May 29, 2025

Enhancing OT Network Visibility with AWS Network Synthetic Monitor

Tom Ricardo, Oxford Global Resources, Practice Director, Cloud and Cybersecurity

Coming back from the RSA conference, one of the things that struck me was a renewed focus on data networking from the OT side. Operational Technology (OT) environments underpin critical industrial processes, from manufacturing lines to utility grids. As AI and machine learning (ML) continue to take shape, it makes sense that companies will focus on chaining their master data and capturing functional data so that tools can optimize their supply line and production performance. Network performance has therefore become vital on the OT front. When network performance degrades, even subtly, the impact can cascade into safety incidents, production slowdowns, or regulatory non-compliance. The biggest issue is where to manage this network performance and your data stack.

Many companies are turning to the cloud to manage centralized data stacks. AWS gives companies the ability to capture data from manufacturing sites around the world and aggregate that data into business applications like SAP or data warehouses like Snowflake or Informatica. AWS can also act as a clearinghouse for different tools, such as ETL pipelines, security applications and alerts, or governance. Networks can get neglected in this picture because traditional network tools often lack the visibility and automation needed for hybrid OT–IT architectures, especially those spanning on-premises control networks and AWS. However, you can now use AWS Network Synthetic Monitor (NSM) to fill this gap by providing real-time, agentless insight into packet loss and latency across hybrid connections.

AWS NSM is a fully managed CloudWatch feature that enables proactive monitoring of hybrid network paths. This is ideal for environments where OT assets connect to AWS via Direct Connect, VPN, SD-WAN, or cloud networking services like Alkira. NSM sends periodic ICMP or TCP probes from selected VPC subnets to on-premises IP addresses, measuring round-trip latency, packet loss, and overall reachability without requiring any agent installation.

For Direct Connect scenarios, NSM introduces a unique Network Health Indicator (NHI) that helps teams pinpoint whether a degradation is occurring within AWS infrastructure or in the customer's external network, significantly accelerating root-cause analysis. Its agentless design leverages Elastic Network Interfaces (ENIs) and AWS PrivateLink, allowing secure and scalable deployment in sensitive environments without touching endpoint devices. This makes it a powerful tool for maintaining high availability and visibility in OT network architectures while integrating seamlessly with the AWS global platform.

Applying AWS NSM to OT networking assets begins with asset discovery and segmentation. You should identify critical OT subnets, such as SCADA VLANs (for which you can use tools like Elisity), within your VPCs to serve as probe sources, and catalog on-premises control system IPs, PLCs, or HMIs as probe destinations. Within the CloudWatch console, you configure monitors by selecting an aggregation interval (typically 30 or 60 seconds, to balance cost against data granularity), choosing between ICMP for basic reachability or TCP for port-specific checks, and specifying packet sizes that align with control-system payloads like Modbus/TCP.

Once configured, NSM automatically provisions probes and ENIs in the designated subnets. You can use built-in CloudWatch dashboards to visualize latency and packet-loss trends, and set alarms on metrics such as average packet loss exceeding a threshold like 0.1% or latency that breaches control-loop tolerances. Then apply anomaly detection to identify early signs of degradation. Finally, integration with OT asset management tools lets you route alarms to AWS Systems Manager or external ITSM platforms, linking network events back to specific assets, while enabling automation such as triggering AWS Lambda functions for failover or traffic adjustments, ensuring a fast and effective response to network issues.
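The steps above (choosing probe sources and destinations, ICMP versus TCP, aggregation interval and packet size, then alarming on packet loss and latency) can be captured as code rather than clicked through in the console. The following is an added example, not code from the article or from AWS: it builds the parameters for a monitor and its two alarms, and replays the alarm's M-of-N rule against constructed metric samples so a proposed threshold can be sanity-checked before deployment. The boto3 client name `networkmonitor`, the `AWS/NetworkMonitor` namespace, the `RTT`/`PacketLoss` metric names, the `Monitor` dimension, and the 56–8500 byte packet-size bounds are assumptions to verify against the current AWS API reference; the subnet ARN and addresses are placeholders.

```python
"""Define an AWS Network Synthetic Monitor (CloudWatch Network Monitor) for OT
probe paths plus the CloudWatch alarms that watch it, and evaluate the alarm
rule locally against constructed metric samples."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any

# Assumed service conventions (check the AWS API reference before deploying):
# boto3 client "networkmonitor"; metrics under namespace "AWS/NetworkMonitor"
# as "RTT" (milliseconds) and "PacketLoss" (percent), dimensioned by "Monitor".
NAMESPACE = "AWS/NetworkMonitor"
VALID_AGGREGATION_PERIODS = (30, 60)   # seconds, as the article describes
PACKET_SIZE_RANGE = (56, 8500)         # bytes; assumed API bounds


@dataclass(frozen=True)
class Probe:
    """One synthetic probe: VPC subnet (source) to an on-prem OT address."""
    source_subnet_arn: str      # subnet that hosts the probe ENI
    destination: str            # PLC / HMI / SCADA server IP
    protocol: str               # "ICMP" (reachability) or "TCP" (port check)
    port: int | None = None     # required for TCP, e.g. 502 for Modbus/TCP
    packet_size: int = 56       # bytes; size it like the real control traffic

    def to_api(self) -> dict[str, Any]:
        if self.protocol not in ("ICMP", "TCP"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if self.protocol == "TCP" and self.port is None:
            raise ValueError("TCP probes require a destinationPort")
        lo, hi = PACKET_SIZE_RANGE
        if not lo <= self.packet_size <= hi:
            raise ValueError(f"packetSize {self.packet_size} outside {lo}-{hi}")
        probe: dict[str, Any] = {
            "sourceArn": self.source_subnet_arn,
            "destination": self.destination,
            "protocol": self.protocol,
            "packetSize": self.packet_size,
        }
        if self.protocol == "TCP":
            probe["destinationPort"] = self.port
        return probe


def build_monitor(name: str, probes: list[Probe],
                  aggregation_period: int = 30) -> dict[str, Any]:
    """Keyword arguments for networkmonitor.create_monitor(**params)."""
    if aggregation_period not in VALID_AGGREGATION_PERIODS:
        raise ValueError("aggregationPeriod must be 30 or 60 seconds")
    if not probes:
        raise ValueError("a monitor needs at least one probe")
    return {"monitorName": name, "aggregationPeriod": aggregation_period,
            "probes": [p.to_api() for p in probes]}


def build_alarm(monitor: str, metric: str, threshold: float, period: int,
                datapoints: int = 3, evaluation: int = 5,
                topic_arn: str | None = None) -> dict[str, Any]:
    """Keyword arguments for cloudwatch.put_metric_alarm(**params): alarm when
    `datapoints` of the last `evaluation` periods exceed `threshold`."""
    params: dict[str, Any] = {
        "AlarmName": f"{monitor}-{metric}-high",
        "Namespace": NAMESPACE,
        "MetricName": metric,
        "Dimensions": [{"Name": "Monitor", "Value": monitor}],
        "Statistic": "Average",
        "Period": period,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "EvaluationPeriods": evaluation,
        "DatapointsToAlarm": datapoints,
        # A probe that stops reporting is itself a reachability problem.
        "TreatMissingData": "breaching",
    }
    if topic_arn:
        params["AlarmActions"] = [topic_arn]   # SNS topic feeding ITSM / Lambda
    return params


def would_alarm(samples: list[float], alarm: dict[str, Any]) -> bool:
    """Apply the alarm's M-of-N rule to the most recent samples locally."""
    window = samples[-alarm["EvaluationPeriods"]:]
    breaching = sum(1 for v in window if v > alarm["Threshold"])
    return breaching >= alarm["DatapointsToAlarm"]


if __name__ == "__main__":
    # Constructed sample values: placeholder subnet ARN and RFC 1918 addresses.
    subnet = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-PLACEHOLDER"
    probes = [
        Probe(subnet, "10.20.30.5", "TCP", port=502),          # Modbus/TCP PLC
        Probe(subnet, "10.20.30.9", "ICMP", packet_size=128),  # HMI reachability
    ]
    monitor = build_monitor("ot-site-a", probes, aggregation_period=30)
    loss_alarm = build_alarm("ot-site-a", "PacketLoss", threshold=0.1, period=30)
    rtt_alarm = build_alarm("ot-site-a", "RTT", threshold=20.0, period=30)
    print(json.dumps(monitor, indent=2))
    # Constructed samples: loss creeps above 0.1% on 3 of 5 periods (alarms);
    # RTT has a single spike, which the 3-of-5 rule deliberately ignores.
    print(would_alarm([0.0, 0.0, 0.2, 0.5, 0.3], loss_alarm))      # True
    print(would_alarm([12.0, 14.0, 13.0, 40.0, 15.0], rtt_alarm))  # False
```

Deploying is then `boto3.client("networkmonitor").create_monitor(**monitor)` followed by `boto3.client("cloudwatch").put_metric_alarm(**alarm)` for each alarm (left out of the block so it runs offline). The 3-of-5 datapoint rule and `TreatMissingData: breaching` are design choices rather than service defaults: the first keeps a single jittery interval from paging the control-room team, the second ensures that a probe that goes silent, which on an OT path is exactly the "grey failure" you want surfaced, is treated as a breach rather than as no data.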

By employing AWS NSM, OT teams gain proactive, end-to-end network visibility while transforming “grey failures” into actionable insights. With real-time latency and packet-loss metrics, clear differentiation of AWS versus customer-side issues, and seamless integration into CloudWatch, you can ensure resilient connectivity for mission-critical control systems.  

Start your NSM journey today to safeguard your OT assets against hidden network degradations. If you are looking for guidance, Oxford can help. We partnered with AWS to provide our clients with expert support for their cloud operations. We have a network of over 2,000 subject matter experts with 15+ years of experience who are available on demand to meet your unique AWS needs. Let's get started today.
