Cloud computing has captured popular imagination. Some people have used the analogy to vaporware—as in the sense that a real cloud is only vapor. The thing is that cloud computing is not vapor. What’s called the cloud actually exists in very real hardware. It may be a server stashed away somewhere in your office, or it may be in one of those huge “server farms” thousands of miles away.
Bill Gates stated many years ago that someday you will access your information and you won’t know, or care, where that information resides. That someday is today. In many ways, you don’t really care where the data is as long as you are assured of safe and secure access. There are a lot of caveats, though. Just as security of your Google account or your iPhone have recently made news, keeping data secure on remote servers also must be managed with knowledge and common sense.
As Maryanne Steidinger puts it, “With those challenges of accessing information, we’re talking cloud products that customers already have an understanding of on the plant floor. The cloud is just the next level of collaboration—a more pervasive technology for the company. It’s optimized for reporting and protected with firewalls.” Steidinger is director of Advanced Applications product marketing for Invensys Operations Management (www.iom.invensys.com), the Plano, Tex. automation technology supplier.
>> Layers of Clouds Defined: Click here for a definition of the three levels of cloud computing.
Even though enterprise information technology (IT) professionals are quite familiar with cloud computing and use it for many applications, professionals in manufacturing are not so sanguine. Saadi Kermani, manager of Industry Applications and Solutions at Invensys Operations Management, says, “From our experience working with reporting and business management tools on the cloud with Microsoft, we’ve seen security is the customer’s number one concern. But customers are concerned about many things, including better service delivery. We work with customers to break down concerns into where their security might be factor.”
Adds Paul Forney, chief technologist for Software Platform R&D at Invensys, “We’re working on the innovation, the future side, where the cloud can be more secure. A lot of IT departments realize they can’t keep things like email servers secure, but they can do better with hosted email. We can do applications in a safe way with the cloud, particularly with Microsoft and Azure. The cloud comes in where you need complex computing power to see all the data, make comparisons, do analysis and then report back.”
Control in the cloud
One major point of concern is moving process control data to the cloud. Kevin Staggs, senior engineering fellow at Honeywell ACS (www.honeywell.com/acs), Phoenix, says, “The cloud will apply to process solutions eventually. Some things are there now; for example, virtualization is a piece of it. Virtualization will allow organizations to do more advanced things, more efficiently, and things you normally couldn’t afford the equipment and the support staff for. The cloud is real, and we’ll move to it.”
Staggs continues with some tips. “Here are some considerations for implementers. The biggest thing is to put it in your service level agreement. Clearly define requirements. Clearly define availability requirements and recovery. Treat it similarly to outsourced IT organizations, and write in your procurement language the same as your own IT requirements.”
Staggs continues, “If you do the right work and infrastructure, then your data is as safe as on your own computer. Threats are in the applications—the same in the cloud as in corporate computing. About the only new threat introduced is concerns on data leakage from one cloud to another.”
Mark Estberg is senior director of Information Security Governance, Risk and Compliance Management for Microsoft’s Global Foundation Services division in Redmond, Wash. Global Foundation Services manages the cloud infrastructure and platform for Microsoft’s cloud and online services.
Estberg takes the definition of cloud from the U.S. National Institute for Standards and Technology (NIST, www.nist.gov) [see sidebar, “Layers of Cloud”]. This three-layer view defines Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (PaaS). “Most people think of SaaS as the cloud, for example, Office 365 or hosted email,” says Estberg. “We consider three buckets relative to security. First are consumer and small business services, such as, Bing and Hotmail. Next is enterprise services, such as hosted Exchange or hosted customer relationship management. And then there are third-party hosted services. That’s where customers write their own application but it’s hosted somewhere else.”
There are three security aspects according to Estberg. First, Microsoft recognizes trust is key to the cloud. “And to make it happen we’re committed to giving customers all the information that is needed to operate,”
Estberg adds. “The third can be thought of as abstract, but we approach it from industry best practices and experience, founded on basic security principles.”
Safety systems in the cloud
“I submit that systems directly or indirectly involved with safety systems e.g., all HMIs and their supporting servers should not be outsourced at this time,” states Andrew Ginter, director of Industrial Security for Waterfall Security Solutions (www.waterfallsecurity.com), Calgary, Alberta, Canada. Cloud providers don’t get safety. The best protections for safety systems are hardware protections, not software protections. Waterfall sells hardware-enforced unidirectional security gateways into industrial markets, for example.
Further tips on handling security in the cloud come from Graham Speake, principal systems architect at Yokogawa IA Global Marketing Center (www.yokogawa.com/iat-in) in Dallas. He says, “When users are deploying systems in the cloud, the same rigor that is applied to on-site systems need to be applied. Systems need to be patched with at least the same frequency as those on-site, especially those in a public cloud.
“Analyzing cloud deployments for a major oil and gas company showed that a lot of their systems in the cloud were many patch iterations behind. Whilst a lot of these were only test systems with no useful data to be gleamed, if real data is used, particularly user names and password, then a hacker could gain very precious data to attack the host’s corporate network.”
On the other hand, adds Speake, environmental data often must be sent from a plant to the regulator. As end users want to reduce the number of connections they have entering and leaving their control system, using a cloud based solution may be a useful technology to consider, particularly if data is needed to be stored for a number of different regulators, he continues. Depending on the sensitivity and readability of the data, encryption should be considered.
