The Risks And Rewards Of Cloud Connected Scada
Intro - The promises of SCADA
SCADA (Supervisory Control and Data Acquisition) systems have always promised improvements in efficiency, productivity, and reliability. If you just collect lots of data from the production floor and throw it into a database, you can use this information to eliminate downtime, optimize production rates, prevent quality defects, etc. Right? Well, in theory, yes. In reality, most SCADA systems have been collecting data for years while failing to deliver on these promises.
A common phrase among SCADA users is “There is no R in SCADA”, referring to the lack of reporting capability. Sure, you can ask your IT department to write a bunch of queries, or you can buy reporting packages to put the data into charts and tables, but this falls well short of providing the actionable business intelligence you need to improve productivity. What you need are tools like OEE (Overall Equipment Effectiveness) software that provide interactive ways to analyze downtime, quality, and production rates, with drill-downs to uncover root causes. From there you can add artificial intelligence (AI) software for predictive maintenance, predictive quality, digital twins, etc.
The problem is that most companies struggle just to maintain their SCADA systems. Every security patch to the Windows operating system or to the antivirus software can have a ripple effect that requires you to upgrade your SCADA system. When there is any software error in the SCADA system, your engineer needs to call the SCADA hotline, where they are typically told “Try installing our latest upgrade. Maybe that will fix it.” These frequent upgrades are time consuming for the engineer and may actually increase the downtime you were hoping to prevent in the first place.
Telling your engineers that they now also need to support OEE and AI software makes the local support requirements orders of magnitude worse. So what’s the solution?
The Benefits of Software as a Service
Software as a Service (SaaS) is a cloud hosted architecture where the cloud vendor manages not only the physical servers but also the software, including the OS, middleware, and applications. Using SaaS eliminates most of the local support issues associated with traditional on-premises software. The cloud hosting company is responsible for maintaining all the software, including upgrades to the operating system, the reporting and analytic packages (OEE, predictive maintenance, and other AI), communication drivers, database maintenance, etc. Since most cloud systems run on redundant servers with backup power generation, the system rarely if ever goes offline.
But how do you run the equipment if your plant temporarily loses its internet connection? There are two ways to address this. One option is to keep your local SCADA system for local operator interface functionality. The SCADA system would continue to provide operators with a local view of the system and allow them to start and stop equipment, change setpoints, and acknowledge alarms. The SCADA system would collect data from the PLCs and push it to the cloud server.
The other option is to eliminate local SCADA entirely by using a local operator interface touch screen to start and stop your equipment or change setpoints. In this scenario, edge node devices would collect data locally, buffer it during network outages, and push it to the cloud server once the connection is restored.
What about Cybersecurity?
When I talk to people about cloud hosted services for industrial equipment, oftentimes the immediate response is “The IT department will never let us connect”. The IT department’s cybersecurity concerns are well founded. We should absolutely be cautious when it comes to connecting industrial manufacturing equipment to the internet. The IIoT is like fire - extremely dangerous if used carelessly, but incredibly valuable if used safely and responsibly for a specific purpose.
Most IT departments will object to firewall holes and VPN access by third party companies, and they should. When you do online banking, you never ask the bank for a VPN connection into their network. You connect to your account using an encrypted TLS tunnel with signed security certificates. This same approach can be used by an edge node or a local SCADA server to connect to the cloud. The connection is initiated outbound from the SCADA PC or the edge node, either directly through an open outbound port or through a proxy server, so no inbound firewall hole is needed. This approach should be the minimum security level for connecting equipment to the cloud.
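As an added example that is not part of the original article, the following Python sketch puts together the two pieces described above: an outbound-only TLS client context that verifies the cloud server's certificate (the online-banking model), and a bounded store-and-forward buffer of the kind an edge node uses to hold readings during an internet outage and replay them in order afterwards. The SaaS ingest endpoint is a constructed stand-in, and the tag name and values are made up; the buffer bound shows how a long outage degrades (oldest samples dropped and counted) instead of growing without limit.

```python
import json
import ssl
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

def outbound_tls_context() -> ssl.SSLContext:
    # Outbound-only client TLS: the cloud's certificate is checked against trusted CAs
    # and its hostname is verified, so no inbound firewall hole or third-party VPN is needed.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated so the policy is explicit
    return ctx

class EdgeNode:
    # Store-and-forward: readings queue locally while the link is down and replay in order later.
    def __init__(self, send: Callable[[str], bool], max_buffer: int = 10_000):
        self.send, self.max_buffer = send, max_buffer   # send() returns True only if the cloud accepted
        self.buffer: Deque[Dict] = deque()
        self.dropped = 0
    def record(self, tag: str, value: float, ts: int) -> None:
        if len(self.buffer) >= self.max_buffer:   # bounded: drop (and count) the oldest sample
            self.buffer.popleft()
            self.dropped += 1
        self.buffer.append({"tag": tag, "value": value, "ts": ts})
    def flush(self, batch_size: int = 100) -> int:
        sent = 0
        while self.buffer:
            batch = [self.buffer.popleft() for _ in range(min(batch_size, len(self.buffer)))]
            if not self.send(json.dumps(batch)):
                self.buffer.extendleft(reversed(batch))   # link down: put the batch back, order kept
                break
            sent += len(batch)
        return sent

def simulate_outage() -> Tuple[List[Dict], int]:
    link, received = {"online": True}, []   # constructed stand-in for the SaaS ingest endpoint
    def cloud_accept(payload: str) -> bool:
        if link["online"]:
            received.extend(json.loads(payload))
        return link["online"]
    node = EdgeNode(send=cloud_accept, max_buffer=5)
    node.record("line1.rate", 120.0, ts=1)
    node.flush()                            # normal operation: delivered immediately
    link["online"] = False
    for ts in range(2, 9):                  # 7 samples arrive during the outage; only 5 fit
        node.record("line1.rate", 118.5, ts)
    node.flush()                            # nothing leaves; the newest 5 stay buffered
    link["online"] = True
    node.flush()                            # replay in timestamp order after reconnection
    return received, node.dropped
```

Running simulate_outage() delivers the pre-outage sample plus the five newest buffered samples (timestamps 1, 4, 5, 6, 7, 8) and reports two dropped readings, which is exactly the loss a practitioner should size the buffer against.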
For even greater security, you could consider using a data diode. A data diode contains two separate processors. One connects to the plant floor network, the other to the cloud via the internet. The only connection between the two processors is a single fiber cable that allows data to be sent from the plant side to the cloud side. The plant has full control over which data values are sent out, and because there is no physical return path, it is impossible for any data or security threats to come into the plant through this device. Data diodes are commonly used in the most security conscious applications, such as aerospace and power generation utilities, and are becoming more common in manufacturing environments as well.
Using cloud based Software as a Service (SaaS) for reporting and analytics can streamline your path to downtime analytics, production efficiency, and predictive maintenance while reducing operating costs. All this comes at a fraction of the price of traditional in-house software and on a timeline of weeks rather than months.