How Pico MES Protects Manufacturing Data in Strict IT Environments

The technical details of a typical PICO deployment, including our system architecture, tool and machine connectivity capability, and IT security procedures, are detailed in our Technical Guide. For factories operating in ITAR or other strict IT environments, PICO accommodates the additional required security measures as detailed in this complementary guide.

 

PICO Server

The Pico Server is maintained, monitored, and updated by PICO personnel. You should never need to access its internal components or its operating system; treat it as a black-box appliance. Internally it runs the Ubuntu Server operating system with the proprietary PICO web application, which is used to create and maintain work instructions and to serve the operator worker-guidance screens.

 

PICO Hubs

PICO Hubs are small computers built on Raspberry Pis which serve as gateways to connect USB equipment (such as barcode scanners, printers, and USB serial testers) to the Pico Server. These Hubs can also drive HDMI output for touchscreens to run the operator interface at Pico stations.

Pico Hubs need to communicate with the PICO Server over the local network. The following ports are used between the Hubs and the Server:

  1. The Pico Hubs need bidirectional communication with the PICO Server on ports 443, 8443, and 8140, and the Server needs to connect to the PICO Hubs on port 9100. We also recommend allowing port 22 (SSH) to the Hubs for remote diagnosis if issues arise; restrict that rule to the Server's address rather than opening SSH to the Hubs from the whole network. If the Hubs and Server are on the same subnet with no firewall between them, port access is typically not an issue.
  2. The PICO Hubs have no battery-backed real-time clock, so they set their system time over NTP at boot; without an accurate clock they cannot validate the Server's HTTPS certificate, whose validity period is checked against the current time. Hubs default to *.debian.pool.ntp.org for NTP. This can be changed to a different NTP server at your request.
  3. The PICO Hubs can be joined to Wi-Fi if desired. DHCP reservations are not required for Ethernet or Wi-Fi.

 

Data

All data, including work instructions and assembly build information, is stored locally within the on-premise PICO Server. You can choose to replicate the on-premise database to a secondary location. Most users choose to replicate their local database to a PICO-controlled cloud service for business analytics purposes, but this is optional.

 

Data Backups

Pico performs nightly backups to a Pico-controlled cloud storage solution running in GCP (Google Cloud Platform). The customer can instead choose one of the following backup options:

  1. The backup can be synced nightly to local storage within your network. In this case a Windows shared drive or another file system is typically provided to us and configured on the PICO Server as the destination for the nightly backups.
  2. The backup can be synced nightly to a customer-controlled cloud storage solution, either GCP or Amazon AWS S3. In this case credentials and a destination location for the nightly uploads must be provided to our team. Scope those credentials to write access on the destination bucket only (no read or delete), so that a credential exposed from the Server cannot be used to read or destroy earlier backups.
  3. Backups can be disabled. This is not recommended: your data would be lost in the event of a catastrophic failure of the on-premise PICO Server.

 

PICO VPN

The PICO Server initiates an outbound connection as a client to our PICO VPN running in the cloud. While your PICO Server is connected to our VPN, specific PICO employees can remotely access the on-premise Server and Hubs. PICO employee access is strictly managed through a series of key-based controls which have been evaluated by expert third-party cybersecurity firms. The VPN host is firewalled with Shorewall, and the tunnel uses TLS 1.3 with a SHA-256-based cipher suite, ECDSA certificates on curve secp384r1 for peer authentication (ECDSA is a signature algorithm; the traffic itself is protected by the negotiated symmetric cipher), and a shared TLS-Auth key that authenticates every control-channel packet before the TLS handshake is processed.

Through the VPN, authorized PICO support personnel can log in to the Server over a command-line session and push software updates. PICO support personnel can also complete and troubleshoot your requests, such as bug fixes or development and integrations with datasmart systems. For strict deployments, only a limited number of PICO employees who are U.S. citizens are authorized to provide remote assistance, depending on the customer's requirements.

The PICO VPN is reachable at vpn2.picomes.com on port 443 by default; port 1194 can be used instead if it is available. Because the Server initiates the connection, remote support can be disabled at any time by blocking outbound connections to vpn2.picomes.com on your firewall. Block by the name's resolved addresses and re-check them when the DNS record changes.
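To make the tunnel parameters above concrete, here is an added illustration of what a client profile with those properties looks like in OpenVPN. It is not Pico's actual profile: the guide does not name the VPN software (the shared TLS-Auth key strongly suggests OpenVPN, which is assumed here), and the file names, the certificate name that is verified, and the transport used for the port 1194 fallback are placeholders.

```conf
# Added illustration, not Pico's client profile. Directives map to the
# properties stated in the guide; file names and the verified name are
# assumptions.
client
dev tun
nobind
persist-key
persist-tun

# 443 by default, 1194 as fallback (transport for 1194 is an assumption)
remote vpn2.picomes.com 443 tcp
remote vpn2.picomes.com 1194 udp

# Control channel: TLS 1.3 only, SHA-256-based suites
tls-version-min 1.3
tls-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256

# ECDSA (secp384r1) client certificate and key; the CA issues the server cert
ca ca.crt
cert pico-server.crt
key pico-server.key

# Only accept a peer whose certificate is marked for server use and whose
# name matches, so a stolen client certificate cannot impersonate the VPN
remote-cert-tls server
verify-x509-name vpn2.picomes.com name

# Shared tls-auth key: packets without a valid HMAC are dropped before the
# TLS handshake is processed (direction 1 on the client side)
tls-auth ta.key 1
auth SHA256

# Data channel cipher (assumption: the guide does not state it)
data-ciphers AES-256-GCM
```

The two checks worth confirming with any vendor VPN are `remote-cert-tls server` and `verify-x509-name`: without them, any certificate issued by the same CA, including another customer's client certificate, would be accepted as the server.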

 

Authentication

PICO utilizes multiple authentication methods for operators and Manage Page users. Manage Page users are able to create, modify, and deploy processes to the factory floor. Operators can only complete builds using a given process/set of work instructions.

Operators can log in to a PICO workstation either with a 6-digit PIN or by scanning the unique barcode on their user badge with a barcode scanner or badge reader connected to a PICO Hub. Confirm with PICO which lockout or rate-limiting policy applies to repeated wrong PIN entries at a station.

Manage Page users are authenticated through their company's identity provider; we currently support Microsoft and Google logins. PICO maintains a cloud-hosted account server (https://account.picomes.io) that brokers these logins with the Microsoft and Google account systems. After a Microsoft or Google login, a browser cookie keeps the user signed in on that computer until the cookie expires. The default lifetime is 7 days; it can be increased to 30 days or more as needed, but a longer lifetime also extends the window in which a copied cookie remains usable, so strict environments should keep the default or shorten it. Once the cookie expires, the Manage Page user must re-authenticate with the PICO cloud account server.

Whenever new users or operators are created, the PICO Server must reach the cloud-hosted account server to fetch the latest user list. Once that list is stored locally on the PICO Server, no outbound cloud connection is needed to log operators in with PINs or badge readers.

 

NTP Server

If outbound internet access is limited, or outbound NTP (Network Time Protocol) access specifically is limited, then an alternate NTP server must be provided to PICO. This keeps the PICO Server's system clock and the clock of each PICO Hub in sync. Accurate clocks are required for TLS certificate validation (HTTPS) and for the authentication flows described above: a Hub with a wrong clock will reject a valid Server certificate as not yet valid or expired.
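The port requirements in this guide (Hub and Server ports, the outbound support VPN, the account server, and the NTP server) can be turned into an egress allowlist on a customer firewall. The following is an added example, not Pico's configuration or a script supplied by Pico: a POSIX shell function that prints an nftables ruleset for a firewall routing between the Hub subnet, the Pico Server and the internet. The addresses, the assumption that Hubs and Server sit on separate subnets, and the assumption that ports 443/8443/8140 are Hub-initiated while 9100 and 22 are Server-initiated (return traffic handled by connection tracking) are all mine. Nightly backups to Pico's GCP storage are not covered, because cloud object-storage endpoints cannot be pinned to fixed addresses; that is one reason to prefer the local-share backup option in strict environments.

```shell
#!/bin/sh
# Added example, not Pico's own configuration. Prints an nftables ruleset for a
# customer firewall that routes between the Hub subnet, the Pico Server and
# the internet, encoding the port matrix from this guide.
# Assumptions: Hubs and Server are on different subnets routed through this
# box (on one flat subnet the forward chain never sees their traffic); ports
# 443/8443/8140 are Hub-initiated and 9100/22 are Server-initiated, with
# return traffic accepted by conntrack; every address is a placeholder.

pico_ruleset() {
    server="$1"   # Pico Server IP
    hubs="$2"     # Hub subnet in CIDR notation
    ntp="$3"      # internal NTP server that replaces *.debian.pool.ntp.org
    vpn_ip="$4"   # current address of vpn2.picomes.com, or "none" to block support VPN
    acct_ip="$5"  # current address of account.picomes.io
    ssh_ok="$6"   # "yes" to allow Server -> Hub SSH for remote diagnosis

    printf '%s\n' \
      'table inet pico {' \
      '  chain forward {' \
      '    type filter hook forward priority 0; policy drop;' \
      '    ct state established,related accept' \
      '    ct state invalid drop' \
      '    # Hubs -> Server' \
      "    ip saddr $hubs ip daddr $server tcp dport { 443, 8443, 8140 } accept" \
      '    # Server -> Hubs' \
      "    ip saddr $server ip daddr $hubs tcp dport 9100 accept"
    if [ "$ssh_ok" = yes ]; then
        printf '%s\n' \
          '    # Server -> Hubs SSH, limited to the Server address, never the whole network' \
          "    ip saddr $server ip daddr $hubs tcp dport 22 accept"
    fi
    printf '%s\n' \
      '    # Server and Hubs -> internal NTP; Hubs have no RTC and need this at boot' \
      "    ip saddr { $server, $hubs } ip daddr $ntp udp dport 123 accept" \
      '    # Server -> Pico account server (user list sync for Manage Page logins)' \
      "    ip saddr $server ip daddr $acct_ip tcp dport 443 accept"
    if [ "$vpn_ip" != none ]; then
        printf '%s\n' \
          '    # Server -> Pico support VPN (443 default, 1194 fallback); remove to disable remote support' \
          "    ip saddr $server ip daddr $vpn_ip tcp dport { 443, 1194 } accept"
    fi
    printf '%s\n' \
      '    # Anything else, including the Server reaching other internet hosts, is logged and dropped' \
      '    log prefix "pico-drop " drop' \
      '  }' \
      '}'
}

# Usage: review the output, syntax-check it, then load it.
#   pico_ruleset 10.10.20.5 10.10.30.0/24 10.10.1.1 198.51.100.7 203.0.113.10 yes | nft -c -f -
#   pico_ruleset 10.10.20.5 10.10.30.0/24 10.10.1.1 198.51.100.7 203.0.113.10 yes | nft -f -
```

Passing `none` as the VPN address removes only the support-VPN rule, which is the firewall-side equivalent of the "block outbound to vpn2.picomes.com" option above; because the rule is keyed on an address rather than the hostname, it must be refreshed when the DNS record changes. The final logging drop is what shows you, in the firewall log, any Server or Hub traffic this guide did not document.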

 

For questions or additional security related requests, please contact us at support@picomes.com.
