Cybersecurity and IT/OT convergence: A pathway to digital transformation
The history of industrial information technology (IT) set the stage for the Industrial Internet of Things (IIoT) and digital transformation; keep it safe with cybersecurity best practices.
The technologies that make up a company’s industrial operations today are evolving faster than ever. Competing platforms leapfrog each other for market dominance and user preference, while start-ups flush with cash from investors shake up established norms. Mergers and acquisitions can alter the trajectory of innovation and impact experts’ speculation on the future, creating a moving target for those trying to envision what the future will be.
Those facts alone make it difficult for leaders to navigate their options, but it’s not just the available technologies and solutions that are changing. The underlying problems people, organizations and society are wrestling with are changing too. For example, cybersecurity in the controls environment was not a forefront concern a few decades ago, nor was the privacy of user and customer data.
We can take comfort in knowing while things are moving fast, they’re not moving too fast to understand, and we are riding the same wave of change together. If the problem is boiled down to its core, and we look at the past and present of our own organization and our peers, the next step isn’t as difficult to determine.
Information technology (IT) is a broad term, but today it is used to describe computer systems and networks used by businesses. Operational technology (OT), on the other hand, describes the systems that monitor or control industrial equipment and processes. Both emerged in the same timeframe using similar underlying technologies. However, they did so in relative isolation from each other. At times, some innovations on one side were adopted by the other. Ethernet is a good example of this, which has been adopted for the industrial environment following its success in the business environment.
IT and OT begin to converge
Over time, the financial and competitive value to an organization for interconnecting its OT systems and connecting them to the internet began to change the landscape. Cloud computing and centralized virtual server infrastructures promised to (and do) deliver economies of scale and reduced operational cost. Smart manufacturing technologies such as manufacturing execution systems (MES) and predictive analytics promised to (and do) allow organizations to make business decisions in an informed and optimized way based on real-time conditions on the plant floor, which gave organizations that implemented them an edge over those that didn’t.
Industrial systems became connected, routed to the internet and integrated into the business network. Task forces were set up to navigate an organization’s “digital transformation” toward “the modern factory” under the pressures of working toward “the fourth industrial revolution,” or Industry 4.0. The trend toward convergence of IT and OT (aka industrial IT) and the pursuit of leveraging the Industrial Internet of Things (IIoT) had begun.
This history is critical to understand in order to explain why things are the way they are today, and to decipher where an organization should go next (see Figure 1). Legacy breadcrumbs that still challenge us today often remain: industrial communication protocols that are open and insecure, island networks that need to be re-networked into an enterprise-wide architecture, and ownership of the industrial IT infrastructure that is often not fully established. The connectivity surge can expose systems to cybersecurity risks that can seriously threaten businesses’ health, leading industrial control system (ICS) cybersecurity to boom into a multi-billion-dollar industry decades after the underlying environment first emerged.
Recognizing the industrial IT “layer”
Many organizations struggle with developing an industrial IT infrastructure that is stable, secure and a foundation that enables the pursuit of smart manufacturing technologies. The commonly cited (and valid) reasons for this include:
- The return on investment (ROI) is difficult to calculate, and infrastructure costs are high in general
- The technologies and their benefits are not widely understood
- The skillsets to maintain the infrastructure are difficult to find
In addition to, and perhaps transcending, these challenges is the fact that organizations do not always recognize the infrastructure as its own “layer” within their OT systems. Instead, many — especially those who are not technical — lump the infrastructure together with the control system as one. By doing so, they make it difficult or impossible for the organization to identify and invest in infrastructure upgrades.
The most succinct way to demonstrate the detriment is to consider how control systems are purchased. When a machine or manufacturing system is procured, the vendor will deploy the system along with some networking hardware, touchscreen PCs and perhaps servers to host the control system. Separately, a different system may be procured, which is deployed with different networking hardware, touchscreen PCs and servers, and so on. Before long, the industrial IT within the facility is inconsistent, fragmented, difficult to manage and difficult to integrate into one seamless architecture.
When it comes to acknowledging the industrial IT “layer,” an important observation is that most organizations’ IT departments already understand the technologies in use. IT departments can help by spearheading infrastructure requirements and standardization efforts for the industrial environment and by being included in conversations at the earliest stages of the procurement process.
The stages of industrial IT maturity
Organizations — especially those experiencing the evolution for the first time — can benefit from following industry best practices and by following in the footsteps of other organizations. By doing so, the total cost required to achieve a mature and optimized industrial IT environment can be reduced and rollout can be done within a shorter timeline.
Stage 1: Islands of automation. When beginning the manufacturing digitalization journey, leaders may not be familiar with the value of enhanced connectivity or, if they are, it’s considered a problem that does not yet need to be addressed. In their minds, the priority is manufacturing to meet customer demand and reducing investment costs to keep operations lean. Often, the output of this type of thought process is installing original equipment manufacturer (OEM) equipment and systems that operate independently and within their own networked environment.
It is not uncommon to see connectivity between systems being addressed in some locations, but not all locations. The islands of automation are limited to certain areas or types of systems. For example, a facility may determine that process systems must be integrated into a plant-wide network, but that material handling is less critical and can be left isolated. In general, the smart manufacturing technologies available benefit the business from end to end, and islands of automation can cause operational inefficiencies, so it is common to see areas of a facility with less network maturity being “brought up to par” with the rest of the facility.
Stage 2: Flat, connected industrial network. Eventually, the operational pains of having islands of automation and the ways it restricts progress force the organization to re-engineer its industrial IT architecture. In the absence of a higher-level plan, the operational staff makes do with the resources and time available, and change is made via “the path of least resistance.”
This manifests itself as low-cost, unmanaged switches being installed where physical space can be found and wherever an Ethernet connection is needed. Workstations meant for monitoring or controlling industrial systems may have internet connectivity to make staff’s day-to-day obligations simpler without thought toward security implications.
When OEM equipment is purchased, it is shipped to the owner with pre-configured IP addresses, so staff installs a gateway to bridge the new equipment to the plant’s existing network. Or to assist with on-demand troubleshooting needs, a cellular virtual private network (VPN) router with low security is installed on the network to allow remote service providers to troubleshoot equipment.
From a functional standpoint, a flat but connected industrial IT architecture is an improvement over islands of automation. Basic remote connectivity can be put in place, and higher-level implementations like plant-wide data collection and reporting become possible. However, the plant will face new critical challenges with manageability and security.
Stage 3: Architected infrastructure. Organizations operating with flat, connected industrial networks can face pressure on several fronts to invest in industrial IT improvements. Organizations will start to understand the value in digital transformation technologies, use them to remain competitive and may realize they must invest in their infrastructure to pursue those technologies. Operational inefficiencies, staff frustration and downtime attributed to the lack of standardization and management of an organization’s infrastructure may convince leaders to set aside funds for improving the infrastructure.
Regardless of which pressure tips the scale, most organizations will turn to validated architectures and industry best practices for further improving their connectivity and (finally) start to prioritize security. Within their computing infrastructure, investments will be made in server virtualizations and standardized hardware. Organizations may also invest in thin client deployments and other remote connectivity solutions to centralize the way they host and access industrial applications across facilities. In terms of networking, virtual local area networks (VLANs) may be implemented to segment the network and demilitarized zones (DMZs) may be installed for management and IT/OT connectivity.
Stage 4: Managed ICS security and cloud technologies. Once an organization has an underlying industrial IT infrastructure following best practices and standard architectures, it will be well-suited for implementing Industry 4.0 technologies and optimizing its operations. Plant floor data can be collected and analyzed to improve overall equipment effectiveness (OEE) or quality, and data may be synchronized to the organization’s enterprise resource planning (ERP) system in real time to improve business decision making such as managing supplies and product orders.
Just as the organization experienced during its transition from having islands of automation to a connected industrial network, the ICS security risks increase as connectivity is expanded and infrastructure improvements are made. Technical configurations alone — such as VLAN segmentation — are not sufficient for managing the cybersecurity risks, and a continuous cybersecurity program akin to a safety program is required to manage the ongoing risk.
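To make the stage 2 versus stage 3 contrast concrete, here is an added example, not code from the article or from Grantek: a small zone-and-conduit check in Python that encodes the stage 3 rule that every IT/OT crossing must terminate on a DMZ broker, then evaluates the flat-network habits of stage 2 against it. The zone names, hosts, services and flows are all constructed for the example.

```python
from dataclasses import dataclass

# Stage-3 zones: OT VLANs, industrial DMZ, business IT, internet. Only adjacent
# zones may talk, so every IT/OT exchange terminates on a DMZ broker.
ALLOWED_CONDUITS = {
    ("ot", "dmz"), ("dmz", "ot"), ("dmz", "it"), ("it", "dmz"),
    ("it", "internet"), ("internet", "it"),
}

@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # "ot", "dmz", "it" or "internet"

@dataclass(frozen=True)
class Flow:
    src: Host
    dst: Host
    service: str

def flow_violations(flows):
    """Return flows that cross zones without an allowed conduit."""
    return [f for f in flows if f.src.zone != f.dst.zone
            and (f.src.zone, f.dst.zone) not in ALLOWED_CONDUITS]

# Constructed hosts (not from the article) shared by both designs.
PLC = Host("line1-plc", "ot")
HMI = Host("line1-hmi", "ot")
HISTORIAN = Host("historian", "dmz")
JUMP = Host("jump-host", "dmz")
VPN_GW = Host("vpn-gateway", "it")
ERP = Host("erp", "it")
WEB = Host("public-web", "internet")
VENDOR = Host("vendor-laptop", "internet")

# Stage 2: flat network, hosts reach each other directly.
STAGE2_FLOWS = [
    Flow(HMI, WEB, "https"),   # operator workstation browsing the internet
    Flow(VENDOR, PLC, "cip"),  # cellular VPN router lands the vendor on the PLC
    Flow(ERP, PLC, "cip"),     # business system polls the controller directly
]

# Stage 3: the same business needs, brokered through the DMZ.
STAGE3_FLOWS = [
    Flow(PLC, HISTORIAN, "cip"),    # controller data lands in the DMZ historian
    Flow(HISTORIAN, ERP, "https"),  # historian pushes to ERP (stage 4 sync)
    Flow(VENDOR, VPN_GW, "ipsec"),  # vendor enters via the IT VPN gateway,
    Flow(VPN_GW, JUMP, "rdp"),      # then a DMZ jump host,
    Flow(JUMP, PLC, "cip"),         # and only then the controller
]
```

Fed with a real flow inventory (firewall logs or NetFlow export), each flow the check returns marks a connection that the stage 3 design would relocate behind a DMZ broker or block with a VLAN access list.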
Making the digital transformation journey
While this article provides a summary of how manufacturers often progress through industrial IT maturity, the greater value is in understanding the stages, then leveraging that knowledge to improve your business’s plans. Any organization traversing its digital transformation journey — especially one in the early stages — has the opportunity to learn from the mistakes of those before it and make forward-thinking decisions that shorten the process.
From that perspective, less mature organizations have a significant advantage. They can plan for the challenges of tomorrow, make investments now that will accelerate growth in the future, and avoid decisions that limit the company’s options later. In this way, organizations today can transform faster and more cost-effectively than ever.
Grantek is a member of the Control System Integrators Association (CSIA).