Capability 1. Providing secure edge computing and connectivity
This capability supports best practices 3, 4, and 5 from the AWS SRA best practices for IoT.
Rationale
As industrial operations increasingly adopt cloud technologies, there's a growing need to bridge the gap between traditional OT systems and modern IT infrastructure. This capability addresses the necessity for secure, low-latency processing at the edge while also ensuring robust connectivity to AWS Cloud resources. By implementing edge gateways and secure connectivity methods, organizations can maintain the performance and reliability required for critical industrial processes while they take advantage of the scalability and advanced analytics capabilities of cloud services.
This capability is also essential for maintaining a strong security posture in IIoT and OT environments. OT systems often involve legacy devices and protocols that might lack built-in security features and become vulnerable to cyber threats. By incorporating secure edge computing and connectivity solutions, organizations can implement crucial security measures such as network segmentation, protocol conversion, and secure tunnelling closer to the data source. This approach helps protect sensitive industrial data and systems and also enables compliance with industry-specific security standards and regulations. Additionally, it provides a framework for securely managing and updating edge devices, which further enhances the overall security and reliability of IIoT and OT deployments.
Security considerations
The implementation of secure edge computing and connectivity in IoT, IIoT, and OT solutions presents a multifaceted risk landscape. Key threats include inadequate network segmentation between IT and OT systems, security weaknesses in legacy industrial protocols, and the inherent limitations of edge devices that have limited resources. These factors create potential entry points and avenues for threat propagation. The transmission of sensitive industrial data between edge devices and cloud services can also introduce risks of interception and manipulation, and insecure cloud connections can expose systems to internet-based threats. Additional concerns include the potential for lateral movement within industrial networks, lack of visibility into edge device activities, physical security risks for remotely located infrastructure, and supply chain vulnerabilities that can introduce compromised components. Collectively, these threats underscore the critical need for robust security measures in edge computing and connectivity solutions for industrial environments.
Remediations
Data protection
To address data protection concerns, implement encryption for data in transit and at rest. Use secure protocols such as MQTT over TLS, HTTPS, and WebSockets over HTTPS. For communications with IoT devices, and generally within IoT industrial edge environments, consider using secure versions of industrial protocols such as CIP Security, Modbus Secure, and Open Platform Communications Unified Architecture (OPC UA) with security mode enabled. When secure protocols aren't natively supported, employ protocol converters
In the context of the AWS SRA for IoT, IIoT, and OT environments, secure protocol usage and conversion should be implemented at multiple levels:
- Level 1. By using an AWS IoT SiteWise Edge gateway connected to an industrial data source that supports OPC UA with security mode.
- Level 2. By using an AWS IoT SiteWise Edge gateway combined with a partner data source that supports legacy protocols to achieve required protocol conversion.
- Level 3. By using a secure local MQTT broker configuration with MQTT brokers that are supported through AWS IoT Greengrass.
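As an added example (not code from the AWS SRA), the following Python builds the TLS context an edge MQTT client would use for MQTT over TLS on port 8883 and audits a context for the weak settings that are commonly loosened at the edge. File paths are placeholders, and paho-mqtt's client.tls_set_context is the assumed client library.

```python
import ssl
from typing import List, Optional

# Added example: TLS settings for MQTT over TLS from an edge gateway.
# File paths are placeholders; supply your own PKI material.

def build_mqtt_tls_context(ca_file: Optional[str] = None,
                           cert_file: Optional[str] = None,
                           key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses TLS < 1.2, verifies the broker's
    certificate and hostname, and presents a client certificate (mutual TLS)
    when cert_file and key_file are given. Hand it to an MQTT library, for
    example paho-mqtt's client.tls_set_context(ctx), then connect on 8883."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # broker name must match its cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject unverifiable brokers
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private/broker CA
    else:
        ctx.load_default_certs()                   # OS trust store
    if cert_file and key_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context (empty list = OK).
    Catches the three settings most often loosened 'to make it work' at
    the edge: no peer verification, no hostname check, old TLS versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("broker certificate is not verified")
    if not ctx.check_hostname:
        findings.append("broker hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def insecure_context_for_comparison() -> ssl.SSLContext:
    """The 'just make it connect' configuration, for audit comparison only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx
```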
Identity and access management
Implement robust identity and access management practices to mitigate unauthorized access risks. Use strong authentication methods, including multi-factor authentication where possible, and apply the principle of least privilege. For edge device management, use AWS Systems Manager
Network security
Secure connectivity between the industrial edge and the AWS Cloud is a critical component for the successful deployment of IoT, IIoT, and OT workloads in the cloud. As shown in the AWS SRA, AWS offers multiple ways and design patterns to establish a secure connection to the AWS environment from the industrial edge.
The connection can be achieved in one of three ways:
- By setting up a secure VPN connection to AWS over the internet
- By establishing a dedicated private connection through AWS Direct Connect
- By using secure TLS connections to AWS IoT public endpoints
These options provide a reliable and encrypted communication channel between the industrial edge and the AWS infrastructure, in alignment with the security guidelines outlined in the National Institute of Standards and Technology (NIST) Guide to Operational Technology (OT) Security (NIST SP 800-82 Rev. 3)
After you establish a secure connection to workloads running in AWS and to AWS services, use virtual private cloud (VPC) endpoints whenever possible. VPC endpoints enable you to connect privately to supported Regional AWS services without using the public IP addresses of these AWS services. This approach further helps enhance security by establishing private connections between your VPC and AWS services, and aligns with NIST SP 800-82 Rev. 3 recommendations for secure data transmissions and network segmentation.
You can configure VPC endpoint policies to control and limit access to only the required resources, applying the principle of least privilege. This helps reduce the attack surface and minimize the risk of unauthorized access to sensitive IoT, IIoT, and OT workloads. If the VPC endpoint for the required service isn't available, you could establish a secure connection by using TLS over the public internet. The best practice in such scenarios is to route these connections through a TLS proxy and a firewall, as shown previously in the Infrastructure OU – Network account section.
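As an added example (not from the AWS SRA), here are two constructed VPC endpoint policies, an open one and one scoped to a single gateway role and SiteWise action, plus a small Python check that flags the wildcard grants the open policy contains. Account, role and organization IDs are placeholders, and the SiteWise action and ARN form are assumed to be the ones the gateway needs.

```python
import json
from typing import Dict, List

# Constructed policies (not from the AWS SRA); account, role, Region and
# organization ID values are placeholders.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/EdgeGatewayRole"},
    "Action": ["iotsitewise:BatchPutAssetPropertyValue"],
    "Resource": "arn:aws:iotsitewise:us-east-1:111122223333:asset/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overly_broad_statements(policy: Dict) -> List[str]:
    """Flag Allow statements whose Principal (without a Condition), Action or
    Resource is an unrestricted wildcard. Empty list = nothing to report."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (principal == "*" or "*" in aws_principals) and not st.get("Condition"):
            findings.append(f"statement {i}: Principal '*' with no Condition")
        for field in ("Action", "Resource"):
            for value in _as_list(st.get(field, [])):
                if value == "*" or value.endswith(":*"):
                    findings.append(f"statement {i}: {field} '{value}' is a wildcard")
    return findings
```

Run the check in a pipeline before attaching a policy to an endpoint; anything it reports is a grant wider than the gateway's one job.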
Some environments might have requirements to send data in one direction to AWS while physically blocking traffic in the opposite direction. If your environment has this requirement, you can use data diodes and unidirectional gateways. Unidirectional gateways consist of a combination of hardware and software. The gateway is physically able to send data in only one direction, so there is no possibility of IT-based or internet-based security events pivoting into the OT networks. Unidirectional gateways can be a secure alternative to firewalls. They meet several industrial security standards, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP),