Digitalisation, including cybersecurity

Cloud computing and cloud collaboration

Cloud computing is the use of internet-based IT and computing hardware, software and services (“the cloud”). These bring a wealth of powerful computing and collaboration opportunities and are ideal for providing standardised functionality to multiple users in multiple locations. Although the chemical industries are at an early stage in the adoption and use of cloud computing and collaboration, particularly for operational technology (OT) applications, companies are increasingly recognising that the cloud provides direct and timely access to data and can provide operational efficiency and business advantages. These tools are becoming essential for organisations’ flexible work policies, including working from home. They can enable people across different geographies and organisations to work seamlessly together without ever needing to be in the same location. Large capital engineering projects can be executed with multiple vendors and third parties using shared design documents, digital twin models, etc. with minimised document control overhead.

Companies that hesitate to adopt cloud solutions and architectures risk being left behind as their competitors realise the operational and financial benefits of cloud computing and collaboration. New software will increasingly be designed and optimised for cloud deployment and may not be available to those without a cloud-friendly business environment. However, there is also a need to be circumspect when embracing new digital technologies. Cloud-based software and systems can weaken cybersecurity, and cyber attacks can result in significant or even catastrophic business, safety and environmental incidents, compromising the business’s reputation as well as having financial and operational impact. As cloud-based applications and work environments become more prevalent in the chemical industries, it is critical for chemical engineers to understand both the benefits and risks (business, safety and environmental) of these powerful tools, as they will increasingly be expected to use them by their employers and clients.

Cyber risks of cloud computing and cloud collaboration 

Cloud computing offers benefits to a business: the business has access to and pays for required resources as and when they’re needed. The infrastructure and maintenance costs are also largely outsourced, but the crux is that customers are essentially using someone else’s computer, over which they have limited or no control – a situation which has significant security implications. Cloud collaboration is the use of cloud-based environments for storing, managing, sharing and accessing documentation and other resources via a common platform. This enables real-time collaboration for remote, distributed or hybrid workforces, as well as direct access for external contributors such as contractors. The use of these services needs to be strictly managed: it is easy for employees to adopt cloud-based solutions to improve their efficiency and workflow, but this can result in uncontrolled access to company data and processes if improperly managed.

Internet-based cloud storage changes the cybersecurity risk to a company, depending on how the third party manages cyber risk relative to the company itself. In some cases, outsourcing cybersecurity may even increase the company’s security. However, a company may also decide that the cybersecurity risk of storing its data and conducting its cloud-based business activities using an internet-based cloud is too high. Rather than forgo the computing and collaboration advantages of cloud-based systems and solutions, it can decide instead to host the services in its own data centre in a private cloud that is accessible only via the company intranet. The infrastructure and maintenance can still be provided by a third party with the relevant expertise. A private cloud provides a collaborative environment with a greater degree of segregation and may be required for companies that need to separate some activities based on differences in confidentiality, security or legislative requirements. Another risk is the reliance on a third party to completely delete data when required to do so. Remnants of data can be exploited in similar ways to complete data sets if security around them is not maintained.

As well as the considerations around storing data in the cloud and enabling upwards data flow from OT to the cloud via IT, any ability of cloud-based systems to write down to the OT and infrastructure layers needs to be carefully managed, so that the safety and security of the lower levels of the control system architecture are not compromised, and those levels are not accessible, in the event of a cyber attack on the cloud services.

Cloud architecture 

The cloud consists of virtual resources on remotely accessible hardware that are accessed from client devices via a network. Data that is used in cloud computing and collaboration can be stored locally or in the cloud. A company can still take advantage of cloud-based data analytics while maintaining its own data collection, storage and access protocols and security. However, anything that is digitally accessible, whether over a public or private network, can be a cybersecurity risk.

The classic and familiar “layered” control system architecture can be largely maintained when implementing cloud-based analytics and services. Operational technology (OT) hardware, data and networks are still segregated to the lower levels and can be physically isolated if it is deemed necessary. Cloud-based data analytics can be implemented with locally stored data at plant level to improve product quality, asset monitoring, production and scheduling, and utility management, without affecting basic process control and safety systems. At the higher levels, cloud computing can improve connectivity in traditionally siloed companies and processing plants by providing a convenient central location, maintaining necessary security and separation, while removing barriers and significantly improving internal collaboration and coordination. In the context of plant or process data, this type of consolidation is sometimes called a data lake. 

Risks and challenges 

Outsourcing to a cloud provider may increase risk to the business, but in most cases this can be managed. Outsourcing data and services means that companies entrust their data, their clients’ data, and sometimes their intellectual property to an outside entity. To mitigate the risk of not storing their own data, companies should aim to fully understand the security at the location where their data is stored and encrypt it themselves before storing it in the cloud. It is important also to consider what may happen to the data if the cloud provider changes their policies, sells up, or goes out of business.  

Misconfiguration due to lack of understanding is a common issue. Some organisations may be unfamiliar with cloud infrastructure, and it’s easy to make configuration mistakes that can be exploited. In addition, the whole purpose of cloud-based solutions is to facilitate easy information sharing, but this also means that it’s easy to share information with the wrong person, who may be looking for a way in. It is critical, therefore, to ensure that all internal and external personnel with responsibility for the organisation’s cloud-based systems are properly certified and experienced.

Unauthorised access, especially if the cloud-based infrastructure and services are hosted outside the organisation’s private network, can occur via insecure interfaces or devices. These are typically well documented for ease of use, and therefore their vulnerabilities are also easy to exploit. For example, accounts may be hijacked using login information obtained in a separate data breach where an employee uses the same or similar passwords across personal and employment-related accounts. Insider threats, including intentional and accidental release of data, are particularly difficult to manage. Staff training to prevent such incidents is critical. 

Mitigating the risks 

Some of the strategies that chemical engineers’ organisations can use to prevent or mitigate the cybersecurity risks of using cloud-based infrastructure and services include: 

  • only using cloud-based storage for data that will be used in the cloud
  • carefully designing cloud solutions to make sure they meet the organisation’s security requirements, as well as complying with any local regulatory requirements. Cloud-based infrastructure can be located anywhere in the world and may not be subject to the same legal rigour as the locations in which the organisation operates
  • arranging regular “penetration testing” to assess the robustness of the current defences, and introducing new ones if necessary
  • requesting or performing regular audits and updated risk assessments of the security controls implemented by the cloud storage provider
  • organising and requiring employee participation in regular cloud security training
  • selecting a cloud provider with local data centres, and then configuring the cloud subscription to only replicate data within country
  • using cloud providers with suitable security certifications (SOC 2, ISO 27001, etc.)
  • only engaging service providers with proven capabilities, including checking that staff working on the project have relevant vendor and security certifications.

Cloud infrastructure is designed to be easy to use and highly accessible, which makes protecting the data it contains challenging. Traditional security tools and strategies used for site- or intranet-based data centres may therefore not be effective. Cloud service providers operate on a shared responsibility model, meaning some of the onus is on the organisation to ensure its data is secure. Chemical engineers will therefore need to be increasingly aware of the security implications of working in the cloud as it becomes more prevalent in industry.

