Securely out of IT's way?
Paul Lachance, president and CTO of Smartware Group, underscores the cost benefits of not needing to involve IT in cloud-based maintenance programs. "Cloud-based software lowers the total cost of ownership (TCO) for organizations," he says. "Why build up internal IT resources (people, hardware, and related resources) when you can let the vendor do all that tough and expensive work?"
The cost benefit may be there, but it can be a different matter entirely to trust your data to an entity that is not a full-time member of your own IT organization.
Says Joshua Carlson, global director of cybersecurity services for Schneider Electric: "As we look at the cloud, it's going to be very important that we continue to focus on security, focus on a standard that says this is how we're protecting it, this is how we're measuring ourselves. For example, with NextNine technology, that's a point-to-point connection secured through a variety of mechanisms which provides the user at a plant site the ability to request assistance from somebody up in the cloud, and then allows that assistance to come back down. During cybersecurity conversations, we have to show our customers that these are secure systems and show them which standard we are measuring ourselves against."
"We surveyed our customers on this recently and got some good feedback," says ABB's Lyndon. "Anything that allows an intruder to get into the operations system is a huge threat, and that's what they worry about most. The second one is privacy: Specifically, if this data gets out, what can people know about me, my company, and what we're doing, that I might not want them to know? The third one is performance, especially if you've got a system that you're moving to that may be near real-time, and it's informing operational activities. Fourth is data access. For example, let's say you stop offering your cloud service, or you go away, or something happens to this (cloud) product. Can I get my data? How do I keep using it? Now that it's not in my control any more and it's a service, what is the go-forward path?"
ABB's Lyndon adds that there can be some regional nuances to some of those concerns. "For example, in Europe, privacy rules tend to be a lot more stringent. One thing that really bothers Europeans is that if you're dealing with a U.S.-based company, those companies come under the jurisdiction of the Patriot Act, and they don't like the fact that the U.S. government has access to their data."
At Emerson, says Boudreaux, "We help set up conversations with our user’s IT organization, mostly to prove the independence of the networks and noninterference, as well as the security of the connectivity and the data." This means, he continues, "In the different cybersecurity zones, can someone hack onto the cellular networks and use that as a jumping point to other networks? Do we have the VPN and encryption from our gateway to the cloud, and do we have the right security in the cloud to ensure that someone can’t get into the network and obtain some sort of IP or otherwise sensitive data?"
One of the first security considerations should be an evaluation of how sensitive the data are that would be stored off-premise. One rule of thumb to consider is that any machine data that are not critical to the physical output of the production process may be a good candidate to be hosted on the cloud. This would include condition-based maintenance data, as well as optimization, analysis, reporting, and alerts/notifications (Table 1).
"From a reliability perspective, the data that we're collecting is generally quite benign," says Emerson's Boudreaux. "The data being collected isn't business proprietary data, and it's not generally your control-system data. If you're talking about acoustic or vibration data, it's not as sensitive as process, temperatures, pressures, and flows. Sometimes the data will flow up through the control system if you're doing some of the more advanced type of performance monitoring, but a lot of the data isn't even process variable related."
LNS Research’s Miklovic considers the security of the cloud a benefit specifically to SMB customers. “Unless you are a big enough company to afford your own IT group which then has a strong security group, what you get with Amazon AWS and Microsoft Azure or one of the other emerging platforms is going to be far better. SAP and Oracle are examples of companies that also can provide cloud-based solutions and still give you security, and they themselves will even provide the application(s).”
"Microsoft is very open about their data center investment, their security model," says Boudreaux. "It's an impressive list of certifications they have from a security standpoint. That's their competency, so when it comes to security management, they have certifications that generally most companies don't have. If people are asking whether the cloud is secure, one of the things to ask is whether their on-premise servers and storage systems in their traditional architectures are more secure than what is in the cloud. Quite often, they're actually less secure, because IT isn't always a core competency."
Smartware's Lachance agreed: "It’s interesting that this is a concern, particularly as modern CMMS vendors typically have more secure servers than even clients themselves. For example, our server farm is SSAE16-SOC1/SOC3 certified. This is not trivial – you have to have an ultra-secure environment to pass this audit."
"There's a lot of organizations that are doing industrial automation, hear the word 'cloud', and right away say 'no, thank you,'" says Schneider's Carlson. "I think that's why stand-in terms for cloud like 'managed service' or 'remote management' have become more of a feasible option, where you're still exposing the customer to the Internet through those cloud-based opportunities and solutions, but you're making it less a situation of, 'I'm going to put all of your data up on the Internet.'"