Friday, July 19, 2024

Securely sending industrial information to AWS IoT companies utilizing unidirectional gateways

Securely sending industrial information to AWS IoT companies utilizing unidirectional gateways


Essential infrastructure clients are challenged to make industrial networks extra accessible with out considerably growing cybersecurity dangers. That is due partially to the widespread follow of utilizing Industrial IoT (IIoT) and cloud applied sciences to investigate giant volumes of commercial information to enhance operational efficiencies. To achieve success, this follow requires a stability between advancing digitization to stay aggressive and securing vital infrastructure programs.

Most of the Industrial Management Techniques (ICS) and Operational Expertise (OT) utilized in vital infrastructure have expertise with little or no built-in safety. Connecting these programs to exterior, untrusted networks poses safety dangers since these programs assist the secure operation of vital infrastructure. So, how are you going to safely and securely join these programs to the cloud to get the advantages from cloud choices with out including threat to the ICS/OT programs?

AWS recommends following the ten safety golden guidelines for IIoT options. These guidelines advocate to deploy safety home equipment, akin to unidirectional gateways, to regulate information stream and set up safe connections to exterior, untrusted networks and cloud companies.

Unidirectional gateways enable OT/IIoT information to be despatched from the OT community to the IT community and Cloud in a single route whereas bodily blocking site visitors in the wrong way. Unidirectional gateways is usually a safe different to firewalls. They meet a number of industrial safety requirements, akin to NERC CIP, ISA/IEC 62443, NEI 08-09, NRC 5.71, and TS50701. They’re additionally supported by the Business IoT Consortium’s Industrial Web Safety Framework, who offers steerage on defending security networks and management networks with unidirectional gateway expertise. NIST SP 800-82 states that utilizing unidirectional gateways could present further protections related to system compromises at larger ranges or tiers inside the surroundings. For instance, a unidirectional gateway deployed between Layers 2 and three could shield Layer 0, 1, and a couple of units from a cybersecurity occasion that happens at Layers 3, 4, or 5. For extra data, check with the Purdue Enterprise Reference Structure (PERA).

On this weblog, we focus on two choices to ship OT/IIoT information to AWS utilizing unidirectional gateways. You should utilize Waterfall Safety’s Unidirectional Cloud Gateway to ship OT/IIoT information to AWS IoT SiteWise or AWS IoT Core to assist IIoT, Business 4.0, and AI/ML use instances. For instance, to enhance operational efficiencies and scale back unplanned downtime in vital infrastructure operations. This method allows clients in vital infrastructure sectors and controlled industries to make the most of AWS Cloud companies whereas limiting the dangers to their ICS/OT environments.

Resolution Overview

Unidirectional gateways are a mix of {hardware} and software program. Unidirectional gateway {hardware} is bodily in a position to ship information in just one route, whereas the gateway software program replicates servers and emulates units. For the reason that gateway is bodily in a position to ship information in just one route, there isn’t any chance of IT-based or internet-based safety occasions pivoting into the OT networks. The gateway’s duplicate servers and emulated units simplify OT/IT integration.

A typical unidirectional gateway {hardware} implementation consists of a community equipment containing two separate circuit boards joined by a fiberoptic cable. The “TX,” or “transmit,” board incorporates a fiber-optic transmitter, and the “RX,” or “obtain,” board incorporates a fiber-optic receiver. Not like standard fiber-optic communication elements, that are transceivers, the TX equipment doesn’t include a receiver and the RX equipment doesn’t include a transmitter. As a result of there isn’t any laser within the receiver, there isn’t any bodily approach for the receiving circuit board to ship any data again to the transmitting board. The equipment can be utilized to transmit data out of the management system community into an exterior community, or on to the web, with out the danger of a cyber occasion or one other sign returning into the management system.

Determine 1 exhibits how a unidirectional gateway replicates historian information from an industrial community to an exterior community, akin to an enterprise IT community or Cloud. Unidirectional gateway software program operating on the economic circuit board connects to the economic historian database and points queries to the database. Historic information retrieved from the economic database is distributed throughout the unidirectional gateway {hardware} to software program operating on the board related to the exterior community. That software program registers as a consumer of the duplicate historian database. It then points insert requests to that database asking the database to retailer all of the timestamped information obtained from the economic community. Customers and functions on the exterior community that want entry to the historic information can entry the duplicate historian. This method isolates and protects the economic programs within the industrial community.

Determine 1: Historian information replication utilizing a Unidirectional gateway (courtesy Waterfall Safety Options)

Choice 1: Sending OT/IIoT information to AWS IoT SiteWise

Determine 2 exhibits how one can ship industrial information to AWS IoT SiteWise utilizing a unidirectional gateway. AWS IoT SiteWise is a managed service that simplifies gathering, organizing, and analyzing industrial tools information at scale. The Waterfall gateway equipment reads OPC UA information from an OPC UA server and hosts a reproduction OPC UA server for the IT community. An AWS IoT SiteWise Edge gateway operating on AWS IoT Greengrass reads the OPC UA information from the duplicate OPC UA server and sends that information to AWS IoT SiteWise within the cloud. The info is saved in AWS IoT SiteWise and will be visualized in AWS IoT SiteWise Monitor. AWS IoT SiteWise Edge software program makes it straightforward to gather, set up, course of, and monitor tools information on-premises. AWS IoT SiteWise Monitor is a characteristic of AWS IoT SiteWise that you should utilize to create portals within the type of a managed internet software. You possibly can then use these portals to view and share your industrial/operational information.

