Saturday, June 22, 2024
HomeIoTSecurely sending industrial knowledge to AWS IoT companies utilizing unidirectional gateways

Securely sending industrial knowledge to AWS IoT companies utilizing unidirectional gateways


Important infrastructure clients are challenged to make industrial networks extra accessible with out considerably growing cybersecurity dangers. That is due partly to the frequent follow of utilizing Industrial IoT (IIoT) and cloud applied sciences to research massive volumes of business knowledge to enhance operational efficiencies. To achieve success, this follow requires a steadiness between advancing digitization to stay aggressive and securing crucial infrastructure methods.

Lots of the Industrial Management Techniques (ICS) and Operational Know-how (OT) utilized in crucial infrastructure have know-how with little or no built-in safety. Connecting these methods to exterior, untrusted networks poses safety dangers since these methods help the secure operation of crucial infrastructure. So, how are you going to safely and securely join these methods to the cloud to get the advantages from cloud choices with out including threat to the ICS/OT methods?

AWS recommends following the ten safety golden guidelines for IIoT options. These guidelines advocate to deploy safety home equipment, equivalent to unidirectional gateways, to manage knowledge circulate and set up safe connections to exterior, untrusted networks and cloud companies.

Unidirectional gateways permit OT/IIoT knowledge to be despatched from the OT community to the IT community and Cloud in a single course whereas bodily blocking site visitors in the other way. Unidirectional gateways generally is a safe different to firewalls. They meet a number of industrial safety requirements, equivalent to NERC CIP, ISA/IEC 62443, NEI 08-09, NRC 5.71, and TS50701. They’re additionally supported by the Trade IoT Consortium’s Industrial Web Safety Framework, who supplies steering on defending security networks and management networks with unidirectional gateway know-how. NIST SP 800-82 states that utilizing unidirectional gateways could present extra protections related to system compromises at larger ranges or tiers inside the surroundings. For instance, a unidirectional gateway deployed between Layers 2 and three could defend Layer 0, 1, and a couple of gadgets from a cybersecurity occasion that happens at Layers 3, 4, or 5. For extra info, discuss with the Purdue Enterprise Reference Structure (PERA).

On this weblog, we talk about two choices to ship OT/IIoT knowledge to AWS utilizing unidirectional gateways. You should use Waterfall Safety’s Unidirectional Cloud Gateway to ship OT/IIoT knowledge to AWS IoT SiteWise or AWS IoT Core to help IIoT, Trade 4.0, and AI/ML use instances. For instance, to enhance operational efficiencies and cut back unplanned downtime in crucial infrastructure operations. This method permits clients in crucial infrastructure sectors and controlled industries to make the most of AWS Cloud companies whereas limiting the dangers to their ICS/OT environments.

Resolution Overview

Unidirectional gateways are a mixture of {hardware} and software program. Unidirectional gateway {hardware} is bodily in a position to ship knowledge in just one course, whereas the gateway software program replicates servers and emulates gadgets. Because the gateway is bodily in a position to ship knowledge in just one course, there isn’t a risk of IT-based or internet-based safety occasions pivoting into the OT networks. The gateway’s reproduction servers and emulated gadgets simplify OT/IT integration.

A typical unidirectional gateway {hardware} implementation consists of a community equipment containing two separate circuit boards joined by a fiberoptic cable. The “TX,” or “transmit,” board incorporates a fiber-optic transmitter, and the “RX,” or “obtain,” board incorporates a fiber-optic receiver. Not like standard fiber-optic communication parts, that are transceivers, the TX equipment doesn’t comprise a receiver and the RX equipment doesn’t comprise a transmitter. As a result of there isn’t a laser within the receiver, there isn’t a bodily method for the receiving circuit board to ship any info again to the transmitting board. The equipment can be utilized to transmit info out of the management system community into an exterior community, or on to the web, with out the chance of a cyber occasion or one other sign returning into the management system.

Determine 1 reveals how a unidirectional gateway replicates historian knowledge from an industrial community to an exterior community, equivalent to an enterprise IT community or Cloud. Unidirectional gateway software program working on the economic circuit board connects to the economic historian database and points queries to the database. Historic knowledge retrieved from the economic database is shipped throughout the unidirectional gateway {hardware} to software program working on the board related to the exterior community. That software program registers as a shopper of the reproduction historian database. It then points insert requests to that database asking the database to retailer all of the timestamped knowledge acquired from the economic community. Customers and purposes on the exterior community that want entry to the historic knowledge can entry the reproduction historian. This method isolates and protects the economic methods within the industrial community.

Determine 1: Historian knowledge replication utilizing a Unidirectional gateway (courtesy Waterfall Safety Options)

Possibility 1: Sending OT/IIoT knowledge to AWS IoT SiteWise

Determine 2 reveals how one can ship industrial knowledge to AWS IoT SiteWise utilizing a unidirectional gateway. AWS IoT SiteWise is a managed service that simplifies amassing, organizing, and analyzing industrial tools knowledge at scale. The Waterfall gateway equipment reads OPC UA knowledge from an OPC UA server and hosts a reproduction OPC UA server for the IT community. An AWS IoT SiteWise Edge gateway working on AWS IoT Greengrass reads the OPC UA knowledge from the reproduction OPC UA server and sends that knowledge to AWS IoT SiteWise within the cloud. The info is saved in AWS IoT SiteWise and might be visualized in AWS IoT SiteWise Monitor. AWS IoT SiteWise Edge software program makes it straightforward to gather, arrange, course of, and monitor tools knowledge on-premises. AWS IoT SiteWise Monitor is a characteristic of AWS IoT SiteWise that you should use to create portals within the type of a managed net utility. You possibly can then use these portals to view and share your industrial/operational knowledge.

