Six Reasons Power Leaders Are Moving to Cloud GE Power


The Cloud Advantage: Six Reasons Power Leaders Are Moving to Cloud
GE Power

With the advent of the Industrial Internet come the challenges of scale and speed. Scale is required to consolidate and manage massive volumes and varieties of dynamic and time-series machine data. Speed is needed to leverage this data with analytics in real-time. The imperative for industrial IOT is a secured environment with capacity to grow at the speed of machine data and the technical infrastructure to apply sophisticated analytics that drive insights for more profitable business decisions for industrial companies. Consumer, enterprise and industrial companies are turning to cloud computing as a means to solve for speed and scale and to lay the groundwork for competitive advantage in the future.

According to Gartner, the uptake in the use of cloud services is accelerating rapidly. Gartner forecasts that total annual spending on public cloud services will nearly double within four years, from $152 billion at year-end 2014 to over $282 billion in 2018. [1]

[Figure: Public Cloud Spending Outpaces Every Other IT Spending Category [2]. Series: Public Cloud Services, Data Center Systems, Enterprise Software, IT Services; years 2014 to 2019. Source: Gartner webinar: Living in a World of Hybrid IT, Ed Anderson, September 24, 2015.]

According to the International Data Corporation (IDC) Worldwide Quarterly Cloud IT Infrastructure Tracker, for the five-year forecast period, IDC expects that cloud IT infrastructure spending will grow at a compound annual growth rate (CAGR) of 15.1% and will reach $53.1 billion by 2019, accounting for 46% of the total spending on enterprise IT infrastructure. At the same time, spending on non-cloud IT infrastructure will decline at -1.7% CAGR. [3]

Power generation companies, in particular, are poised to drive operational transformations with the Industrial Internet. They are examining ways to reduce operating costs, leverage insights for greater production consistency and to create a market advantage using Big Data and analytics.

In a recent global survey of senior executives from power generation companies conducted by GE and Accenture, these leaders identified cloud as a key component of their Big Data analytics approach for the future. This strategy, with its clear endorsement of cloud technologies for future deployments, also indicated that different cloud models are being applied, between public and private, with a slight preference for private cloud by power companies (as shown on the right). Due to regional data privacy considerations, many Industrial IOT projects will begin with a hybrid approach of on-premise and private cloud implementations. For these companies, as in-region public cloud capabilities are available, operations and IT staff will be able to identify areas that should be migrated to a public cloud environment to gain economies of scale and speed.

[Figure: Power Company Future Cloud Strategies. Public Cloud 32.5%, Private Cloud 39.5%, On Premises 28%. Source: GE and Accenture: Industrial Internet Report for 2015.]

[1] Gartner, Building a Solid Foundation for Choosing and Managing Cloud Service Providers, Kyle Hilgendorf, June 15, 2015
[2] Gartner, Living in a World of Hybrid IT Webinar, Ed Anderson, Research VP, September 24, 2015
[3] IDC press release, IDC Forecasts Worldwide Cloud IT Infrastructure Market to Grow 24% Year Over Year in 2015, Driven by Public Cloud Datacenter Expansion, 5 Oct 2015

The Cloud Advantage. © 2015 General Electric Company. All rights reserved.

Six Reasons for Cloud Adoption

As the Industrial Internet gains momentum across power companies, it is clear there is significant business value from collecting machine data for insights into assets and operations. Doing this at massive scale dictates a new operating environment in the cloud with capacity to deliver the right levels of storage and computing power. There are six key advantages that leading Industrial companies are gaining by leveraging cloud infrastructure:

[Sidebar: Power Executives Highlight Urgency [4]. 93% put Big Data analytics in top 3 priorities. 31% make it their #1 priority. 50% urgency driven by Board of Directors. With this sense of urgency, the cloud approach is a key enabler to achieve objectives around Big Data and analytics.]

