Embed Size (px)
Citation preview
Confidential Property of Schneider Electric
SCADA in the CloudThe Risks, Challenges, and Benefits of Cloud Architectures for SCADA
Larry Combs
“Computing paradigm where the boundaries of computing will be determined by economic rationale rather than technical limits alone.”
Professor Ramnath Chellapa of Emory University, 1997
“Convenient, on-demand network access to a shared pool of configurable computing resources like networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST, 2011
What is Cloud Computing?
• Cloud Computing dates back to the 1950s and 60s time sharing services• Virtualization dates back to the 1970’s with VM operating system on System/370 mainframes• Salesforce.com introduced their version of the cloud in the late 1990’s• Cheap and fast Internet access opened cloud computing to mass consumption
History of Cloud Computing
Definitions of Terms Associated with Cloud Computing
• Infrastructure as a Service (IaaS)• Platform as a Service (PaaS)• Software as a Service (SaaS)
Cloud Service Models
• Infrastructure as a Service (IaaS) Amazon Web Services is an example of the most mature and widespread service model used by HMI applications, since it allows the consumer to deploy and run off-the-shelf HMI software just like they would on their own IT infrastructure.
• IaaS provides on-demand provisioning of virtual servers, storage, networks, and other fundamental computing resources allowing a company to pay for only as much capacity as is needed, and bring more online as soon as required.
• The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and select networking components (e.g., host firewalls).
Infrastructure as a Service
• Platform as a Service (PaaS) like Microsoft’s Azure or Google Apps is a set of software and product development tools hosted on the provider's infrastructure that developers use to create applications over the Internet.
• The consumer of the service does not manage or control the underlying cloud infrastructure, but has control over the deployed applications and application hosting environment configurations.
• PaaS is used by consumers who develop their own HMI software and desire a common off-the-shelf development and runtime platform.
Platform as a Service
• Software as a Service (SaaS) is exemplified in web-based email, which affords the consumer of the service the capability to use a provider’s applications running on a cloud infrastructure from various client devices through a thin client interface such as a web browser.
• The consumer does not manage or control the underlying cloud infrastructure. They simply pay a fee for use of the application.
Software as a Service
• A public cloud infrastructure is owned by an organization and sold as services to the public.• A private cloud infrastructure is operated solely for a specific customer. It may be managed by the
customer or by a third party, and it may exist on premise or off premise.• Hybrid clouds consist of private and public clouds that remain unique entities but are bound
together by standardized or proprietary technology that enables data and application portability.
Types of Cloud Computing
Advantages and Challenges
• Integrated tools• Pre-built templates• Managed services• Open technology• Homogenous Infrastructure• Reliable• Flexible• Accessible• Available
Advantages of Cloud Services
• Cloud providers typically offer integrated tools through a simple and intuitive Web-based user interface.
• IT and operational technology (OT) staff no longer need to source and learn disparate and often incompatible tools.
• Tools and cloud resources integrated into a common console that allows everything from creating and managing resources, to viewing usage and billing.
Integrated Tools
• Cloud providers offer prebuilt templates to simplify deployment of new resources like virtual servers, storage, and applications.
• Templates are optimized for specific workloads and applications and include the operating system, database software, and other required software.
• Templates eliminate the IT and OT staff time normally required to manually install and configure the software.
• Create custom templates with all the software required for the HMI application.
Prebuilt Templates
• Cloud providers not only deliver infrastructure and applications, they also provide the managed services necessary to keep them running efficiently.
• Important especially for smaller businesses where it can be difficult and expensive to maintain an in-house IT organization. Inadequate internal resources can compromise quality and security.
• Cloud providers can maintain specialists for networking, security, privacy, and other areas of high interest and concern. The result is a virtual IT department, dedicated to meeting specific needs cost effectively.
Managed Services
• Cloud applications and interfaces are built on open technologies such as Java, HTML5, and RESTful Web services.
