I recently attended a conference for ICS SCADA security professionals where several colleagues asked me for my personal view of whether I see ICS SCADA systems ever moving entirely to a cloud infrastructure. In their eyes, that definition includes Level 1 of the Purdue Model, the place where the virtual world meets the physical one.
Being the old school, classically trained ICS SCADA person that I am, I reflected on the questions. I shrugged my shoulders, smiled at them and said, without hesitation or pause, “Yes I do.” With looks of astonishment, they asked me why. (To add further context to the scenario, many of the people engaged in the conversation have more years of service in the industry than I do, and I even worked for a couple of them in a past life.) Recognizing the look of concern on their faces that only process/control engineers can generate – especially when addressing a crisis that could be life-threatening – I explained why I see this happening and the reasons for my peace of mind with the migration despite all the recent targeted attacks against control network infrastructures.
No one can ignore the fact that advancements in technology, especially in the areas of communication and computing, have changed the world in ways few people thought possible. We can remember the days when an ISDN line was the pinnacle of broadband service, or the first laptop weighed close to 24 pounds, and see where we are now. ICS and SCADA must evolve, too.
As I attend customer meetings and conferences, the discussion of a cloud-based ICS SCADA control system, and the concerns around securing it, is a reality everyone seems to be facing. The concept is one met with mixed emotion, with all parties working to figure out the pros and cons. At these events, the cloud-based platforms that spark the most interest are infrastructure as a service, or IaaS, where the virtualized hardware (storage, servers, network services, etc.) is the service, and platform as a service, or PaaS.
Owner-operators tend to favor IaaS because it offers greater control over their data. Their main concerns are the operating systems, the applications and securing the data. Platform as a service (PaaS) is the model most manufacturers of industrial products are exploring as a way to deliver cloud-based services to future and existing customers. Focusing on systems used for monitoring and analysis, these vendors found they can offer both “historians as a service” and “human-machine interface as a service” to interested customers. The advantage to the customer is that they only need to supply their data, while the day to day maintenance and care of the infrastructure is the responsibility of the provider.
Regardless of the platform, most agree that the transition of ICS SCADA systems to a cloud-based implementation will happen in phases, with the business functions and monitoring moving first.
Operations like system monitoring, data analysis, system troubleshooting, and predictive maintenance can benefit from a cloud-based infrastructure and the elasticity at which it can scale. With this in mind, either approach is ideal to begin the OT transition from the plant site to the cloud because both are capable of addressing specific functions that require the continuous gathering of large volumes of data generated by these functions.
The advantages include more storage to handle data sent by smart devices, positioning security teams to leverage big data analysis from the creation of a private data lake, while lowering operational cost.
The prominent concern for the DevOps and OT groups with either cloud model are security and data integrity. What that usually means is a question of how to deploy it in a secure manner that scales well in both system performance and data volume, if done in a public cloud offering; and, for those industries with stringent compliance and regulatory restrictions, on how to remain compliant.
Palo Alto Networks Next-Generation Security Platform can help with your ICS SCADA cloud-based deployments by providing continuous and consistent protection to your company's cloud workloads. Providing seamless security to both your data and workloads through advanced security features that are consistent regardless of physical location or cloud.
You will find that we empower you so that you can achieve your ICS SCADA security objectivities through deploying:
- In-line security for your harsh environments with next-generation firewalls like our new PA-220R
- API services for discovering and monitoring resources
- Automated compliance reporting to help improve your cloud security and compliance
- Storage services for eliminating potential data leaks or exposure
- Ability to do outbound and east-west security at scale
With our Next-Generation Security Platform, you can even deploy on multiple cloud services to create an even more efficient, robust and secure ICS SCADA cloud ecosystem.
Learn more about our cloud solutions as well as the ruggedized PA-220R NGFW and other ICS SCADA solutions:
- VM-Series on AWS
- VM-Series on Azure
- VM-Series on Google Cloud Platform
- Aperture for Public Cloud
- Ruggedized PA-220R
You should also contact your Account Manager and ask about getting a Security Lifecycle Report on your ICS SCADA environment or the Hands-On Workshop for ICS SCADA deployments.