AWS for Industries
Improve your industrial operations with cloud-based SCADA systems
Introduction
In modern industrial environments, it is common for thousands to millions of data points to be generated every minute. With the increasing use of Industrial Internet of Things (IIoT) in the industrial and energy sectors, the amount of data generated is expected to increase.
In the energy and utilities industry, supervisory control and data acquisition (SCADA) systems are useful for near real-time monitoring of systems that are geographically widely distributed from a central location. Industrial control systems and other operational technology (ICS/OT) are located in the field and are connected to the SCADA system using a data communication network. SCADA can improve efficiency and productivity, reduce costs and waste, and provide greater control over disparate systems.
SCADA systems are expected to be available and running 24/7 because they serve critical operations in near real time. Traditionally, SCADA systems have been on-premises systems designed to operate industrial and energy processes safely and reliably without connections to external networks. However, to increase business agility, improve operations, and reduce costs, OT systems such as SCADA are becoming more integrated into business networks and cloud infrastructures.
There are several advantages of cloud-based SCADA systems, such as reducing the need for installing and maintaining expensive server hardware and software on premises and making your industrial data available wherever and whenever you need it. Cloud-based SCADA systems are increasingly important in IIoT and Industry 4.0 because they provide the automation, data collection, analysis, analytics, machine learning, and connectivity necessary to improve processes and operations. With cloud-based SCADA systems, customers have easier access to the data and can use cloud services to manage and analyze the data at scale.
While cloud-based SCADA systems offers several advantages, it also comes with additional availability, safety, security, and performance challenges that result from increased sensitivity to external networks and cloud services. In this blog, we discuss common cloud-based SCADA use cases and architectures as well as best practices for cloud-based SCADA systems on Amazon Web Services (AWS).
In the energy and utilities sector, cloud-based SCADA systems are of special interest because energy and utilities operations are distributed geographically, sometimes in remote locations. Providers in these industries need global visibility of their sites, and there are typically no dedicated OT teams in those remote locations to operate the SCADA systems. Having a cloud-based SCADA system helps them to run large, distributed operations with smaller teams in a centralized location.
Architectural patterns for cloud-based SCADA systems
1. Cloud data consolidation and multisite view
One of the best places to start your cloud-based SCADA system journey is multisite data visualization and analytics in the cloud. In this scenario, you continue to run your primary SCADA system on premises at each site and use the cloud for data consolidation, democratization, analysis, and visualization across multiple sites. This approach provides easier integration with cloud services and applications, facilitating other use cases that are not typically available on premises in a secure and scalable way. This process is often called an “open loop” operation because there is one-way communication from on-premises SCADA to the cloud, often through an edge gateway, without sending commands back to the industrial automation and control system (IACS) from the cloud. All control functions are performed by the local on-premises SCADA system. (See figure 1 below.)
Figure 1. Cloud data consolidation and multisite view architecture
In this solution, we use AWS services at the edge, such as AWS IoT SiteWise Edge—a service used to collect, process, and monitor industrial equipment data on premises—or third-party solutions, such as CirrusLink MQTT module for Ignition SCADA to send the data to AWS IoT Core, a service used to easily and securely connect devices to the cloud, or AWS IoT SiteWise, a managed service that makes it easy to collect, store, organize and monitor data from industrial equipment at scale. Once the data is ingested, we can use AWS IoT Rules Engine, which gives your devices the ability to interact with AWS services, to route the payload to other AWS services for storage in a data lake. Ultimately, users can incorporate other AWS services to create dashboards, run machine learning (ML) models, and provide monitoring and observability.
2. Ignition® by Inductive Automation SCADA on AWS
Ignition is an integrated Software Platform for SCADA systems by Inductive Automation. The Inductive Automation partner solution deploys Ignition, a solution by AWS Partner Inductive Automation, to the AWS Cloud. The partner solution enhances availability, performance, observability, and resilience of SCADA applications. It provides both standalone and cluster deployment options of Ignition on Amazon EC2 Linux instances. Both options are designed to be secure and highly available, configured with best practices for security, network gateway connections, and database connectivity.
In this deployment approach, AWS takes care of the underlying infrastructure and provides a secure and reliable platform for customers to build, operate, secure, and maintain SCADA systems and applications on both local and AWS Cloud environments. Customers can use their perpetual license from Inductive Automation and only pay for the AWS services consumed.
This means that you are responsible for setting up, configuring, and managing the AWS resources needed to run Ignition, such as databases, networking, and instances of Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity for virtually any workload. The partner solution provides more control and flexibility but also requires more IT expertise.
