Architecting Cloud Industrial IoT Workloads – Part 2: The AWS IIoT Landscape and End-to-End Solution
- September 01, 2022
This blog post is the second part of our Cloud IIoT blog series. In the first part, we discussed IIoT use cases, how they are architected at a very high level, and their implementation challenges.
This part is focused on the AWS IIoT landscape and the AWS services that comprise an end-to-end IIoT solution. A review and comparison of these AWS services will serve as a starting point for building your IIoT solution.
Introduction to the AWS IIoT Landscape
This blog post covers 7 of the 12 AWS IoT services currently available that are the most relevant for industrials. However, in the figure below, you can see a comprehensive view of other AWS services that make up the AWS IoT landscape. Building a secure, reliable and scalable IIoT solution also involves networking, data storage, data processing and analytics, machine learning, CI/CD, landing zone, and security.
Figure 1: AWS IIoT Landscape
Starting from the manufacturing floor (box 1), equipment data is collected by IoT devices. AWS provides tools and services that help to run embedded software on these devices:
- FreeRTOS is a real-time OS for microcontroller unit (MCU)-based devices. It is bundled with libraries that simplify integration with AWS IoT services.
- Amazon SageMaker Neo runs low-latency machine learning inference on IoT devices using cross-platform models built in Amazon SageMaker in the cloud.
The next set of services (box 2) is part of the interface between edge and cloud, commonly referred to as the IoT Hub or IoT Gateway. Each of these services has a component on the on-premises/OT side and a corresponding cloud service.
- AWS IoT Greengrass Core is the component of AWS IoT Greengrass that runs on the OT side. It lets you manage, from the cloud, the deployment and lifecycle of other software modules on IoT devices. AWS Outposts is essentially AWS servers running on your premises and managed from the cloud. It allows you to run services such as Amazon EKS, AWS Lambda and Amazon Simple Storage Service (Amazon S3) directly on your OT network.
- AWS IoT SiteWise Edge makes it easy to collect, organize, process, and monitor equipment data at the edge. This service specifically targets industrial use cases. It provides visibility into the data collected and helps in making decisions that improve asset uptime, product quality, and process efficiency.
</gml_replace>
<gr_replace lines="15-17" cat="clarify" orig="- Amazon Monitron is unique">
- Amazon Monitron is unique in the sense that it is an end-to-end solution. It is a great option if you find value in collecting temperature and vibration data from non-IoT-enabled equipment. Also, Monitron is designed to be easy to use: it does not require extensive design, integration and testing.
It can be challenging at first to understand in which technology layer these edge services fit. Is it an app, a library, an OS, or does it include hardware? We made the following chart to clarify the technology layers mapped to edge services and added an indication of the service adoption complexity. The orange boxes indicate in which layers the AWS services fit.
Figure 2: Technology layers mapped to the AWS IIoT Edge Services
- Amazon SageMaker Edge Manager is a software component of Amazon SageMaker. It takes ML models trained and built in the cloud and deploys them on the OT Network.
- Amazon Monitron is unique in the sense that it is an end-to-end solution. It is a great option if you find value in collecting temperature and vibration data from non-IoT-enabled equipment. Also, Monitron is designed to be easy to use, it does not require extensive design, integration and testing.
It can be challenging at first to understand in which technology layer these edge services fit. Is it an app, a library, an OS, does it include hardware? We made the following chart to clarify technology layers mapped to edge services and added an indication of the service adoption complexity. The orange boxes indicate in which layers the AWS services fit.
Figure 1: Technology layers mapped to the AWS IIoT Edge Services
As cloud IIoT workloads are hybrid by definition, you may need the following networking services highlighted in box 3 to connect the factory to the AWS Cloud:
- AWS Direct Connect establishes a dedicated, high-bandwidth connection with low, predictable latency between your premises and AWS networks.
- AWS Site-to-Site VPN is a fully managed service that creates IPsec connections between your premises (OT network) and AWS cloud resources.
- AWS Wavelength is an innovative AWS service that allows you to run applications in a 5G hub near your factory so that they can be accessed with low latency.
Next, let’s review the key IoT services in the 4th box:
- AWS IoT Greengrass – on the cloud side this time – is used to manage the lifecycle of AWS or custom software components on the Greengrass-enabled IoT devices.
- AWS IoT Core communicates with IoT devices through protocols such as MQTT or HTTPS. You can then transform the data and take actions based on defined rules.
- AWS IoT SiteWise is a key AWS service in IIoT. It allows you to have a representation of physical assets and their characteristics in the cloud. You can collect and organize data such as model, serial number, and time-series data from sensors, and then use other services to analyze the data and take action when certain conditions are met.
- AWS IoT Device Defender is a security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior, and mitigate security risks.
- AWS IoT Device Management helps you register, organize, monitor, and remotely manage IoT devices at scale. It is integrated with AWS IoT Core and AWS IoT Device Defender to easily connect, manage and monitor the security posture of IoT devices from the cloud.
- AWS IoT TwinMaker creates digital visualizations using measurements and analysis from a variety of real-world sensors, cameras, and enterprise applications to help you keep track of your physical factory, building, or industrial plant.
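As an added illustration (not from the original post) of what "monitor connected devices to detect abnormal behavior" looks like in practice, the following is a set of AWS IoT Device Defender Detect behaviors in the JSON shape accepted by `aws iot create-security-profile --behaviors`. Each behavior states the expected normal condition for a device; the thresholds and the OT network CIDR `10.20.0.0/16` are constructed placeholders to adapt to your plant.

```json
[
  {
    "name": "FewAuthorizationFailures",
    "metric": "aws:num-authorization-failures",
    "criteria": {
      "comparisonOperator": "less-than",
      "value": { "count": 5 },
      "durationSeconds": 300,
      "consecutiveDatapointsToAlarm": 1,
      "consecutiveDatapointsToClear": 1
    }
  },
  {
    "name": "ConnectsFromOtNetworkOnly",
    "metric": "aws:source-ip-address",
    "criteria": {
      "comparisonOperator": "in-cidr-set",
      "value": { "cidrs": [ "10.20.0.0/16" ] }
    }
  },
  {
    "name": "BoundedMessageRate",
    "metric": "aws:num-messages-sent",
    "criteria": {
      "comparisonOperator": "less-than-equals",
      "value": { "count": 600 },
      "durationSeconds": 300,
      "consecutiveDatapointsToAlarm": 2,
      "consecutiveDatapointsToClear": 2
    }
  },
  {
    "name": "NoUnexpectedListeningPorts",
    "metric": "aws:listening-tcp-ports",
    "criteria": {
      "comparisonOperator": "in-port-set",
      "value": { "ports": [ 8883 ] }
    }
  }
]
```

A device whose metrics fall outside these expected ranges raises a violation, which the security profile can publish to an Amazon SNS topic for your operations team to triage.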
There is potentially a lot of IoT data to be stored (box 5). For this, Amazon S3 is commonly used because it is a durable, low cost and secure object storage service. There are many other data storage services that could be relevant, including: Amazon DynamoDB, a NoSQL service, and Amazon RDS, a relational database service.
As mentioned in the first part of this blog series, data analytics is a common first step in the IIoT journey. This is where Data Processing & Analytics services come into the picture (box 6).
- Amazon Kinesis and AWS Glue respectively stream and transform the data.
- Amazon Athena is used to query data stores such as Amazon S3.
- AWS IoT SiteWise Monitor is a managed portal to view and share your operational data.
The key Machine Learning services (box 7) that we have chosen to highlight are:
- Amazon SageMaker builds, trains, and deploys ML models to the AWS cloud and to IoT devices using Amazon SageMaker Neo. Amazon SageMaker is the Swiss army knife of AWS Machine Learning that includes all required services and tools for the Data Scientist and ML Engineer.
- Amazon Lookout for Equipment and Amazon Lookout for Vision detect abnormal equipment behavior by analyzing sensor data and images, respectively. Unlike Amazon SageMaker, these services do not require deep ML expertise.
AWS CodeCommit, AWS CodeDeploy and AWS CodePipeline (box 8) are used to store, build and deploy code to IoT devices or to the cloud using best practices. Note that services such as Amazon SageMaker and AWS IoT Greengrass have their own CI and/or CD capabilities, which can be used standalone or integrated with the Code* services.
In traditional CI/CD environments for web applications, software components are built, deployed to a dev environment, and then promoted through multiple intermediary environments (QA, Staging) before reaching Production. For IIoT workloads, you will not be able to have a full-scale "Dev Factory", "QA Factory" and "Prod Factory". You will have limited ability to test new software in lower environments for IoT devices. This means thorough testing needs to occur without depending on industrial hardware. On the cloud side, you will have more flexibility, so you can separate production and non-production resources into different AWS accounts.
As security is paramount for IIoT workloads, the services in box 9 are extremely useful:
- AWS Secrets Manager manages the lifecycle of secrets. These secrets can be used by both:
  - Applications running in the AWS Cloud
  - AWS IoT Greengrass-enabled devices in your OT network.
- Amazon CloudWatch collects logs from cloud services and applications.
- AWS Key Management Service (AWS KMS) manages keys used to encrypt cloud data.
The services in the 10th box are the last on our list, but they should be the first! It is critical to deploy workloads to a properly secured AWS Landing Zone. Landing Zones are the application-agnostic cloud resources and guardrails necessary to establish a secure foundation. NTT DATA has packaged an AWS Landing Zone called Build Cloud Foundations. Here are a few examples of services to enable as part of the Landing Zone:
- AWS CloudTrail logs all API calls to AWS services for audit purposes.
- AWS Organizations defines and enforces security policies across your AWS accounts.
- Amazon GuardDuty monitors your cloud to detect and report malicious activity.
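As an added example (not part of the original post or of the Build Cloud Foundations package), here is an AWS Organizations service control policy that turns the CloudTrail and GuardDuty items above into an enforced guardrail: principals in member accounts cannot stop, alter or delete the audit trail or the GuardDuty detector. The exempted role name `LandingZoneBreakGlass` is a placeholder for whatever break-glass role your landing zone defines.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrailAuditLog",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/LandingZoneBreakGlass"
        }
      }
    },
    {
      "Sid": "ProtectGuardDutyDetector",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/LandingZoneBreakGlass"
        }
      }
    }
  ]
}
```

Service control policies bound what IAM can grant in member accounts but never apply to the organization's management account, so attach this policy to the organizational units that hold your IIoT workload accounts.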
This high-level architecture illustrates the diversity of options available for your IIoT solution. Not every IIoT implementation will use all these services, and you may add third-party hardware and software.
In summary, here are the key points covered in this blog post:
- We reviewed some of the AWS IoT Edge services and features which can be used in your OT network.
- We explored the AWS IoT Cloud services which are the most relevant to IIoT use cases.
- We discussed some of the other AWS services which are commonly used to support IIoT workloads.
In the next blog post of this series, we will take you through an actual AWS implementation of anomaly detection for industrial equipment.