
My SCADA in the cloud

Posted on 11/03/2015, by INCIBE

Cloud computing. A growing cloud

Many businesses choose to use cloud technologies in order to implement parts of their systems more economically, allowing them to avoid investing large amounts of money in storage devices, staff training and the creation of new infrastructures.

In the same way, industrial environments have seized on the opportunity this technology presents for implementing parts of their processes. The main advantages of cloud technology include increased storage space, flexibility, availability (which is particularly important in industrial control systems) and mobility.

Despite its many advantages, experts in this area are nonetheless reluctant to use this technology, since certain systems have a longer lifespan if they keep using older technologies and devices. For example, some control systems continue to use operating systems such as Windows 95, together with software applications that only function on these older operating systems. Virtualising such systems can, in some cases, be a complicated process, and it is unlikely that they would continue to function correctly. On the other hand, applications and services available in the cloud are not designed for such specific environments. Furthermore, cloud applications may not be particularly useful for some of the processes used in industry.

Examining cloud security

As well as considering the possible applications of cloud technology, there are also a number of security issues that must be addressed before it can be used in critical and high-availability environments:

  • Users with privileged access: If a system is introduced with cloud technology, it is important to establish an access policy and to restrict access with administrator privileges. If the virtualised system were attacked by someone with maximum privilege access, they would have total control of the process.
  • Complying with regulations: In terms of regulations, clients remain responsible for the security and integrity of their own data, even when it is in the hands of a service provider.
  • Data location: Businesses using cloud technologies must consider where the hosting services are located and the laws in force in those countries.
  • Data segregation: Cloud environments can be shared; it is therefore important to use encryption to guarantee that the data of different clients is kept segregated. However, this encryption can give rise to availability problems when trying to access the data.
  • Backups: It is vital to ensure that the system can be recovered if any error or system failure occurs. Backup systems, based on recovery copies, should always function correctly and should not fail in any way.

The current “As a Service”

Many control system applications are already being developed under the paradigm called “Software as a Service” (SaaS).

SaaS is a software distribution model in which both the software and the managed data are stored on servers that clients access over the Internet. The business hosting these servers is also responsible for maintaining them and for supporting the software used by the client on a day-to-day basis.

- Table of responsibilities of cloud functions -

On the other hand, the SaaS model builds on the other basic categories of cloud architecture:

  • Platform as a Service - PaaS: A model which offers the tools needed to develop and deploy applications and web services, available entirely over the Internet.
  • Infrastructure as a Service - IaaS: This model provides the client with an infrastructure, meaning that, rather than acquiring physical servers, space in a data centre or network equipment, clients purchase these resources from an external service provider, who virtualises the entire architecture according to their needs. These services are managed entirely over the web.

- Service distribution model (pyramid of models) -

Industrial control systems come to the cloud

The evolution of cloud services and resources has not gone unnoticed by industrial systems, which have already begun to adopt this technology, gaining considerable advantages by reducing the costs associated with hardware, software and maintenance. A few examples of this evolution are:

  • SCADA systems (SCADA as a Service), developed by PetroCloud among others, which offer all the functions of a traditional SCADA.
  • Historians which collect data (Historian as a Service); the ARC Advisory Group is just one of the numerous developers of this service. Using historians in the cloud allows for better data analysis.
  • Software which can be used to simulate PLCs in the cloud (PLC as a Service), avoiding the costs associated with the physical hardware of the PLCs themselves and with the energy they consume.
  • HMIs which show the data stored in the cloud, so that it can be accessed from anywhere in the world with an Internet connection (HMI as a Service).

On the other hand, some vendors and manufacturers in the industrial sector choose to offer support services which collect and store data in the cloud so as to improve quality of service, response times and availability. They also offer solutions which integrate cloud technology with industrial devices using platforms in the cloud itself.

Providers such as Oracle (Java Embedded), Microsoft (Azure IoT Suite) or TechBase (iModCloud) have developed cloud software which can be used to administer industrial automation systems or devices, allowing the end user to manage them. This development increases the attack surface, since an attacker who gains access to the platform would be able to modify parameters and the entire system at will, because access has been unified in a single place.


Virtualisation: another way to reduce costs

As an alternative to cloud technology, some major suppliers of information management solutions for industrial environments have chosen to virtualise their systems, reaching agreements with the software providers that create virtual environments, such as Microsoft, Oracle or VMware. These suppliers bring different hypervisors onto the market to respond to the needs of their clients.

These hypervisors fall into two broad categories:

  • Type 1 hypervisor (unhosted, bare metal or native): This hypervisor is installed directly on the hardware of the host machine, without needing a host operating system. In this way, the guest operating system reaches the physical hardware directly through the hypervisor. Examples include VMware ESX/vSphere, Microsoft Hyper-V and Xen.
  • Type 2 hypervisor (hosted): An operating system must be installed on the host machine, and the guest operating system must pass through the hypervisor and then through the host operating system before reaching the physical hardware. Examples include Microsoft Virtual PC and Virtual Server, VMware Workstation, Oracle VirtualBox and QEMU.

The automation pyramid is evolving into a more linear architecture, which incorporates automation in the cloud together with service-oriented architecture (SOA) and agent technology (server instances).

- Evolution of architecture (linear pyramid). Present --> Future -

Virtualisation or cloud computing?

Virtualisation allows the creation of fault-tolerant environments, which ensure high availability and redundancy. Hypervisors make this possible by allowing redundant environments to be created immediately and by making it easy to replicate environments already in production as virtual machines, thereby reducing both costs and response time.

- Virtualisation vs. cloud technology, and the associated benefits -

On the other hand, it would seem that cloud technology is the future, bringing advantages such as platform availability (which is essential in industrial environments), distributed systems creation, large-scale information analysis, scalability and the reduction of costs.

Nonetheless, the service provider must supply adequate security for these environments, as it is not always as strict as one would hope.