Pico MES Security


1. What does the Pico MES System Architecture look like?

There is one central Pico Server. The Pico Server connects to the secure Pico VPN over the Internet. Updates are pushed to the Pico Server over the Pico VPN.

  • Pico manages a cloud service which the Pico Server connects to for system updates, configuration management, daily backups, and remote assistance from our customer support team. The remote connection is critical for troubleshooting and support.
  • There are also one or more Pico Hubs, which consists of a small, single board edge device that communicates with tools & machines.
  • The Pico Server is connected to the customer’s network and it must be able to communicate over the local network to each of the Pico Hubs.
  • For tools/machines that are already connected to the network or have capability to do so, the Pico Server can communicate directly with the tool over the network.
  • For tools/machines that don’t have the capability to connect to the network, Pico Hubs connect the tools via USB, RS232, etc. while also communicating to an HDMI touch-screen; the data will then be sent over the network to the Pico Server
  • Pico Hubs can be connected over ethernet or Wi-Fi; when a customer first receives a Pico Hub, it must be registered over ethernet and requires outbound Internet connectivity initially. Once connected to the server, the Pico Hub no longer requires Internet connectivity.
  • The Pico Server hosts a web application that can be accessed via a browser. This web application serves the Manage Pages where process, device, and stations can be created, modified, and deployed. The web application also hosts the Operator Interface which provides the step-by-step instructions, error proofing, and data tracking for each of the stations and operators.
  • User PCs, tablets, and cell phones can connect to the server web application over secure HTTPS. A dedicated operator Mobile App is available for tablets and cell phones which includes the ability to take photos as part of process steps and notes.


2. How does our software interface to a tool/machine?

  • Pico MES typically uses Open Protocol (PFOP) to communicate with torque tools
  • Pico also currently support the following protocols for other tools:
  • Serial/RS232
  • HTTP
  • Modbus
  • Bluetooth Serial
  • OPC UA
  • ZPL/PNG/PDF (for printers
  • Digital/Analog IO
  • USB Webcam
  • Pico Operator App (including built in camera)
  • USB PCSC (for badge readers)
  • TCP/IP
  • For any additional protocols, we can develop the integration with a lead time of ~1 week.

3. How are we getting the data from the tool/machine to the Pico Server?

  • If the tool/machine is on the network, the server communicates with it directly.
  • If it’s plugged in through a Pico Hub, then all data is received at the Pico Hub and then sent to the Pico Server.

4. Can Pico communicate with a network share drive?

  • Pico has the ability to access files on a network drive, if specifically requested by the customer.


5. How does Pico MES interface with machine/robotic systems?

  • Pico MES uses protocols like OPC UA or Modbus to send requests to machines, read machine states, and collect machine data. Through this interface, you can trigger the start of tests, and capture resulting data and cycle time all in one.
  • OPC UA: If you have an existing OPC UA server to communicate with your machines, Pico can develop a custom device integration to meet your needs. To do this, Pico needs:

i. A brief description of the desired functionality. This can be written or hashed out in a quick 15-30 min meeting
ii. A list of OPC UA tags necessary to achieve the desired functionality
iii. Credentials to access the existing OPC UA server. This is needed for the Pico MES server to communicate with the customer’s OPC UA server. Pico will only access the tags specified in the
list given by the customer. If there are security concerns, we’re happy to discuss further.

  • MODBUS: If you have a device that has the ability to communicate via Modbus, Pico can connect a Pico Hub directly to the machine and communicate that way. With Modbus, Pico generally can start tests, read machine states, and retrieve data from Modbus registers. This will vary depending on the set up of your machine, so Pico would need:

iv. A written description of the request, and likely also a 15-30 minute meeting to discuss how you would like Pico to interact with their machine
v. A list of Modbus registers that identify where the desired test data is located

  • NETWORK SHAREDRIVE: If you have a machine that is configured to send data to a shared network drive (often in CSV format), Pico can access that data and parse it. In this way, Pico can read pass/fail data, and store other data from the process for traceability. This is the most “hands-off” method, and so if you have safety concerns, you can opt for this method of connection. Pico has no connection to the device directly, just read-only access to the data that’s produced. For this, we need:

vi. A written description of the desired functionality
vii. IP Address and credentials to access the network share drive
viii. An example of the data Pico will be parsing
(eg. an example CSV)

  • If Pico hasn’t yet supported a protocol, the Pico team can connect with you to speak more about the integration/protocol and what it would take to bring up Pico support. Custom integrations like this typically take about a week from the time Pico receives all the necessary details. Upon completion, Pico generally requests a 30min period with an on-site engineer to test.


6. How does Pico address employee safety when communicating with an in-use tool?

  • Pico never directly drives a machine or forces a machine program to start. Pico only sends start requests, and the machine can determine if all safety conditions are met prior to starting.
  • All emergency stop functionality on the machine is retained for use by the operator.


7. How do you make sure your system is secure?

  • Pico MES is completing the SOC2 compliance process as of 3Q 2022
  • Pico’s Cloud backups are through trusted SOC2 compliant partners.
  • Access to the on-premise Pico Servers & Hubs by Pico employees is strictly managed through a series of controls. Pico utilizes a secure VPN whose process controls have been evaluated by expert 3rd party cybersecurity firms. The VPN uses shorewalling and leverages TLS 1.3, TLS Ciphersuite SHA-256, and encryption using ECDSA (curve secp384r1) with a shared TLS-Auth key.