Ikaros Software

Unleashing Potential through Cloud Innovation

Category: AWS IoT

How Cybersecure Are PLCs Directly Connected to the Cloud? (AWS)

July 27, 2024 / / 0 Comments

The integration of Programmable Logic Controllers (PLCs) with cloud platforms like Amazon Web Services (AWS) has become increasingly common. This integration promises enhanced data analysis, remote monitoring, and scalability but also brings a host of security considerations. So the question comes: how secure are we if we connect directly a PLC to the Public Cloud, such as Azure or especially AWS?

The Challenge of the Industrial Pyramid

To grasp the security considerations, it’s essential to understand the “industrial pyramid,” a hierarchical model that illustrates the structure of industrial automation systems. At its base are Field Devices, such as sensors and actuators. Above these are PLCs, which manage and control industrial processes. Next, in the Supervisory Control and Data Acquisition (SCADA) layer, systems aggregate data from multiple PLCs. The top layers include Manufacturing Execution Systems (MES) and Enterprise Resource Planning (ERP) systems, which manage and optimize production processes and business operations.

When connecting PLCs directly to the cloud, bypassing the traditional layers of the industrial pyramid, we expose the network to potential vulnerabilities. In a typical industrial setup, data flows from PLCs to SCADA systems and then to higher-level MES and ERP systems, providing multiple layers of security and control. However, by establishing a direct link between PLCs and AWS, we effectively reduce these intermediary safeguards, which could compromise network security if not managed properly. This direct connection can be particularly risky in complex or large-scale operations with multiple interdependent systems. However, for a very simple factory with minimal complexity and fewer interconnections, the direct link might be manageable with appropriate security measures, such as robust encryption and strict access controls, ensuring that the risks are kept within acceptable limits.

Security Challenges and Considerations

When connecting PLCs to AWS, several security challenges arise, primarily revolving around the protocols used for communication. PLCs commonly use industrial protocols like Modbus, OPC, and Profinet, each with varying levels of inherent security.

1. Protocol Security: Many traditional industrial protocols were not designed with security in mind. For instance, Modbus lacks built-in encryption and authentication, making it vulnerable to interception and unauthorized access. OPC, while more versatile, also often requires additional layers of security to ensure safe data transfer. Profinet offers improved security features but still requires careful configuration to mitigate risks. Want to know how to integrate OPC UA with AWS?

2. Network and Data Security: To address these challenges, securing network communications is essential. Implementing VPNs, firewalls, and encryption can protect data in transit between PLCs and AWS. AWS provides robust network security features such as Virtual Private Cloud (VPC) and AWS Shield, which help protect against external threats. For data at rest, AWS employs encryption standards like AES-256, ensuring that sensitive information is safeguarded.

3. Access Management: Effective access management is critical for maintaining security. AWS Identity and Access Management (IAM) enables fine-grained control over who can access and manage AWS resources. For PLCs, using secure gateways or edge devices that enforce authentication and encryption is crucial for safeguarding data exchanges.

4. Compliance and Monitoring: Ensuring compliance with industry regulations and standards is important for security. AWS offers tools like AWS CloudTrail and Amazon CloudWatch for monitoring and logging activities, which help in detecting and responding to potential security incidents.

Best Practices for Securing PLCs on AWS

  • Use Encrypted Communication: Ensure that all data transmitted between PLCs and AWS is encrypted. This is how you set up a MQTT connection from TIA Portal.
  • Implement Strong Access Controls: Configure AWS IAM roles and policies appropriately, and secure edge devices with strong authentication.
  • Monitor and Log Activities: Utilize AWS CloudTrail and Amazon CloudWatch to monitor activities and detect anomalies.
  • Regular Updates and Patches: Keep firmware and software up to date to protect against known vulnerabilities.
  • Adhere to Compliance Standards: Ensure that your implementation meets industry-specific regulatory requirements.

For more detailed information, refer to AWS’s official documentation on AWS IoT Core Security, AWS Security Best Practices, and AWS Compliance.

Integrating OPC UA with AWS: Strategies and Best Practices

December 2, 2023 / / 0 Comments

The integration of OPC UA with AWS is transforming industrial automation and IoT. OPC UA (Open Platform Communications Unified Architecture) is a key protocol in this field, known for its secure and reliable data exchange capabilities. AWS (Amazon Web Services), a leader in cloud computing, offers scalable cloud solutions. This article delves into effective strategies for transferring OPC UA data to AWS, focusing on security, efficiency, and scalability. For more details on OPC UA, visit OPC Foundation.

