boundaries of any use case using AWS Identity and Access Management (IAM) policies and roles, thus controlling both the duration and privilege level of the access. By establishing these logical domains, we can optimize the architecture to minimize the blast radius of the solution.
A user-centric self-service platform for your specific needs
The setup begins with configuring an instance of AWS Transit Gateway in your AWS Account. Using this configured instance, you can connect your AWS Account and the resources in it to any network on your premises, or to resources in a different AWS Account. Because the data flow in an instance of AWS Transit Gateway follows a hub-and-spoke logic, it scales very easily with minimal manual effort. Once the instance is in place, you can connect your desired on-premises networks based on your use case or specific needs to AWS in a self-service fashion—that is, on your existing ServiceNow Marketplace or using AWS Service Catalog.
The workflow is straightforward and simple: the user selects a desired use case from the service catalog menu and enters the input parameters pertaining to the on-premises network that requires connectivity. In just a few minutes the AWS CloudFormation stack for the request is deployed. This stack deployment will create the network connectivity from the IT/OT network to AWS Transit Gateway and also deploy other resources and internal configurations required for the use case.
To look more closely at the benefits of this approach, let’s take a simple use case: a user would like to move some old files from the servers of their on-premises data center into an Amazon Simple Storage Service (Amazon S3) bucket. The conventional way to do this would be to first go to the IT department and ask them to create a secure connection from the data center to AWS over the internet—triggering a series of compliance checks, approvals, and manual configuration of the network. This process usually takes 2–4 months, or even more depending on the use case. With a self-service approach, all this complexity is eliminated. Once the user selects the Amazon S3 Storage use case from the menu options and inputs the network parameters of the on-premises data center, the infrastructure as code (IaC) is deployed automatically through AWS CloudFormation, and the on-premises data center is then connected to the AWS Cloud over a private network.
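As an added illustration (not code from the original post or from AWS), here is the shape such a self-service CloudFormation product can take for the Amazon S3 use case: the stack takes the on-premises network parameters as its inputs, attaches a Site-to-Site VPN to the Transit Gateway that already exists in the account, and makes the bucket reachable only through an interface endpoint that the connected segment is allowed to talk to. The parameter names, the endpoint VPC and subnets, the BGP ASN 65000 and the resource names are assumptions, as is dynamic (BGP) routing so that no static routes have to be maintained.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  TransitGatewayId: {Type: String}                      # hub already configured in the account
  VpcId: {Type: "AWS::EC2::VPC::Id"}                    # VPC that hosts the service endpoints
  EndpointSubnetIds: {Type: "List<AWS::EC2::Subnet::Id>"}
  CustomerGatewayIp: {Type: String}                     # public IP of the plant's IPsec device
  OnPremCidr: {Type: String}                            # the OT/IT segment being connected
Resources:
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      IpAddress: !Ref CustomerGatewayIp
      BgpAsn: 65000                                     # assumed ASN; routes are learned over BGP
  SiteToSiteVpn:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGateway
      TransitGatewayId: !Ref TransitGatewayId           # the VPN becomes a spoke of the hub
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the S3 endpoint only from the connected segment
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref OnPremCidr}
  S3InterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref VpcId
      SubnetIds: !Ref EndpointSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
  ArchiveBucket: {Type: "AWS::S3::Bucket"}
  ArchiveBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArchiveBucket
      PolicyDocument:
        Statement:
          - Effect: Deny                                # objects reachable only via the private endpoint
            Principal: "*"
            Action: ["s3:GetObject", "s3:PutObject"]
            Resource: !Sub "${ArchiveBucket.Arn}/*"
            Condition:
              StringNotEquals:
                "aws:sourceVpce": !Ref S3InterfaceEndpoint
```

On-premises clients address the bucket through the endpoint-specific DNS name of S3InterfaceEndpoint, and the Transit Gateway route tables must already carry the VPN attachment toward the endpoint VPC; both are outside this template.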
Not only can companies use this self-service model to deploy applications, but they can also generate the necessary resources for providing a third-party vendor with temporary access to a desired network. Such access usually needs to be time-bound, strictly role-based, and restricted to the resources needing to be accessed. All these configurations and security policies can be standardized and embedded in the AWS CloudFormation stack to be deployed.
Figure 2. Workflow for the Amazon S3 storage use case
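The time-bound, role-based vendor access described above, as an added example that is not part of the original post: a CloudFormation fragment creating a role that the vendor's account can assume only until a fixed expiry, only with MFA and the agreed external ID, and only to open Session Manager sessions to SSM-managed nodes tagged for that engagement, so the vendor gets a managed session rather than a network path into the segment. The parameter names, the tag key VendorEngagement, the role name and the one-hour session limit are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VendorAccountId: {Type: String}     # the vendor's AWS account (assumed)
  EngagementId: {Type: String}        # ticket id; doubles as the ExternalId and the asset tag value
  AccessExpiresAt: {Type: String}     # ISO 8601 UTC, e.g. 2024-06-30T17:00:00Z
Resources:
  VendorSupportRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "vendor-${EngagementId}"
      MaxSessionDuration: 3600                          # each assumed session ends within an hour
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {AWS: !Sub "arn:aws:iam::${VendorAccountId}:root"}
            Action: "sts:AssumeRole"
            Condition:
              StringEquals: {"sts:ExternalId": !Ref EngagementId}      # confused-deputy guard
              Bool: {"aws:MultiFactorAuthPresent": "true"}
              DateLessThan: {"aws:CurrentTime": !Ref AccessExpiresAt}  # hard expiry of the grant
      Policies:
        - PolicyName: SessionManagerToTaggedAssetsOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow                           # only nodes tagged for this engagement
                Action: "ssm:StartSession"
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance/*"
                Condition:
                  StringEquals: {"ssm:resourceTag/VendorEngagement": !Ref EngagementId}
              - Effect: Allow                           # the default shell document Session Manager uses
                Action: "ssm:StartSession"
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/SSM-SessionManagerRunShell"
Outputs:
  RoleArn: {Value: !GetAtt VendorSupportRole.Arn}       # handed to the vendor together with the ExternalId
```

Deleting the stack at the end of the engagement removes the role, and the DateLessThan condition refuses new assumptions even if the stack is forgotten; session activity itself is recorded by Session Manager logging configured in the account.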
Why this approach? Why now?
We have already addressed the imperatives of cybersecurity, but looking further, how do we drive excellence? How do we create business value? Change and evolution in a business according to global trends is the norm. Such trends are shaped by sociopolitical and geographical factors alongside general consumer demand. When manufacturing industries are able to adapt to such trends, they will be profitable. This is a continuous, unending process and a challenge faced by every sector. It is also obvious that there is no magic, one-size-fits-all solution. Just as our customers observe that a solution designed for one of their factories is not replicable in another of their factories in a different city, it is highly improbable that any single solution could meet the requirements of manufacturing industries across the board. Thus, the heterogeneous nature of manufacturing poses another unique challenge: one cannot take for granted that the value proposition of an application or a use case is universal. It is therefore generally accepted that there will always be a degree of individual customization in crafting solutions, and individual factories and organizations need to be empowered with tools and mechanisms to perform such customization according to their own needs—and in a user-friendly and timely manner. It is at this point that the people aspect of digital transformation comes into play. To gain the confidence and empowerment to adapt to these new processes and tools, team members at all levels need trusted advisors and partners who will guide and support them at every step. With the foregoing in mind, our approach helps alleviate common pitfalls in the following ways:
Agility: This architecture delivers agility without sacrificing governance. New data streams or a new use case? Spin up new Amazon VPCs and configure the network resources both in the cloud and at the factory. Experimenting with AI? Get access to the data and test quickly, on demand.
Security and governance: With the cloud you can collect and accumulate all your manufacturing OT/IT data centrally in a data lake, in a data warehouse, or with a hybrid approach. You can also manage the access and life cycle of the data based on compliance policies, especially in highly regulated industries such as pharmaceuticals. With AWS Security Hub—a cloud security posture management service that streamlines security operations—you can monitor and assess the security posture of your whole infrastructure from a single point.
Flexibility: Need a self-service model with which OT teams can securely provision the infrastructure they need, while still operating within IT-defined security policies? This is possible with AWS.
Consistency: With IaC services such as AWS CloudFormation or AWS Cloud Development Kit (AWS CDK)—which accelerates cloud development using common programming languages to model applications—one can maintain individual use cases and applications in Amazon VPCs as code. This provides reproducibility, version control, and the foundation for secure, seamless collaboration. This brings IT mechanisms to OT with Git-based workflows to manage infrastructure.
Audit trails and compliance: With AWS Security Hub acting as your security mission control, with its unified alerts and automated compliance checks, you can rely on built-in compliance monitoring. With AWS Config—a service that empowers you to assess, audit, and evaluate the configurations of your AWS resources—you can continuously track configuration changes against policy. Identify drift early on and take corrective action to avoid compliance breaches.
OT/IT DevOps: Gain operational visibility across cloud and on-premises systems for managed environments. Use AWS Systems Manager Agent (SSM Agent) to run commands, patch OT assets, perform inventory audits, and manage an entire fleet of devices automatically using rules and guardrails.
Conclusion
This solution empowers OT professionals to simplify the provisioning of cloud resources that connect seamlessly to the shop floor. This helps OT teams drive innovation without needing to rely heavily on IT support. By using the interface of AWS services, OT personnel can quickly spin up cloud resources, potentially accelerating the deployment of new solutions and streamlining operations. This approach ultimately fosters collaboration between OT and IT, promoting a more agile and efficient manufacturing environment.
If you would rather not build such a foundation on your own, firms like AllCloud, an AWS Partner, have developed their Industrial Data Insights In-a-Box solution, in collaboration with manufacturing customers.