The information technology (IT) and operational technology (OT) domains are converging. As reported by Automation, a webinar poll conducted by Forrester and Nozomi Networks in the summer of 2019 found that 82% of respondents worked at organizations where IT-OT collaboration was either in its early stages or already a productive business reality. Acknowledging this trend, Gartner estimated that 50% of OT service providers would create partnerships with IT-centric providers for Internet of Things (IoT) offerings by the end of 2020.
These findings require several questions to be answered, including what are the benefits of an IT-OT convergence? Is this integration smooth, or are there specific challenges with which organizations must contend?
This article explores these questions by first examining the definitions of IT and OT and analyzing their differences. It then outlines the benefits of having IT and OT teams collaborate before identifying some considerations for realizing this convergence. Finally, it explains how organizations can make this grand challenge a more seamless and collaborative process.
What is Information Technology (IT)? IT vs. IS?
According to the definitive international standard for corporate governance of information technology ISO/IEC 38500:2015, Information Technology is the set of “resources (especially computers and telecommunication) used to acquire, process, store, and disseminate information.”
IT is a blend of communication networks and interfaces, IP protocols, computing and server systems, software applications and operating systems, databases, data backup, and data restoration technologies. The combination of these IT components as part of Information Systems helps companies analyze information and make business decisions.
Information Systems (IS) is an encompassing term that includes the use of technology, systems, people, and processes for scalable information and intelligence sharing. The ISO/IEC 2382:2015 Information Technology – Vocabulary standard broadly defines IS as an “information processing system, together with associated organizational resources such as human, technical, and financial resources, that provides and distributes information.”
What is Operational Technology (OT)? OT vs. ICS vs. IACS?
Defined in the international standard for information technology, cloud computing and edge computing landscape ISO/IEC TR 23188:2020, Operational Technology is the “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices and systems, processes and events in the organization.”
Contrary to general perception, OT does not just include customized communication networks and interfaces, IP protocols, computing and server systems, software applications and operating systems, databases, data backup, and data restoration technologies critical for industrial processes’ real-time operation. OT also includes interface and component technologies of the engineered Industrial Control Systems (Basic Process Control Systems, Process Alarm Management Systems, Safety Instrumented Systems)
- Proprietary protocols
- Graphical interfaces
- Advanced control
- Variable control
- Online optimizers
- Equipment monitors
- Process historians
- Human and machine interfaces (HMI)
- Programmable logic controllers (PLCs)
- Remote Terminal Units (RTUs)
- Intelligent Electronic Devices (IED)
An important distinction is that while OT by definition explicitly includes the technologies (hardware and software), it implicitly excludes OT as the ‘systems,’ or the engineered and designed industrial control system functions and physical control components, used for plant operations and safety. The relationship between OT and ICS is the likeness to that of IT and IS. ICS encompasses OT. Examples of ICS:
- Supervisory Control and Data Acquisition (SCADA)
- Distributed control systems (DCS)
- Manufacturing Execution Systems (MES)
- Plant Information Management Systems (PIMS)
- Energy Management System (EMS)
- Monitoring and Diagnostic Systems
The U.S. National Institute of Standards and Technology’s Special Publication, NIST SP 800-82 rev 2, defines ICS as a “general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).”
The IACS term encompasses both OT and ICS, including people and processes. The definitive international standard for the security of industrial automation and control systems ISA/IEC 62443 defines IACS as the “collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process.
NOTE These systems include, but are not limited to:
- industrial control systems, including distributed control systems (DCSs), programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices, supervisory control and data acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include basic process control system and safety-instrumented system (SIS) functions, whether they are physically separate or integrated.)
- associated information systems such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.
- associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.”
IACS is about real-time information and intelligence sharing for reliable control, safety, and industrial operations functionality.
IT vs. OT: What’s the Difference?
While they might utilize IT devices, many modern OT systems have fundamentally different objectives and constraints than IT systems, as outlined in the grid below:
What Is Convergence?
Before going further into why IT and OT are converging, let’s take a moment to examine the concept of convergence.
Merriam-Webster Dictionary defines convergence as “the act of converging and especially moving toward union or uniformity.” The National Research Council’s May 2014 report takes this definition further to functionally describe convergence in the science, technology, engineering, and mathematics (STEM) domains as “an approach to problem-solving that cuts across disciplinary boundaries” for the benefit of society.
Throughout the ages, the act of convergence has helped society develop new ways to design, collaborate, and bridge fundamentally different disciplines while preserving their distinct perspectives and values.
Convergence seeks to transcend existing constraints or problems through collective intelligence to achieve visionary outcomes. The solutions obtained through convergence are often more sustainable than through an independent domain-siloed approach.
An essential method to facilitate convergence is creating and applying a high-level cross-domain language (or “convergence language”) with traits and goals common to each domain. This convergence language enhances understanding of complex cross-domain systems and enables reaching shared objectives faster with reduced effort. An efficient convergence language requires each domain to maintain a minimum capability and maturity level to derive the added value and meet the shared goals.
Convergence is typically not an absolute merger of domains or assimilation of one domain into another. The absolute merger or assimilation may be achievable in the case of IT and OT convergence. However, it would require both domains to be operating at exceedingly high capability and maturity levels to apply a convergence-language broad and deep enough to enable fruitful merger or assimilation.
Organizations at the forefront of such convergence will undoubtedly achieve more incredible innovation and productivity, ultimately securing themselves the ability to accelerate response to the needs of the demanding, faster, and more connected world.
Why Are IT and OT Converging?
