
Utilities are increasingly recognizing the strategic benefits of modernizing their operational technology (OT) networks to enhance business value. These OT systems are repositories of valuable data that can facilitate simulations, incident response, and informed decision-making, yet the networks they operate on are often constrained by limited onsite storage and computing capabilities. Traditionally, OT networks are designed to function in isolated, secure environments disconnected from external threats. However, what if you could leverage the cloud to expand your OT network without compromising security or isolation?

By extending your OT network to the cloud and utilizing Amazon Web Services (AWS), you can access enhanced elasticity, scalability, and resilience that promote efficient data collection and analysis to support vital business decisions and improve operational reliability. This integration does not necessitate alterations to your existing OT network; instead, it provides a mechanism to transfer data—including NERC CIP Bulk Electric System Cyber System Information (BCSI)—to the cloud for storage and analysis using AWS services. Potential use cases for utilities include:

  • Contingency Analysis and Planning: Execute dynamic simulations in OT settings with real system data to identify, mitigate, and prepare for potential reliability challenges.
  • Incident Response: Retain OT system backups for extended periods for use during operational or cybersecurity incidents. Gather event logs from OT systems for analysis and correlation to investigate operational and cyber events.
  • Advanced Analytics: Leverage AWS machine learning services for demand forecasting, predictive maintenance, and outage management to inform business strategies.
  • OT Security Monitoring: Implement modern AWS security controls for centralized network visibility and automated OT security monitoring to correlate events effectively.

Utilities extending their OT networks to the cloud through secure methods, such as AWS Virtual Private Clouds (VPCs), gain complete control over their virtual networking environments while ensuring necessary security, scalability, and resilience.

Solution Approach – AWS Networking Services

AWS provides over 200 services tailored to meet various computing needs, with a strong emphasis on security. An Amazon VPC is a user-defined cloud network that, when created, carries no route to anything outside the VPC: its route table holds only the local route for the VPC's own address range, so traffic cannot enter or leave until a path is explicitly configured. This default isolation is the first step in securely extending an OT environment into the cloud. It also raises a crucial question: how can an OT network extend into an Amazon VPC that offers no route for external traffic?

There are several methods for assets within a VPC to communicate externally, including:

  • An internet gateway for open internet access.
  • A virtual private gateway (AWS Site-to-Site VPN) or AWS Direct Connect for private connectivity from your on-premises network into your AWS environment.
  • A NAT Gateway, enabling instances in a private subnet to connect to external services while preventing external access to those instances.
  • Peering connections between two VPCs.
  • Transit Gateway to connect multiple VPCs and VPN connections.
  • VPC endpoints for services, allowing access without requiring a public IP address.

None of these capabilities are configured by default. Only principals with the appropriate AWS Identity and Access Management (IAM) permissions can set up these services, and each requires deliberate configuration of route tables and security group rules before any traffic flows. AWS Config lets you assess, audit, and evaluate the configuration of AWS resources and notifies you of changes in near real time, so an unexpected route or gateway is detected rather than discovered. AWS Organizations helps manage and govern the environment as it scales: service control policies (SCPs) act as a permissions ceiling for member accounts, so an action denied by an SCP (for example, creating an internet gateway in the OT-extension account) cannot be performed by any principal in that account regardless of the IAM permissions attached to it. Note that SCPs do not apply to the organization's management account, which is one reason to keep OT workloads out of it.

It is important to note that a VPC exists within an AWS Region, a geographical area made up of multiple isolated locations known as Availability Zones (AZs), each consisting of one or more data centers. You select the AWS Region(s) in which your content is stored, and AWS will not transfer or replicate your data outside your chosen Region(s) without your consent, except as required to comply with the law.

A utility managing a distribution, transmission, or generation system can extend its OT environment to AWS by establishing a Site-to-Site VPN connection from the OT network to an Amazon VPC. The encryption provided by the VPN tunnel safeguards data in transit from the OT network to the cloud-based Amazon VPC. Within the VPC, you can create private subnets whose route table contains only the local route and routes to the virtual private gateway that terminates the VPN, so servers in these subnets can reach only the OT network over the tunnels and have no path to or from the internet or any other network. Route tables control reachability at the network layer; security groups and network ACLs should still be used to restrict which OT hosts and ports may reach those servers, and the route tables themselves should be audited so that a later change (an added internet gateway, NAT gateway, or peering route) is caught.
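The route-table audit described above, as an added example that is not part of the original post or any AWS tooling: it walks the route tables of the OT-extension VPC and flags any route whose target is not the local route or an allow-listed virtual private gateway. The input structure mirrors the shape of the EC2 DescribeRouteTables response, but the resource identifiers and the response itself are constructed for the example; in practice you would feed it the output of `aws ec2 describe-route-tables` for the VPC.

```python
"""Audit route tables of an isolated OT-extension VPC.

Policy being checked: a route table attached to an OT subnet may contain
only the VPC-local route and routes to the virtual private gateway(s) we
own. Internet gateways, NAT gateways, peering, transit gateways and
blackholed routes are all findings.
"""
from __future__ import annotations

from dataclasses import dataclass

# Keys under which a route's target can appear in the EC2 API response.
TARGET_KEYS = (
    "GatewayId", "NatGatewayId", "TransitGatewayId", "VpcPeeringConnectionId",
    "NetworkInterfaceId", "InstanceId", "EgressOnlyInternetGatewayId",
    "LocalGatewayId", "CarrierGatewayId", "CoreNetworkArn",
)


@dataclass(frozen=True)
class Finding:
    route_table_id: str
    destination: str
    target: str
    reason: str


def route_target(route: dict) -> str:
    """Return the route's target identifier ("local", "vgw-...", "igw-...", ...)."""
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return "<none>"


def route_destination(route: dict) -> str:
    return (route.get("DestinationCidrBlock")
            or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId")
            or "<none>")


def audit_route_table(rt: dict, allowed_vgws: set[str]) -> list[Finding]:
    """Return one Finding per route that violates the local-plus-VPN policy."""
    findings: list[Finding] = []
    rt_id = rt["RouteTableId"]
    for route in rt.get("Routes", []):
        dest, target = route_destination(route), route_target(route)
        if route.get("State") == "blackhole":
            # Target was deleted; traffic is dropped silently and the route should be removed.
            findings.append(Finding(rt_id, dest, target, "blackhole route"))
        elif target == "local":
            continue  # intra-VPC route created with the VPC; always present
        elif target.startswith("vgw-"):
            if target not in allowed_vgws:
                findings.append(Finding(rt_id, dest, target, "VGW not on allow-list"))
        else:
            findings.append(Finding(rt_id, dest, target, "route to non-VPN target"))
    return findings


def audit_route_tables(response: dict, allowed_vgws: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    for rt in response.get("RouteTables", []):
        findings.extend(audit_route_table(rt, allowed_vgws))
    return findings


# Constructed sample input (hypothetical IDs); shape mirrors DescribeRouteTables.
OT_VGW = "vgw-0abc000000000001"
SAMPLE_RESPONSE = {
    "RouteTables": [
        {   # compliant: local route plus a route propagated from the OT VPN
            "RouteTableId": "rtb-0ot0000000000001",
            "VpcId": "vpc-0ot000000000000",
            "Routes": [
                {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local",
                 "Origin": "CreateRouteTable", "State": "active"},
                {"DestinationCidrBlock": "192.168.100.0/24", "GatewayId": OT_VGW,
                 "Origin": "EnableVgwRoutePropagation", "State": "active"},
            ],
        },
        {   # non-compliant: drift added an internet gateway, peering, a stale route and a foreign VGW
            "RouteTableId": "rtb-0ot0000000000002",
            "VpcId": "vpc-0ot000000000000",
            "Routes": [
                {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bad000000000001", "State": "active"},
                {"DestinationCidrBlock": "10.60.0.0/16", "VpcPeeringConnectionId": "pcx-0bad000000000001", "State": "active"},
                {"DestinationCidrBlock": "172.16.0.0/12", "GatewayId": OT_VGW, "State": "blackhole"},
                {"DestinationCidrBlock": "10.70.0.0/16", "GatewayId": "vgw-0zzz000000000009", "State": "active"},
            ],
        },
    ]
}


if __name__ == "__main__":
    for f in audit_route_tables(SAMPLE_RESPONSE, {OT_VGW}):
        print(f"{f.route_table_id}: {f.destination} -> {f.target}: {f.reason}")
```

Run against live data by replacing `SAMPLE_RESPONSE` with the parsed JSON from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`; the same check can be expressed as a custom AWS Config rule so that a route added outside the change process raises a notification rather than waiting for the next manual audit.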

To bolster resilience, consider implementing two VPN connections over circuits from different telecommunications or internet service providers. Each AWS Site-to-Site VPN connection consists of two tunnels terminating on separate AWS endpoints, so two connections give four tunnels into the Amazon VPC, significantly enhancing connectivity resilience while keeping your electronic access points firmly under your control.

While this configuration ensures security and resilience, a VPN over the internet does not guarantee bandwidth or network performance between your OT network and Amazon VPC. For additional assurance, AWS Direct Connect can establish a dedicated network connection to AWS, using industry-standard IEEE 802.1Q VLANs to reach Amazon VPCs via private IP addresses. Direct Connect on its own is a private link, not an encrypted one; it supports IEEE 802.1AE (MACsec) on 10 Gbps and 100 Gbps dedicated connections, providing link-layer encryption between your router and the AWS Direct Connect device so that data in transit is protected at high speeds. Where MACsec is not available, a Site-to-Site VPN can be run over the Direct Connect link instead. As in the VPN scenario, redundant connections can be configured for a highly secure environment that extends your OT network into the cloud over resilient, encrypted connections and meets your reliability needs.