Determine 2 – Sending industrial tools knowledge utilizing a unidirectional gateway to AWS IoT SiteWise

Resolution Overview


1. Setup AWS IoT Greengrass

AWS IoT Greengrass is an open-source edge runtime and cloud service for constructing, deploying, and managing gadget software program. With AWS IoT Greengrass put in, you possibly can deploy AWS IoT SiteWise Edge gateways to gather industrial knowledge utilizing industrial protocols equivalent to OPC UA.

2. Deploy AWS IoT SiteWise Edge gateway software program

AWS IoT SiteWise gateways run on AWS IoT Greengrass V2 as an IoT Greengrass element that helps knowledge assortment and processing on premises. On this step, you deploy the AWS IoT SiteWise Edge gateway software program for knowledge assortment utilizing OPC UA and configure the OPC UA settings.

3. Mannequin the belongings in AWS IoT SiteWise

Mannequin the belongings to create digital representations of your industrial operation with AWS IoT SiteWise. An asset represents a tool, a bit of apparatus, or a course of that uploads a number of knowledge streams to the AWS Cloud.

4. Configure AWS IoT SiteWise Monitor dashboard

Create a dashboard to observe key working parameters and efficiency metrics on your belongings utilizing AWS IoT SiteWise Monitor and take essential actions when wanted in near-real time.


5. Setup the OPC UA shopper on the Waterfall unidirectional gateway equipment

Use the unidirectional gateway’s web-based consumer interface on the economic community. Log in and configure an OPC UA knowledge supply. Enter the host title/IP deal with and login credentials. Additionally, embrace directions about copying all knowledge factors within the OPC UA server (the default), or choose the components of the OPC UA namespace that may be copied to the IT community.

  • Waterfall TX acts as a local OPC UA shopper that reads knowledge from the OPC UA server on the shopper’s industrial system in actual time.
  • Waterfall RX acts as a reproduction of the economic OPC UA server and permits OPC UA purchasers on the enterprise community to learn the replicated knowledge.

For detailed directions, discuss with the Waterfall Safety product documentation.

Possibility 2: Sending OT/IIoT knowledge to AWS IoT Core

Determine 3 reveals how one can ship industrial knowledge to AWS IoT Core by a unidirectional gateway and utilizing the MQTT protocol. Messages can then be routed to completely different AWS companies (equivalent to AWS IoT Occasions, AWS Lambda, Amazon Kinesis, Amazon Easy Storage Service (Amazon S3), and Amazon Timestream) for processing utilizing the AWS IoT guidelines engine. The Waterfall Unidirectional Gateway is an MQTT dealer on the economic community. It receives MQTT messages from industrial methods and sends that knowledge by the gateway to the Waterfall shopper, which then sends the info to AWS IoT Core.

Determine 3 – Sending industrial tools knowledge utilizing a unidirectional gateway to AWS IoT Core

Resolution Overview


1. Setup Amazon Timestream to retailer the info originating from the economic database.

On this situation, we use Timestream which is a quick, scalable, and serverless time-series database. Nonetheless, you should use different purpose-built AWS Cloud databases.

2. Create an AWS IoT Factor with certificates and guidelines to ship knowledge to Timestream.

On this step, the Waterfall Unidirectional gateway is created as an IoT Factor in AWS IoT Core with an IoT certificates and IoT coverage. A rule is configured to ship knowledge acquired by AWS IoT Core to Timestream. Timestream integrates with generally used companies for visualization and machine studying. For instance, you possibly can visualize knowledge utilizing Amazon QuickSight or Amazon Managed Grafana, and use Amazon SageMaker for machine studying.

3. Create and setup the Amazon Managed Grafana dashboard to visualise knowledge.

4. Configure the Amazon Managed Grafana dashboard and create the graphs.

5. Visualize your time collection OT/IIoT knowledge and create alerts utilizing Amazon Managed Grafana.


6. Setup an MQTT connector by the Waterfall web-based consumer interface on the economic and the IT sides of the unidirectional gateway equipment.

For detailed directions, discuss with Waterfall Safety product documentation.


On this submit, you discovered stream OT/IIoT knowledge to AWS IoT SiteWise and AWS IoT Core utilizing the Waterfall Unidirectional Cloud Gateway. This answer permits regulated industries and significant infrastructure sectors to make the most of cloud companies in AWS (equivalent to IoT and AI/ML) whereas stopping distant occasions from penetrating again into protected industrial networks. Whereas the unidirectional gateway simplifies OT/IT integration and helps enhance the safety posture, it’s only one facet when designing safe OT/IIoT community architectures. AWS recommends a multi-layered method to safe the ICS/OT, IIoT, and cloud environments as described in the ten safety golden guidelines for IIoT options.


Ryan Dsouza AWS

Ryan Dsouza is a Principal Industrial IoT (IIoT) Safety Options Architect at AWS. Primarily based in New York Metropolis, Ryan helps clients design, develop, and function safer, scalable, and modern IIoT options utilizing the breadth and depth of AWS capabilities to ship measurable enterprise outcomes. Ryan has over 25 years of expertise in digital platforms, good manufacturing, vitality administration, constructing and industrial automation, and OT/IIoT safety throughout a various vary of industries. Ryan is enthusiastic about bringing safety to all related gadgets and being a champion of constructing a greater, safer, and extra resilient world for everybody. Earlier than AWS, Ryan labored for Accenture, SIEMENS, Common Electrical, IBM, and AECOM, serving clients for his or her digital transformation initiatives.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments