Security Experts:

Tech Debate: Is The Cloud Critical Infrastructure?

There’s been a lot of debate lately over the role the Cloud has within Critical Infrastructure, and whether or not the Cloud is itself a Critical Infrastructure. In a recent webinar, “Cloud Computing, and Critical Infrastructure,” it was put to debate. The later point proved nolo contendere — it was unanimously agreed that the Cloud is a technical infrastructure that could impact a nation’s safety, security and prosperity. However, there are two sides to the critical infrastructure coin: there are critical national infrastructures, upon which a nation depends, and there are critical technical infrastructures, upon which those national infrastructures depend. A nation certainly depends on power generation (as an industry), and power generation depends on safe and reliable industrial automation (as a technology).

When you think of “critical infrastructure” in terms of industrial automation and control systems—the critical technical infrastructure that drives energy—the question of whether or not cloud computing is suitable gets an entirely different response. At best, it’s rejected outright as inherently insecure. At worst, it is treated as a joke, as when little Bobby asks, “is SCADA in the cloud too?” and he’s answered “Naahh — that would be silly.”

Cloud Computing Comic - Used with Permission from “SCADA and Me” by Robert M. Lee

Used with Permission from “SCADA and Me” by Robert M. Lee

This is somewhat ironic for two reasons. One, the industrial control systems used within these industries — legacy systems that are lagging the IT world by a decade or more in terms of cyber security — are also inherently insecure. Yet we use them ubiquitously and often with nary a second thought about enforcing cyber security.

Is the Cloud less secure than an ICS, running automated systems with little to offer in terms of network identity, authentication, access control or policy? Supported by legacy computing platforms that may have gone years without being patched, and whose components and sub-systems are crawling steadily towards their rated Mean Time Between Failure?

Secondly, the cloud is already utilized within critical infrastructure. According to NIST, the Cloud is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” That all sounds good and beneficial for industrial control systems, but by NIST’s definition, a Cloud must also have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

Using this definition, cloud computing has been in used in critical infrastructure for decades: outsourced management for device support and diagnostics is extremely common, so that a small operation with limited resources can get on-demand service and support, when needed, to ensure the reliability of their operation.

Looking at more modern critical infrastructures, there’s another critical infrastructure that conceptually maps to these requirements: the Smart Grid1. With recent announcements around General Electric’s “Industrial Internet,” this becomes a direct correlation rather than an analogy: providing Smart Grid as a Service by distributing intelligence across devices that historically functioned in isolation.

It makes sense, of course: the assets used to build critical infrastructure are producing more data, and dependent upon more data. This data needs to be stored, managed and controlled, and as infrastructures expand to great scales (e.g., the Smart Grid) the same “big data” issues that enterprise businesses have been struggling with for years. The Cloud offers the same benefits (and the same concerns) to critical infrastructure data management issues.

So does cloud computing for critical infrastructure make sense? Whether it does or not, it’s clear that it’s already in use. The real question is, how can the cloud evolve to the point where it provides the trust necessary for critical infrastructures to openly embrace it? It will require governance and transparency as well as security, but if we can get there, the many benefits of the cloud can be fully embraced by critical infrastructures, evolving them to a point where they’re actually more reliable, more robust and more secure. It’s a big “if,” but one that deserves consideration.

Perhaps Little Bobby is on to something, and instead of trying in vain to shutter our windows against industrial cyber attack, we should look to the skies? … Naahh!

1 Home Energy Management Systems provide self-service. Measured service is handled by advanced metering, and Rapid Elasticity is handled by Demand Response and EMS systems. Distributed generation supports the concept of Resource Pooling. Finally, the Smart Grid provides a service (power) to consumers over a broad network known as Transmission and Distribution, and the various subsystems of the Smart Grid are highly interconnected as well.

view counter
Eric D. Knapp (@ericdknapp) is a recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. Eric is currently the Director of Cyber Security Solutions and Technology for Honeywell, and is the Chief Technical Advisor, North America for the Industrial Cybersecurity Center. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” His new book, “Applied Cyber Security for Smart Grids” was co-authored with Raj Samani, McAfee CTO EMEA. The opinions expressed here represent Eric's own and are not those of his employer.