Public cloud connections make some things easier, but they also increase the attack surface and security dependence on third-party providers. For its NIDS for OT, Rhebo opts exclusively for on-premise operation without connection to a public cloud.
In the digital world, the biggest selling point—and, on the user side, the biggest excuse—is convenience. This is especially true for public cloud connections to hyperscalers, but also for cloud infrastructure from component and service providers. Systems can be managed centrally, irrespective of location. If support is needed, manufacturers can sometimes help more quickly. So far, so good.
The downside is that cybersecurity for data and thus also for the associated systems in your own company is largely out of your hands. Attackers have understood this, too, and have repeatedly targeted cloud infrastructures in recent years.
From the cloud to temporary leave
Added to this are dependencies on the availability of cloud applications, as demonstrated by the widespread collapse of the AWS infrastructure in October 2025 [1]. Even though a large team at AWS was able to respond immediately to the collapse, the companies affected ultimately had no choice but to take a break and wait it out.
From the cloud to the dark web
Customers of firewall provider SonicWall had a more unsettling awakening in September 2025, at least if they had saved their firewall configurations in SonicWall's cloud backup service. A few weeks after a breach of the SonicWall cloud, it became apparent that attackers had compromised 100% of the customers' configuration backups. This gave the cybercriminals access to the settings and login details of SonicWall customers [2].
Not only have attacks on cloud environments increased significantly [3], but attackers are also getting better at maintaining control [4].
From the cloud to [your favorite secret service]
However, it doesn't even take cybercriminals. Secret services and the manifold interconnections between non-European cybersecurity companies and their respective government agencies are also doing the job. We have already written about Cisco's hardcoded backdoor and Microsoft's confirmation that it cannot guarantee 100% data protection on its European cloud servers.
Moreover, KRITIS AG founder Manuel “HonkHase” Atug also spoke in our podcast about security providers with cloud access whose handling of sensitive customer data appeared more than questionable.
If cloud, stay on-premise
The network-based intrusion detection system (NIDS) Rhebo Industrial Protector can be operated both as a physical and as a virtualized appliance, but it ALWAYS remains on-premise with our customers. If an operator wants several instances of our NIDS to be virtualized centrally, this is done exclusively in a private (internal) cloud, never in a public cloud environment.
Rhebo Industrial Protector data collectors/sensors and controllers always run without any connection to the internet. There are no automated searches for updates, nor are there any external connection attempts for license verification or backups. The Rhebo support team provides our customers with all updates directly and offers hands-on support during rollout.
This manual approach may somewhat reduce the convenience, but it strengthens our customers' OT cybersecurity. After all, the decision-making power over updates and backups remains with the operators of the OT infrastructure, as does digital sovereignty over sensitive OT information and data.
[1] https://dataconomy.com/2025/10/20/aws-outage-a-complete-list-of-every-site-and-app-that-went-down/
[2] https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-100-firewall-backups-breached
[3] Bullets 35 to 38 at https://www.getastra.com/blog/security-audit/cloud-security-statistics/
[4] https://cybersecuritynews.com/hackers-weaponizing-oauth-applications/
