Securely manage and access computing resources - Security Best Practices for Manufacturing OT

Securely manage and access computing resources

Keeping computing resources up to date, securely accessing them for configuration and management, and automatically deploying changes can be challenging. This issue is exacerbated by the disparate hardware and software systems used for compute, which makes it hard to apply best practices consistently. It often leads to more open permissions and more security exposure than needed (for example, a traditional approach to managing an edge gateway remotely would typically open RDP or SSH ports and/or a VPN solution, increasing the security risk for the gateway). AWS provides options to securely manage existing compute resources (AWS Systems Manager) and IoT resources (AWS IoT Device Management, AWS IoT Greengrass), and also provides a fully managed infrastructure service (AWS Outposts) that makes it easy to apply best practices consistently to all resources. Figure 13 highlights some of these best practices.

  • Manage and monitor on-premises resources with Systems Manager — AWS Systems Manager is an AWS service that you can use to view and control your computing resources both on-premises and on AWS. Using the Systems Manager console, you can view operational data from all managed instances and automate operational tasks across your managed resources. Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects.

You can install the AWS Systems Manager Agent (SSM Agent) on on-premises infrastructure and configure it to connect to the AWS Systems Manager service in your AWS account. SSM Agent communicates with AWS services outbound over HTTPS (port 443) and doesn't require any inbound ports to be opened for connectivity.

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your EC2 instances, on-premises instances such as edge gateways, and virtual machines (VMs) through an interactive, one-click, browser-based shell, or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.

  • Use AWS provided on-premises infrastructure solutions to simplify management and monitoring — AWS provides solutions for a hybrid cloud environment enabling consistent experiences across AWS and on-premises environments. AWS Outposts is a fully managed hybrid solution that extends the AWS cloud to the on-premises environment, bringing the same AWS infrastructure, services, APIs, management tools, support, and operating model as the AWS Cloud. AWS Outposts can be securely managed from the cloud. It can be used to run a wide variety of traditional on-premises manufacturing applications (SCADA/MES) along with edge applications. It provides a secure and consistent experience of managing and accessing on-premises resources in a similar way to AWS Cloud resources. It also makes it easy to leverage AWS services (such as CloudWatch and Systems Manager) for continuous monitoring and management.

The AWS Snow Family provides highly secure portable devices to collect and process data at the edge. They are designed to operate offline and offer localized management, monitoring, and task automation features through the AWS OpsHub application. The AWS Snow Family also offers security features such as security groups and local IAM users, roles, and policies. This lets customers implement security as code and reason about permissions in the same way they would in a full cloud environment.

  • For IoT devices, use secure tunneling for AWS IoT device management — AWS IoT devices can use secure tunneling to establish bidirectional communication with remote devices over a secure connection that is managed by AWS IoT. Secure tunneling does not require updates to your existing inbound firewall rules, so customers can keep the same security level provided by the firewall rules at a remote site. The access permissions for the tunnel can be managed in the cloud with IAM permission policies, offering customers a consistent way to manage access.

For example, suppose a sensor device located at a factory a few hundred miles away is having trouble measuring the factory temperature. You can use secure tunneling to open and quickly start a session to that sensor device. After you have identified the problem (for example, a bad configuration file), you can reset the file and restart the sensor device through the same session. Compared to more traditional troubleshooting (for example, sending a technician to the factory to investigate the sensor device), secure tunneling decreases incident response and recovery time as well as operational costs.
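As an added example (not from this whitepaper or from AWS), the following Python check audits the IAM policies that govern the two remote-access paths described above, Session Manager and secure tunneling: it flags Allow statements that grant `ssm:StartSession` or `iot:OpenTunnel` without resource or condition scoping, and contrasts a constructed permissive policy with a scoped one. The account id, region, tag key and thing names in the sample policies are placeholders.

```python
"""Least-privilege check for remote-access IAM policies (added example, not AWS code).
Flags Allow statements granting ssm:StartSession or iot:OpenTunnel that are not
scoped to specific resources and conditions."""
import fnmatch

REMOTE_ACCESS_ACTIONS = ("ssm:StartSession", "iot:OpenTunnel")

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list:
    """Return one finding per weakness in statements that grant remote access."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        actions = _as_list(st["Action"])
        # IAM action names match case-insensitively and may contain '*' wildcards.
        hits = [a for a in REMOTE_ACCESS_ACTIONS
                if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in actions)]
        if not hits:
            continue
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: {hits} allowed on Resource '*'")
        if "Condition" not in st:
            findings.append(f"statement {i}: {hits} has no Condition (no tag, thing or service scoping)")
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard Action {actions} also covers {hits}")
    return findings

# Constructed sample policies; account id, region, tag and names are placeholders.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:*", "iot:OpenTunnel"], "Resource": "*"}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # Session Manager: only hybrid managed nodes tagged Site=plant-7
        "Effect": "Allow", "Action": "ssm:StartSession",
        "Resource": "arn:aws:ssm:us-east-1:111122223333:managed-instance/*",
        "Condition": {"StringEquals": {"ssm:resourceTag/Site": "plant-7"}}},
    {   # Session Manager: only the standard shell document, with the document check enforced
        "Effect": "Allow", "Action": "ssm:StartSession",
        "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
        "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
    {   # Secure tunneling: only the plant's sensor things, only an SSH destination service
        "Effect": "Allow", "Action": "iot:OpenTunnel",
        "Resource": ["arn:aws:iot:us-east-1:111122223333:tunnel/*",
                     "arn:aws:iot:us-east-1:111122223333:thing/plant7-temp-sensor-*"],
        "Condition": {"ForAllValues:StringEquals": {"iot:TunnelDestinationService": ["SSH"]}}}]}
```

Running `audit_policy(WEAK_POLICY)` returns three findings (wildcard resource, missing condition, wildcard action), while the scoped policy returns none.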


Figure 13: Securely manage and access computing resources (diagram)