1. Speed to Implementation and Innovation: The ability to rapidly develop and deploy means a competitive edge and the ability to speed business benefits. Cloud architecture delivers this with:

- A ready platform for deployment, without delays of on-premise design, procurement, setup, testing and production hardening.
- A standardized approach for applications development, creating more rapid deployments as development teams use the same environment and take advantage of cloud-based microservices (see page 4).
- The ability for self-service so that application teams can provision new environments for development/testing and speed time to market.
- Additional services and applications to be built by third parties, delivering new capabilities from an industry-wide ecosystem.

According to Gartner Analyst David Mitchell Smith, "To date, there have been very few security breaches in the public cloud - most breaches continue to involve on-premises data center environments." [5]

2. End-to-End Security: Industrial companies need assurance that their critical data assets are protected and overall risk reduced. Although dependent on the particular provider (See Predix Cloud, page 6), security in the cloud can be especially robust for the following reasons:

- Cloud providers make investments in security software, capabilities, processes and personnel that are leveraged across multiple customers, raising the overall security profile.
- With cloud the direction for IOT processing, cloud providers are attracting and securing key security talent wishing to work where the security market is trending.
- Reduced variation in a cloud environment means that strict security software and standards can be implemented and enforced across the entire system, unlike on-premise solutions, which can occupy various solution architectures. This simplification and visibility can lock down security holes while keeping flexibility of system administration required for specific domain ownership.
- Security updates can be rapidly pushed in a cloud environment for continuous deployment of the latest security patches and fixes.

3. Lower Costs: Traditional approaches to systems implementations require IT teams to purchase and configure hardware with large up-front capital outlays. For the industrial IOT space, this can be especially challenging as the volume of machine sensor data can scale rapidly as new operating assets are connected for monitoring. Further, support requirements for on-site infrastructure can be costly, especially for multi-site implementations. Moving to cloud offers significant savings by reducing:

- Initial capital outlay for a large scale Big Data platform, with associated design efforts, hardware costs, load balancing, networking and backup environments.
- Total Cost of Ownership (TCO) for support and maintenance of large-scale IOT environments, including personnel for 24x7 IT support, license fees, security personnel, administrators and supervisory support.
- Opportunity Costs, from being able to reinvest IT costs in other areas of the business, especially for large-scale IOT implementations.

[4] GE and Accenture, Industrial Internet Report for 2015.
[5] Gartner, The Top Ten Cloud Myths, David Mitchell Smith, October 1, 2014, Gartner Foundational June 30, 2015

4. Ability to Scale: Many industrial companies have collected machine data using on-site historian environments. However, with advances in data storage capabilities, sensor technologies, analytic data science and networking capacity, the possibilities with industrial IOT are expanding at a rapid pace, a pace that on-premise systems will be challenged to match. With the cloud service delivery model, customers can specify the right amount of compute and platform resources they need today, and scale up and down rapidly and cost-effectively, as their requirements change. This is needed as new data-producing sensors are added to operating environments and operations are transformed to leverage insights from this data. The ability to add capacity on-demand means reduced interruption in service and benefits as industrial companies scale out their monitoring operations to be cross-enterprise and global.

5. Ubiquitous and Global Visibility: One of the key requirements of an Industrial Internet platform is its ability to support a global model so that data can be aggregated and analyzed across operating geographies in order to enable quick actions and business optimizations. In the GE/Accenture survey of power generation executives, 31% cited the issue of consolidating disparate data as a barrier to adopting data analytics. Further, 50% stated that they lacked the talent to consolidate and interpret disparate data. The ability to consolidate data to the cloud and provide visibility across multiple physical locations is of particular use to power companies to:

- Evaluate, in real-time, the performance of each plant to assess their ability to meet market demands.
- Understand where vulnerabilities exist for power short-falls and outages before they become real production problems and potentially shift capabilities to other locations.
- Provide visibility to power production KPIs, financial/cost analysis and capital planning data across locations for stronger bottom line results.