The standalone deployment is ideal for a small number of clients, while the cluster architecture adds a layer of improved performance by including an Application Load Balancer—a solution that load balances HTTP and HTTPS traffic with advanced request routing—and separating the backend and frontend gateways so that client traffic can be more efficiently managed.
In the standalone architecture, the partner solution deploys the following components (see figure 2 below):
- highly available architecture that spans two Availability Zones
- a virtual private cloud (VPC) configured with public and private subnets, according to AWS security best practices
- Amazon CloudWatch, which is used to monitor and observe your AWS and on-premises resources and applications, and Amazon Simple Notification Service (Amazon SNS), a fully managed messaging service, for notification when the Amazon CloudWatch alarms are triggered
The public subnets host the following:
- managed network address translation (NAT) gateways to allow outbound internet access for those resources in the private subnets
- Linux Bastion boxes that allow secure shell access (SSH) to Amazon EC2 instances and Amazon Aurora, a relational database management system (RDBMS) built for the cloud, in the private subnets
- primary and secondary Ignition gateways in two separate Availability Zones
The private subnets host the following:
- a primary Amazon Aurora database that supports write operations
- a replica database that supports read operations
Figure 2. Ignition’s standalone deployment architecture
In the cluster architecture, the partner solution deploys similar components, but it increases the performance of the Ignition gateways by creating separate backend and frontend gateways to direct the client workloads to the frontend servers. To support this, the deployment also creates an Application Load Balancer configured with an Amazon SSL certificate to route traffic to Ignition’s frontend servers in the private subnets. (See figure 3.)
Figure 3. Ignition’s cluster deployment architecture
For details on this partner solution, please refer to Ignition’s deployment guide.
3. Ignition on AWS Outposts
Ignition® by Inductive Automation can be deployed to AWS Outposts, a family of fully managed solutions that deliver AWS infrastructure and services to virtually any on-premises or edge location, for customers who require ultra low latency and high bandwidth between their local devices and the SCADA systems.Using Ignition on AWS Outposts, customers have the benefit of a fully managed infrastructure with native AWS APIs. Customers who choose not to use AWS Outposts will need to procure, manage, support, secure, and maintain the hardware and software stack to run the SCADA solution.
AWS Outposts offer a valuable solution for organizations who are looking to bridge their on-premises environments and the AWS Cloud, helping them to use the benefits of cloud computing while maintaining control and low-latency access to their local resources. It’s particularly useful in hybrid cloud scenarios, where a combination of on-premises and cloud-based resources is required.
AWS Outposts consist of AWS infrastructure hardware, including compute, storage, and networking components, which are physically located at your site. AWS Outposts are connected to the nearest AWS Region through a dedicated, high-speed connection. This connection is established using AWS Direct Connect, which is used to create a dedicated network connection to AWS, or AWS Virtual Private Network (AWS VPN), which is used to connect your on-premises networks and remote workers to the cloud. Which service you use depends on your requirements and network setup:
- AWS Direct Connect provides a dedicated and private network connection between your AWS Outpost and the AWS Region. It offers low-latency, high-throughput connectivity and is ideal for scenarios that require consistent and reliable access to AWS services.
- AWS VPN helps you to establish a secure VPN connection over the public internet. It provides encrypted communication between your AWS Outpost and the AWS Region. While it may have slightly higher latency compared to AWS Direct Connect, it is a more flexible and cost-effective option.
There are many architecture options available for Ignition on AWS Outposts:
Standard architecture | Standard with redundancy architecture | Scale-out architecture | Scale-out with redundancy architecture |
Ignition’s most common architecture consists of a single on-premise Ignition server connected to Amazon Relational Database Service (Amazon RDS)—an easy-to-manage relational database service optimized for total cost of ownership—PLCs, and clients. | Another common Ignition architecture consists of a single on-premise Ignition server (with a redundant server) connected to a SQL database (Amazon RDS), PLCs, and clients. | The scale-out architecture links together several Ignition gateways to form a decentralized system. You can easily separate out Ignition’s input/output (I/O) from the frontend and scale each independently. | The scale-out architecture with redundancy links together several Ignition gateways (with redundant servers) to form a decentralized system. You can easily separate out Ignition’s I/O from the frontend and scale each independently. |
Ignition on AWS Outposts helps organizations to use AWS infrastructure and services on premises while securely connecting their environments to the AWS Cloud to start the journey into data analytics, predictive maintenance, and ML. (See figure 4.)
