Cloud computing, in its simplest definition, can be defined as the ability to use computing services over the internet at any time. With on-premises systems being gradually phased out and CAPEX and OPEX prices declining, cloud computing has entirely transformed the IT industry. The IIoT and OT industries are currently being shaken by the recent expansion of services offered under the banner of cloud computing.
The use of hardware and software to monitor and manage physical processes, devices, and infrastructure is known as operational technology (OT).
Since IT and OT are frequently conflated, it’s crucial to comprehend their differences. Information technology (IT) controls data whereas operational technology(OT) controls the equipment. Information Technologies (IT) is particularly concerned with protecting the confidentiality, availability, and integrity of systems and data.
In an OT setting, traditional IT segmentation is inadequate. We have depended on strong perimeter security for many years to monitor communications related to north-south traffic at the network level. However, the construction of traditional IT segmentation including intricate VLAN and firewall configurations takes time. Additionally, OT environments have a low tolerance for extended downtimes, particularly when it comes to pipelines, power plants, etc.
Additionally, IT firewalls can’t completely reveal which set of packet exchanges are authorized in an OT context.
For its guidance on industrial control systems architecture, the well-known Purdue Enterprise Reference Architecture (PERA) Model has emerged as an iconic standard in the automation industry. The Purdue Model’s layer separation and definition of how machines and processes should operate and interact have contributed to industrial communication security.
In the PERA model, the industrial network is divided into 6 levels.
- Level 4/5 (Enterprise Zone): Applications and corporate IT infrastructure are located here. It is crucial to separate this level from the ICS environment.
- Level 3.5 (DMZ): This level is responsible for communication between IT and OT levels and other untrusted communications. Level 3 (Industrial Zone): ICS activities are managed at Level 3. Historians, EWS, and DNS reside at this level
- Level 2 (Control Zone): Here are the HMIs that control the Distributed Control Systems (DCS), Remote Terminal Units (RTU), and Programmable Logic Controllers (PLC), each of which has a unique OS and security flaws specific to the vendor.
- Level 1: The control devices are on Level 1. This level is where the PLC, RTU, and DCS are located and is often the only level to which they are connected.
- Level 0: Devices that are connected on this level include those that are essential to the operation of the facility. Motors, sensors, valves, and other components make up these gadgets.
Since the IT world has been acquainted with either pure or hybrid cloud technologies for a long time, Level4/5 has transitioned to Cloud, but this hybrid structure now spreads to other Purdue levels thanks to the following #AWS technologies.
Purdue Model Aligned to AWS Cloud
As can be seen, it is difficult to implement the Purdue Model in a hybrid IoT project, but reinterpreting and using the Purdue Model and its security principles is important to design a Well-Architected IoT framework.
In this context, the following AWS Modules can be used to build an architecture based on the Purdue model. Of course, AWS’s IoT capabilities are not limited to these, but the rest will be the subject of another article.
AWS IoT GreenGrass: You may develop, distribute, and manage device software using Greengrass, an open-source edge runtime and cloud service for the Internet of Things (IoT). For their Internet of Things (IoT) applications, customers deploy AWS IoT Greengrass on millions of devices in their homes, factories, cars, and companies. You may configure your devices to filter and aggregate device data, perform predictions based on machine learning models, act locally on the data they produce, and only send the essential data to the cloud.
IoT AWS Greengrass makes it simple and quick to create software for intelligent devices. AWS IoT Greengrass offers prebuilt components to quicken application development and enables local processing, messaging, data management, and ML inference. IoT AWS Greengrass further offers a safe solution to securely link your edge devices to any AWS service.
Thanks to the Lambda Functions we will write for IoT Greengrass, you can interpret protocols such as MQTT or OPC, which are widely used in the OT/IoT and IIoT world, and transfer data to Cloud for further processing.
AWS IoT SiteWise: AWS IoT SiteWise is a managed service that makes it simple to gather, arrange, and analyze data from industrial equipment at scale. Industrial enterprises can use AWS IoT SiteWise to monitor and enhance operations at a single industrial site or across several sites, comprehend and quickly address equipment problems, and display operational data of devices and equipment with the SiteWise Monitor feature.
AWS IoT Core: AWS IoT Core services connect IoT devices to AWS IoT services and other AWS services. AWS IoT Core includes the device gateway and the message broker, which connect and process messages between your IoT devices and the cloud.
AWS IoT Device Defender: The security service AWS IoT Device Defender enables you to audit the configuration of your devices, keep an eye on connected devices to spot strange activity, and reduce security threats.
It enables you to immediately react when devices are compromised and apply uniform security policies throughout your fleet of AWS IoT devices. You can think of AWS IoT Defender as the cybersecurity layer in Purdue Model.
In the next post in the series, we’ll take a look at the protocols specific to the IoT world and how to handle these protocols.
Top comments (0)