SCADA, DMZ, and the Cloud

When we talk about connecting any aspect of a SCADA system to the cloud, even in the context of cloud-enhanced SCADA, some people get a bit nervous.  The engineers and IT professionals responsible for keeping the SCADA systems safe and secure within their company will tell you that it’s best to keep their plant and the Internet on two completely separate physical networks.  And should it ever prove necessary or desirable to bring these two networks together (for example to use the cloud to extend a SCADA system), then the generally accepted best practice is to use a Data Management Zone, or DMZ.

The acronym DMZ calls up images of a demilitarized zone between warring nations, where no fighting is allowed.  That’s pretty much how it works.  The DMZ provides a layer of protection in which company services like email and web servers that are exposed to the Internet get placed in a sub-network which is isolated from the rest of the company.

Companies using a DMZ might thus conclude that it places the cloud completely off limits to them.  If their DMZ won’t allow an inbound Internet connection from a cloud system to read the data, then there is no way they can connect to the cloud, right?

Not necessarily.  Properly configured, a DMZ can allow data from a SCADA network to be sent to the cloud without exposing the plant network to the Internet.  In fact, the DMZ in such a scenario would act as a second layer of protection.  This additional protection might even prompt a company that doesn’t use a DMZ to implement one.

How does it work?  The DMZ connection is made through a computer specially equipped with two network interfaces.  One network interface is on the plant network, and the other interface can access the Internet.  Data from the plant gets routed through the first interface to a real-time middleware layer, which maintains an outbound connection to the cloud through the second network interface.  The DMZ computer itself does not route between the two interfaces, so there is no direct connection from inside the plant out to the Internet, nor from the Internet back into the plant.

If the real-time middleware is configured to reverse the client-server relationship, then the DMZ computer will have no incoming ports open in its firewall, so it will effectively be invisible to the Internet and never accept a connection of any kind.  In addition, the computers on the plant network do not need to open any firewall ports to send data to the DMZ computer.  This means the plant computers would remain inaccessible from the DMZ computer and give you a double firewall layer between the plant and the cloud.  Another advantage to this approach is that it gives the network administrator a single point of contact if he needs to cut off all data flow to the cloud server.  He just disables the connection from the DMZ to the cloud and the plant continues to operate with no interruptions.
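The host firewall policy for the dual-homed DMZ computer described above, written as an nftables ruleset. This is an added example, not the post's or any vendor's configuration; the interface names, plant subnet, cloud address and middleware port are assumed placeholders, and IP forwarding is disabled separately (net.ipv4.ip_forward=0).

```nft
#!/usr/sbin/nft -f
# Ruleset for the dual-homed DMZ host (assumed names and addresses).
flush ruleset

define plant_if   = "eth0"          # assumed: plant-facing interface
define inet_if    = "eth1"          # assumed: Internet-facing interface
define plant_net  = 10.10.0.0/24    # assumed plant subnet
define cloud_host = 203.0.113.10    # placeholder for the cloud server
define mw_port    = 4502            # assumed middleware listening port

table inet dmz {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Plant computers initiate the connection to the middleware, so the
        # only inbound service is this port, and only from the plant subnet.
        iifname $plant_if ip saddr $plant_net tcp dport $mw_port ct state new accept
        # Nothing is accepted from the Internet: no open ports at all.
        iifname $inet_if drop
    }

    chain forward {
        # The host never routes packets between the two interfaces.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # The single outbound flow: middleware to the cloud over TLS. Removing
        # this one rule is the "single point" that cuts off all data to the cloud.
        oifname $inet_if ip daddr $cloud_host tcp dport 443 ct state new accept
        # The DMZ host never initiates connections toward the plant network.
        oifname $plant_if ct state new drop
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that no chain accepts new connections on the Internet-facing interface.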

In most scenarios where a DMZ is being used to isolate a SCADA system from the cloud, the flow of data is one-way, from the plant to the cloud.  Should a user need some form of write-back capability from the cloud to their plant systems, it can also be done securely, through the DMZ if necessary.  But this is another discussion for a future blog.

Ultimately, there are a number of factors that determine the value and feasibility of using the cloud for enhancing a SCADA system.  Each of these needs to be weighed on its own merits.  Working in a system with an established DMZ, or implementing one of your own, it is possible to completely isolate your SCADA network even as you make your real-time production data more widely available to colleagues, customers and remote systems.

Cloud-Enhanced SCADA

It seems that industrial SCADA systems used to monitor and control processes in real time may someday evolve towards the cloud. Despite the doubts of skeptics and a little FUD being passed around, opportunities are beginning to arise even now. Although no one really expects to see full-blown SCADA systems in the cloud just yet, we can think of several ways to enhance a SCADA system by extending it to the cloud. Here are a few ideas:

1. Web-based HMI. Already a number of SCADA vendors are offering web-based HMI (human machine interface) connections to their systems. These provide a way for operators, engineers, and managers to view live process data in a standard web browser. Following the core requirements for real-time cloud systems and extending this kind of application to the cloud would provide people with broader access to the data at significantly less cost than traditional SCADA expansion options.

2. Management dashboards. Using a hybrid cloud system, a plant could make a partial, read-only data set available to management levels within a company. The data would be sent to the cloud through closed firewalls and displayed in a web HMI to show real-time performance and historical trends.

3. Data aggregation. A real-time cloud system could be used to connect to remote locations, aggregate the data in a single, unified data set, and then stream the data to any number of client or server systems. This type of application would benefit greatly from a data-centric infrastructure.

4. Connections to off-site facilities. With low-latency data transmission it becomes increasingly practical to connect to remote sensors in off-site locations, and relay field data directly to in-plant servers. A real-time cloud system could thus effectively support machine-to-machine data exchange over the Internet in a secure and reliable way.

5. Collaboration with suppliers and customers. Through LAN-to-LAN bridging and synchronization of a real-time cloud system, companies could more easily collaborate with suppliers and customers. Exchanging real-time production data would better streamline manufacturing processes, allowing managers to plan production based on immediate sales demand and availability of raw materials.

6. Home and building monitoring. Appliances, thermostats, machinery, or any embedded device in a home or office building with Internet connectivity could stream data to the cloud. Home owners or building managers could then access this information through web HMI or other data streams.

7. Remote system monitoring and diagnostics. Key engineers and service technicians would be able to receive the information they need to effectively resolve issues and investigate problems, using a complete up-to-date picture of the remote operation.

Cloud-enhanced SCADA can probably be used in other ways, in addition to these examples. As the cloud becomes more widely used for real-time applications, no doubt this list will be expanded. The take-home point is that although SCADA may be in the early stages of evolving towards the cloud, even now there are some real possibilities for enhancing current SCADA systems through cloud-based solutions.

SCADA and the Cloud – FUD and Facts

A lot of information and questions have been swirling through the industrial automation community over the past year or two regarding SCADA (Supervisory Control And Data Acquisition) and the cloud.  The din of voices from seasoned users, visionary cloud proponents and industry gurus has made it difficult sometimes to distinguish between true benefits, realistic options, inflated hype, and ominous warnings.  Some vendors, who are apparently more concerned about their slice of the SCADA market than helping the conversation, are adding a dash of FUD (fear, uncertainty, and doubt) into the mix.  Before holding any serious discussion, we’d like to address these issues.

FUD: Putting a SCADA system in the cloud is risky and unwise.
Fact: Agreed.  Don’t do it.  Instead, use the cloud to enhance a SCADA system.

Let’s start by eliminating the main FUD factor right from the get-go.  Nobody expects to plop a SCADA system on the cloud and have it perform as well as running it in-house.  The technology is still evolving.  What is possible right now is to extend or enhance a SCADA system by connecting it to a real-time cloud system.  Here is how the concept of SCADA enhanced by the cloud cuts through the typical FUD:

Performance

FUD: SCADA in the cloud will impact your system performance.
Fact: Cloud-enhanced SCADA keeps primary control in the plant with zero impact on system performance, while any connection to the cloud should meet the core requirements for real-time cloud for performance.

FUD: SCADA in the cloud will have speed and latency issues.
Fact: Cloud-enhanced SCADA systems can support high data rates and low latency.

FUD: SCADA in the cloud means long polling cycles.
Fact: Cloud-enhanced SCADA can be implemented on a publish/subscribe, event-driven basis, with no polling necessary.

FUD: SCADA in the cloud would require several layers of protocol conversion, resulting in poor performance.
Fact: Cloud-enhanced SCADA can be implemented using a data-centric infrastructure, eliminating the need for protocol conversion until the data arrives at its destination.

Security

FUD: SCADA in the cloud exposes your process to hackers and spies.
Fact: Cloud-enhanced SCADA keeps your process running safely in the plant, behind closed firewalls.

FUD: Cloud hosts are more vulnerable to being hacked than in-house systems.
Fact: Cloud hosts typically invest far more in security than most manufacturing companies.

FUD: SCADA in the cloud exposes sensitive data on a public network.
Fact: Cloud-enhanced SCADA should allow you to select which data points you send to the cloud and protect them with encryption and access control restrictions, if necessary.

Reliability

FUD: SCADA in the cloud means that a connection failure equals system failure and costly plant downtime.
Fact: Cloud-enhanced SCADA means that a connection failure causes momentary loss of non-essential remote HMI interfaces.  The primary control system continues to run, because it is completely independent of the cloud system.

FUD: SCADA in the cloud is vulnerable to hosting service outages.
Fact: Many hosting services support 99.9% and better up-time.  In addition, a properly designed cloud-enhanced SCADA system can provide fully redundant data paths from inside the plant firewall to inside the client firewall.

These are a few examples of how to clear up any fear or doubt, using the approach of enhancing SCADA with cloud computing.  From this perspective we can now hold a more meaningful conversation.  Next week we’ll consider some of the more practical questions: What does cloud-enhanced SCADA look like?  What can it do for me?  How can I use it to get the most out of my real-time data?

Will SCADA Evolve to the Cloud?

One of the most common applications for real-time data in manufacturing and process industries is SCADA, supervising remote processes over a network.  With the growing popularity of cloud computing, many engineers and managers in the automation sector are looking at the possibility of using the cloud for SCADA.  Are they being realistic, or just dreaming in technicolor?  Is it possible that SCADA will somehow evolve to the cloud?

The acronym “SCADA” stands for Supervisory Control And Data Acquisition.  SCADA systems connect sensors and devices in the field or factory floor to an HMI (human-machine interface), allowing plant operators and engineers to view the data in their industrial processes in real time.  This interface often supports a supervisory level of coordination and control, such as uploading new recipes to a candy-making machine, changing global settings on a wind turbine, or acknowledging a high pressure alarm for a boiler.

SCADA systems have evolved over time. The first generation systems were “monolithic”, running on mainframe computers, connecting to field devices over proprietary wide-area networks (WANs).  The second generation did “distributed” processing, using mini computers communicating with each other over a local-area network (LAN).  Communication to the field was still by proprietary protocols on WANs.  The current, “networked”, generation uses PCs and open standards such as TCP/IP and open protocols for wide-area networking.  Thus it is now possible to access SCADA systems and data from the Internet.

Do you see where this is going?  Since SCADA systems have followed the progress of computing in general, and as many view cloud computing as the next logical step in this evolution, enthusiastic visionaries foresee a fourth, “cloud” generation of SCADA, where an entire control system would be running in the cloud.

Back here on earth, most industry experts agree it would be foolish to put the primary control of a power plant, water treatment system, or railyard switching system on the cloud, as it is right now.  These kinds of mission-critical control tasks require rugged, reliable data networks and extremely fast response times.  Advocates of cloud computing may hope that Internet speed and reliability will eventually support this level of SCADA, but we have no guarantees of that today.

That said, there are other ways of using SCADA, and other uses of process data that lend themselves to real-time cloud applications.  Designed properly, with the core requirements for real-time cloud systems in mind, it is possible to put live data from SCADA systems on the cloud in a secure, reliable way.  Using specially-designed middleware that supports high data rates and low latency on a data-centric infrastructure, perfectly acceptable real-time performance can be achieved for many types of applications.

Cloud computing can be implemented in different ways.  As we explained a few months ago, a private cloud option can be implemented on-site to maximize security, or off-site to reduce costs and gain other benefits associated with the cloud.  Another possibility is a hybrid cloud, a combination of private and public clouds.  With the right kind of infrastructure in place, any of these options could support a system to meet the growing demand for providing access to data from a SCADA system to local or remote users, in real time.

Evolution is a gradual process.  It takes time, and it goes step by step.  A first step in the evolution towards cloud-based SCADA may well be some kind of cloud-enhanced SCADA.  We will talk about that in an upcoming blog, but first we need to clear up some of the fear, uncertainty and doubt surrounding the discussion about SCADA and the cloud.

Cloud-Capable “Real Time”

Our review of definitions for “real time” over the past couple of weeks has brought us to the point where we are now ready to answer the question: Is the cloud capable of real-time performance, and if so, how?  We have reviewed some of the technical definitions for “real time,” and considered some expert advice on a practical, realistic definition of “real time”.  Now let’s see whether or not the cloud really is capable of supporting real-time computing, according to these definitions.

To sum up E. Douglas Jensen at Time-Critical Technologies, real-time computing in the real world means achieving optimal system performance within given time constraints.  So, what is optimal system performance for a cloud system?  And what time constraints are we considering here?

Each cloud application has its own time constraints.  What seems uselessly slow for one set of users may be perfectly acceptable for others.  For example, in many business applications data that is just a few seconds old is considered real time.  In fact, many executives would boast about having access to up-to-the-minute data.  Managers and analysts running certain industrial applications like inventory control or end-of-shift reports have similar requirements.  When these users talk about real-time data in the cloud, delays of a few seconds or even minutes might be perfectly fine.

On the other hand, most operators working at a control panel in a plant expect to see things happen immediately.  When they click a button, the light should come on right away, not after a few seconds, or even one second later.  Values should update as they change in the process.  Trend lines should be smooth curves drawn on the page, not jagged peaks that appear intermittently.  As far as we are concerned, a cloud system that claims to be real time should be able to emulate that experience very closely.  For our purposes, then, we can define “real time” for the cloud as follows:

“Real-time” cloud: Remote accessibility to data, with local-like immediacy.

Of course, the remote aspect of any cloud application will always have an impact.  The Internet and other networks inescapably introduce latencies into the data flow.  This kind of delay in delivering the data brings to mind the US Defense Department Military Dictionary definition of “real time,” which is: “Pertaining to the timeliness of data or information which has been delayed only by the time required for electronic communication. This implies that there are no noticeable delays.”

A real-time cloud system should have no noticeable delays, or at least, no more than absolutely necessary.  Any intermediate software running on the cloud should support high-speed data throughput.  Latencies should be no more than a few milliseconds over the network latency.  The infrastructure should almost certainly be data-centric, minimizing the need to convert between HTML, XML, SQL, or other data formats.

Broadly speaking, when people are working with the system, we can aim high and set a goal for our time constraints at human response time.  The user should feel like he or she is working on a local system.  Any extra processing time over and above network communication time should be kept to an absolute minimum.  And what about in M2M (machine to machine) applications?  Here again, there should be as little delay as possible beyond any networking latencies.

Although the debate about the definition of “real time” may continue for years to come, we can glean enough for our purposes.  For our real-world applications on the cloud, we can define “real time” as achieving optimal system performance within given time constraints.  So, if we define our time constraints to be human response time, and accept the limitations of networking latencies on system optimization, then we can confidently assert that the cloud is capable of supporting real-time systems.