The Internet of Things on AWS – Official Blog
Securely sending industrial data to AWS IoT services using unidirectional gateways
Introduction
Critical infrastructure customers are challenged to make industrial networks more accessible without significantly increasing cybersecurity risks. This is due in part to the common practice of using Industrial IoT (IIoT) and cloud technologies to analyze large volumes of industrial data to improve operational efficiencies. To be successful, this practice requires a balance between advancing digitization to remain competitive and securing critical infrastructure systems.
Many of the Industrial Control Systems (ICS) and Operational Technology (OT) used in critical infrastructure have technology with little or no built-in security. Connecting these systems to external, untrusted networks poses security risks since these systems support the safe operation of critical infrastructure. So, how can you safely and securely connect these systems to the cloud to get the benefits from cloud offerings without adding risk to the ICS/OT systems?
AWS recommends following the 10 security golden rules for IIoT solutions. These rules recommend to deploy security appliances, such as unidirectional gateways, to control data flow and establish secure connections to external, untrusted networks and cloud services.
Unidirectional gateways allow OT/IIoT data to be sent from the OT network to the IT network and Cloud in one direction while physically blocking traffic in the opposite direction. Unidirectional gateways can be a secure alternative to firewalls. They meet several industrial security standards, such as NERC CIP, ISA/IEC 62443, NEI 08-09, NRC 5.71, and TS50701. They are also supported by the Industry IoT Consortium’s Industrial Internet Security Framework, who provides guidance on protecting safety networks and control networks with unidirectional gateway technology. NIST SP 800-82 states that using unidirectional gateways may provide additional protections associated with system compromises at higher levels or tiers within the environment. For example, a unidirectional gateway deployed between Layers 2 and 3 may protect Layer 0, 1, and 2 devices from a cybersecurity event that occurs at Layers 3, 4, or 5. For more information, refer to the Purdue Enterprise Reference Architecture (PERA).
In this blog, we discuss two options to send OT/IIoT data to AWS using unidirectional gateways. You can use Waterfall Security’s Unidirectional Cloud Gateway to send OT/IIoT data to AWS IoT SiteWise or AWS IoT Core to support IIoT, Industry 4.0, and AI/ML use cases. For example, to improve operational efficiencies and reduce unplanned downtime in critical infrastructure operations. This approach enables customers in critical infrastructure sectors and regulated industries to take advantage of AWS Cloud services while limiting the risks to their ICS/OT environments.
Solution Overview
Unidirectional gateways are a combination of hardware and software. Unidirectional gateway hardware is physically able to send data in only one direction, while the gateway software replicates servers and emulates devices. Since the gateway is physically able to send data in only one direction, there is no possibility of IT-based or internet-based security events pivoting into the OT networks. The gateway’s replica servers and emulated devices simplify OT/IT integration.
A typical unidirectional gateway hardware implementation consists of a network appliance containing two separate circuit boards joined by a fiberoptic cable. The “TX,” or “transmit,” board contains a fiber-optic transmitter, and the “RX,” or “receive,” board contains a fiber-optic receiver. Unlike conventional fiber-optic communication components, which are transceivers, the TX appliance does not contain a receiver and the RX appliance does not contain a transmitter. Because there is no laser in the receiver, there is no physical way for the receiving circuit board to send any information back to the transmitting board. The appliance can be used to transmit information out of the control system network into an external network, or directly to the internet, without the risk of a cyber event or another signal returning into the control system.
Figure 1 shows how a unidirectional gateway replicates historian data from an industrial network to an external network, such as an enterprise IT network or Cloud. Unidirectional gateway software running on the industrial circuit board connects to the industrial historian database and issues queries to the database. Historical data retrieved from the industrial database is sent across the unidirectional gateway hardware to software running on the board connected to the external network. That software registers as a client of the replica historian database. It then issues insert requests to that database asking the database to store all the timestamped data received from the industrial network. Users and applications on the external network that need access to the historical data can access the replica historian. This approach isolates and protects the industrial systems in the industrial network.
Figure 1: Historian data replication using a Unidirectional gateway (courtesy Waterfall Security Solutions)
Option 1: Sending OT/IIoT data to AWS IoT SiteWise
Figure 2 shows how you can send industrial data to AWS IoT SiteWise using a unidirectional gateway. AWS IoT SiteWise is a managed service that simplifies collecting, organizing, and analyzing industrial equipment data at scale. The Waterfall gateway appliance reads OPC UA data from an OPC UA server and hosts a replica OPC UA server for the IT network. An AWS IoT SiteWise Edge gateway running on AWS IoT Greengrass reads the OPC UA data from the replica OPC UA server and sends that data to AWS IoT SiteWise in the cloud. The data is stored in AWS IoT SiteWise and can be visualized in AWS IoT SiteWise Monitor. AWS IoT SiteWise Edge software makes it easy to collect, organize, process, and monitor equipment data on-premises. AWS IoT SiteWise Monitor is a feature of AWS IoT SiteWise that you can use to create portals in the form of a managed web application. You can then use these portals to view and share your industrial/operational data.