6. Failure Isolation with Microservices: Cloud-based microservices are reusable software modules that can be leveraged as building blocks to rapidly create applications. Because they are developed and delivered as discrete services, they can be loosely-coupled into applications without the complexity and dependencies of traditional, monolithic application architectures. And because microservices can be developed as separate, stand-alone components, the microservices architecture provides a level of isolation, enabling small teams of developers to deliver new capabilities and to version existing services (such as Connectivity, Asset, Field Agent, Time-Series) incrementally, enabling much faster innovation than traditional approaches. In a recent paper around cloud-native applications, author Matt Stine states:

"By composing systems from microservices, we can limit the scope of a failure in any one microservice to just that microservice, but only if combined with fault tolerance. It's not enough to decompose a system into independently deployable components; we must also prevent a failure in one of those components from causing a cascading failure across its possibly many transitive dependencies." [6]

"Our cloud architecture supports customers' varying degrees of opportunities to be found in the Industrial Internet, from capturing and analyzing time series data generated by the multiple sensors on a gas turbine, to delivering large object data like a 3D MRI image to a doctor for diagnosis. If you have really important things generating a variety of big data at velocity, we can help manage it, demystify it and turn it into actionable insight."
Bill Ruh, CEO of GE Digital and Chief Digital Officer of GE

[6] O'Reilly Media, Migrating to Cloud-Native Application Architectures, Matt Stine, 2015.

Impacts of Moving to the Cloud

The introduction of a cloud environment brings benefits of cost reductions, operating efficiencies and organizational transformations for industrial companies. Common functions will change when an organization moves to cloud, especially for industrial companies who have a need for visibility to multiple plants/locations.

Architecture Design and Implementation
- Traditional On-Premise Approach: Individual design, procurement and installation effort is incurred for each physical location, involving IT, Ops, Finance and Network Operations.
- Cloud Approach: Commission new partition with near-immediate access to begin development.
- Positive Cloud Impacts: Incrementally faster setup. Reduced capital outlay for new projects. Greater environment consistency across regions and development efforts.

Code Development/Testing/Deployment
- Traditional On-Premise Approach: Code migration and new environments typically involve intervention by central IT support, which can be time consuming and potentially error-prone. Variations between on-premise environments mean higher risks of unplanned issues due to dependencies and incompatibilities.
- Cloud Approach: Cloud-based microservices encourage code reuse. "Provisioning a new application environment by making a call to a cloud service API is faster than a form-based manual process by several orders of magnitude. Deploying code to that new environment via another API call adds more speed. Adding self-service and hooks to teams' continuous integration/build server environments adds even more speed." [7]
- Positive Cloud Impacts: Faster development and consistent design with cloud-based microservices. Environment setup on demand. Improved code migration and control.

Security Capabilities
- Traditional On-Premise Approach: Systems and networks are individually evaluated for security vulnerabilities. Dependencies must be identified between environments to assess security risks. Multiple security handling procedures must be documented and followed by operations staff.
- Cloud Approach: Common cloud architecture yields standardized security vulnerability assessments and control. Security software patches and procedural changes can be applied globally, through centralized security team.
- Positive Cloud Impacts: Ability to react and fix security violations rapidly, across production environment. Full security monitoring across cloud environment.

Infrastructure Maintenance and Support
- Traditional On-Premise Approach: Support staff are hired and retained for hardware, software, security and network operations. Potentially duplicate support staff positions at each physical location.
- Cloud Approach: Specify support Service Level Agreements (SLAs) as part of cloud contract to provide production responses and escalation procedures.
- Positive Cloud Impacts: Lower support costs. Access to most qualified IOT support expertise in a centralized support environment.

