Thoughts and Observations
With ever increasing linkages between industrial control (fuelled by Industry 4.0 initiatives) and business systems and the increasing integration of ‘IT’ technologies into control system platforms. There is an increasing expectation that the management of IT and OT functions will converge, much of this is being driven by consultants and industry analysists.
This convergence was first predicted by Gartner in 2011, I personally have seen little in practice however, as of 2018, Gartner are reporting that 47% of utilities have converged IT and OT functions (the level of convergence is not consistent across industry sectors).
More recently in 2018 Strategic Roadmap for IT/OT Alignment, Gartner’s stance is somewhat softened with the acknowledging that the IT department ‘take over’ of OT systems needs to be gradual and stresses that convergence cannot occur without there first being alignment.
What is the Difference Between IT & OT?
“Operational technology is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.” Wikipedia
Operational Technology is also known as Process Automation, Industrial Process Control, Control Systems etc. originated in the 1600s when thermostatic furnace control was first developed.
Control technologies include mechanical, pneumatic, electronic, and now digital control. From the 1970s computer-based control of manufacturing and process plants has become widespread with the introduction of the Programable Logic Controller (PLC) and Distributed Control System (DCS). These were originally proprietary micro-processor based systems for controlling industrial processes.
“Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data or information. IT is typically used within the context of business operations as opposed to personal or entertainment technologies. IT is considered to be a subset of information and communications technology (ICT). Wikipedia
While humans have stored information since 3000 BC when writing was developed, electronic computers were first applied to this in the 1950s when it was known as Electronic Data Processing (EDP).
Much of the underlying technologies used in IT and ICT is developed by Electrical, Electronic and Software Engineers.
The table below attempts to summarise some of the key differences between IT and OT.
IT / OT Convergence
There are many potential benefits of having closely integrated IT and OT functions. OT systems are becoming increasing more dependent on IT technologies, are Internet connected exposing them to security risks and are increasingly integrated with business systems.
Many management consultants are actively promoting the idea that IT and OT functions should be performed by the same teams or at least be under common management.
Some of the purported benefits of IT/OT convergence are,
- Cost reduction through the use of common platforms and shared resources
- Risk reduction
- Performance and productivity benefits through the use of common data platforms to enable better decision making
A more detailed discussion of the benefits of IT OT Convergence (according to Gartner) is provided here.
Barriers to Convergence
Often times, the IT and OT teams have a long history of mutual distrust and lack of respect for the unique aspects of the business drivers in each domain.
The IT team generally underestimates the technical complexity of the OT environment and rarely appreciates the imperative to maintain system availability. Similarly, when the complexity of the OT environment is appreciated, the cost and complexity of upgrading (or ‘remediating’) these systems to provide a homogeneous environment is not appreciated.
Frame of Reference
Both teams can be guilty of framing every issue using their own frame of reference. An example at the moment is that phishing attacks are getting a lot of attention in the cybersecurity space.
Cybersecurity professionals are advising OT teams of the dangers of phishing attacks when this is not a significant issue for OT systems given that they almost invariably do not allow any email traffic or clients to be present.
There is generally a significant lack of alignment between IT and OT teams due to differing business drivers in each domain. Examples of this would be a focus on system availability and relative lack of concern for data security in OT system while security can be assigned a high priority in IT systems, sometimes at the expense of availability.
If differing drivers are not acknowledged and adequately managed, this can often lead to inappropriate IT requirements being imposed in OT systems leading to conflict, resentment and general lack of cooperation.
Generally, both groups are fairly immature in their approach to risk management.
IT teams generally have very poor risk management skills and tend to seek to eliminate all threats (regardless of likelihood or consequence). In contrast OT teams generally have advanced risk management skills when dealing with process safety, however they can be quite cavalier in their approach to cyber risk.
The two groups could benefit from the application of rigours risk management approaches taken to the management of process risk being extended to cyber risk which would ensure adequate but not overinvestment in cyber controls is implement. The added benefits of the application of analytical engineering methods to cyber risk being implement is that the implementation of a given set of controls can be justified. Current IT systems tend to lead to the expectation that a treatment will be in place for every threat (regardless of the likelihood or consequence)
Merging two teams can lead some team members losing status, power and possibly a reduction in the number of positions.
As a result, the decision to merge the two functions can lead to power struggles and the desire for IT or OT to be seen as having ‘won’.
Typically, where IT and OT teams have been converged the OT team has been absorbed into a larger IT organisation with the most senior manager being from an IT background.