Figure 2 – Sending industrial equipment data using a unidirectional gateway to AWS IoT SiteWise
Solution Overview
AWS
AWS IoT Greengrass is an open-source edge runtime and cloud service for building, deploying, and managing device software. With AWS IoT Greengrass installed, you can deploy AWS IoT SiteWise Edge gateways to collect industrial data using industrial protocols such as OPC UA.
2. Deploy AWS IoT SiteWise Edge gateway software
AWS IoT SiteWise gateways run on AWS IoT Greengrass V2 as an IoT Greengrass component that supports data collection and processing on premises. In this step, you deploy the AWS IoT SiteWise Edge gateway software for data collection using OPC UA and configure the OPC UA settings.
3. Model the assets in AWS IoT SiteWise
Model the assets to create virtual representations of your industrial operation with AWS IoT SiteWise. An asset represents a device, a piece of equipment, or a process that uploads one or more data streams to the AWS Cloud.
4. Configure AWS IoT SiteWise Monitor dashboard
Create a dashboard to monitor key operating parameters and performance metrics for your assets using AWS IoT SiteWise Monitor and take necessary actions when needed in near-real time.
Waterfall
5. Setup the OPC UA client on the Waterfall unidirectional gateway appliance
Use the unidirectional gateway’s web-based user interface on the industrial network. Log in and configure an OPC UA data source. Enter the host name/IP address and login credentials. Also, include instructions about copying all data points in the OPC UA server (the default), or select the parts of the OPC UA namespace that can be copied to the IT network.
- Waterfall TX acts as a native OPC UA client that reads data from the OPC UA server on the customer’s industrial system in real time.
- Waterfall RX acts as a replica of the industrial OPC UA server and enables OPC UA clients on the enterprise network to read the replicated data.
For detailed instructions, refer to the Waterfall Security product documentation.
Option 2: Sending OT/IIoT data to AWS IoT Core
Figure 3 shows how you can send industrial data to AWS IoT Core through a unidirectional gateway and using the MQTT protocol. Messages can then be routed to different AWS services (such as AWS IoT Events, AWS Lambda, Amazon Kinesis, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream) for processing using the AWS IoT rules engine. The Waterfall Unidirectional Gateway is an MQTT broker on the industrial network. It receives MQTT messages from industrial systems and sends that data through the gateway to the Waterfall client, which then sends the data to AWS IoT Core.
Figure 3 – Sending industrial equipment data using a unidirectional gateway to AWS IoT Core
Solution Overview
AWS
1. Setup Amazon Timestream to store the data originating from the industrial database.
In this scenario, we use Timestream which is a fast, scalable, and serverless time-series database. However, you can use other purpose-built AWS Cloud databases.
2. Create an AWS IoT Thing with certificates and rules to send data to Timestream.
In this step, the Waterfall Unidirectional gateway is created as an IoT Thing in AWS IoT Core with an IoT certificate and IoT policy. A rule is configured to send data received by AWS IoT Core to Timestream. Timestream integrates with commonly used services for visualization and machine learning. For example, you can visualize data using Amazon QuickSight or Amazon Managed Grafana, and use Amazon SageMaker for machine learning.
3. Create and setup the Amazon Managed Grafana dashboard to visualize data.
4. Configure the Amazon Managed Grafana dashboard and create the graphs.
5. Visualize your time series OT/IIoT data and create alerts using Amazon Managed Grafana.
Waterfall
6. Setup an MQTT connector through the Waterfall web-based user interface on the industrial and the IT sides of the unidirectional gateway appliance.
For detailed instructions, refer to Waterfall Security product documentation.
Conclusion
In this post, you learned how to stream OT/IIoT data to AWS IoT SiteWise and AWS IoT Core using the Waterfall Unidirectional Cloud Gateway. This solution enables regulated industries and critical infrastructure sectors to take advantage of cloud services in AWS (such as IoT and AI/ML) while preventing remote events from penetrating back into protected industrial networks. While the unidirectional gateway simplifies OT/IT integration and helps improve the security posture, it is only one aspect when designing secure OT/IIoT network architectures. AWS recommends a multi-layered approach to secure the ICS/OT, IIoT, and cloud environments as described in the ten security golden rules for IIoT solutions.
Resources:
- Collecting, organizing, monitoring, and analyzing industrial data at scale using AWS IoT SiteWise – Official Blog
- AWS IoT Greengrass on Windows operating system on AWS – Official Blog
- Creating a gateway – AWS IoT SiteWise
- AWS IoT SiteWise Monitor – User Guide
- Visualize time series data in Amazon Timestream using Grafana