Finding common ground for IT/OT convergence
The traditional definitions of information technology (IT) and operations technology (OT) need to be explored and revised to allow these two groups to work together, not against each other. A lot of common ground between IT and OT needs to be understood to optimize operations and to further understand the need for IT/OT convergence.
IT personnel may be associated with minor computer issues; however, one of their most important jobs is to maintain security for networks and devices. To many, the visible side of OT is the person who gets a call when a machine goes down, or the person who wants to add devices you haven’t heard of to the network. OT is responsible for keeping the plant, machines, and manufacturing processes running reliably and efficiently. OT also includes configuring and maintaining controls devices, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and variable frequency drives (VFDs), which often communicate over EtherNet/IP. When it comes to OT, control systems engineers are typically the ones responsible.
Conflicts between IT and OT
When conflicts occur between IT and OT, it is often due to competing priorities of security versus efficiency and uptime. For example, to maintain computer security, IT needs to update and patch operating systems. However, this may cause someone in OT to be apprehensive. An update could "break" specialized controls software, resulting in machine shutdowns or some other unintended negative effect. This is not to say OT doesn’t have cybersecurity concerns. Rather, a security approach often taken by OT is to isolate computers and other devices onto a standalone network and physically restrict access to the network and devices.
Conflicts can also arise with access control and networking. If an issue with a machine process occurs, someone from OT may need to quickly connect to the network to troubleshoot the issue to get the process running again. However, if they have an issue logging into a network or computer, or if they log in and have limited access, these delays could cost the manufacturer thousands of dollars in lost production. Often, IT does not like to give out unfettered network access or administrative logins that may be required to troubleshoot an issue on the OT side.
Controls devices such as PLCs and VFDs often require high-speed Ethernet communications, and a communications loss of a fraction of a second can be enough to shut down a manufacturing process. There is the risk that a networking change made by IT could have the unintended consequence of disrupting OT manufacturing operations. For example, controls issues can occur as a result of changes made to virtual local area networks (VLANs) or gateways, or from upgrading routers and firewalls.
At times, network changes have resulted in either throttling the bandwidth used by controls devices or the flooding of unnecessary network traffic into the controls network. Some of these issues have shut down entire facilities. This is another reason why OT often prefers to maintain standalone Ethernet networks.
Common ground for IT, OT
While the two priorities of security and uptime may seem at odds, there is room for common ground. The days are gone when a network could be considered secure just because it was isolated and locked inside a room or industrial enclosure. Several high-profile cases have demonstrated that computer viruses have the potential to impact control systems and can be transmitted by a USB drive or laptop, not just over the internet. Also, through the networking of controls equipment with the business side of the network (typically the domain of IT), data can be collected and analyzed to provide powerful feedback to management, operations, and engineering teams.
A takeaway for OT is that it is not necessarily efficient or secure to simply isolate controls equipment on its own network. However, a takeaway for IT is that many of the procedures and practices geared for devices found on the business side of the network, such as servers, email, and personal computers, can cause issues for control systems.
What this means is IT and OT professionals must find common ground. There is not a sharp dividing line between the two groups. IT professionals need to understand OT and devices such as PLCs, HMIs, VFDs, and supervisory control and data acquisition (SCADA) software. OT professionals need to understand networking and security and be capable of configuring equipment such as firewalls and routers.
The same point can be made about the network architecture. OT devices should not be added to the IT network. It’s also not necessarily a good practice just to put OT equipment on its own isolated network. There needs to be a level of separation, but also an overlap between the IT and OT network. Achieving this type of network design is a subject unto itself. However, there are practical ways to do this such as creating industrial demilitarized zones (DMZs) by using industrial-rated routers and firewalls. Many security devices (hardware and software) are designed specifically for control systems. These devices rely on standards and best practices already followed in IT but are designed with OT in mind.
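As an added illustration (not code from the article or any vendor), the following Python script checks a toy firewall rule list against the separation principle just described: business (IT) hosts never reach the controls (OT) zone directly, traffic crosses the industrial DMZ, and only EtherNet/IP is allowed into the PLC zone. The zone names, rule format and sample policies are constructed; the EtherNet/IP port numbers are the protocol's standard ones.

```python
"""Zone-policy check for an IT/OT network with an industrial DMZ (added example)."""
from dataclasses import dataclass

# EtherNet/IP ports: TCP 44818 (explicit messaging) and UDP 2222 (implicit I/O).
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # constructed zone names: "it", "dmz", "ot"
    dst_zone: str
    proto: str
    port: int
    action: str     # "allow" or "deny"


def violations(rules):
    """Return human-readable problems found in a rule list (empty list = clean)."""
    problems = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules never violate separation
        if {r.src_zone, r.dst_zone} == {"it", "ot"}:
            problems.append(f"direct IT<->OT flow: {r}")
        elif r.dst_zone == "ot" and (r.proto, r.port) not in ENIP_PORTS:
            problems.append(f"non-EtherNet/IP traffic into OT: {r}")
    return problems


# Constructed sample policies: the weak one lets office hosts talk to PLCs directly.
WEAK_POLICY = [
    Rule("it", "ot", "tcp", 44818, "allow"),   # historian polls PLCs from the IT side
    Rule("it", "ot", "tcp", 3389, "allow"),    # RDP from office PCs to an OT workstation
]
CORRECTED_POLICY = [
    Rule("it", "dmz", "tcp", 443, "allow"),    # office reads data from a DMZ broker
    Rule("dmz", "ot", "tcp", 44818, "allow"),  # only the DMZ broker polls PLCs
    Rule("it", "ot", "tcp", 3389, "deny"),     # no direct remote desktop into OT
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, violations(policy) or "no violations")
```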
Better defining IT and OT makes it easier to see they are not separate disciplines and the traditional definitions may need to be reconsidered. Some have referred to this trend as the "IT/OT convergence." The line between OT and IT is becoming more blurred, and they will need to work together in the foreseeable future.
KEYWORDS: information technology (IT) and operations technology (OT)
- Traditional definitions of IT and OT
- Understanding the roles of IT and OT
- The convergence of IT and OT operations
How can IT and OT converge to optimize your facility’s operations?