IT/OT Convergence

Posted date 02/01/2018
Author
INCIBE (INCIBE)

We have previously explained the differences between operational technologies (OT) and information technologies (IT) in the article "Differences between IT and OT", and covered the tools that have been transferred from IT to OT in "IT Tools that Evolve for OT". Nonetheless, those differences must be revisited in order to talk about convergence between the two technologies.

While the technology used in OT is quite familiar to the operators and engineers who work in the sector, IT personnel have limited knowledge of it. Traditionally, IT and OT environments were managed separately, without any interdependence between them. That disconnection has shown that the information exchanged between these environments was not adequate, and that the important benefits of convergence, such as understanding the security risks and increased performance, require greater attention at all levels.

-Traditional model with separate IT and OT environments-

The reasons for convergence

The operation of many industries, especially those related to energy production, transport and distribution, mass manufacturing, people and materials transport and other automatic processes, is more and more dependent on communications and computer networks. The increase in communications between a growing number of smart elements, and the need to integrate process data into corporate systems and applications, mean that information technologies are now found throughout the industrial environment. Many companies have handled this dependence by creating their own support teams within their business divisions, separate from the companies' IT departments. This duplicates tasks, resources and personnel, which can lead to problems and a lack of understanding between two departments with similar duties. These differences and separations increase the risks involved in management and compliance actions, tasks which OT engineers are not very accustomed to and where IT personnel have plenty of experience. In view of all of the above, it is best for both teams to work together.

The integration of IT and OT promises a number of benefits:

  • Improved automation, information capture from sensors and visibility.
  • Increased control of distributed operations.
  • Better compliance with regulatory requirements.
  • Systems with better responses and better organisation.
  • More effective work due to more and better information.
  • Improved decision making, based on more accurate and timely information.
  • Improved customer satisfaction as a result of proactive maintenance and lower downtimes.
  • Improved participant satisfaction due to better flows of information.

-Integrated IT and OT services and systems-

Challenges

The first challenges to be handled with IT/OT convergence are those that affect the work environment. However, much has already been written on topics like the harsh operating conditions, task repetition or the need for constant availability. This is why other aspects will be mentioned herein.

The high speed of innovation in IT is one reason why error correction, fault tolerance, high availability and failover functions are so highly valued there. Compatibility is a goal, but it is not always achieved, and at times this evolution comes at the cost of certain failures which everyone must be ready for. OT systems continually carry out the same communications, and possible IT system interruptions can block or reset those communications. IT product developers and sellers do not always consider these limitations, as the sector itself does not require them. Moreover, it must be kept in mind that introducing new IT products after the Site Acceptance Tests (SAT) can add new risks that were not considered, and can even void the warranty.

OT is a clear example of the late adoption of both technology solutions and updates and patches. This also means that OT equipment is habitually older than IT equipment and that the personnel require different knowledge to manage it. While IT personnel are usually well-trained in the latest technological advances due to the pressure of security and the stability and interoperability required, OT personnel must know about technology that has long since been abandoned in the corporate world and replaced with faster, more secure and more easily replaceable alternatives. The average age of the workers differs significantly between these two sectors; in practice it is usually considerably lower in IT, although this gap is closing.

From a security perspective, most vulnerabilities that affect OT require very close physical access to the target in order to be exploited, and this physical security is precisely one of the strengths of any OT system. The increasing prevalence of communications has expanded the attack surface to ground that is better known in IT systems. But all of the knowledge and maturity of IT with respect to network security cannot be directly applied to OT systems. The tools must be adapted or, as is often the case, new ones must be created.

Solutions

The inclusion of OT systems in IT networks makes it possible to save time on routine maintenance and to carry out these tasks remotely from a central control panel. Moreover, these technologies also allow new predictive models to identify weaknesses, correct problems or replace devices before a failure incurs a high cost in time and money.

Besides the actual technology, there are four things that will enable the convergence of these two worlds:

  • Support from management: No other department is as strong as the Chairman and the senior management group. If the initiative begins with this group and it offers the necessary support, convergence will be a success.
  • Planning: The convergence process will not be easy and may extend over a long period of time. This means certain steps must be followed, yet they must be flexible enough to adapt to regulatory and operational changes that may arise during the project.
  • Tests: Convergence involves the application of many changes and updates to the OT systems and, most importantly, these will become constant. In order to achieve this, the necessary tests must be conducted to determine any problems that may be involved with each modification.
  • Education: The lack of understanding and even knowledge between IT and OT must be resolved by integrating personnel with up-to-date and traditional knowledge, as well as by cross-training IT and OT personnel so that they can share and outline their respective tasks.

How convergence affects security

The convergence of IT and OT will bring all the power developed for business systems to industrial systems. The greatest benefit for security will come through monitoring: the continued expansion of Ethernet will make it possible to better control traffic flows, thus enabling the installation of firewalls, IDS and other mechanisms to segment and secure the network.

The patching policy will lead to outdated equipment and obsolete operating systems. This will involve great effort on the part of manufacturers and developers, who will have to quickly validate the security patches published in relation to the operating system as well as publish patches themselves to correct the security failures in their solutions.

The inclusion of other IT techniques such as audits and consultancy will also help raise the level of control system security, especially due to the frequency, although they are already being done in some areas at present.

IT/OT convergence is a process that has already begun. The faster companies approach it and put effort into completing it in a satisfactory manner, the better positioned they will be for the future. There will be many difficulties along the way, but the end benefits will compensate for the necessary effort.