A major component of any Industry 4.0 product is getting information from deep within the manufacturing environment out to the enterprise in a contextualized, secure manner. Fortunately, most offerings that have been used in manufacturing for many years are based on Ethernet technology, making them very easy to connect to a plant network. Unfortunately, the protocols used by these systems are typically unencrypted and unauthenticated. As a result, unsuspecting companies often connect these systems in ways that leave them open to outside compromise resulting in downtime, or worse, out-of-spec products that may not be caught by final quality inspections.
There are several cyber security standards (as well as best practices) that have been developed by major automation vendors to create a monitored perimeter around these systems, with appropriate security controls in place to allow access to the gold mine of information contained in the control systems. One of these standards is produced by ISA/IEC and is known by many as IEC 62443 or ISA S99. When this standard is implemented correctly, the result is a hardened, monitored edge for your manufacturing network, which can provide the contextualized information that artificial intelligence or machine learning products are looking for.
Assuming that the interface to the manufacturing environment is properly secured (unfortunately, this is rarely the case), what is the most secure method to consume that information and begin to use it? The prevalent thought has been that on-premises offerings are more secure because they do not require the internet as a conduit to move data. With that in mind, let’s review the three primary types of offerings and then we can consider the associated risks.
The first is a true on-premises offering, in which the tools used to ingest and process the data are located at the same physical location as the manufacturing facility. The second is a hybrid offering that leverages a multiprotocol label switching (MPLS) connection tied back to a private data center where the tools are deployed. This is often called an on-premises cloud offering. The third offering uses a true cloud provider leveraging software-as-a-service, infrastructure-as-a-service, or platform-as-a-service technology. Which of these three offerings you choose is normally driven by the tool you plan to use to ingest the data.
The question then becomes somewhat simpler. Is it more secure for the connection between your Industry 4.0 tool and your manufacturing environment to be managed by you, or managed by a cloud service provider? It really comes down to how well you manage your own security posture.
The security resources a secure cloud provider brings should be deeper than your in-house resources, because the costs are spread across multiple clients. The challenge is making sure that the provider is actually providing a secure service. How well have you vetted their security policies? Are they based on an international standard like ISO 27001? Do they have an effective incident response plan? Are qualified individuals performing the appropriate level of threat hunting to assure your data is safe and secure? If the answers to these questions are yes, and assuming you are already providing similar services for your enterprise information technology strategy, then there is likely no difference between the security posture of a cloud-based offering and the one you can create on your own in an on-premises environment.
Taking note of the scenarios described above, the next questions you need to ask yourself are:
• Do you have the correct skills within your organization to address your manufacturing security posture?
• Have you done your homework creating an appropriate standards-based security offering for your manufacturing environment?
• Do your technology and system integration partners understand the security risks, and are they appropriately positioned to help you make your systems more secure?
• Do you have appropriate controls in place for your enterprise system, whether it’s located on-premises or is cloud-based?