AWS for Industries

Vector automates deployment of GE ADMS at the edge using AWS Outposts

Vector Limited is the largest distributor of electricity and gas in New Zealand (NZ), managing a rapidly expanding energy distribution network across the Auckland urban area, serving approximately 30 percent of the NZ population, and representing one-third of the nation’s gross domestic product (GDP). The company entered into a strategic alliance with Amazon Web Services (AWS) in 2020, to work together to solve challenges in the energy sector, initially developing a next-generation metering and energy information platform that unlocks access to energy data, and enabling insights and analytics vital to meeting new energy challenges.

The electricity distribution industry is witnessing major shifts with the adoption of EVs, electrification of public transport, large scale data centres, ongoing and increasing growth from housing and housing density intensification, ongoing commercial and industrial growth, other decarbonisation driven growth like hydrogen electrolyser plants, and the residential and industrial transition from gas to electricity. Vector has been tapping into the opportunities created by these industry trends by using data and insights, deploying operational technology platforms to reduce customer costs, reducing load growth during peak to improve affordability and efficiency through the implementation of dynamic operating envelopes, and adopting AWS Cloud capabilities to innovate faster.

Advanced distribution network with GE ADMS running at the edge of the cloud

As Vector’s electricity distribution network grows in size and complexity, the ability to monitor and manage the network becomes more critical. This is why Vector chose to implement GE’s Advanced Distribution Management System (ADMS) to equip control room operators with enhanced capabilities to manage and monitor the electricity network, use data to anticipate failure and minimise unplanned outages, and facilitate rapid resolution of planned maintenance. ADMS also provides a near-real-time geolocation view of electricity assets, which is particularly useful for outage management and for organising proactive maintenance activities.

Considering the mission-critical nature of the ADMS application, Vector not only needed a resilient infrastructure but also one that facilitated regular upgrades and zero-touch automated deployment to minimize downtime and risk from accidental manual misconfiguration.

ADMS deployment on AWS Outposts

With a cloud-first strategy, Vector has been migrating enterprise IT applications (including Siebel, SAP, GIS and others) from on-premises into AWS Regions, physical locations around the world where data centers are clustered. And over the years, Vector has developed strong in-house capabilities, processes, and tools to manage and govern AWS Cloud infrastructure at scale. This made AWS the preferred infrastructure option for hosting ADMS. However, the absence of an active AWS NZ Region (coming in 2024) and key requirements around data residency and low-latency connectivity with the on-premises operational technology (OT) network seemed to initially rule out AWS.

Further research and trials led to AWS Outposts, which offered the desired infrastructure characteristics – fully managed AWS infrastructure on-premises with access to AWS services for a truly consistent hybrid experience.

Additionally, AWS Outposts offered Vector unique advantages for running the mission critical ADMS application:

  1. Vector used in-house AWS Cloud capabilities and the same set of AWS APIs that is used by their corporate IT teams. This freed the OT engineers with specialized skill sets to better use their expertise to configure ADMS applications and create automated and repeatable deployment processes.
  2. AWS Outposts offered secure, high-speed, private connectivity to Vector’s on-premises network for integration with other OT applications while also keeping sensitive data on premises.
  3. To run ADMS, Vector initially used two AWS services on AWS Outposts: Amazon Elastic Compute Cloud (Amazon EC2), which offers a broad and deep compute platform, and Amazon Elastic Block Store (EBS),  an easy-to-use, scalable, high-performance block-storage service. The architecture can be evolved in the future with the growing list of supported AWS services on AWS Outposts:
    1. Amazon Elastic Kubernetes Service (Amazon EKS), to run Kubernetes in the AWS Cloud and on-premises data centers
    2. Amazon Elastic Container Service (Amazon ECS), a fully managed container orchestration service that makes it easy to deploy, manage, and scale containerized applications
    3. Amazon Simple Storage Service (Amazon S3), an object storage service offering industry-leading scalability, data availability, security, and performance
  4. AWS Outposts offered custom specifications and flexible subscription terms that aligned well with Vector’s technology investment strategy.

Modelling security in AWS Outposts

Vector’s OT network follows the Purdue Model for industrial control system (ICS) security (Figure 1) as closely as possible, to define and implement security controls across IT and OT networks.

Figure 1. Purdue ICS security model

figure 1. Purdue ICS security model

Vector’s network is segmented into multiple logical networks called levels. Security controls implemented for each level are designed with consideration of the security requirements of components hosted inside each network level. For example, security at level 0 and level 1 is managed by physical security. At levels 2, 3, and 4, where components of ADMS are hosted, security is managed through AWS-native controls (network access control list and security group) in conjunction with Vector’s existing security appliances.

Environments in AWS Outposts and the AWS Regions are consistent, which allows Vector to easily implement network segmentation and security controls around the ADMS environment to deliver an improved security posture and, align with Vector’s cloud security policies.

Resilient ADMS deployment with AWS Outposts

Availability of ADMS is absolutely critical, so ADMS on AWS Outposts has been designed with redundancy at all layers (network, infrastructure, and application). To meet the high availability needs, Vector deployed two AWS Outposts racks at physically isolated data centres. Each AWS Outposts rack is homed to a different AZ in the AWS Region so that there is continued service in the rare event of an AWS Region service impact. It is an active-active architecture with multiple instances of ADMS deployed on different Amazon EC2 instances, with near-real-time data replication across both AWS Outposts.

Vector carefully considered all possible failure scenarios and ran extensive testing for them, including issues with individual Amazon EC2 instances on AWS Outposts, the loss of an entire AWS Outpost rack, outage of an AWS Availability Zone (AZ), or the loss of connectivity. Vector used AWS Well-Architected framework (which describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud) to regularly assess the ADMS deployment and used the findings to inform the backlog so that the overall solution met all high-availability, performance, and stringent security requirements.

Figure 2. GE ADMS deployment on AWS Outposts

Figure 2. GE ADMS deployment on AWS Outposts

As shown in the figure 2, both AWS Outposts are connected to the parent AWS Region (Sydney), with redundant private connectivity using AWS Direct Connect, which creates a dedicated network connection to AWS. This link, also called the service link, is used by AWS for performing maintenance activities and monitoring the status of the instances running on AWS Outposts. Any application data subjected to regulatory and compliance doesn’t leave the Vector network and is securely accessible to on-premises systems through a local gateway.

Summary

In a pioneering venture, Vector collaborated alongside AWS to establish the technology environment required to power the electricity distribution network of the future. AWS Outposts provided the performance and security of the AWS Cloud within Vector’s data centres, and facilitated use of consistent AWS Cloud tool sets and expertise across IT and OT environments. You can use the reference architecture for ADMS on AWS that Vector and AWS have created as you begin your journey of OT modernization.

Ratan Kumar

Ratan Kumar

Ratan is AWS Principal Solutions Architect based out of New Zealand. His mission is enabling customers innovate and use AWS for running business critical applications. Ratan enjoys sharing solutions, best practices and optimisation tips through AWS blogs and twitch sessions.

John Martin

John Martin

John is the Principal Architect for Vector Electricity. John is responsible for setting the digital architecture for the distribution business within Vector. This covers a wide variety of platforms from ADMS and DERMs (Distributed Energy Resources) to Data lake and Development technologies. He focuses on connecting the digital and electricity teams, while keeping technical strategic direction aligned.