As more industrial plants evaluate the use of Big Data / Machine Learning for Predictive Asset Maintenance, the topic of cloud versus on-premise deployment is expected to generate renewed discussion. This article reviews factors that plant owners should consider when deciding between a cloud and on-premise solution.
Please note that the cloud is both an integral part of an IIoT Platform as a Service (PaaS) offering as well as Industrial Analytics for Predictive Maintenance Software as a Service (SaaS) offering. Although this article focuses on SaaS solution for Predictive Asset Maintenance, we review some of the traditional objections to PaaS.
Internal versus External: The Saga Continues
Six years ago, Harvard Business Review warned that C-level executives would face resistance from middle-management and that migration to the cloud would be a sea-change:
“Companies shouldn’t give such people too much influence over plans to move into the cloud; that would be like putting the crew that ran the boiler and steam turbine in charge of electrifying a factory.”
Although the above quote is somewhat condescending, the traditional arguments against the use of third-party cloud service providers are often based on internal politics and turf wars.
Security: The Traditional Objection to Cloud Deployment
The topic of cyber security typically dominates the cloud versus on-premise debate. The most recent data from the Department of Homeland Security’s (DHS) Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) is alarming for industrial plants. In fiscal 2015, ICS-CERT responded to a total of 295 cyber incidents, up 20 percent from the previous year. In the critical manufacturing category (including makers of machinery, electrical equipment, and transportation), the DHS investigated 97 cyber security incidents.
Cyber experts point to an increase in state-sponsored cyber-attacks as a driving force. Industrial espionage is at an all-time high and attackers seek to exploit any security vulnerabilities.
Does the Selection of Either Cloud or On-Premise Impact a Facility’s Cyber Security Protection?
Let’s start with generic differences between cloud and on-premise.
When third-party cloud solutions were initially marketed to enterprises, the first wave of objections was based on security considerations. First, the assumption was that there is enhanced virus protection when infrastructure is on-premise. This is because trusted internal staff are responsible for hardware upgrades, software updates and patch management. Second, physical control is good for security. When a data center is managed by internal IT, they have more control of who accesses the location. In a cloud scenario, there is less flexibility on the part of the company to control data.
The underlying assumptions behind these (and other) concerns are that a) in-house IT staff are inherently more skilled and proficient than vendors’ IT staff, b) internal staff are less likely to be the cause of a breach, and c) on-premise is synonymous with control.
Based on our experience in the industry, this traditional attitude does not reflect the current IT reality. Cloud service providers operate in a very competitive marketplace. Their advantage over internal IT resources lies in the depth of in-house capabilities they can dedicate to service and security requirements.
With cloud service providers, the Service Level Agreement (SLA) includes penalties based on operational performance. To support hundreds or even thousands of customers, the service provider must deploy patches and other anti-virus mechanisms at scale. With a single business focus, the service provider dedicates resources to deep cyber-security measures, including DDoS and brute-force protection and penetration testing. With the benefits of economies of scale, these organizations can exceed internal IT capabilities.
The perception that internal staff are somehow more reliable and trustworthy is not supported by third-party research. According to a report by E&Y, 44% of senior management believes that employees pose the greatest cybersecurity vulnerability. Furthermore, 55% of all cyber-attacks are carried out by internal staff or inadvertent actors.
Predictive Asset Maintenance: Cloud versus On-Premise
In the section above, we outlined the generic comparisons between the cloud and on-premise solutions. Let’s drill down further. A manufacturing plant needs to address whether there is a fundamental difference between Predictive Asset Maintenance and other cloud scenarios.
Deloitte research suggests that trade secrets / IP theft is a major driver of cyber attacks on manufacturing. Today, state-sponsored actors view industrial espionage as a national priority and dedicate significant resources to penetrating industrial plants.
For industrial plants considering a cloud-based solution for predictive asset maintenance, it is prudent to inquire about how the vendor accesses, stores and transfers data. For instance, in the case of Presenso, we use the same security protocols used in the online banking sector. Furthermore, we do not record machine asset information: our algorithm looks for patterns of abnormal sensor data and is therefore an unlikely target for state-sponsored or criminal cyber-attacks. Conversely, one should not simply assume that an on-premise solution is more secure. Cybersecurity is a function of data policies and protocols, employee training and various other factors. In my experience, there are many industrial plants that lag behind other industries and are therefore more vulnerable to attack.
Is Predictive Asset Maintenance technology a high-value target for cyber-attack? Cyber-criminals seeking detailed production information prioritize R&D plans, manufacturing flows, and machine blueprints. Is it possible that some of these attackers may seek operational information such as Mean Time Between Failure (MTBF) and Root Cause Analysis? Perhaps. But a cyber-attacker could find other ways to access this information after it has been disseminated to internal stakeholders. The mere fact that a Predictive Maintenance solution is cloud-based does not make it an obvious target.
The core issue is whether Predictive Asset Maintenance solutions (cloud or on-premise) require additional layers of security that can only be provided in-house. In the section above, we reference virus protection and physical control as the two traditional arguments made in favor of in-house versus cloud infrastructure.
Let’s address each of these issues individually:
First, IIoT Predictive Asset Maintenance vendors are incentivized to maintain robust defensive cybersecurity policies to protect against the spread of malicious viruses. There is no data or research to suggest that an industrial plant’s internal IT resources will be more vigilant and competent in dealing with the threat of viruses.
Second, physical control of the hardware and software, relative to cloud hosting, has not been shown to improve cybersecurity. This applies to multiple applications, including Predictive Asset Maintenance. Furthermore, the Operating Technology (OT) of many industrial plants is based on outdated legacy systems that run Operating Systems no longer supported by their vendors.
The major IIoT infrastructure offerings such as GE Predix, SAP Leonardo, and PTC Thingworx are all based on cloud technology. The following are recommended best practices for engaging with a PaaS service provider.
Include Security in Service Level Agreements (SLAs): One of the best blueprints for SLAs comes from a whitepaper published by Tom Trappler. He recommends that an SLA should affirm the client’s ownership of its data and lay out the security standards of the cloud vendor. Specifically, the client should have the right to audit the vendor’s compliance. If the vendor does not meet the requirements in the SLA, then fines for non-compliance need to be formalized.
Require White Hat (Ethical) Penetration Testing: Vulnerability testing is used to simulate how a hacker identifies and exploits security weaknesses. Only a limited number of people within the organization are informed of the White Hat project so that current defenses can be tested under typical security conditions. Tactics used by Ethical Hackers include DoS attacks, social engineering, and efforts to breach physical security.
Require the Service Provider to Have a Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan: Every organization needs a plan in place in the event of a disaster. The BCP is designed as a roadmap of actions that need to be implemented in the event of a partial or complete shutdown of a facility or infrastructure. It also includes a Disaster Recovery Plan that describes how IT will recover after an event. Both the BCP and DR plans need to be updated to reflect the current employee resources and technologies in use.
Summary and Conclusion
Every industrial plant is different and there will be times when the extra investment in the on-premise solution can be justified from a cost and resource perspective. For example, there are certain unique requirements based on regulatory issues where on-premises is mandatory such as certain critical infrastructure and defense scenarios.
We are not suggesting that it is any more or less safe to use a cloud-based solution for IIoT Predictive Asset Maintenance. Each vendor adheres to different standards of cyber-security protocols and it is incumbent upon the industrial plant to perform a rigorous analysis of any external vendor. At the same time, the argument that cloud-based solutions are inherently less secure is no longer cause for concern for most industry observers.