Understanding OPC UA and Its Importance in Industrial Automation

OPC UA provides interoperability and reliability in automation, with platform independence and comprehensive security. It’s ideal for various industrial applications. Learn more about AWS’s role in industrial automation on the AWS Industrial IoT page.

Why Transfer OPC UA Data to AWS?

Transferring OPC UA data to AWS offers scalability, advanced analytics, and global accessibility. For insights into integrating industrial data with cloud solutions, visit ikarossoftware.com.

Key Strategies for Transferring Data to AWS

Various approaches exist for this integration, each suitable for different needs.

1. Direct Integration using AWS IoT Greengrass

AWS IoT Greengrass is a service that extends AWS to edge devices, allowing them to act locally on the data they generate while still using the cloud for management, analytics, and storage. For OPC UA, this integration has several specific features:

  • Local Processing: IoT Greengrass can process OPC UA data locally on edge devices. This is particularly useful for real-time decision-making where latency is a critical factor.
  • OPC UA Protocol Support: It supports direct communication with OPC UA-enabled devices, which means that you can read and write OPC UA data directly without needing a separate translation layer.
  • Seamless Cloud Integration: While it allows for local processing, the service also ensures that the processed data can be seamlessly sent to the AWS cloud for further analytics, storage, or other services.
  • Security Features: It provides secure data communication channels, ensuring that the data transferred from OPC UA devices to the AWS cloud is encrypted and protected.

2. Utilizing AWS IoT SiteWise for Asset Modeling

AWS IoT SiteWise is a managed service that makes it easy to collect, store, organize and monitor data from industrial equipment at scale.

  • OPC UA Data Collection: IoT SiteWise can directly collect data from OPC UA-enabled devices, which is essential for industries that use OPC UA as their standard communication protocol.
  • Asset Modeling: This service allows you to define models of your industrial equipment, processes, and facilities, creating a virtual representation of your physical assets (digital twin).
  • Data Visualization and Monitoring: Once the data is collected and modeled, SiteWise provides tools to create custom dashboards for easy visualization and monitoring of equipment operation, which can help in making informed decisions.

3. Implementing AWS IoT Core for Broad Connectivity

AWS IoT Core is a managed cloud service that lets connected devices easily and securely interact with cloud applications and other devices.

  • Broad Protocol Support: IoT Core supports MQTT, HTTP, and WebSockets protocols, and also offers OPC UA compatibility, enabling diverse types of devices to connect to AWS.
  • Device Management: It provides features for managing and authenticating devices, ensuring secure communication between OPC UA devices and AWS services.
  • Integration with AWS Services: IoT Core integrates with other AWS services, such as AWS Lambda, Amazon Kinesis, Amazon S3, and more, enabling comprehensive solutions that leverage OPC UA data.

4. Custom Solutions with AWS Lambda and Amazon Kinesis

For specific needs or custom solutions, AWS Lambda and Amazon Kinesis provide flexibility and scalability.

  • AWS Lambda: This is a serverless compute service that lets you run your code without provisioning or managing servers. With Lambda, you can create custom functions that process OPC UA data, triggered by various AWS services.
  • Amazon Kinesis: Kinesis is perfect for streaming large amounts of data from OPC UA devices. It can collect, process, and analyze real-time data streams, enabling timely insights and reactions.
  • Custom Data Processing: Using these services together, you can build a custom pipeline that collects, processes, and analyzes OPC UA data in real-time, providing tailored insights specific to your operational needs.

In summary, these AWS services offer a comprehensive set of tools to integrate, process, and utilize OPC UA data effectively. They cater to different aspects of the data lifecycle, from collection at the edge (IoT Greengrass) to complex processing and analytics (AWS Lambda and Amazon Kinesis), making them versatile options for various industrial IoT applications.

Security Considerations

Ensuring secure communication and managing access is crucial. AWS’s security features are detailed at AWS Security.

Optimizing Performance and Costs

Efficient data protocols and selective data transfer are key. AWS offers scalable services to adjust resources based on demand, as explained on their Cost Management page.

Conclusion

Integrating OPC UA data with AWS optimizes industrial automation through cloud computing. The right strategy, coupled with a focus on security and performance, maximizes the potential of industrial data.

Key Takeaways

  • OPC UA and AWS integration offers scalability and advanced analytics.
  • Various AWS services cater to different OPC UA data integration needs.
  • Security and performance are vital for effective data transfer.

For more insights and guidance on OPC UA and AWS integration, visit ikarossoftware.com.

Front panel of industrial computer system with I/O ethernet connectors and cables. Selective focus on primary CPU module.

Configuring TIA Portal for MQTT AWS IoT Core using PLC

October 23, 2023 / / 0 Comments

In this tutorial, we’ll delve deeper into configuring a Siemens PLC (e.g., S7-1200 or S7-1500) for MQTT communication with AWS IoT Core using TIA Portal.

If you are interested into an easier 5 minutes setup for an AWS-MQTT connection, check this post.

Prerequisites:

  • A Siemens PLC supported by TIA Portal.
  • TIA Portal software installed.
  • Previously generated certificates from AWS IoT Core:
    • Root CA certificate.
    • Client certificate for the PLC.
    • Private key for the PLC.

1. Set up your PLC in TIA Portal

1.1. Launch TIA Portal and create a new project by selecting Create new project.

1.2. Give your project a name and choose a location to save it.

1.3. Add your PLC to the project:

  • Click on the Add new device button.
  • Choose the appropriate PLC from the list.
  • Follow the wizard to set up the basic settings.

2. Configure Communication

2.1. With the PLC selected in the project tree, open its Properties.

2.2. Navigate to the Communication section to configure the communication settings:

  • General: Ensure the Profinet port is enabled.
  • Advanced: Check if any advanced settings are needed, such as speed or mode.

2.3. Look for the MQTT tab or section (note that this option might not be available in all TIA Portal versions or all Siemens PLC models):

  • General:
    • Enable MQTT: Check this box.
    • Broker Address: Enter the AWS IoT endpoint (something like a12345abcd.iot.us-west-1.amazonaws.com).
    • Port: Typically 8883 for MQTT over TLS.
    • Client ID: Typically the name of your PLC or any unique identifier.
  • Security:
    • Security Mode: Select TLS.
    • Certificates:
      • CA Certificate: Upload the root CA certificate from AWS.
      • Client Certificate: Upload the client certificate for the PLC from AWS.
      • Private Key: Upload the private key for the PLC from AWS. Ensure that the private key is in a format supported by TIA Portal, potentially converting it if necessary.

3. Set up Data Publishing

3.1. Navigate to the data publishing section (might be in the MQTT tab or a related section):

  • Topics & Payloads:
    • Click Add to define a new topic.
    • Set up the topic name (e.g., plc/sensors/temp).
    • Choose the data from the PLC that you want to publish on this topic.
    • Define the payload structure, such as whether it’s a simple value, JSON, etc.

4. Deploy Configuration to PLC

4.1. Save the project.

4.2. Download the configuration to the PLC:

  • Click on the Download button/icon.
  • Choose the appropriate interface (usually Profinet for Siemens PLCs).
  • Ensure the PLC is in STOP mode and initiate the download.

4.3. After successfully downloading, change the PLC’s mode to RUN.

Your Siemens PLC should now be configured to communicate with AWS IoT Core using MQTT with TLS security, thanks to the TIA Portal. Regularly check the AWS IoT console for incoming messages to ensure everything is functioning as expected. Remember, communication configurations can be intricate; always double-check settings if things don’t seem to work initially.

If this doesn’t work, please check this Siemens’ official post so you can find more information.

Connect IoT device in AWS with MQTTX: A Step-by-Step Guide

September 9, 2023 / / 0 Comments

Testing Internet of Things (IoT) devices in Amazon Web Services (AWS) can be a complex yet crucial task. One of the most widely used protocols for IoT communication is MQTT (Message Queuing Telemetry Transport), and MQTTX is a powerful tool that simplifies MQTT testing. In this article, we will guide you through the process of using MQTTX to test your IoT devices in AWS, step by step. If you want to know more about MQTT-AWS connections, check this post.

Step 1: Setting Up AWS IoT Core

Before you start using MQTTX to test your IoT devices, you need to set up AWS IoT Core. AWS IoT Core is a managed cloud service that allows IoT devices to connect securely and interact with cloud applications and other devices. Follow these steps to get started:

  1. Sign in to AWS Console: Log in to your AWS account.
  2. Open AWS IoT Core: Navigate to the AWS IoT Core service in the AWS Management Console.
  3. Create a Thing: Create a new “Thing” in AWS IoT Core to represent your IoT device. You’ll need to define attributes and certificates for this Thing.
  4. Create Certificates: Generate X.509 certificates and store them securely. These certificates will be used to authenticate your IoT devices.
  5. Create IoT Policy: Create an IoT policy that defines the permissions and actions that your IoT devices are allowed to perform.
  6. Attach Certificates and Policy to Your Thing: Associate the certificates and policy you created earlier with your Thing.

Step 2: Installing MQTTX

MQTTX is a cross-platform MQTT client that simplifies the testing and debugging of MQTT-based applications. Follow these steps to install MQTTX:

  1. Download MQTTX: Visit the MQTTX webpage (https://mqttx.app/downloads) and download the appropriate version for your operating system.
  2. Install MQTTX: Follow the installation instructions for your operating system. MQTTX is available for Windows, macOS, and Linux.

Step 3: Configure MQTTX

Now that MQTT X is installed, you need to configure it to connect to your AWS IoT Core instance:

  1. Open MQTTX: Launch the MQTT X application.
  2. Add a Connection: Click on the “Connections” tab and then click “New Connection.”
  3. Enter Connection Details: Fill in the connection details:
    • Connection Name: Give your connection a name for reference.
    • Host: Enter the AWS IoT Core endpoint (e.g., <your-iot-endpoint>.iot.<your-region>.amazonaws.com). You can find it on AWS IoT → MQTT test client → Endpoint.
    • Port: Use the MQTT port (usually 8883 for secure connections).
    • Client ID: Enter the client ID for your IoT device (this is usually auto-generated).
    • Username: Use the AWS IoT username.
    • Password: Use the AWS IoT password.
  4. Add SSL Certificates: In the “SSL” tab, configure the SSL/TLS settings using the certificates you generated earlier.

Step 4: Connect and Test

With MQTT X configured, it’s time to connect to your AWS IoT Core and test your IoT device:

  1. Connect: Click “Connect” in MQTTX to establish a connection to AWS IoT Core.
  2. Subscribe to Topics: Under the “Subscriptions” tab, subscribe to the MQTT topics you want to monitor or test.
  3. Publish Messages: In the “Publish” tab, send test messages to your IoT devices by specifying the topic and payload.
  4. Monitor Logs: Use the “Logs” tab to monitor incoming and outgoing MQTT messages for debugging purposes.
  5. Disconnect: When you’re done testing, click “Disconnect” to terminate the connection.

Step 5: Analyze Results and Debug

MQTTX provides a powerful interface for monitoring and debugging MQTT communication. Analyze the results, check for any issues, and iterate on your IoT device’s development as needed.

Getting Started on AWS: Connecting an IoT Device via MQTT

August 24, 2023 / / 0 Comments

In the world of IoT (Internet of Things), AWS (Amazon Web Services) provides robust tools and services for managing and processing data from connected devices. In this guide, we’ll walk through the steps to prepare your AWS environment and connect an IoT device using MQTT (Message Queuing Telemetry Transport), a lightweight messaging protocol commonly used in IoT applications.

Setting Up on AWS:

  1. Create a Thing on AWS IoT: In the AWS IoT console, create a “Thing” to represent your IoT device. A Thing is a virtual representation of your device within AWS. This involves giving it a name and optionally adding attributes, policies, and other metadata.
  2. Configure an Access Policy: Create an access policy that defines the permissions for MQTT devices to interact with AWS IoT. This policy should specify the resources the devices will have access to, such as MQTT topics.

Device Configuration:

  1. Install an MQTT Library: Depending on the programming language used on your device, install an MQTT library that allows you to establish a connection with AWS IoT via the MQTT protocol. Popular examples include “paho-mqtt” for Python and “MQTT.js” for JavaScript.
  2. Configure the MQTT Connection: Set up the MQTT connection with the security and connection details provided by AWS IoT. This typically includes the address of the AWS MQTT broker and security credentials, which can be access keys or X.509 certificates.

Subscribing and Publishing:

  1. Subscription and Publication: Once the MQTT connection is established, you can subscribe to specific topics to receive messages and publish messages to those topics to send information to the AWS service.

Testing and Validation:

  1. Testing and Validation: After configuring both the AWS and device sides, perform tests to ensure that communication is working correctly. You can publish messages from the device and verify if they are received in AWS IoT, and vice versa. You can click here for setting up a quick environment to test this AWS feature.

Data Management and Actions:

  1. Data Management and Actions: Once messages are successfully transmitted, you can set up rules and actions in AWS IoT to process the received data. This may involve storing data in a database, triggering notifications, executing Lambda functions, and more.

Remember that this is a general overview of the steps involved in connecting an IoT device via MQTT to AWS. Specific details may vary depending on your device, programming language, and application needs. Be sure to follow the official AWS IoT documentation and the MQTT library you are using for detailed and up-to-date instructions.

© 2025 Ikaros Software

Theme by Anders NorenUp ↑