Joel Langill, a security expert who writes at SCADAhacker.com, also discusses control systems’ relationship to the cloud. “In my honest opinion, ‘control systems’ and ‘cloud’ should never be mentioned in the same sentence without mentioning ‘security’. One of the leading causes for vulnerable control systems is interconnecting these systems to less secure networks, and failing to provide sufficient protective measures on top of these connections to defend against a completely different type of cyber threat that was not previously considered part of the control system environment.
“From what I have seen so far, the business driver for integrating these systems with the cloud is entirely based on access to information, and rarely has anything to do with the protection of this information and the information assets, in terms if either availability, integrity, or confidentiality.”
Langill also offers a few tips to those contemplating moving to the cloud. “Before any company considers moving these automation assets, I would advise that they consult with an external ICS expert to understand the risks and threats that they could be exposing themselves to. If the company had poor security practices when they managed their assets locally, they may not be able to spot weaknesses in this new design that could further expose their manufacturing assets to unnecessary risks from additional threats.”
Utilities industry perspective
The utilities industry is no stranger to the move to the cloud. John Boyd, general manager of hosted services at Industrial Defender (www.industrialdefender.com), the Foxborough, Mass.-based security firm, recently headed IT managed services company Fandotech until its acquisition. His experience is in the utilities space.
“Should utilities connect to the cloud or not?” Boyd asks rhetorically. “The answer is, you’ve been connected for 40 years. It’s a little about how you define clouds.”
Boyd says utilities have been connected to agencies such as the Naitonal Regulatory Commission and state emergency centers, not to mention to General Electric and others for controls, weather systems and more. “The question is, are they known, trusted, secure links, and do we have the proper annual or biennial or whatever checks and validation processes that a partner needs to be connected and trusted?” he says.
Brian Ahern, CEO at Industrial Defender, chimes in, “One of the most important factors is how does the data coexist in the data center. Control of the physical and logical structure is an important decision criteria. If they are going to upload important data, not just data but often configuration data, then we wanted to own our own data center. The next step then is to make sure data centers attest to some form of industry accreditation and operate in conformance with industry best practices.”
“Internet traffic is like water in Africa,” says Husam Kinawi, co-founder and chief scientist Wedge Networks (www.wedgenetworks.com), a network security firm with offices in Canada, China and the U.S. His company’s solution, differing from most, focuses on cleaning the pipes. “There’s lots of stuff coming in that you don’t want,” he says. His proposed solution is an in-line application that applies security policy based on visibility to content level objects (MIME objects) at line rate speeds, regardless of protocol and operating system of end-devices. It uses deep content inspection and can scan at very high speed.
Who owns it
“It’s all about control,” declares Richard Moulds, vice president of product management & strategy at Thales e-Security (www.thales-esecurity.com), an European based electronics and systems group that employs 68,000 people in 50 countries.
“What do we control and not. In a SaaS application, you own and control the data. In IaaS, such as Amazon.com, you give up control of hardware, but you get to decide all the other stuff. The big two threats are eavesdropping and integrity of data or data substitution. Cryptography is the way to protect both. Cloud customers must own the encryption keys.”
Markus Braendle, group head of cyber security at Swiss supplier ABB Group (www.abb.com), says, “As with all emerging technologies, the cloud presents both great opportunities but also poses challenges. Cyber security is definitely one of these challenges, and it is therefore imperative that cyber security is properly addressed from the very beginning. Addressing cyber security for cloud-based applications does not require a completely new approach. It requires an evolution of the cyber security approach that is and has been developed for today’s automation systems and can leverage the many advancements the industry has already made.”
“Watch what you’re pushing to the cloud,” advises Brad Hegrat, business manager for Industrial Security Products at Rockwell Automation (www.rockwellautomation.com) in Milwaukee. “The last thing you want to do is take a latency- or jitter-sensitive application and push it there. Obviously take control local. As you move to the cloud, watch for longer response time for servers, and application and the software reengineering effort to make it appropriate for actions in the cloud. Don’t take a standard Windows app and throw it up there.”
Taryl Jasper, security architect and principal engineer, also at Rockwell, says, “There other critical attributes. Consider multi-tenancy making sure your data is separated from others. And to reemphasize, many Windows applications don’t map well unless they have been re-architectured.”
Considering the human behavior problem that is the cause of many security problems, Hegrat invokes the saying “You Can’t Patch Stupid” and advises that training is essential. Doug Wylie, manager of Industrial Security Program at Rockwell, concurs: “It’s essential to account for variables, some in policies and procedures, then training. Assure employees are well informed about different risks including accidental or malicious ones. Another problem is with social networks, where people show many details of their personal lives.”
Ken Modeste is the principal engineer for Security and Global Communications, at UL LLC (www.ul.com) in Northbrook, Ill. He points to all the work that NIST has done in spreading the word about the cloud and security. This includes the following advice:
· Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
· Organizations should take a risk-based approach in analyzing available security and privacy options and deciding about placing organizational functions into a cloud environment.
· Understand the public cloud-computing environment offered by the cloud provider.
· Organizations consuming cloud services must understand the delineation of responsibilities over the computing environment and the implications for security and privacy.
· Understanding the policies, procedures, and technical controls used by a cloud provider is a prerequisite to assessing the security and privacy risks involved.
· Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
· Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
The cloud is not an ethereal vapor in the air, but it can be useful if secured.
