The Internet of Things on AWS – Official Blog

Secure IIoT secondary sensing using AWS Snowcone and CloudRail

Introduction

One of the major barriers to Industrial IoT (IIoT) adoption is integrating modern IIoT solutions in brownfield environments with legacy components and systems. These legacy industrial components and systems could be 20, 30, 40 years old and are less capable of supporting modern security standards. Physically connecting legacy industrial systems to the cloud can be complex, costly, and time-consuming. Secondary sensing refers to equipping older machines (brownfield) with additional sensors to gather data for IIoT applications. We discussed secondary sensing and actuation for factories using AWS IoT and CloudRail Gateways. In this blog post, we provide guidance on an alternate approach and discuss the benefits of a secondary sensing solution using AWS Snowcone (Snowcone) running CloudRail.OS Docker application. This solution is a non-invasive, secure, and cost-effective way to collect and send OT data from brownfield environments to AWS IoT SiteWise without impacting safety and plant operations.

Background

To enable IIoT applications for improving operational efficiencies, reducing unplanned downtime, and improving product quality, data from machines and industrial equipment needs to be acquired and transferred to the edge and cloud for processing. A mixture of legacy and modern equipment, as well as a variety of different protocols can make this connectivity difficult to establish. Furthermore, industrial organizations are facing a new challenge as they try to merge the traditional physical world (Operational Technology or OT) and the digital world (Information Technology or IT). This is discussed in Managing Organizational Transformation for Successful OT/IT Convergence.

Introducing IIoT in brownfield environments can open new avenues for cyber events and needs additional security consideration, since it can result in connecting “insecure by design” legacy industrial control (ICS/OT) systems to external and untrusted networks like the internet. In brownfield IIoT deployments, new IIoT technologies co-exist with legacy brownfield systems. This integration of IT and OT introduces risk, since systems built for use on hostile networks are integrated with those that were not. IIoT has significantly widened the array of technologies available for use in industrial environments, such as secondary sensors. OT/IT convergence and the growth of IIoT increase the attack surface, which inherently increases the risk of compromise in these environments. For brownfield environments, AWS recommends following the Ten Security Golden Rules for IIoT solutions.

Solution architecture and components

The architecture in Figure 1 shows a secondary sensing solution using CloudRail.OS running on an AWS Snowcone acting as an edge gateway. An IO-Link Master is used to connect temperature and vibration IO-Link sensors to CloudRail.OS on Snowcone. Sensor data is securely sent to AWS IoT SiteWise in the AWS Cloud.

Figure 1: Secondary sensing architecture using CloudRail.OS on AWS Snowcone

A brief description of the solution components is as follows:

AWS Snowcone

AWS Snowcone is a small, rugged, and secure device offering edge computing and local data storage, in environments with little or no connectivity to the AWS Region. Snowcone is used to run IIoT applications in austere (non-data center) industrial edge environments. With 2 vCPUs, 4 GB of memory, and 8 TB of usable storage (14 TB for Snowcone SSD), Snowcone devices can come provisioned with several AWS services, including Amazon EC2, AWS NFS, and Amazon EBS, for secure, ruggedized data storage and compute ideal for IIoT and factory floor uses. Snowcone’s small size (8.94 inches long x 5.85 inches wide x 3.25 inches tall / 227 mm x 148.6 mm x 82.65 mm) enables you to set it next to machinery in a factory to collect, format, and transport data back to AWS for storage and analysis. All data on the Snowcone is always automatically encrypted and the Trusted Platform Module (TPM) provides hardware root of trust. Snowcone simplifies OT/IT integration by securely bridging OT and IT networks.

CloudRail

CloudRail is a fully managed plug-and-play solution to acquire data from industrial environments, pre-process it locally, and send it to AWS IoT Core, AWS IoT SiteWise, or AWS IoT Greengrass. CloudRail works for greenfield as well as brownfield applications. It uses industry standards like OPC-UA to connect modern equipment, while old machines are retrofitted with secondary sensors. A database of over 12,000 sensor definitions in combination with automated data transformation and device provisioning reduces the setup time for connecting a machine to the cloud from weeks to just hours. The optional support of AWS IoT Greengrass runs powerful logic locally on the edge device like data pre-processing or machine learning applications.

CloudRail.OS is provided as a container-based Docker application that runs on the Snowcone.

By combining CloudRail’s plug-and-play approach for connecting industrial assets to the cloud with the AWS Snowcone’s secure and rugged compute and storage offering, customers get an industrial-grade ruggedized solution. Due to the deep integration of CloudRail with AWS IoT services, data acquisition is simple, cost effective and scalable. The solution enables customers to quickly, easily, and securely collect OT data from brownfield environments to implement IIoT use cases.

IO-Link

IO-Link is a serial digital communication protocol used in industrial automation systems. It connects sensors and actuators to a programmable logic controller (PLC); the IO-Link standard defines a serial communication protocol that allows three types of data to be exchanged: process data, service data, and events.

IO-Link uses point-to-point connectivity between an IO-Link Master device and sensors rather than a message bus topology. Multiple IO-Link Masters can be connected to the Snowcone gateway box via an Ethernet connection. This allows a single gateway to support sensors and actuators across longer runs within a factory floor. Hundreds of IO-Link based sensors and actuators are supported by vendors such as IFM, Turck, Sick, Pepperl+Fuchs, or Balluff. IO-Link Design Guide can be used in designing IIoT solutions using IO-Link sensors and actuators.

Some of the benefits of the CloudRail.OS on AWS Snowcone IIoT secondary sensing solution are:

  1. IoT plug-and-play support for industrial secondary sensors and support for thousands of IO-Link sensors
  2. Reduce the time to connect an industrial machine to AWS
  3. Start small and quickly scale based on your learnings
  4. Ruggedized and industrial-grade AWS managed gateway appliance with AWS Snowcone
  5. Improve security with AWS Snowcone security features including TPM, for hardware root of trust and data encryption at rest by default using 256-bit keys
  6. Simplify OT/IT convergence by securely bridging OT and IT networks
  7. Improve safety and reduce downtime when adding secondary sensing to production sites without impacting production
  8. Optionally add security audit and monitoring using AWS IoT Device Defender to audit for security best practices and monitor for device anomalies

Solution Configuration

We will provide steps to build the architecture shown above (Figure 1). The steps will guide you from ordering a Snowcone to setting up CloudRail.OS on an EC2 instance running on the Snowcone.

I. Prerequisite steps:

  1. Procure sensors from your manufacturer of choice and request a CloudRail.OS container license here.
  2. Order a Snowcone device as per the steps listed here (Job type: Local compute and storage only).
  3. Download the Snowcone device credentials (‘unlock code’ and ‘manifest file’) as described here.
  4. Download AWS OpsHub on the local machine used to interact with the AWS Snowcone device via the GUI.
  5. Download the SnowballEdge Client on the local machine used to interact with the AWS Snowcone device via the CLI.
  6. Configure the SnowballEdge Client by navigating here.

II. Snowcone configuration

  1. Power on the Snowcone device and connect it to a local network device (router/switch) via an Ethernet connection or Wi-Fi.
  2. Configure RJ45 port 1 or RJ45 port 2 as DHCP/Static on the Snowcone’s display screen to obtain a local LAN IP address.
  3. Unlock the Snowcone using AWS OpsHub or the SnowballEdge Client.
  4. Launch the EC2 instance on the Snow device following the steps provided here. In this blog we will be using the default Amazon Linux AMI validated for use on Snow devices.

Figure 2: Launch the EC2 instance using AWS OpsHub for Snow

  5. Create a direct network interface (DNI) and attach it to the Amazon EC2 instance as per the steps explained here.

Note: DNI is only supported on the RJ45 interfaces. The DNI is required for communication between the IO-Link master and CloudRail.OS running on the EC2 instance.

Figure 3: SnowconeEdge CLI used to set up a Direct Network Interface (DNI)

III. CloudRail.OS set up

  1. SSH into the EC2 instance and update it:
$ ssh -i <key-pair.pem> ec2-user@x.x.x.x
$ sudo yum update -y
  2. Install Docker:
$ sudo amazon-linux-extras install docker
$ sudo service docker start
$ sudo systemctl enable docker
$ sudo usermod -a -G docker ec2-user
  3. Pull the latest container image from the Docker public repository. Steps to set up the container are found here. The latest CloudRail image is found here.

For example:

$ sudo docker pull cloudrailos/cr-container-os:beta-2.0.6
  4. The ‘cr-container-for-snow.zip’ contains the module credentials used by the container to connect to the CloudRail DMC. Configure the interface to be used as the field port for IO-Link master connectivity in container-config.json, then start the container.

For example:

$ sudo docker run -d --name cr-firmware \
    --net=host -v '/home/ec2-user/cr-container-for-snow/cr-agent/cr-container':/home/cr-container \
    cloudrailos/cr-container-os:beta-2.0.6
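The section III steps as one script, added here as an example and not code from the original post or from CloudRail or AWS. It uses the image tag and credentials mount path shown above; the DNI interface name (DNI_IFACE, default eth1) is an assumption. Before starting the gateway it adds two checks a defender would want: the image tag is pinned rather than mutable, and the bind-mounted module credentials directory is not readable by other local users on the instance.

```shell
#!/bin/sh
# Added example (not from the post, CloudRail or AWS): automates the section III
# container set-up on the Snowcone EC2 instance with two defender-side checks.
# Image tag and mount path are the ones shown in the post; DNI_IFACE is an
# assumption (the name the DNI-attached interface gets inside the instance).
set -eu

# Refuse a mutable tag: the image on the OT-facing host must be pinned
# (":beta-2.0.6", not ":latest") so what runs there can be reviewed and reproduced.
check_image_pinned() {
  case "$1" in
    *:latest) return 1 ;;
    *:*)      return 0 ;;
    *)        return 1 ;;
  esac
}

# The module credentials are bind-mounted into the container: the directory must
# exist and the group/other permission bits (columns 5-10 of ls -ld) must all be off.
check_creds_dir() {
  [ -d "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Builds the docker run line from the post (--net=host lets the container reach
# the IO-Link master through the DNI) and adds a restart policy so the gateway
# comes back after an instance reboot. Args: image, credentials directory.
build_run_cmd() {
  printf 'docker run -d --name cr-firmware --restart unless-stopped --net=host -v %s:/home/cr-container %s' "$2" "$1"
}

deploy() {
  image="cloudrailos/cr-container-os:beta-2.0.6"
  creds="/home/ec2-user/cr-container-for-snow/cr-agent/cr-container"
  dni_iface="${DNI_IFACE:-eth1}"   # assumption: override with DNI_IFACE=<name>
  check_image_pinned "$image" || { echo "refusing unpinned image $image" >&2; exit 1; }
  check_creds_dir "$creds"    || { echo "$creds must exist with mode 700" >&2; exit 1; }
  ip link show "$dni_iface" >/dev/null || { echo "DNI interface $dni_iface not found" >&2; exit 1; }
  sudo amazon-linux-extras install -y docker
  sudo systemctl enable --now docker
  sudo docker pull "$image"
  sudo sh -c "$(build_run_cmd "$image" "$creds")"
  sudo docker ps --filter name=cr-firmware --format '{{.Names}} {{.Status}}'
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `sh setup-cr.sh deploy` on the instance; without the argument it only defines the functions.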

IV. CloudRail management console registration

  1. Log in to the CloudRail management console and register the serial number provided by CloudRail.
  2. Once the box is added, its status should be “online”. Follow the steps here to set up the CloudRail environment.

Below is an example of the CloudRail console:

Figure 4: CloudRail console with Snowcone gateway appliance

V. Processing the telemetry data

To set up CloudRail.OS to forward telemetry data to AWS IoT SiteWise, follow these steps.

Conclusion

Secondary sensing is a non-invasive way to add secondary sensors such as temperature, vibration, pressure, flow, RFID, cameras, and more to an existing production site to enable more data collection for analytics and visualization. With the CloudRail.OS on AWS Snowcone IIoT secondary sensing solution, you can implement common IIoT use cases safely and securely in a matter of days. Try it yourself using the guidance provided in this blog post.

Additional resources to learn more:

AWS Snowcone: https://thinkwithwp.com/snowcone/

Secondary sensing and actuation for factories using AWS IoT and CloudRail Gateways: https://thinkwithwp.com/blogs/iot/secondary-sensing-and-actuation-for-factories-using-aws-iot-and-cloudrail-gateways/

Cloudrail: https://cloudrail.com/

AWS for Industrial Internet of Things: https://thinkwithwp.com/iot/solutions/industrial-iot/

AWS for Industrial: https://thinkwithwp.com/industrial/

AWS IoT: https://thinkwithwp.com/iot/

Setting-up CloudRail with AWS IoT Core: https://devices.CloudRail.com/documentation?service=AWS#aws1

IO-Link FAQ: https://io-link.com/en/FAQ/FAQs.php#Frage06

About the authors

Ryan Dsouza

Ryan Dsouza is a Principal Industrial IoT (IIoT) Security Solutions Architect at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative IIoT solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has over 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Ryan is passionate about bringing security to all connected devices and being a champion of building a better, safer, and more resilient world for everyone. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.

Omkar Mukadam

Omkar Mukadam is an Edge Specialist Solutions Architect at Amazon Web Services. He currently focuses on solutions that enable commercial customers to effectively design, build, and scale with AWS Edge service offerings, including but not limited to the AWS Snow Family.