Determine 2 – Sending industrial tools information utilizing a unidirectional gateway to AWS IoT SiteWise

Resolution Overview


1. Setup AWS IoT Greengrass

AWS IoT Greengrass is an open-source edge runtime and cloud service for constructing, deploying, and managing machine software program. With AWS IoT Greengrass put in, you’ll be able to deploy AWS IoT SiteWise Edge gateways to gather industrial information utilizing industrial protocols akin to OPC UA.

2. Deploy AWS IoT SiteWise Edge gateway software program

AWS IoT SiteWise gateways run on AWS IoT Greengrass V2 as an IoT Greengrass element that helps information assortment and processing on premises. On this step, you deploy the AWS IoT SiteWise Edge gateway software program for information assortment utilizing OPC UA and configure the OPC UA settings.

3. Mannequin the belongings in AWS IoT SiteWise

Mannequin the belongings to create digital representations of your industrial operation with AWS IoT SiteWise. An asset represents a tool, a bit of apparatus, or a course of that uploads a number of information streams to the AWS Cloud.

4. Configure AWS IoT SiteWise Monitor dashboard

Create a dashboard to observe key working parameters and efficiency metrics to your belongings utilizing AWS IoT SiteWise Monitor and take mandatory actions when wanted in near-real time.


5. Setup the OPC UA consumer on the Waterfall unidirectional gateway equipment

Use the unidirectional gateway’s web-based consumer interface on the economic community. Log in and configure an OPC UA information supply. Enter the host identify/IP handle and login credentials. Additionally, embrace directions about copying all information factors within the OPC UA server (the default), or choose the elements of the OPC UA namespace that may be copied to the IT community.

  • Waterfall TX acts as a local OPC UA consumer that reads information from the OPC UA server on the client’s industrial system in actual time.
  • Waterfall RX acts as a reproduction of the economic OPC UA server and allows OPC UA shoppers on the enterprise community to learn the replicated information.

For detailed directions, check with the Waterfall Safety product documentation.

Choice 2: Sending OT/IIoT information to AWS IoT Core

Determine 3 exhibits how one can ship industrial information to AWS IoT Core by means of a unidirectional gateway and utilizing the MQTT protocol. Messages can then be routed to completely different AWS companies (akin to AWS IoT Occasions, AWS Lambda, Amazon Kinesis, Amazon Easy Storage Service (Amazon S3), and Amazon Timestream) for processing utilizing the AWS IoT guidelines engine. The Waterfall Unidirectional Gateway is an MQTT dealer on the economic community. It receives MQTT messages from industrial programs and sends that information by means of the gateway to the Waterfall consumer, which then sends the info to AWS IoT Core.

Determine 3 – Sending industrial tools information utilizing a unidirectional gateway to AWS IoT Core

Resolution Overview


1. Setup Amazon Timestream to retailer the info originating from the economic database.

On this situation, we use Timestream which is a quick, scalable, and serverless time-series database. Nonetheless, you should utilize different purpose-built AWS Cloud databases.

2. Create an AWS IoT Factor with certificates and guidelines to ship information to Timestream.

On this step, the Waterfall Unidirectional gateway is created as an IoT Factor in AWS IoT Core with an IoT certificates and IoT coverage. A rule is configured to ship information obtained by AWS IoT Core to Timestream. Timestream integrates with generally used companies for visualization and machine studying. For instance, you’ll be able to visualize information utilizing Amazon QuickSight or Amazon Managed Grafana, and use Amazon SageMaker for machine studying.

3. Create and setup the Amazon Managed Grafana dashboard to visualise information.

4. Configure the Amazon Managed Grafana dashboard and create the graphs.

5. Visualize your time collection OT/IIoT information and create alerts utilizing Amazon Managed Grafana.


6. Setup an MQTT connector by means of the Waterfall web-based consumer interface on the economic and the IT sides of the unidirectional gateway equipment.

For detailed directions, check with Waterfall Safety product documentation.


On this publish, you realized methods to stream OT/IIoT information to AWS IoT SiteWise and AWS IoT Core utilizing the Waterfall Unidirectional Cloud Gateway. This resolution allows regulated industries and significant infrastructure sectors to make the most of cloud companies in AWS (akin to IoT and AI/ML) whereas stopping distant occasions from penetrating again into protected industrial networks. Whereas the unidirectional gateway simplifies OT/IT integration and helps enhance the safety posture, it’s only one facet when designing safe OT/IIoT community architectures. AWS recommends a multi-layered method to safe the ICS/OT, IIoT, and cloud environments as described in the ten safety golden guidelines for IIoT options.


Ryan Dsouza AWS

Ryan Dsouza is a Principal Industrial IoT (IIoT) Safety Options Architect at AWS. Primarily based in New York Metropolis, Ryan helps clients design, develop, and function safer, scalable, and progressive IIoT options utilizing the breadth and depth of AWS capabilities to ship measurable enterprise outcomes. Ryan has over 25 years of expertise in digital platforms, sensible manufacturing, power administration, constructing and industrial automation, and OT/IIoT safety throughout a various vary of industries. Ryan is captivated with bringing safety to all related units and being a champion of constructing a greater, safer, and extra resilient world for everybody. Earlier than AWS, Ryan labored for Accenture, SIEMENS, Basic Electrical, IBM, and AECOM, serving clients for his or her digital transformation initiatives.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles