AWS IoT Security at the edge

Share

Summary

This session by Ryan de Souza, Principal Solutions Architect at AWS, discusses security at the industrial Edge. It covers two cybersecurity use cases: data exfiltration and cryptocurrency mining, demonstrating how AWS services can secure industrial Edge devices. The session also delves into design considerations for Edge security, the shared responsibility model, and available resources for learning more.

Highlights

Introduction to Industrial Edge and AWS Services
00:01:08

Industrial customers need to run applications beyond the cloud, often in factory settings, necessitating low-latency and local data processing. AWS offers a continuum of services from cloud to edge to address these needs, including AWS Outposts, AWS Local Zones, AWS Wavelength, and ruggedized Edge devices like Snowball and Snow Cone. These services extend AWS infrastructure to on-prem locations, enabling local compute and storage for operational technology (OT) data.

Understanding the Industrial Edge and its Challenges
00:04:13

The industrial Edge is a local storage and compute platform operating within industrial facilities, extending AWS cloud services to these environments. It's crucial for scenarios with limited or no internet connectivity (e.g., oil rigs), where data transfer costs are prohibitive, or where data must remain local due to security/privacy concerns (e.g., healthcare). Edge computing is governed by the 'three laws of edge computing': physics (latency), economics (cost-effectiveness of data transfer), and the land (data residency regulations).

AWS Products and Services for the Industrial Edge
00:07:09

AWS provides various options for compute and storage at the industrial Edge. This includes running AWS Edge software on customer-owned virtual machines, using ruggedized Snow Cone devices for local compute and storage in disconnected environments, or deploying Snowball Edge devices for greater capacity. For even larger needs, AWS Outpost servers and racks extend AWS infrastructure directly into factories, offering significant on-premise compute and storage capabilities.

Security at the Edge: Design Considerations and Architecture
00:09:02

Designing security into Edge solutions from the outset is vital, focusing on scalability. Key considerations include ensuring Edge devices perform only defined actions, access limited resources, report their state, and remain recoverable. The industrial IoT security architecture aligns with the Purdue model, with Layer 3 representing the industrial Edge where AWS services like Snowball, Outposts, and IoT Greengrass operate. Securing the OT/IT boundary with an industrialized demilitarized zone (IDMZ) and using services like VPN or Direct Connect for cloud connectivity are crucial.

Use Case 1: Detecting Data Exfiltration from the Factory
00:11:31

This use case involves detecting malicious data exfiltration from an Edge device (e.g., an Edge Gateway running AWS IoT Greengrass) in a factory. AWS IoT Device Defender is used to monitor device-side metrics such as 'packets out,' 'bytes out,' and 'destination IP.' By establishing a security profile for normal behavior, the service can detect anomalies (e.g., spikes in data egress or connections to unusual IPs), triggering alerts that indicate potential data exfiltration.

Use Case 2: Detecting Cryptocurrency Mining on Edge Devices
00:15:18

Edge devices with GPU capabilities can attract cryptocurrency miners. This use case focuses on detecting unauthorized cryptocurrency mining on an Edge device used for industrial computer vision, using its GPU. AWS IoT Device Defender monitors custom metrics like GPU load and average ML inference time. Deviations from normal behavior in these metrics, along with standard metrics like destination IP and listening ports, can indicate the presence of a cryptocurrency miner, triggering alerts.

AWS IoT Device Defender: Audit, Monitor, and Mitigate
00:18:05

AWS IoT Device Defender is a security service used to audit and monitor fleets of Edge devices. It audits security policies for best practices and continuously monitors device behavior. Normal device behavior can be defined through security profiles or automatically learned using machine learning. When anomalies are detected, alerts are generated, enabling mitigation actions such as quarantining a device, revoking certificates, or disconnecting it from the platform.

Security Monitoring Across Edge and Cloud Environments
00:19:39

Traditional security monitoring in factories has been siloed. AWS Security Hub offers a unified approach by consolidating security events from OT, Edge, and cloud environments. This provides a single view of security findings, allowing organizations to better understand and improve their overall security posture across the entire threat landscape, ensuring comprehensive protection.

Comprehensive AWS Services for Securing the Industrial Edge
00:20:35

AWS provides a suite of services aligned with its 10 security golden rules for industrial IoT solutions. These services cover asset inventory (AWS IoT Device Management, Systems Manager), identity and access management (AWS IoT IAM, Cognito), patching and updates (AWS IoT Jobs, Patch Manager), securing Edge Gateways (closing unused ports, securing credentials with secure elements, protecting secrets with AWS Secrets Manager), ensuring secure connectivity (IoT tunneling service), data encryption (at rest and in transit), and audit and monitoring (AWS IoT Device Defender, Security Hub). Backup and recovery solutions are also available for Edge Gateway configurations.

Shared Responsibility Model for Edge Computing
00:23:21

The shared responsibility model applies to Edge computing. AWS is responsible for the 'security of the cloud' (global infrastructure), while customers are responsible for 'security in the cloud' (their data and applications). When using AWS Edge software and appliances (e.g., AWS IoT Greengrass, Outposts, Snow family), AWS takes on additional responsibility for securing the software and appliances running on the customer's premises, including communication agents and identity/access management.

Learning More: Workshops and Builder Sessions
00:24:33

To further explore securing the industrial Edge, AWS offers an 'Industrial IoT Security Workshop' for hands-on experience with the data exfiltration use case. Additionally, a 'Builder Session' on building security defenses for Edge computing devices covers the cryptocurrency mining detection use case, providing practical guidance on setting up and securing Edge devices against such threats.

Recently Summarized Articles

Loading...