Inadequate OT Budgets
In recent decades OT systems have progressively moved to utilize mainstream IT technologies. IT technologies typically have short refresh cycles and are generally high maintenance (monthly patching cycles for example). In contrast, OT equipment historically has had very long refresh cycles and lower levels of required maintenance.
There is often currently a discrepancy between the maintenance and renewals budgets for OT systems and the higher costs associated with the newer technologies.
Experiences of Convergence
In my personal experience, I have worked in both separate and integrated IT/OT teams. I have not personally found that the management structure has been the key determinant of the success of the working relationship.
Periods when IT and OT experienced the best working relationship was when they were managed separately but both groups were highly focused on delivering business outcomes, to the full range of business users (i.e. both IT and OT system users).
Periods characterised by relatively poor cooperation between IT and OT have coincided with the teams being under common management. One of the reasons for this was a joint culture not being established and the most senior manager encouraging conflict rather than alignment.
I have observed only one instance of on OT team absorbing the IT organisation on a large manufacturing facility. The driver for this was the facility management team’s expectation regarding core IT system availability. (The IT team on this particular site was in the habit of initiating frequent unplanned and extended business system outages during working hours). The OT team brough discipline to outage management and prioritised system availability.
How to Make IT/OT Convergence Work
In my experience the barriers to successfully merging the IT and OT functions is that fundamental cultural differences between the two teams have not been addressed and the lack of acceptance or understanding the differences between IT and OT environments. (This appears to also be Gartner’s current position, stating that alignment is a prerequisite to convergence).
I would suggest that the keys to successfully merging IT and OT functions are,
- Establishing a genuine culture of unconditional mutual respect and understanding (more than just words, this needs to be backed up by consistent actions at all levels, especially the top of the organisation)
- Accepting that IT and OT environments can have different business drivers and unique challenges which may necessitate different solutions and work practises.
- KPIs and Services Levels need to be aligned and incorporate the business drivers for both groups. There also needs to be joint responsibility to meet these objectives.
- Management needs to drive engagement and integration rather than expecting it to be bottom up.
- Development of a culture of openness to change and the pursuit of best for business solutions (regardless of impact on headcounts, budgets etc.)
- Accepting that bad actors on either the IT or OT side may need to be removed.
- Zero tolerance of turf wars, petty disputes, and obstructive behaviours
- Co-location of staff should be considered.
- Where feasible job rotation should be encouraged between the two groups
- Do not ignore change management. Changing some job titles and issuing a new organisational chart is unlikely (read, will never) achieve the results that you are looking for.
- Have a clearly defined end goal. Much reorganisation and structural change is change for changes sake without any clearly defined objectives for the change to achieve.
Many discussions of IT/OT convergence (including this one) focus on convergence of staff and management rather than a convergence of technologies and platforms.
My own organisation run IT and OT under separate management, but over the past decade or so we have seen a steady migration of enterprise IT technologies into OT systems including,
- Server virtualisation
- Server (rather than desktop) grade hardware
- Server rather than desktop operating systems
- Active Directory servers for OT networks
- Firewall and security products
- Managed switches implementing complex network segmentation strategies.
- Ethernet networking to the plant floor and device layer
- Web protocols (many industrial automation products run web servers for administration)
- Web based HMIs
- Management systems including ISO 27001 and the NIST cybersecurity framework.
In the future we expect to be deploying the following technologies,
- Virtualised Programable Logic Controllers
- General purpose programming languages for automation
- Cloud platforms and integration (services like AWS Outposts will become viable automation system platforms when the price point becomes more realistic).
- Machine Learning and AI to augment traditional process automation algorithms.
Remaining key challenges,
- Data sharing and integration.
- Data models (or lack of)
Unification of all ‘Digital’ Technologies
Gartner and others promoting digital unification under a CIO or Chief Digital Officer. This approach in relation to OT system is naïve to say the least when process safety systems are involved.
“IT works under a misconception that it has all the answers in managing technology, including the IoT and OT”, (Maverick* Research: What Engineers Can Teach CIOs About IT, Gartner 2015 & 2017).
 Risk ≠ Threat. Risk is the combination of the likelihood and consequence of an event occurring.
 SIL/LOPA assessment are a highly structured and analytical method of managing risk which is often applied to process and personnel safety.
Thanks for reading, hope you enjoyed this article.
To explore further,
- Subscribe to email notifications
- Click on the ‘follow’ button at the top of the article
- For all things Industry 4.0, check out my Industrial Digital Transformation & Industry 4.0 publication
- Feel free to join my network on LinkedIn (remember to mention that you have read the article)
To support medium authors, consider a subscription.
Remember to click on the subscribe and follow button,