Asset Connectivity and Management
- Traditional On-Premise Approach: Assets are managed via a multitude of vendor-specific systems, rigid coupling of machine software and hardware, tedious retrofitting of legacy machines and limited correlation of data, events, alarms and alerts.
- Cloud Approach: Connect all operating assets across geographies regardless of vendor or vintage. Decouple machine software from hardware with software-defined machines. Distributed computing with analytics running at sensors, controllers, gateways and cloud can meet fluctuating business needs. Vendor-agnostic solutions with standard interfaces apply across machines and legacy machines that are easily retrofitted with a standard mechanism.
- Positive Cloud Impacts: Lower OpEx due to reduced downtime through easier and faster software updates and scheduled hardware upgrades. Extended lifespan of machines by retrofitting and upgrading software without mechanical modifications. Improved operator response with deeper insights from consolidated data and scalable decision-making by analytics running on-premise and in the cloud. Ability to meet fluctuating business demands by harnessing cloud to drive machine capabilities with analytics.

[7] Migrating to Cloud-Native Application Architectures, Matt Stine, 2015, O'Reilly Media.

Predix: A Secure Cloud Infrastructure

Predix™ cloud delivers a unique approach to industrial data security. GE has invested in building an end-to-end industrial cloud infrastructure in secured data centers including both hardware and software. With Predix cloud, customer production data is not shared by other cloud services. Instead, all Predix cloud data is handled exclusively in a managed community cloud. This cloud space is a complete, end-to-end hardware and software environment, built exclusively for industry, and managed by GE to meet the demanding requirements of industrial businesses. This model of a managed community cloud offers the best of both security and functionality.

Predix cloud has security embedded at every level of the cloud stack. This specialized approach offers industrial-grade security. Every layer is monitored and scanned for vulnerabilities. Predix cloud features network-level security sniffing and traffic management far beyond anything available in the public, commercial cloud marketplace. Capabilities such as two-party encryption, support for end-to-end chain of custody reporting for code and data, and a 24/7 security operations center provide a level of security and governance that would be out of reach for most one-off corporate data centers.

Predix is built by industry for industry to run industrial workloads. Unlike traditional public cloud services, which are open to any individual or organization, Predix is based on a gated community model to ensure that tenants of the cloud belong to the industrial ecosystem, reducing the risk of bad actors entering the community. Support for various data governance, federation and privacy needs is included, as well as stringent security requirements such as perimeter security, data security, access control and data visibility.

Predix Cloud Security

Data security is built into the Predix environment from the machine's edge all the way to the cloud through application development and production.

[Figure: The Predix Cloud. Diagram labels include Intelligence, Identification, Inspection, Continuous Monitoring, Platform Hardening, Industry Governance & Certification, Vetting, Segmentation, Isolation and Resilience, around Predix Machine, Cloud Foundry, services, analytics, data infrastructure and applications for industries such as Energy, Healthcare and Transportation.]

"The Predix™ cloud solution is projected to extend the life of RasGas assets, as well as lower operating costs through greater efficiencies. This Software Defined Operations will provide RasGas with deeper insights into their plant operations to enable more forward looking decisions, in turn providing inputs for how to manage their business operations."
RasGas Company Limited, one of the world's premier integrated Liquefied Natural Gas (LNG) enterprises, established in 1993

Governance and Certification to Secure Operational Infrastructure

In addition to security, Predix cloud prioritizes regulatory compliance and data governance. Predix has adopted an ISO 27001 / 27002 based Information Security Management System and the Cloud Security Alliance based Common Controls Matrix (CSA-CCM) for building a security governance and controls framework. This will help support more than 60 regulatory and compliance frameworks. The structure of a managed community cloud allows GE to meet stringent regulatory requirements in ways that IT-focused public clouds cannot. With Predix cloud, GE is accountable for the safeguarding of Industrial Internet information: managing OT data, customer SLAs, security, support and export controls.

- CSA / CCM 3.01: The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider (GE Digital - Predix PaaS). The CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains. CCM also provides a customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST and NERC CIP.

- ISO 27001 / 27002: Developed by the International Service Organization for Standards (ISO), this specifies the requirements for establishing, implementing, maintaining and continually improving information security within the organization. Once certification is attained, it provides users of the service comfort that security standards are being followed, thereby reducing time and resources needed to address customer-mandated audits/reviews.

