PROGNOST® systems are located in the OT (Operation Technology) network, on the plant floor close to the production assets. The PROGNOST® user sits in their office, and their computer is connected to the IT or business LAN. Connecting these two networks, and transferring data between them, is always a discussion point during the sales and engineering phases.
To combine security with a positive user experience, PROGNOST® offers several system architectures. This Technical Briefing outlines the most popular options.
- Storage of data in the cloud
- Storage of data in an S3-compatible drive in the customer network
- HTTP(s) gateway server or data diode
Storage of data in the cloud
Transferring monitoring data sourced in the OT network to a cloud space, and calling it a cybersecurity measure, sounds odd. Usually, IT people never use the terms "OT network" and "Cloud" in the same sentence without getting scared.
The initial idea for this approach came up when our Marine customers reported poor or no satellite connections during their cruise. In these phases, PROGNOST Customer Support could not access the systems via VPN to provide the requested consultancy and machine assessments.
What we do: We upload the analysis results, snapshots, ring buffer, logbook and configuration from the Monitoring Unit, via the Communication Unit, unidirectionally to AWS cloud storage. Using only the HTTP methods POST and PUT ensures a unidirectional data transfer. Once in the cloud, all uploaded information can be accessed and displayed with the PROGNOST® VISU user frontend. The VISU uses only the HTTP(s) GET method to read the data; writing is not possible.
Storage of data in an S3-compatible drive in the customer network
Another option is to implement the cloud environment, i.e. an S3-compatible storage, in the customer network on L3/L4. The idea here is the same: ensure that all data transfer and communication is unidirectional and always from the OT network (L1/L2) up to the IT network. This S3-compatible storage can be, for example, TrueNAS, a royalty-free solution we have qualified and implemented.
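Added example (not PROGNOST's own code or configuration) for both the cloud and the on-premises S3 options above: restricting the verbs at the client is only half of the design, because every HTTP request still receives a response, so it is the storage-side access policy that actually keeps the path one-way. The bucket ARN, the two roles and the object key are assumed, and the evaluator is a deliberately simplified model of IAM-style policy logic.

```python
"""Least-privilege storage policies for the unidirectional PROGNOST data path.
Constructed example: the Communication Unit role may only write objects, the
VISU role may only read them. Bucket ARN, role split and object key are assumed.
"""
import fnmatch

BUCKET = "arn:aws:s3:::prognost-monitoring-data"  # assumed placeholder name

# Attached to the Communication Unit: upload only, no read, no list, no delete.
UPLOADER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"},
]}

# Attached to the VISU frontend: read and list only. The explicit Deny wins over
# any Allow a later misconfiguration might add, so the path stays read-only.
VIEWER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": f"{BUCKET}/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM-style evaluation: implicit deny, explicit Deny overrides
    Allow, '*' wildcards in Action and Resource (no Condition/NotAction)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny ends evaluation
        allowed = True
    return allowed

def direction_matrix() -> dict:
    """Which direction each role can actually use against one constructed object key."""
    obj = f"{BUCKET}/snapshots/compressor-1/2024-01-01.bin"  # constructed key
    return {
        "uploader_can_put": is_allowed(UPLOADER_POLICY, "s3:PutObject", obj),
        "uploader_can_get": is_allowed(UPLOADER_POLICY, "s3:GetObject", obj),
        "viewer_can_get": is_allowed(VIEWER_POLICY, "s3:GetObject", obj),
        "viewer_can_put": is_allowed(VIEWER_POLICY, "s3:PutObject", obj),
    }
```

The same split applies unchanged to an S3-compatible on-premises target such as TrueNAS, where the equivalent bucket policy or per-user access key permissions carry the restriction.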
HTTP(s) gateway server or data diode
The use of various hardware firewalls, e.g. an HTTP(s) proxy server or data diodes, is a third option. In this case, it is possible to place a physical firewall at any point in the data route. This can start between PROGNOST®-SILver and the Monitoring Unit, between the Monitoring Unit and the Communication Unit, or from there upwards to the business LAN and the cloud. And of course, a comparable setup can be used between the visualization and the cloud.