For decades, the office environment had been on an Ethernet network, the factory floor had operated independently on fieldbus, and each was happily separate in its operations and needed little contact with the other. Now, with the proliferation of Ethernet on the industrial side and the organization converging into a single data network spanning both information technology (IT) and operational technology (OT), the conflict seems inevitable—which department gets oversight and control of the Ethernet network?
A lot of organizations are finding out—perhaps not without a bit of pain—that the “either/or” question can be problematic. The chasm between IT and OT, in everything from processes to knowledge to culture, can be quite large. Right from the start, the department that is traditionally responsible for data flow and the department that is responsible for industrial controls are managed according to fundamentally different incentives. For OT, availability is king, representing millions of dollars in manufacturing productivity, whereas IT tends not to mind a little downtime as long as data security can be maintained. Marching orders from the top therefore drive the two organizations toward different priorities, which leads to the creation of different procedures and mindsets.
In addition, IT and OT professionals might both be technical whizzes, but their areas of expertise differ. IT professionals often know little about the redundancy protocols that can be the saving grace of a production line, and OT professionals are often well behind IT people in their understanding of and ability to implement and maintain cyber security. IT and OT’s respective regulatory requirements are likely quite different, as is their respective experience with mitigating environmental factors such as temperature extremes and chemical exposures. Further, IT tends to eagerly embrace the latest technology while OT tends to delay upgrades as long as possible to avoid interruptions. Sometimes it seems that they are even speaking a different language altogether. For example, tell a group verbally to make sure that the new network management software is compatible with “sip” and the professionals with the OT background will hear “Common Industrial Protocol” while the IT professionals will hear “Session Initiation Protocol”—with both equally certain that they are looking to spec the correct product!
IT & OT - Bridge the Gap
So if keeping IT and OT network ownership separated is an inefficient course of action, and turning OT networks over to IT or IT networks over to OT would likely lead to less than optimum performance of one side or the other, what is the answer? How can organizations get together on this—not only to help consolidate their organizations for the most effective operation day by day, but also be well positioned to benefit from the powerful new data-driven technologies emerging through the Industrial Internet of Things? Belden, based on our extensive experience with both IT and OT networks, has developed a suggested path forward.
The key point is that there needs to be an individual capable of communicating with and relating to both departments and ensuring that they work synergistically rather than adversarially, as well as an organization around him or her to ensure that the proper backing and resources are provided. We call this individual the “Automation & Data Exchange (ADX) Engineer,” and the support system for this person the IT/OT “Joint Task Force” or “Steering Committee.” Both are vital for success.
The ADX Engineer, leading a new virtual department
The ADX engineer is a professional who understands the functions and priorities of both the IT and the OT worlds. Responsibilities under his or her purview will likely include:
- Ensuring seamless communication among all network parts
- Implementing and maintaining appropriate controls to ensure data security
- Compiling the massive amounts of data generated from connected devices and making it actionable and usable as input for bottom-line decisions
- Maintaining maximum uptime on the production lines
- Reducing required resources by centralizing functions through one control center
As to the background of this person, it matters little what discipline they came from originally, but they need to be cross-trained in both OT and IT practices. This person could be a networking engineer who has spent time working or training on the plant floor learning about automation operations, needs, and challenges. This person may also be an automation engineer who has completed networking classes and earned certifications from educational organizations or vendors. Belden, for one, has established a very robust and well-respected training program in this regard, with education designed to help “fill in the gaps” for individuals of all backgrounds.
However, hiring this person might not necessarily be the first step. It is important that the ADX Engineer operate with a full support team visibly behind them. A strong foundational step might see the C-Level head of IT—usually the Chief Information Officer—as well as the C-Level head of OT—usually the Chief Operating Officer—join together and express their support for the addition of an ADX Engineer. They should give their blessing to the formation of a joint task force that meets regularly and includes key members from OT, IT, and related disciplines. The National Institute of Standards and Technology (NIST) has weighed in and made recommendations on the individuals that should be included in the group:
- A member of the IT staff
- A control engineer
- A control system operator
- A network and system security expert
- A member of the management staff
- A member of the physical security department
Ultimately, the ADX Engineer may be assigned responsibility for leading this steering committee and act as the liaison between the task force and the OT and IT departments. Upfront though, perhaps the CIO, COO, and steering committee members could be the ones to jointly interview candidates and select and hire the ADX Engineer, ensuring that optimum buy-in of key stakeholders is achieved right at the start.
Once the full team is in place it is best to start off slow, perhaps with a pilot program such as updating the network or upgrading the cyber security framework at a smaller manufacturing facility, so that the impact of a change is minimal. This way the team can learn to work together, improve their joint processes, and increase their odds of success at the next location.
How is your organization managing convergence? Let us know what’s working for you.