- SOC 2 Type 1: Developed by The American Institute of Certified Public Accountants (AICPA), a Service Organization Control (SOC) report provides insight on internal controls and risks to Users for services provided by a third party service organization (GE Digital - Predix PaaS). A SOC Type 1 report is a point-in-time assessment and reports on the fairness of management's description of the processes and design of the controls.

- SOC 2 Type 2: Developed by AICPA, a Service Organization Control (SOC) report provides insight on internal controls and risks to Users for services provided by a third party service organization (GE Digital - Predix PaaS). A SOC Type 2 report covers the fairness of management's description of the processes and design of the controls (test of effectiveness of controls) throughout a specified period.

- FedRAMP: Administered by the US General Services Administration (GSA), the Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Once certified, it would provide government agencies greater confidence in using the GE Digital - Predix PaaS.

- HIPAA: Enforced by The Office for Civil Rights, the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information. This certification would provide Predix customers that store and manage patient health information greater confidence in using the GE Digital - Predix PaaS.

- Export Controls / ITAR: The U.S. government regulates the transfer of information, commodities, technology, and software considered to be strategically important to the U.S. in the interest of national security, economic and/or foreign policy concerns. Non-compliance with export controls can result in severe monetary and criminal penalties on both individuals and corporations, including the loss of government contracts and inability to export items.

- PCI: Compliance with the Payment Card Industry's Data Security Standard (PCI DSS) means that your systems are secure, and customers can trust the service provider with their sensitive payment card information.

[Callout: 50 million data elements GE monitors daily for our customers' fleets of GE and non-GE equipment toward no unplanned downtime]

The Predix Security Profile

GE has combined security certifications, hardware, software, expertise and sound practices to create an environment of trust for industrial companies.

Platform Hardening
- The platform and the underlying infrastructure are hardened to remove unnecessary services, applications, and network protocols, configure OS user authentication and to configure resource controls appropriately
- Automated and manual controls are deployed to identify and patch system vulnerabilities
- Common and layer identity for users, devices, software and data are enforced
- Unified and clean run-time environments are provided

Secure Industrial Applications
Capability to validate and trust apps.
- Experts in OT/IT security designs that can help reduce time to deploy secure apps.
- SAST, DAST, artifact integration and automation
- Code vaulting and vetted delivery
- Routine Predix Red Team assessments
- DevOps security evaluations for platform base code

Continuous Monitoring for Visibility
End-to-end platform and infrastructure visibility to ensure trust
- Full Security Operations Center (SOC) and tooling
- Automated isolation and monitoring of incidents
- App-to-app behavioral evaluation
- Maintain chain of custody for data communities

Predix PaaS Security Responsibilities

Physical security for hardware infrastructure

Isolation of customer environments
- To ensure business environment and data are hidden from other customers
- To protect customer privacy

OS security
- Hardening and maintaining base OS images for provisioned Virtual Machines based on Predix hardening standards and related guidelines developed to comply with ISO27002/01 and SSAE16 SOC 2 standards and industry best practices

Hardware security
- Architect and securely deploy hardware for the cloud infrastructure based on Predix hardening standards and related guidelines developed to comply with ISO27002/01 and SSAE16 SOC 2 standards and industry best practices

Secured storage
- Providing encrypted block and object storage with associated services

Secured data in transit within the cloud network
- Securing the network (using IPSec and SSL/TLS protocols) based on controls defined in Predix hardening standards and related guidelines

Federated identity management
- Tools to use existing identity stores and remove the burden of identity management
- Secure single sign-on (SSO) services for access to Predix cloud

Vulnerability and patch management
- Test and update software/hardware based on security advisories and regular vendor patch releases utilizing proper change management procedures

Monitoring and logging
- Actively searching for network intrusion, malicious activities, and compliance policy violations that are a threat to the infrastructure
- Communicating and remediating any incidents

Rigorous risk assessments against the cloud infrastructure
- Perform penetration testing and compliance scanning to detect any vulnerabilities and compliance violations and quickly remediate them
- Perform assessments against security controls and procedures

Predix Cloud Global Footprint

As part of the GE Predix cloud roadmap, Predix cloud services will be offered in the Americas, Asia Pacific and EMEA regions. These locations are being selected based on provider diversity, network peering, technology capabilities, privacy considerations, customer needs and security considerations. All data center locations will be ISO27002, SSAE SOC II compliant data centers and are either Tier 3 or Tier 4 levels based on the Uptime Institute Standards.