• Users and developers can access cloud resources using standard, well-known interfaces.• Open technologies like OpenStack, CloudStack, and Eucalyptus are available for creating a private
cloud-computing platform and used by commercial cloud providers allowing seamless hybrid clouds.
Open Technology
• Cloud computing structures tend to be more uniform than those of most traditional computing architectures that are often patched together in a piecemeal process.
• This more homogenous structure improves security measures by better delivery and implementation of configuration control, security audits, vulnerability testing and more.
• Updates and patches are distributed in real-time without any user intervention.
Homogenous Infrastructure
• In a traditional IT infrastructure environment, a complete system failure can occur if both the primary and the single backup server fail. If a single cloud computing nodes fails in a cloud-based system, other nodes take over the function of the failed cloud computing node without any interruption.
• The backup and recovery policies and procedures of a cloud service may be superior to those of a single company’s IT infrastructure, and if copies are maintained in diverse geographic locations as with most cloud providers, may be more robust.
• Data maintained within a cloud is easily accessible, faster to restore, and often more reliable.
Reliable
• Scalability is dynamic and inexpensive because it doesn’t involve the purchase, deployment, and configuration of new servers and software. If more computing power or data storage is needed, users simply pay on an as-needed basis.
• Companies don’t have to purchase redundant hardware and software licenses or create disaster recovery sites they may never use. Instead they can provision new resources on demand when and if they need them.
• The ability to easily switch back to a previous configuration lets developers make changes without having to start from scratch by taking a “snap shot” of a known working configuration. If a problem occurs when deploying a patch or update, the developer can easily switch back to the previous configuration.
Flexible
• Cloud computing providers have multiple, redundant Internet connections.• Users simply need an internet connection to access cloud resources and applications.• If a company chooses to implement its own IT infrastructure, access to user data generally
depends on the company’s single Internet provider. If that provider experiences an outage, users lose remote access to the applications running in the cloud.
Accessible
• A traditional IT infrastructure environment poses the risk that both the primary and the single backup server could fail, leading to complete system failure. In the cloud environment, if one of the cloud computing nodes fails, other nodes take over the function of the failed cloud computing node without a blip.
• Data maintained within a cloud is easily accessible, faster to restore and often more reliable.• Instead of numerous servers and backups in different geographic locations, the cloud offers its own
redundancy.• On-demand resource capacity can be used for better resilience when facing increased service
demands or distributed denial of service attacks, and for quicker recovery from serious incidents.• Companies can provision large data servers for online historical databases, but only pay for the
storage they’re using.
Available
• Building an IT infrastructure is usually a long-term commitment. Systems can take months to purchase, install, configure, and test. Equivalent cloud resources can be running in as little as a few minutes, and on-demand resources allow for trial-and-error testing.
• On-site IT projects involve significant cost, resources, and long timelines—and thus include significant risk of failure. Cloud computing deployments can be completed in a few hours with little or no financial and resource commitments, and therefore are much less risky.
Increased Velocity
• Add new resources on demand when and if needed• No need to purchase redundant hardware and software licenses, or set up disaster recovery sites
that may not be used• Provides huge amounts of storage capacity that can be purchased incrementally• Provides improved reliability and redundancy via multiple Internet connections and more backup
servers• New infrastructure can be running in a few minutes• Makes real-time and historical information available on any type of Internet-connected device,
including laptops and Smartphones• Easier to manage updates and patches, and• Provides testing advantages through the ability to clone machines
Benefits
• Loss of control• Increased network threats• Shared infrastructure
Challenges and Risks
• Data stored in the cloud typically resides in a shared environment. Migrating to a public cloud requires a transfer of control to the cloud provider of information as well as system components that were previously under the organization’s direct control.
• Organizations moving sensitive data into the cloud must determine how these data are to be controlled and kept secure.
• If one cloud service or even service provider goes down, a second one can be kept ready or provisioned on demand.
