Every so often a manager or vendor will ask you: Why aren’t you running those OT / MES solutions in the cloud (or “my cloud”)? Let's see where the question comes from before we jump to an answer.
Some history: What the switch to the cloud meant for IT
If you come from an OT background you have definitely heard of the cloud. But you probably haven’t experienced what it meant for IT.
It was about servers…
20 years ago, back in the days before cloud computing, everybody had their own data centers. Rooms filled with hardware, servers and many, many cables (did you know there’s a subreddit dedicated to cables? Safe For Work, we promise…).
Getting a new server wasn't easy. It meant purchasing hardware, cabling, network configuration. Then came advanced topics like data center management, redundancy, power management, disaster recovery, and implementing security measures.
Not only is this capital intensive, it also means you need a lot of 24/7 specialists.
When cloud computing came along it changed all that:
Flexibility: Need to scale fast? Don’t worry! You can order hundreds of servers with the click of a mouse (compare that to your old-school purchasing process).
Security & availability: you’re leveraging the scale and knowledge of huge players like Microsoft (Azure), Amazon (AWS) or Google (Google Cloud). They run globally redundant data centers giving you a seamless experience.
Automation & abstraction: With the advent of DevOps 10 years ago, infrastructure became software as well: you could now define your hardware needs in a config file instead of clicking through 100 menus for each and every server.
…Now it’s about services too
By removing infrastructure as a barrier to innovation, a surge of new technologies and business models appeared.
Instead of buying servers (IaaS - Infrastructure as a Service) or platforms like databases (PaaS - Platform as a Service) you buy a managed service (SaaS - Software as a Service). It has become so commonplace that it’s hard to imagine there was a time companies were managing their own email servers. (Are you still doing so? Or have you moved on?)
The state of OT hardware
Compare that with the reality in most OT shop-floor environments:
Poorly managed hardware. If your plant runs with a redundant, well managed and secure setup that ensures high availability for all critical systems, we’re happy for you. Unfortunately many are barely managed at all: EOL hardware, unpatched systems collecting dust in a closet without backups. Trust us when we say that we’ve seen PCs as old as we are still running important machinery.
Scaling is hard. Do you need more capacity or an upgrade? Get ready for a months-long process of requesting a budget, comparing offers and finally physically installing and configuring your servers before you can start implementing the firewall rules… and wait again.
Legacy technology stack from 20 years ago. Do you want to leverage new technologies? Good luck finding a shop-floor environment where they are able to run containers in a supported way. We’ve even had OT vendors who stated they don’t support virtualization.
Look at this list, isn’t it about time OT got its act together?
It depends…
So can we move to the cloud?
We wish it was a resounding yes, but as always: it depends.
We’ve read about all the positives. But what are the caveats of moving to the cloud? Let’s share some headaches we encountered:
You now have to pivot from managing hardware to managing service contracts, which might become a full-time job depending on the scope of your Cloud environment and the number of vendors. As part of your service agreement you need to ask yourself the question: “Who will I (or my users) call when things go sideways?”
Is your data subject to regulations? Then having this data with another party from another country could pose legal problems.
Do you have the necessary expertise in house? And if another department/service provider is delivering that service for you, do they understand your needs or are they just slowing things down even more than before?
You now rely on the availability and performance of the internet connection to the datacenter(s) of your provider, and on the additional latency it introduces. Is that acceptable?
You will probably run on a supported & patched OS and software. Sounds great right? Unfortunately in OT our vendors are… ‘conservative’:
Your system might stop working because the vendor doesn’t support a recent patch. Good luck convincing your vendor to fix that bug asap…
Equipment often comes with its own management software. Newer versions of that software are available but don’t support your old but functional equipment, and the old software requires Windows XP. All of a sudden the lifecycle of your hardware is shortened and your update is costing you 10-100k€ in new equipment.
If you are running SaaS: how easily can you integrate the data with other systems? Most will be happy to ingest your data and keep you in their ecosystem. What are the barriers, both technical and commercial, that you need to overcome when you want to get your data somewhere else?
Some guidelines
This is all good, but how can you actually proceed? We can help you make a decision using our favorite ISA-95/Purdue model
Level 4: IT enterprise systems
No discussion here.
Cloud (IaaS to SaaS) is probably even the default here.
Level 2: Automation Layer: PLCs, DCS, SCADA
Not gonna happen.
These systems use direct cabling and require very low latencies. You’re not going to connect your sensors using 4-20mA cable pairs to the cloud without a local component.
This is important: it means that if you have a decently sized automation installation you’ll need local infrastructure: at least a closet with ventilation and managed physical access.
It isn’t rare to find all the additional level 2 and 3 servers and firewalls in there. That also means that securing and patching these systems will still be your responsibility!
Level 3: MES/MOM
It depends.
Level 3 sits at the intersection of the local world of plant automation and global enterprise systems. This duality will be reflected in your landscape.
You’ll have central components that look like any modern IT application. Those can surely be deployed in a cloud environment or be used as SaaS.
…But you can’t go without local components:
Security: Connecting your PLC and DCS systems directly to the cloud (even private ones) is a serious security risk. We’re not only talking about data leaks but actual physical security. If somebody enters your HVAC system (Cooling & Heating System) your greenhouse might become too cold or warm and ruin the crop. If we’re talking about a plant with dangerous chemicals it could be even worse.
Technological: Long lifecycle times and the lack of innovation in this space mean that most plant automation systems use protocols from before the internet was born. Even though OPC-UA has been knocking on the door for the past 15 years, the reality is that most production environments will not work well with regular IT software.
For example: most control systems cannot deal with the instability of larger networks (e.g. they will not queue their messages properly). This means guaranteed data loss if you want to connect a DCS over the internet.
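The data-loss argument above, as an added Python simulation that is not part of the original post: a controller that does not queue its messages loses every sample produced while the WAN is down, while a local store-and-forward component rides out the outage (until its buffer is exhausted). The outage windows, sample values and buffer sizes are constructed for illustration.

```python
from collections import deque

def link_up(t, outages):
    """Constructed link model: the WAN is down during each [start, end) window."""
    return not any(start <= t < end for start, end in outages)

def direct_sender(samples, outages):
    """Fire-and-forget, like a control system that does not queue:
    a sample produced while the link is down is simply gone."""
    return [(t, v) for t, v in samples if link_up(t, outages)]

def store_and_forward(samples, outages, buffer_size):
    """Local edge component: samples are queued and flushed in order once the
    link returns. The bounded buffer still drops the oldest samples when an
    outage outlasts it, so size it against the longest outage you must survive."""
    queue, delivered, dropped = deque(), [], 0
    for t, v in samples:
        queue.append((t, v))
        if link_up(t, outages):
            delivered.extend(queue)   # simplification: enough bandwidth to catch up at once
            queue.clear()
        elif len(queue) > buffer_size:
            queue.popleft()           # oldest reading is lost
            dropped += 1
    return delivered, dropped

SAMPLES = [(t, 20.0 + 0.1 * t) for t in range(60)]  # constructed: one reading per second
OUTAGES = [(10, 15), (30, 42)]                      # constructed: WAN down for 5 s, then 12 s

def run_demo(buffer_size=10):
    """Return (produced, delivered_direct, delivered_buffered, dropped, still_in_order)."""
    direct = direct_sender(SAMPLES, OUTAGES)
    buffered, dropped = store_and_forward(SAMPLES, OUTAGES, buffer_size)
    in_order = all(a[0] < b[0] for a, b in zip(buffered, buffered[1:]))
    return len(SAMPLES), len(direct), len(buffered), dropped, in_order

if __name__ == "__main__":
    produced, direct, buffered, dropped, in_order = run_demo()
    print(f"produced={produced} direct={direct} buffered={buffered} "
          f"dropped={dropped} in_order={in_order}")
```

With a 10-sample buffer the 12-second outage still costs two readings; a buffer sized to the longest expected outage loses none, which is exactly the role a local component plays in front of a DCS.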
Cost: People saying that the cloud is cheap clearly aren’t looking at the bills. Calculate and monitor your costs instead of assuming. Jeff Bezos didn’t get to be the richest person on earth by selling AWS services for cheap.
In Summary: there is no right answer
Sorry, no silver bullet today. But what is certain is that the extremes probably aren’t what you should aim for.
Not using cloud solutions and technologies at all means you’re missing out on one of the most important innovations in IT.
Believing that everything can go in the cloud is too simplistic a view and probably ends up in high costs, failed projects and security breaches.
Our rule of thumb:
Use the Purdue level concept as a rule of thumb to get started.
→ Level 2: Nope
→ Level 3: Maybe
→ Level 4: Definitely
Will the component/software be managed centrally and/or used across multiple locations?
→ Check out how you can save yourself time and money by moving to a cloud service.
Is it something that connects directly to DCS/SCADA and/or is only used in one location?
→ Check if you can’t simply extend the existing local infrastructure at lower cost and risk.