[Figure legend: Zone Committed, Zone Planned]

Network Infrastructure

GE provides dual connectivity across the network for Predix at each point of potential failure for reliability, redundancy and site availability.
- Multiple, high-bandwidth, burstable (to 10 gig) Internet connections from Predix data centers to Internet Service Providers (ISPs) to accommodate massive transmission volumes.
- Dual connections between Predix data centers are designed with Dense Wavelength Division Multiplexing (DWDM) links with different paths to protect against site failure.
- An out-of-band connection provides an alternate route of connectivity.
- Each ISP provides a /24 address space in each region.

$1 Trillion industrial assets GE secures and monitors continuously

Predix Machine: Integrating On-Premise Needs with Cloud Computing

The vision of the Industrial Internet is to connect brilliant machines, analytics and people in a way that enables both asset and operations optimization with benefits ranging from improved fuel utilization to pushing the performance of individual assets through predictive analytics that can learn how equipment degrades more accurately. Due to the demands of storage and compute requirements, most of this will occur in the cloud. However, there are control systems and software required to be on-premise to consolidate data with machine sensors and actuators, orchestrate machine applications, prepare data transmission to the cloud and execute edge analytics that are extremely time sensitive and require immediate response.

The primary responsibility of Predix Machine is to provide secure, bi-directional connectivity to and management of industrial assets (GE or Non-GE), while also enabling applications (analytical and operational services) at the operations site. The latter is particularly important for delivering near-real-time processing in controlled environments. Predix Machine can make equipment or devices more intelligent software-defined machines, enabling a new generation of smarter, more connected products.

Predix Machine also provides security, authentication, and governance services for endpoint devices. This allows security profiles to be audited and managed centrally across devices, ensuring that assets are connected, controlled, and managed in a safe and secure manner, and that critical data is protected and readily available for audit purposes.
This hybrid environment, on-premise integrated with cloud with a variety of data collection mechanisms (see below), makes it possible to create a new, different type of operating environment where hardware, communications, configuration tools and user experiences can be seamlessly interconnected to build a full range of system capabilities for greatest business benefit.

On-Premise Data Transmission Mechanisms

[Figure: three on-premise-to-cloud paths into Predix Cloud. On Gateways: sensors/devices 1 to n connect over IT/OT protocols to a gateway. On Controllers: a machine controller connects through a gateway. On Sensor Nodes: sensor nodes connect through a gateway or direct to cloud.]

- On Gateways: The gateway acts as a smart conduit between the cloud and the machines; provides connectivity to assets via a variety of IT or OT protocols.
- On Controllers: Enables industrial and commercial assets that previously operated stand-alone to be connected to the cloud for data collection and analytics.
- On Sensor Nodes: Leverages low cost intelligent sensors deployed on or near the assets, which transmit data (directly or through a gateway) to the cloud.

The Future of the Industrial Internet in the Cloud

As more industrial companies move to create transformational strategies around the Industrial Internet, they will be faced with choices for data management, security and IT infrastructure. The difference between managing data for internal enterprise and that of industrial control systems is profound. These are systems that control electricity, water, transportation and other critical functions for working cities, ones that have different signatures and protocols that require a unique set of security capabilities and a robust global infrastructure. GE, with its level of investment in Predix, the cloud platform for the Industrial Internet, combined with decades of operations management, can singularly offer industrial companies the assurance of scale and speed they will need to succeed within a highly secured global cloud environment.

For information on Predix: www.predix.com
For information on GE Power: www.gepower.com

Copyright 2015 General Electric. All rights reserved. No parts of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage and retrieval system, without prior permission in writing from GE.