Industrial digital transformation is driving changes to the Operational Technology (OT) landscape, making it more connected to the internet and IT systems and solutions. With OT/IT convergence, OT environments are leveraging more IT solutions to improve productivity and efficiency of production operations. Industrial customers can use AWS edge and cloud services to securely access OT data and use AWS IoT services, artificial intelligence, and machine learning capabilities to transform their operations. Continuous digitization and progressive inter-connectivity of the production environment is important to capture value from industrial IoT (IIoT) solutions. While this new and expanding “physical meets digital” connectivity enables great rewards, it also introduces new cyber security risk, which needs to be properly managed. Industrial organizations should be aware of the risks that come with the benefits of this convergence and cloud adoption. To help companies plan their industrial digital transformation safely and securely, AWS recommends a multi-layered approach to secure industrial control systems and operational technology (ICS/OT), IIoT and cloud environments, which is captured in the Ten Security golden rules for IIoT solutions.
In this blog post, we introduce the AWS IIoT security workshop, which can help you get started with hands-on learning focused on how to secure your smart factory and IIoT solutions by implementing the IIoT security golden rules using AWS services.
AWS IIoT Security workshop
To get started, see the AWS IIoT security workshop. This workshop provides you with hands-on education focused on how to use AWS IoT services and AWS Security services to safely and securely deploy and monitor industrial IoT security solutions. Working through a scenario in a smart factory with computer numerical control (CNC) machines sending data to AWS, you will be able to detect and remediate data exfiltration from the factory using network anomaly detection and process anomaly detection. Detecting and responding to cyber events early can limit the damage to mission-critical OT operations and can help you improve your organization’s cyber security posture. Let’s start by taking a look at the workshop architecture.
AWS IIoT Security workshop architecture
The workshop architecture shows a factory with CNC machines sending data to an edge gateway for edge data processing. Data from the edge device is sent to AWS for data storage, processing, analytics, and visualization. In this workshop, we will emulate CNC machine data using an Ignition OPC UA server. OPC UA is a modern communications protocol for industrial automation which is used for data collection and control by IIoT and smart factory applications and platforms. It is an open standard, and allows the Ignition OPC UA server interface to seamlessly connect to the OPC UA client on the AWS IoT SiteWise gateway. The OPC UA server sends data to a gateway device deployed on an Amazon EC2 instance that runs AWS IoT Greengrass. An AWS IoT SiteWise gateway component installed on AWS IoT Greengrass streams the data to AWS IoT SiteWise in the cloud.
AWS IoT SiteWise Monitor is used to visualize the data in near real-time, while AWS IoT SiteWise metrics are used to create custom aggregates and metrics. A malicious script will be injected into the gateway device to simulate a cyber event. AWS IoT Device Defender is used to audit and monitor your fleet of IoT devices. AWS IoT SiteWise metrics detect process anomalies that could indicate a cyber event. Once a security anomaly is detected, you will investigate it and take mitigating actions, such as quarantining the anomalous device. AWS Security Hub can be used to provide a centralized view of security alerts across your factory and cloud environments when implementing IIoT solutions.
To conduct the workshop, you will need the following:
AWS Account with admin privileges. If you don’t have an AWS Account follow the instructions to create one. If you are participating in an AWS event, an account can be provided by AWS.
Basic AWS IoT knowledge. For familiarity you can look at Getting started with AWS IoT workshop
Laptop or computer with a browser installed
Access to a remote desktop client
Basic Linux knowledge
Basic Python skills
Knowledge about AWS IoT SiteWise. For familiarity you can look at AWS IoT SiteWise workshop
Basic AWS IoT Greengrass V2 knowledge. For familiarity you can look at Greengrass V2 workshop
Learning objectives and services used
In this workshop you will learn how to:
Detect data exfiltration from the smart factory using AWS IoT Device Defender device side metrics such as Bytes out, Packets out, and Destination IP
Investigate the data exfiltration security event and take a mitigation action to quarantine the device using AWS IoT Device Defender
Secure gateway configuration by protecting the Ignition server authentication secret using AWS Secrets Manager and by configuring authentication and encryption between the Ignition OPC UA server and AWS IoT SiteWise Gateway OPC UA client to enable secure OPC UA communications
Detect process anomalies using AWS IoT SiteWise Monitor and alarms
Audit against IoT security best practices using AWS IoT Device Defender Audit, then import the audit findings into AWS Security Hub
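To make the first two objectives concrete, here is an added example (not part of the workshop or the blog) that evaluates one device-side metrics report, shaped like the JSON an AWS IoT Device Defender agent publishes, against behaviors modelled on a security profile: ceilings on bytes out and packets out, plus an allowed destination CIDR set, and then derives the quarantine decision. The report values, thresholds, CIDR, thing name and quarantine group name are all constructed.

```python
import ipaddress
import json

# Constructed sample shaped like an AWS IoT Device Defender device-side metrics
# report (the JSON a device agent publishes). All values are invented.
SAMPLE_REPORT = json.dumps({
    "header": {"report_id": 1, "version": "1.0"},
    "metrics": {
        "network_stats": {"bytes_in": 120_000, "bytes_out": 9_500_000,
                          "packets_in": 800, "packets_out": 8_400},
        "tcp_connections": {"established_connections": {"connections": [
            {"remote_addr": "10.0.1.25:8883", "local_port": 44321},    # expected in-VPC endpoint
            {"remote_addr": "203.0.113.77:1883", "local_port": 50122},  # unexpected external MQTT broker
        ], "total": 2}},
    },
})

# Behaviors in the spirit of a Device Defender security profile; thresholds are constructed.
BEHAVIORS = {
    "aws:all-bytes-out": {"less-than-equals": 5_000_000},
    "aws:all-packets-out": {"less-than-equals": 10_000},
    "aws:destination-ip-addresses": {"in-cidr-set": ["10.0.0.0/8"]},
}

def evaluate(report_json, behaviors=BEHAVIORS):
    """Return the names of behaviors violated by one metrics report."""
    m = json.loads(report_json)["metrics"]
    stats = m.get("network_stats", {})
    conns = m.get("tcp_connections", {}).get("established_connections", {}).get("connections", [])
    observed = {
        "aws:all-bytes-out": stats.get("bytes_out", 0),
        "aws:all-packets-out": stats.get("packets_out", 0),
        # remote_addr is "ip:port"; drop the port before parsing the address
        "aws:destination-ip-addresses": [ipaddress.ip_address(c["remote_addr"].rsplit(":", 1)[0]) for c in conns],
    }
    violations = []
    for name, crit in behaviors.items():
        if "less-than-equals" in crit and observed[name] > crit["less-than-equals"]:
            violations.append(name)
        if "in-cidr-set" in crit:
            allowed = [ipaddress.ip_network(c) for c in crit["in-cidr-set"]]
            if any(not any(ip in n for n in allowed) for ip in observed[name]):
                violations.append(name)
    return violations

def quarantine_action(thing_name, violations, group="QuarantineThingGroup"):
    """Mitigation decision: move a violating device into a quarantine thing group
    (Device Defender's ADD_THINGS_TO_THING_GROUP action); the group name is a placeholder."""
    if not violations:
        return None
    return {"thingName": thing_name, "actionType": "ADD_THINGS_TO_THING_GROUP", "thingGroup": group}
```

With the sample report, the bytes-out ceiling and the destination CIDR check fire (the external broker on 203.0.113.77 is outside 10.0.0.0/8) while packets out stays under its ceiling, so the device is flagged for quarantine.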
You will use the following key services:
AWS resources for the workshop are created with AWS CloudFormation. The CloudFormation stack that you are going to launch during the workshop works with nested stacks. Nested stacks are stacks created as part of other stacks. You will see more than one CloudFormation stack being launched. Nested stacks are marked as NESTED in the AWS CloudFormation console. The CloudFormation stacks will create the following resources:
Amazon EC2 instance as your OPC UA server simulating industrial data.
AWS Cloud9 environment as your workplace where you will install AWS IoT Greengrass V2 and the AWS IoT SiteWise components.
Note: To streamline the installation process during the workshop, the CloudFormation template is configured to automatically deploy AWS IoT Greengrass V2 and AWS IoT SiteWise components on the AWS Cloud9 environment. Once the CloudFormation template is launched, a fully functional AWS IoT Greengrass environment will be running via a Docker container with the components deployed and running on the AWS IoT Greengrass core device. For more details you can check out AWS IoT Greengrass Accelerators project.
S3 bucket with an auto-generated name.
VPC with public subnet and Security Groups for Cloud9 and EC2 instances.
IAM user to provide credentials for the Cloud9 environment.
Lambda function to create CNC machine model and asset in AWS IoT SiteWise.
Mosquitto based MQTT broker deployed on an EC2 instance. The Mosquitto MQTT broker is used as an external broker to receive the simulated malicious data.
Amazon SNS topic to notify you when the AWS IoT Device Defender report is ready.
Lambda function that imports the Device Defender findings into AWS Security Hub.
Industrial customers increasingly use IIoT solutions as part of their industrial digital transformation. This introduces new risk to OT, making it important for customers to understand, prioritize, and plan cyber security when implementing IIoT solutions.
AWS recommends a multi-layered security approach to secure IIoT solutions using the ten security golden rules and establishing an OT/IIoT cyber security program. In this blog post, we introduced you to a new security workshop resource that will help you implement the following IIoT security golden rules using multiple AWS services and features:
Golden Rule #3 Unique identity & Least privilege access using AWS IoT identities & AWS IoT policies
Golden Rule #6 Convert insecure protocols to secure protocols and configure OPC UA for secure communications
Golden Rule #7 Device hardening by securing secrets using AWS IoT Greengrass and AWS Secrets Manager and establishing secure cloud connections to AWS IoT services
Golden Rule #8 Auditing (against IoT security best practices) using AWS IoT Device Defender audit and security monitoring using AWS IoT Device Defender Detect and AWS Security Hub
Golden Rule #9 Incident response using AWS IoT Device Defender and AWS Security Hub
This blog post reviewed some of the best practices for keeping your IIoT infrastructure secure using AWS’s multilayered security approach and comprehensive security services and features. Industrial IoT security at AWS is built on open standards such as MQTT, OPC UA and ISA/IEC 62443. Industrial customers have lots of choices and flexibility with AWS security services; customers can pick and choose what they need and integrate with what they have. AWS provides customers with an easier, faster, and more cost-effective path towards comprehensive, continuous, and scalable IIoT security, compliance, and governance solutions. To learn more, go to AWS Industrial Internet of Things, AWS Security Best Practices for Manufacturing OT, Securing IoT with AWS whitepaper and AWS IoT Lens.
About the authors
Ryan Dsouza is a Principal Solutions Architect for industrial IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building, and industrial automation, OT/IT convergence and IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.
Ameer Hakme is an AWS Solutions Architect based in Pennsylvania. He works with independent software vendors in the Northeast to help them design and build scalable and modern platforms on the AWS Cloud. In his spare time, he enjoys riding his motorcycle and spending time with his family.
Umesh Kalaspurkar is a New York based Solutions Architect for AWS. He brings more than 20 years of experience in design and delivery of Digital Innovation and Transformation projects, across enterprises and startups. He is motivated by helping customers identify and overcome challenges. Outside of work, Umesh enjoys being a father, skiing, and traveling.