Cyber security requirements (or pros and cons) of moving any OT system sitting on the corporate network (and receiving data from the OT network) to the cloud
Image credit: Ampcus Cyber (no relation to a similar article on their blog)


Cybersecurity Requirements that should be considered and evaluated

  • Access control measures such as multi-factor authentication, role-based access control, and network segmentation should be in place to ensure that only authorized individuals can access the OT machine.
  • Secure communication protocols such as SSL/TLS and encryption should be used to ensure that data transmitted between the OT machine and cloud remains secure.
  • Data should be protected both in transit and at rest, using encryption and access control measures.
  • The cloud service provider should comply with all relevant regulations and industry standards. This area is yet to mature or be regulated, especially for OT compared with other industry sectors such as healthcare and finance.

Pros of moving an OT system to the cloud: (I personally still believe these are more hypothetical in nature than practically reasonable)

  1. Easily scale up or down to meet changing business needs, providing the flexibility to add or remove resources as required.
  2. Can be accessed from anywhere with an internet connection, enabling remote access and collaboration.
  3. More cost-effective than on-premises solutions, as they eliminate the need for hardware, software, and maintenance costs.
  4. Offer advanced security features, such as data encryption, intrusion detection, and DDoS protection, which can provide greater security than on-premises solutions. (This is based on marketing whitepapers I have seen on Azure and AWS.)

Cons of moving an OT system to the cloud:

  1. Compatibility with cloud solutions and virtualization. There are specific vendors who do this; OEMs, meaning the OT solution providers, are yet to start offering such solutions directly. So it is another third party who does it, which further increases the complexity. I understand Siemens has some concepts, but I am not sure whether they are commercial yet.
  2. Moving an OT machine to the cloud creates a dependency on the cloud service provider, which can create issues if there are service disruptions or outages.
  3. Cloud-based systems can be subject to latency, which can impact the performance of real-time OT systems.
  4. Depending on the type of data being processed by the OT machine, regulatory compliance requirements may need to be met, and the cloud service provider may not be able to meet those requirements.
  5. Integration with existing OT systems and data sources can be challenging and time-consuming, requiring additional resources and expertise.
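As an added example that is not from the article or any vendor, the outage and latency concerns in cons 2 and 3 can be enforced locally by a watchdog: it drops to local control when cloud heartbeats arrive late or stop, and goes back to cloud control only when the link is healthy and an operator acknowledges. The class, function names, timeout, latency budget and timelines are all assumed values constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CloudLinkWatchdog:
    heartbeat_timeout_s: float = 2.0   # silence before falling back to local control (assumed)
    latency_budget_s: float = 0.1      # round-trip allowed for a real-time setpoint (assumed)
    max_late: int = 3                  # consecutive over-budget replies tolerated (assumed)
    mode: str = "cloud"                # "cloud" or "local"
    last_heartbeat: float = 0.0
    late_count: int = 0
    events: list = field(default_factory=list)

    def on_heartbeat(self, now: float, sent_at: float) -> str:
        # Cloud answered a heartbeat sent at sent_at; judge the round-trip time.
        self.last_heartbeat = now
        self.late_count = self.late_count + 1 if now - sent_at > self.latency_budget_s else 0
        if self.late_count >= self.max_late:
            self._fallback(now, "latency over budget %d times in a row" % self.max_late)
        return self.mode

    def tick(self, now: float) -> str:
        # Run every scan cycle: silence beyond the timeout means the link is gone.
        if self.mode == "cloud" and now - self.last_heartbeat > self.heartbeat_timeout_s:
            self._fallback(now, "heartbeat timeout")
        return self.mode

    def restore(self, now: float, operator_ack: bool) -> str:
        # Back to cloud control only when the link is healthy AND an operator acknowledges.
        if operator_ack and self.late_count == 0 and now - self.last_heartbeat <= self.heartbeat_timeout_s:
            self.mode = "cloud"
        return self.mode

    def _fallback(self, now: float, reason: str) -> None:
        if self.mode != "local":           # hold last good local setpoints; log the cause once
            self.mode = "local"
            self.events.append((now, reason))


def simulate_latency_creep() -> CloudLinkWatchdog:
    # Constructed timeline: link stays up but each reply takes 300 ms, beyond the 100 ms budget.
    wd = CloudLinkWatchdog()
    wd.on_heartbeat(now=1.0, sent_at=0.95)            # 50 ms: fine
    for t in (2.0, 3.0, 4.0):
        wd.on_heartbeat(now=t, sent_at=t - 0.3)       # third slow reply trips the fallback
    return wd


def simulate_fiber_cut() -> CloudLinkWatchdog:
    # Constructed timeline: replies stop entirely, then the link returns.
    wd = CloudLinkWatchdog()
    wd.on_heartbeat(now=1.0, sent_at=0.95)
    wd.tick(2.5)                                      # 1.5 s of silence: still cloud
    wd.tick(3.5)                                      # 2.5 s of silence: local fallback
    wd.on_heartbeat(now=4.0, sent_at=3.95)            # link back, but no automatic return
    wd.restore(now=4.1, operator_ack=False)           # no acknowledgement: stays local
    wd.restore(now=4.1, operator_ack=True)            # acknowledged: back to cloud
    return wd
```

The fallback is deliberately sticky: a returning link alone never re-enables cloud control, which mirrors the point that responsibility for the process stays with on-site operators.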

The cloud seemingly offers various benefits such as scalability, accessibility, cost-effectiveness and advanced security features, but these rest purely on the promises of the cloud vendors. How effective those promises are, and what benchmarks they use, is not clear. So it must be understood that the critical failures listed above are possible.

It is crucial to carefully evaluate the specific requirements of the OT system under discussion.

Moving OT processes to the cloud, especially those of critical infrastructure, still has a long way to go in terms of research and development and the maturity of virtual controllers.

Advantages of virtual control systems compared to classic PLCs, as per CODESYS

  • Enormous cost savings in hardware procurement, wiring, operation, and maintenance
  • Machine and plant operators can provide and manage the hardware platform themselves.
  • Independence from hardware and hardware manufacturers
  • Easy scaling through dynamic creation of control instances and the ability to expand hardware independently from software
  • Security by design by distributing tasks to several independent control instances with powerful intercommunication
  • Interoperability with other services ("micro services")
  • Simplified rollout of security updates
  • Central maintenance and care of virtual controls with the technologies and convenience of IT systems, including application updates

Further Reading

  1. First virtual Simatic controller enables more flexible, software-based automation
  2. Siemens Announces Its First Virtual PLC
  3. Virtual Control Object for Siemens Logic Controllers and Online PLC Education. Research Papers, Faculty of Materials Science and Technology, Slovak University of Technology, 29(49):7-14, September 2021.
  4. Virtualized programmable logic controllers: a paradigm shift toward industrial edge and cloud computing.
  5. What is a Virtual PLC and what advantages does it offer in automation?

Video

PLC Virtualization video from 2019 at S4 Events

Join the Telegram groups for interesting discussions and notifications

IEC 62443 Industrial Cybersecurity

https://t.me/IEC62443

International Automation Professionals

https://t.me/AutomationProfessional


Rotem Bar

OT/AI Security Leader | Security Instructor | Podcast Host

1 yr

I received a call last week from a friend asking, "Do you think it would be okay if we moved the SCADA to a distant location?" The process and the criticality of the processes, as well as the protocols used in the system, have been the subject of my questions to him. After much discussion, we came up with a positive solution for moving the server, but with some limitations. It's now a business decision.

Arun Rajagopal

OT Cyber Security Consultant | OT Security Leader | Trusted Advisor | Pre-Sales | Cyber Security Strategy | ISA UK President

1 yr

Interesting article; however, it is almost impossible to generalise what we consider an OT system and what is considered OT data. Any OT system or mission-critical OT data should never reside or be hosted on the corporate IT network. Secondly, OT does not need to be on the cloud. The compute and processing speed required, and the limitations in transmission bandwidth from a plant environment to the cloud, would make it unworthwhile and in fact make cloud migration of OT data very, very expensive. If I was running a mission-critical OT asset generating sensitive OT data, why would I trust it on the cloud?

Jake Brodsky

SCADA Integration and Security Engineer

1 yr

Another key disadvantage that nobody discusses: it is more subject to failures in telecommunications. For example, if you run a plant DCS this way and a fiber cable is cut, you have NO automation at all. Better yet, if you get an unacceptable error rate, have fun with your telephone tree ("Your call is very important to us, please stay on the line; the current wait time is.... 45 minutes... for an agent"). If you're dead set on virtualizing the HMI, have at it. But personally, I'd keep a few stand-alone operator interfaces available. As for virtualizing SCADA, it may be more practical IF you did your homework and set it up with an event-oriented protocol. If you don't understand what I just wrote, you have a lot of learning ahead before you even consider putting anything like that in the cloud. Also, you should consider interdependencies between the cloud infrastructure and your utility, especially if you're a transmission provider. I could write a book about this. Automation in the cloud may be practical, but I don't think the ROI is worth the risk.

Herbert Dirnberger

IKARUS is Nozomi Networks MSSP of the Year 2024

1 yr

Hi there! I found your post on LinkedIn quite interesting. It's true that the term "OT" encompasses a broad range of areas from safety, sensors, actuators, PLCs and HMI to operations management. And it's clear that levels 0, 1 and 2 of the Purdue model tend to run at the edge, while levels 3, 4 and 5 move towards fog and cloud. It's also worth noting that cloud computing can be on-premise (private cloud). I totally agree with you that an often overlooked aspect is the need for automation control processes that must work autonomously and meet safety requirements. Responsibility lies solely with the on-site operators. It's interesting to think that real-time applications with virtual cloud PLCs could be possible today with TSN technology. This is already happening in some areas like building automation (Building IoT). However, we should not forget about the importance of system understanding. Sometimes, things can become overly complicated, and maintenance personnel can be faced with almost unsolvable problems. Thanks for sharing your insights! Regards, Herbert

Pete Addison MSc MBA GICSP CISM CISSP

Cybersecurity & Regulatory Leader | Principal Cyber Security Advisor at Ofgem | Cyber Investment | Risk & Compliance | GRC | Critical Infrastructure Security

1 yr

Hi John, great point for discussion, and personally I'm of the camp who believe in not running before we walk. In this instance, before considering the binary question of whether to migrate to the cloud to gain the crown jewels of saving money, consider an intermediary point. Examples of baby steps that could be considered, which in themselves bring benefits, are the areas of digital twinning of OT to examine how stable/resilient it is for the OT business model. The added benefits here are: a. Organisationally, the new technology is sampled with reduced risk of 'We must make it work or we are doomed'. b. The re-education of the workforce with new skills, but also building experience in the new technologies the skills will apply to. c. Beginning to build use cases to assess what parts of the digital twin could release on-premise capabilities, and whether an organisation has the appetite to do so. d. Does it really have to be a binary choice of one or the other, or should we be viewing the use of 'Cloud OT' as a way of improving resilience first? OT telemetry monitoring is one example of how solutions can harness cloud and on-premise capabilities.