Availability is paramount for organizations with industrial environments. Indeed, an outage could cascadingly disrupt a nation’s economy, undermine national security, and/or jeopardize public safety. That explains why most organizations traditionally sequestered their proprietary OT networks from their enterprise networks, including their IT assets. There was no apparent need to connect industrial assets to the web, so organizations kept these environments separate.
But things are changing.
Many organizations are now experiencing a digital transformation. In the process, they’re connecting more of their services and systems internally with corporate systems and externally with third parties and the Internet. They hope that doing so will improve their operations, increase their manufacturing production, and generate essential insights for tomorrow’s business needs.
In this spirit, organizations are starting to bring their IT and OT environments together to enhance their physical operations. IT-OT convergence enables organizations to use the IT network of workstations and servers, including application and database servers, within the OT domain to better manage their OT and ICS assets. Some organizations apply these traditional IT technologies to control critical operational functions of controlling-sensors, actuators, circuit breakers, and other Industrial Internet of Things (IIoT) devices to realize this culmination.
The U.S. Department of Energy noted in 2018 that IT-OT convergence enables organizations to share information across utility processes that were once separated from one another. This ability to share information allows organizations to plan more efficiently for their operation needs, conduct support in real-time, and use operational engineering data for system protection. In other words, IT-OT convergence facilitates the ability of industrial organizations to optimize the efficiency and operations of their utility processes, all while saving maintenance costs and conducting preventive fixes to minimize downtime.
The Challenges of the IT-OT Convergence
Notwithstanding the benefits identified above, organizations face several challenges in bringing their OT and IT environments together. The most crucial challenge in managing industrial processes is ensuring their security to maintain safe and reliable operations. For that, the organizations need to first be aware of the many difficulties.
The increased use of interconnected IT devices in the OT domain has created or increased interdependencies among all OT components. Thus, it’s crucial to understand the consequences of such an evolution. These interdependencies can lead to systemic risks; that is, the emergence of unforeseen OT and ICS behaviors that could not have been predicted from understanding the single components or systems.
In general terms, “systemic risk” to OT and ICS can be defined as a global risk to IACS not related to the vulnerability of a specific part of the system but its global behavior. The IACS may collapse as a whole entity while none of its components appear to be vulnerable. The reason for this systemwide failure scenario is related to the interdependence of constituent systems. Interference on a single IACS component may cause a domino effect that could not have been predicted from the analysis of the single IACS component, but that emerges from the interdependent vulnerabilities of the constituent systems.
A sobering example of “systemic risk” is the Aurora Project research effort led by Idaho National Laboratory in 2007. Aurora demonstrated that the opening and closing of circuit breaker(s) in out-of-phase conditions could damage the alternating current (AC) power generator connected to the power grid. Circuit breakers are designed to protect electrical equipment from high voltage damage. However, their designed capabilities were applied to interfere with the safe and reliable operation of the grid. The video of the demonstration is viewable here.
Keep in mind that OT devices such as sensors, actuators, circuit breakers, and their deployments are designed and engineered for predictable availability and reliability and not for cybersecurity.
Increasing the number of system communications by applying interconnected IT and IIoT devices in the OT domain increases the complexity of the challenge organizations need to contend with to secure their critical infrastructure.
Suppose the organizations have limited knowledge of effectively building their IT-OT convergence personnel team and the convergence program. In that case, such a gap to protect the most vulnerable assets could make converging rather more challenging.
The Art of Convergence: IT-OT (IS-IACS)
There is no denying that IT and OT, or more aptly IS and IACS, convergence is essential and inevitable. It is not an end but rather a journey of disruptive innovation that leverages synergies to sustainably evolve beyond our current technological constraints for the benefit of society.
Organizations mastering the art of convergence will secure their most critical assets, establish a sustainable competitive advantage, and accelerate their vision towards the future real-time economy and Industry 5.0.
One of the emerging methods to facilitate this convergence is by performing a detailed bottom-up physical-cyber risk assessment, establishing capability and maturity level targets, and developing an integrated cybersecurity program that considers your organizational and staffing constraints.
The cybersecurity risk assessment and the cybersecurity program would together help establish the “convergence language” that enables the development of common concepts, terminology, process relationships, and methodologies across your IT, OT, Engineering, and Operations domains. The cybersecurity program would also help identify and establish job roles based on the complex needs of the organization and what the market can offer to help derive realistic initial and phased capability and maturity level targets for IT, OT, and ICS convergence. The “convergence language” processes and controls would be layered based on the capability and maturity level targets. The breadth and depth of the “convergence language” would dictate the convergence’s extent and speed.
This methodology enables any organization to understand its most critical cybersecurity vulnerabilities, from the cyber-physical systems (CPS) and up. It also helps create a sustainable and scalable cybersecurity program to help achieve the right convergence to meet their business objectives.
While some components of this methodology are being implemented in the industrial sector today, ORIGNIX is the first to introduce this as a complete disciplined integrated methodology. Our cyber Process Risk Analysis (cyberPRA) and cyber Operations Resilience Management (cyberORM) services work together and can be scaled to meet the custom needs of critical infrastructure clients.
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize systematic cyber and operational risk assessment using well-established techniques and templates. Our cyberPRA methodology identifies potential gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. Our cyber Hazard and Operability (cyberHAZOP) study is a component within cyberPRA that helps clients systematically identify and qualify the risks on their cyber-physical systems’ (CPS) availability and reliability. Our cyberORM system framework can help you fast-track and achieve the desired functional and strategic risk tolerance level of your CPS. Our methods are based on recognized and generally accepted good engineering practices (RAGAGEP), including internationally recognized industry standards ISO 27001/2, ISA/IEC 62443, ISA/IEC 61511, and NIST 800-82.
For more information, click here.