Loss of Control
• Applications and data may face increased risk from network threats that were previously defended against at the perimeter of the organization’s intranet, and from new threats that target exposed interfaces.
• In reality, public cloud security is rarely breached when off-the-shelf security tools are configured and used properly.
Increased Network Threats
• Access to organizational data and resources could be exposed inadvertently to other subscribers through a configuration or software error.
• An attacker could also pose as a subscriber to exploit vulnerabilities from within the cloud environment to gain unauthorized access.
• Botnets have also been used to launch denial of service attacks against cloud infrastructure providers.
• Sharing an infrastructure with unknown outside parties can be a major drawback for some applications, and requires a high level of assurance for the strength of the security mechanisms used for logical separation.
Shared Infrastructure
Security
• It is vitally important not to expose the critical, control infrastructure to the Internet.• For that reason, it is recommended to utilize push technology to move data to the cloud rather than
pull technology.• Using push technology, there are no open network ports on the control infrastructure.• The control infrastructure pushes all the data to the cloud.• Using a hybrid cloud with a VPN connection to the control infrastructure is also recommended.
Security Considerations
• As with all web-based access, robust security must be enabled.• When accessing applications via the cloud, users should be required to go through an
authentication process where they enter a user ID and password.• Encryption is recommended. SSL encryption comes standard with Microsoft Windows and with
mobile device operating systems, but it must be enabled. Encryption ensures any data accessed by noncompliant devices and methods will be incomprehensible. For example, if a wireless snooper were to pick up data transmitted from the cloud to a mobile device, it would find the data encrypted and indecipherable.
Ensuring Secure Access
SCADA in the Cloud
• Remote monitoring of critical equipmentand processes through web browsers, smartphones, and other mobile devices.
• Cloud-based SCADA is attractive alternativefor the water and wastewater industry.
• Shifts the task of housing, maintaining anddisplaying data from the municipality to theservice provider.
Water and Wastewater
• Provides machine operators and site managerswith access to real-time data, even whenthey're at remote sites like other drilling rigs.
• SCADA software is installed in a dedicated PCat the remote site.
• Data is transmitted from the local server via asatellite connection to the cloud, where it canbe viewed instantly from web thin clients via aweb browser.
Oil and Gas Applications
• OEE and other operational data sent to ahistorian in the cloud.
• Machine builder uses data to predictproblems and plan preventive maintenance.
• Create new revenue streams for machines.
Machine Builders
• Manage inventory at shipping docks spread out over a large area.
• Trucks are lined up and loaded at the docks, and manifests come from a cloud-based ERP system and define what needs to be loaded to each truck.
• HMIs located at the warehouse pull data from and pushdata to the cloud-based ERP system as needed to route boxes on conveying systems and directed to the correct shipping dock to get the trucks loaded and unloaded properly.
Warehousing
• Reduce startup risk and cost.• Virtual development environment gives access to the latest and greatest versions of SCADA
software.• All the tools you need are preconfigured and ready to go with vendor provided maintenance and
updates.• Wait until project delivery time to acquire your system hardware: Defer costs, maximize warranty,
minimize hardware inventory, avoid depreciation.• Manage all your projects from one consolidated virtual dashboard.• Support collaborative development which can be accessed world-wide.
Cloud-Based SCADA Development
Confidential Property of Schneider Electric |
Email• (US) [email protected]• (Brazil) [email protected]• (Germany) [email protected]
Support [email protected]
Web site• (English) www.indusoft.com• (Portuguese) www.indusoft.com.br• (German) www.indusoft.com.de
Phone +1 (512) 349-0334 (US)+55 (11) 3293-9139 (Brazil)+49 (0) 6227-732510 (Germany)
Toll-Free 877-INDUSOFT (877-463-8763)
Fax +1 (512) 349-0375
Contact InduSoft Today
36
Germany
USA
Brazil
