Industrial cloud applications

AERZEN ensures the highest level of security for industrial cloud applications
In globalised markets, the digital networking and communication of industrial automation and control systems is playing a rapidly growing role. Such cloud applications enable, among other things, the remote monitoring of plant, the exchange of data between sites and the analysis of large amounts of data. It is also possible to control machines and plant, diagnose faults, and much more. This brings with it strong security requirements for users. Aerzen Digital Systems, the digitalisation specialist within the AERZEN Group, describes in the following article, using the product AERprogress as an example, how "state of the art" cybersecurity measures are implemented in both hardware and software.

Around 20 years ago, the International Society for Automation (ISA) began to define standards specifically for the implementation of secure industrial automation and control systems (IACS). Today, legislators worldwide mandate compliance with minimum cybersecurity standards for critical infrastructure, and operators of this infrastructure must report security-relevant incidents. Manufacturers of automation and network components, integrators and plant operators are also obliged to comply with the so-called state of the art in cybersecurity. This legal concept matters because technical development usually progresses faster than legislation.
State of the art is defined on the basis of existing national or international standards and norms, such as ISO/IEC 27001 or IEC 62443, or of specifications that have proven themselves in practice. Manufacturers, integrators and cloud providers are also subject to the compliance and data protection regulations of the respective countries.

The AERprogress infrastructure

AERprogress is a digital solution for global machine park management. The cloud application adds digital services to AERZEN's high-performance blowers and compressors, enabling users to monitor their machine parks across sites and national borders. Supplementary add-ons provide an overview of energy efficiency, helping to prevent efficiency losses and increasing the availability and reliability of the machines. Energy data can also be recorded in accordance with DIN EN 50001. Historical data is essential for future models and calculations.

Typically, cloud applications consist of several components and working layers, and each hardware and software component is subject to corresponding security measures. Relevant here are both the security functions of the machine controls and of the gateways themselves, and the measures taken in the development process, such as risk analyses, programming guidelines, code analyses and audits. Monitoring and adherence to these processes are equally important. In line with these security requirements, the overall AERprogress system is divided into three levels: field level, platform level and user level:
• The field level is the machine level. This is where the blower or compressor is located, for example. These machines communicate with the platform level (the cloud level) via the IoT gateway over the internet. Measures to protect against cyber attacks in accordance with IEC 62443 must therefore be implemented here.
• The platform level is the cloud application that provides the user interface in the form of a web-based dashboard (AERZEN Digital Platform). Data storage and data processing in the cloud are both secured by encryption. The subsequent data analysis uses artificial intelligence methods such as machine learning. The AERZEN Digital Platform is a cloud application based on Microsoft Azure and the Azure IoT Hub. Thus, responsibility for and implementation of cybersecurity measures rests with the provider, Microsoft. By operating multiple data centres across different countries, Microsoft ensures the highest level of redundancy.
• Users access the Digital Platform via a web browser. The connection is established via the Hypertext Transfer Protocol Secure (HTTPS). The encryption and authentication used in this process guarantee the confidentiality and integrity of the communication between the machine and the cloud. The user logs in with a personal login in conjunction with two-factor authentication via an e-mail PIN. Through appropriately assigned user levels, each user has only the access for which he or she is authorised and accredited. User management is carried out via a central administration.
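The user-level login flow described above (personal login, a second factor delivered as an e-mail PIN, then access limited to the user's assigned level), shown as an added illustration in Python; this is not AERZEN's or AERprogress's code, and the PIN lifetime, attempt limit and level names are assumptions.

```python
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 300  # assumption: an e-mailed PIN is valid for five minutes
MAX_ATTEMPTS = 3       # assumption: three wrong PINs invalidate the challenge
# Hypothetical user levels, ordered from least to most privileged.
ACCESS_LEVELS = {"viewer": 1, "operator": 2, "administrator": 3}


def _pin_digest(salt, pin):
    return hashlib.sha256(salt + pin.encode()).digest()


def issue_challenge(user, now):
    """Create a second-factor challenge after the password step.

    Returns the server-side challenge record and the PIN that would be
    e-mailed to the user. Only a salted hash of the PIN is retained.
    `now` is passed in (seconds) so the flow can be tested without a clock.
    """
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    salt = secrets.token_bytes(16)
    challenge = {
        "user": user,
        "salt": salt,
        "digest": _pin_digest(salt, pin),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
        "consumed": False,
    }
    return challenge, pin


def verify_pin(challenge, submitted, now):
    """True only for a fresh, unused, unexhausted challenge with a matching PIN."""
    if challenge["consumed"] or now > challenge["expires"]:
        return False
    if challenge["attempts"] >= MAX_ATTEMPTS:
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(challenge["digest"],
                             _pin_digest(challenge["salt"], submitted))
    if ok:
        challenge["consumed"] = True  # a PIN is accepted once only
    return ok


def is_authorised(user_level, required_level):
    """User-level check: a user sees only what the assigned level permits."""
    return ACCESS_LEVELS.get(user_level, 0) >= ACCESS_LEVELS[required_level]
```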