AWS for Industries

Use AWS services to build secure, resilient, and global OT and IT networks

Energy companies deploy a multitude of operational technology (OT) and information technology (IT) assets across their lines of business. Supervisory control and data acquisition (SCADA) systems, Open Platform Communications Unified Architecture (OPC UA) servers, programmable logic controllers (PLCs), Internet of Things (IoT) devices, and historians are some of the most visible OT assets used by our energy customers. These OT assets are not limited to the energy industry alone; they have a strong presence in oil and gas, renewables, manufacturing, automotive, and construction, among others.

OT represents the machinery, hardware, devices, sensors, and so forth that work in the background. OT assets are often purpose built, live long (sometimes for decades), communicate over proprietary or industry-specific protocols (more than 200 are in use), and are frequently classified as critical infrastructure because of the assets they control. Power generation plants, substations, transformers, and the electricity grid are some examples. IT, on the other hand, is responsible for providing the necessary tools for data availability, security, observability, traceability, analytics, authorized access, near-real-time situational awareness, artificial intelligence/machine learning (AI/ML), and so forth.

For the success of an organization, OT and IT need to complement and empower each other. However, we often find our customers walking a tightrope in trying to make this happen, especially when it comes to deploying OT/IT infrastructure in the cloud. Regulatory compliance (such as North American Electric Reliability Corporation Critical Infrastructure Protection [NERC CIP]), cybersecurity, resiliency, connectivity, and, even at times, cultural bias are some of the most common challenges that our customers face when it comes to OT and IT convergence.

In our conversations with customers, we often observe that the only thing uniform in industrial OT/IT/IoT is disparity. There are disparate devices, disparate protocols, disparate original equipment manufacturers (OEMs), disparate edge configurations—the list goes on. Energy companies need a robust, secure, and scalable mechanism to ingest, normalize/contextualize, interpret, and eventually make intelligent decisions on the relentless flow of data emanating from OT assets.

Use AWS for OT/IT integration

Prominent use cases where energy customers can use AWS for IT, OT, and cybersecurity include (but are not limited to) the following:

IT:

  • historian modernization (such as OSIsoft PI on AWS)
  • industrial IoT data lakes, facilitating 100 percent data ownership
  • near real-time situational awareness, monitoring, and control (such as AWS IoT and Esri ArcGIS Velocity for real-time utility dashboards and analysis)
  • analytics, reporting, and advanced AI/ML
  • predictive maintenance
  • curtailment, scheduling, and dispatch management
  • building a secure, global IT network that can seamlessly interact with OT data and help drive intelligent decisions

Last year, we released the solution guidance for renewables data lake and analytics on AWS. The solution is being used by Greenko Group in India for monitoring and analytics of 2,200 wind turbines on AWS. (Read more about the story here.) In addition to renewables, this solution guidance is equally applicable for oil and gas and traditional energy generators and operators that employ OT such as SCADA systems, PLCs, and IoT devices.

OT:

  • emancipation from device, protocol, and edge configuration (that is, the freedom to choose any industrial device without having to worry about connectivity to the cloud or security of the data in transit or at rest)
  • building a secure, global OT network that can seamlessly and quickly onboard disparate OT assets (SCADA systems, OPC UA servers, PLCs, IoT devices, historians, and so forth)
  • edge-driven architectures where any change made to OT assets at the edge is instantaneously made visible to applications in the cloud and vice versa
  • providing cloud-to-edge compatibility, including compute and ML capabilities at edge

Cybersecurity:

  • building a global OT/IT secure infrastructure in the cloud that is grounded in the Purdue model (that is, separation of network layers and isolation of traffic between OT and IT assets)
  • a 100 percent private network, where no traffic traverses the public internet, from edge to cloud (in practice this means private connectivity such as AWS Direct Connect for the edge-to-cloud legs, since a Site-to-Site VPN is encrypted but still rides the public internet)
  • deep packet inspection based on custom rules
  • minimizing the scope of impact in the event of a cyberincident
  • quickly isolating compromised networks and applications
  • reducing network complexity by providing the ability to manage all networks from one location

Build secure OT/IT infrastructure on AWS based on the Purdue model

The Purdue model, developed as part of the Purdue Enterprise Reference Architecture (PERA), is the generally accepted reference for structuring an industrial control system (ICS) network into levels with controlled boundaries between them. The same idea extends to OT/IT network infrastructure in the cloud: dedicated and isolated network segments for OT, IT, security, and egress, so that OT and IT traffic stays separated and any exchange between the two passes through the security segment for inspection rather than flowing directly.

To address the above and meet the needs of our customers, AWS has published a white paper on how to build a secure global OT/IT network for industrial assets using AWS Cloud WAN (read the guidance here). AWS Cloud WAN makes it simple to build and operate wide area networks that connect your data centers and branch offices, as well as your Amazon Virtual Private Clouds (Amazon VPCs), which give you full control over your virtual networking environment. With AWS Cloud WAN, you connect to AWS through your choice of local network providers and then use a central dashboard and network policies to create a unified network that connects your locations and network types. This eliminates the need to configure and manage different networks individually, even when they are running different technologies. AWS Cloud WAN generates a complete view of your on-premises and AWS networks to help you visualize the health, security, and performance of your entire network.
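To make the four-segment split concrete, here is an added example (not code from the white paper or from AWS) of a Cloud WAN core network policy that keeps OT, IT, security and egress in separate segments, together with a small check that OT and IT only ever exchange routes through the security segment. The edge locations, ASN range, both attachment IDs and the 0.0.0.0/0 routes toward a firewall attachment are placeholder assumptions; the check treats attachment-route sharing as bidirectional, which is how Cloud WAN documents it.

```python
# Added example (not code from the AWS white paper): a Cloud WAN core network
# policy for a Purdue-style OT / IT / security / egress split, plus a check that
# OT and IT only meet through the security (inspection) segment.
# Edge locations, the ASN range and both attachment IDs are placeholder assumptions.
import json

INSPECTION_ATTACHMENT = "attachment-0123456789abcdef0"  # hypothetical firewall VPC in 'security'
EGRESS_ATTACHMENT = "attachment-0fedcba9876543210"      # hypothetical NAT/egress VPC in 'egress'


def build_policy() -> dict:
    """Return a Cloud WAN core network policy document (JSON-serialisable dict)."""
    return {
        "version": "2021.12",
        "core-network-configuration": {
            "vpn-ecmp-support": False,
            "asn-ranges": ["64512-64555"],  # assumed private ASN range
            "edge-locations": [{"location": "us-east-1"}, {"location": "eu-west-1"}],
        },
        "segments": [
            # OT sites must not reach each other laterally: isolate attachments.
            {"name": "ot", "require-attachment-acceptance": True, "isolate-attachments": True},
            {"name": "it", "require-attachment-acceptance": True},
            {"name": "security", "require-attachment-acceptance": True},
            {"name": "egress", "require-attachment-acceptance": True},
        ],
        "segment-actions": [
            # The inspection VPC is the only segment both OT and IT exchange routes with.
            {"action": "share", "mode": "attachment-route", "segment": "security",
             "share-with": ["ot", "it"]},
            # Default routes from OT and IT go to the firewall attachment, so cross-zone
            # and outbound flows are inspected; only security forwards to egress.
            {"action": "create-route", "segment": "ot",
             "destination-cidr-blocks": ["0.0.0.0/0"], "destinations": [INSPECTION_ATTACHMENT]},
            {"action": "create-route", "segment": "it",
             "destination-cidr-blocks": ["0.0.0.0/0"], "destinations": [INSPECTION_ATTACHMENT]},
            {"action": "create-route", "segment": "security",
             "destination-cidr-blocks": ["0.0.0.0/0"], "destinations": [EGRESS_ATTACHMENT]},
        ],
        "attachment-policies": [
            # Map each attachment to the segment named in its 'segment' tag, but
            # still require explicit acceptance before it joins the core network.
            {"rule-number": 100, "condition-logic": "or",
             "conditions": [{"type": "tag-exists", "key": "segment"}],
             "action": {"association-method": "tag", "tag-value-of-key": "segment",
                        "require-acceptance": True}},
        ],
    }


def policy_json() -> str:
    """Serialise the policy for `aws networkmanager put-core-network-policy`."""
    return json.dumps(build_policy(), indent=2)


def direct_sharing(policy: dict) -> dict:
    """Segments that exchange routes via 'share' actions (attachment-route sharing is two-way)."""
    names = [s["name"] for s in policy["segments"]]
    peers = {n: set() for n in names}
    for act in policy["segment-actions"]:
        if act.get("action") != "share":
            continue
        src = act["segment"]
        targets = names if act["share-with"] == "*" else act["share-with"]
        for dst in targets:
            if dst != src:
                peers[src].add(dst)
                peers[dst].add(src)
    return peers


def default_route_targets(policy: dict, segment: str) -> set:
    """Attachments that a segment's static 0.0.0.0/0 route points at."""
    targets = set()
    for act in policy["segment-actions"]:
        if (act.get("action") == "create-route" and act["segment"] == segment
                and "0.0.0.0/0" in act.get("destination-cidr-blocks", [])):
            targets.update(act["destinations"])
    return targets


def check_purdue_isolation(policy: dict) -> list:
    """Return violations of the OT/IT/security/egress split; an empty list means clean."""
    problems = []
    peers = direct_sharing(policy)
    segs = {s["name"]: s for s in policy["segments"]}
    if "it" in peers.get("ot", set()):
        problems.append("ot and it share routes directly: cross-zone traffic bypasses inspection")
    if not segs.get("ot", {}).get("isolate-attachments"):
        problems.append("ot attachments are not isolated: a compromised site can reach another")
    for seg in ("ot", "it"):
        if "security" not in peers.get(seg, set()) or "egress" in peers.get(seg, set()):
            problems.append(f"{seg} is not forced through the security segment")
        if default_route_targets(policy, seg) != {INSPECTION_ATTACHMENT}:
            problems.append(f"{seg} default route does not point at the inspection attachment")
    return problems
```

`check_purdue_isolation(build_policy())` returns an empty list; appending a second share action that shares `ot` with `it` (the classic "fix" for a connectivity ticket) makes it report that OT and IT now bypass inspection, and removing `isolate-attachments` from the OT segment flags lateral reachability between sites. The check only covers the segmentation intent expressed in the policy; the firewall rules in the inspection VPC and the route tables inside each attached VPC still need their own review, and Cloud WAN validates the document against its schema when you submit it with `aws networkmanager put-core-network-policy`.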

Avneet Singh

Avneet is the EMEA Principal Specialist Solutions Architect for Energy at Amazon Web Services. He is based out of Amsterdam, The Netherlands, and is responsible for establishing AWS's leadership position in building resilient cloud-native solutions for the Energy vertical. Avneet has more than 15 years of experience in the utility industry, having delivered successful technology solution projects across the meter-to-cash cycle spanning smart metering, billing, invoicing, and regulatory compliance. Avneet has a keen interest in IoT, data analytics, and renewable energy optimization. He is the author of the solution guidance on Renewables Data Lake and Analytics on AWS. He is actively collaborating with renewable energy operators across the world in the NAMER, EMEA, and APJ regions, developing next-generation renewable energy solutions on the AWS Cloud.

Abhishek Naik

Abhishek is a Senior Manager leading the Solutions Architecture group for power and utilities at AWS for Energy. He has over 15 years of experience designing and building infrastructure and leading product solutions. Abhishek helps customers accelerate business outcomes and decarbonize their operations using technology. He provides technical guidance and expertise, and designs and leads implementation projects to ensure customers succeed on AWS. Outside of work, Abhishek enjoys exploring the great outdoors.

Yashar Araghi

Yashar is a Senior Solutions Architect at AWS. He has over 20 years of experience designing and building infrastructure and application security solutions. He has worked with customers across various industries such as government, education, financial services, and energy and utilities. In the last 5 years at AWS, Yashar has helped customers design, build, and operate cloud solutions that are secure, reliable, performant, and cost optimised.