The Path to IT/OT Convergence
Today's new system is tomorrow's old system
It’s clear that business IT and production OT are converging at an increasing rate. While standards and practices that have long been used in IT are becoming increasingly important for OT, merging the two areas will take more than simply transferring management techniques.
In fact, successful convergence requires that all stakeholders understand three key factors:
- how IT and OT each evolved.
- the practical differences and requirements.
- the strategic opportunities available if you keep those two things in mind.
At first glance, IT seems very complex. From network protocols to different vendors, there are lots of questions to ask when procuring IT assets, beginning with which hardware platforms best meet your needs. The combination of market dynamics and technology advancements means that the range of available brands, models and configurations is huge. The level of complexity increases when you add mobile devices to the mix. It’s not simply a case of selecting a particular manufacturer -- HP, Lenovo, Dell, Apple, Samsung, Motorola, etc. -- but which hardware, software and support ecosystem you’re buying into.
However, the apparent complexity quickly dissipates because IT infrastructure is largely integrated and interoperable. The range of options in the desktop and mobile worlds usually boils down to two operating systems -- Windows and Linux. The nominal exception is macOS, but that necessarily follows a commitment to Apple hardware. For mobile devices, everything revolves around iOS and Android Enterprise. Due to high levels of integration and the long-standing focus on security, there are many solutions available to protect all of those platforms.
The situation is quite different in OT. The growth of networked production environments has been driven by highly specific needs and occurred over a much longer timeframe. Network devices tend to be very heterogeneous and are intended to remain in operation for several decades. Today's standards were unknown when machines that are still running were commissioned 20 or more years ago. In addition, infrastructure complexity has increased due to the enormous variety of programmable logic controllers (PLCs) and proprietary software created to fulfill specific requirements. Security wasn't a high priority as this veritable potpourri of machines and controls was added, because most of them had no network connection.
Now, however, many of those systems are being made network-capable through retrofitting. That has exposed a host of device security and management issues. For example, the software running on some OT systems was developed before some of today's IT admins were even born. Windows XP-based controllers are not uncommon; they are very outdated and present hundreds of attack vectors even when fully patched. OT device manufacturers also developed proprietary systems with a wide range of applications and protocols to meet specialized needs. Compared to the IT world, managing and monitoring OT systems can be extremely complex.
With Industry 4.0, networked production is being driven further and faster as manufacturing organizations seek to take advantage of operational, financial and competitive opportunities that OT opens up. OT is increasingly following IT but with an understanding of the different requirements and prerequisites in those two worlds. For example:
- Active Directory (AD) is often not found in OT environments.
- Logical linking of endpoints is mostly decentralized via Windows Workgroups.
- Networks are highly segmented.
- System and device interdependencies mean that special software is often preferred over patching.
Also, while vulnerabilities in legacy systems used in OT are familiar from the IT world, security and remediation practices need to be adapted to meet the priorities of manufacturing environments -- system availability being at the top of the list. In other words, you can’t easily shut down all or part of a production line to deploy a patch.
First and foremost, an OT organization must be created to modernize production infrastructure and implement an appropriate security strategy. It’s important to determine which legacy systems can be replaced or upgraded and which need to be separated on a network. In addition, device management policies and responsibilities need to be defined to reflect operational and security requirements, e.g., who has remote maintenance access to a particular system.
By applying the knowledge of how IT and OT management evolved, where the two areas complement each other, and where they differ, it's possible to unlock the benefits of convergence. Improved OT security and availability can be complementary outcomes of modernization, alongside increased production efficiency and output and less downtime. That begins with analyzing and qualifying OT processes to see where IT management practices can be adapted, for example, determining whether legacy systems can be modernized by deploying current operating systems, updates or software such as WinCC.
Finally, IT/OT teams can and should always keep in mind some familiar wisdom from the IT world when creating and implementing a convergence strategy: Today's new system is tomorrow's old system!