Figure 4. Combining on-premises Ignition on AWS Outposts and AWS IoT services
4. Ignition Cloud Edition
Ignition Cloud Edition is a cloud-hosted version of the Ignition platform on AWS. With Ignition Cloud Edition, the software is hosted on AWS, and users can access it without needing to manage the underlying infrastructure. This reduces the operational burden on users, letting them focus instead on configuring and using the Ignition platform. With Ignition Cloud Edition, users are responsible for configuration, backup, and upgrades of the software.
Ignition Cloud Edition offers a pay-as-you-go model and comes packaged with a bundle of modules that are already installed and licensed. Instead of paying for each module used, you pay for how much you use Ignition Cloud Edition. While it does not contain drivers for industrial equipment connectivity, Ignition Cloud Edition includes both MQTT and Gateway Network functionality to enable connectivity with your standard Ignition or Ignition Edge installations. So, it’s easy to extend on-premises data into the cloud and connect it with various cloud services.
Ignition Cloud Edition comes packaged with Ignition Core Modules: Perspective, Reporting, SQL Bridge, OPC UA, Enterprise Administration Module (EAM), Tag Historian, and Alarm Notification. It also includes the Web Development, Twilio Notification, and Voice Notification modules, as well as the MQTT Engine, MQTT Distributor, and MQTT Transmission modules from Cirrus Link Solutions. A cloud connector module called the MongoDB Module is also included, and Ignition Cloud Edition users will get new cloud connector modules as they become available.
With Ignition Cloud Edition, customers don’t need to purchase and manage expensive servers and can more easily use cloud services for storage, machine learning, analytics, and more.
Cloud-based SCADA challenges, security considerations, and recommendations
While cloud-based SCADA adoption can improve centralized data management, reduce capital and operation and maintenance expenditures and improve security, there are inherent risks with implementing SCADA in the cloud. Customers need to consider several types of new risks described here.
Cloud-based SCADA poses risks such as availability and performance of the network connection and cloud services. If you are relying on the internet, then you need to consider network latency.
Minimizing and mitigating risk to cloud-based SCADA systems requires careful vetting because cloud-based SCADA introduces a dependency on external networks and cloud services. Additionally, it is suitable for some industrial and energy use cases, but not all, and requires a risk assessment, proper solution design, configuration, and continuous monitoring.
Security recommendations for cloud-based SCADA systems
- cybersecurity risk assessment: Conduct a cybersecurity risk assessment so that the risks, gaps, and vulnerabilities are fully understood and can be proactively managed.
- network segmentations: Establish an industrial demilitarized zone (IDMZ) and control of traffic between zones using firewalls and unidirectional gateways.
- secure network connection to the cloud: Keep network traffic private and encrypted. When using the public internet, traffic must be encrypted.
- visibility and monitoring of OT and cloud operations: Deploy security auditing and monitoring mechanisms across OT, IIoT, and the cloud and centrally manage security alerts.
- defense in depth (DiD) strategies: Adapt DiD approaches, such as security policies, authentications and authorizations, firewall controls, patch management, micro-network segmentation, redundant communication networks, graceful degradations, and backup and recovery procedures.
- SCADA vendor recommendations: Follow the SCADA vendor’s security guidance, such as the Ignition Security Hardening Guide.
- security standards: Follow IACS security standards, such as ISA/IEC 62443, which are evolving to support the use of IIoT and cloud services and build on established standards for the security of general-purpose IT systems (for example, the ISO/IEC 27000 series).
- secure the global OT/IT network: Follow this AWS guidance when connecting multiple remote sites with multiple edge configurations to the cloud.
In addition, follow the AWS multilayered security approach described in the Ten Security Golden rules for IIoT solutions, and AWS Security Best Practices for Manufacturing OT.
Conclusion
In this blog, we presented several design considerations and ways to use cloud-based SCADA systems on AWS. As modern industrial systems evolve, generate greater volumes of data, and have increased levels of automation, industry can benefit from a modern approach to SCADA, which cloud SCADA offers. Design the cloud-based SCADA solution that addresses your availability, latency, performance, and security requirements, and have a backup plan with contingency measures in case of network downtime or disruption. AWS offers a broad range of services, guidance, and solutions for cloud-based SCADA so that you can choose the best solution for your needs while enjoying the advantages of cloud computing.
Using cloud-based SCADA systems in the energy and utilities sector delivers heightened operational efficiency, near real-time monitoring, and seamless integration. Its scalability adapts to evolving demands, optimizing resources and minimizing downtime. Enhanced cybersecurity improves the protection of critical infrastructure. Embracing cloud-based SCADA is crucial for navigating the dynamic and interconnected landscape of the industry.