The IT invasion of OT

istock 696234018
jeffbergen/istock

Regardless of where you sit in the enterprise, you undoubtedly will see some impact of  “digital transformation” initiatives that affects you.  OT, or  “operations technology,”  is experiencing a quiet revolution – yet a sweeping revolution, nonetheless.  In particular, the digitalization of operations is compelling a comprehensive invasion of IT people and processes into the OT domain.  I will explore the forces driving this revolution, and touch on how IT itself will change in the process.  First some background.

Digital transformation and what it means to OT

Digital transformation is the adoption of digital technology to transform services or businesses, typically for the purpose of either redefining experiences (for example, customer experience) or gaining more insight and control over the operation (typically for efficiency purposes).  Either of these can involve a change in the company’s operating model. Operations technology (OT) is the capital behind these processes; everything from warehouse robots, to production line control systems, to the building management systems that run a store’s HVAC (heating, ventilation, and air conditioning).

There are two big changes to OT that are being forced by digital transformation: 

1) OT systems are being connected to networks they weren’t connected to before to extract new data about the operation, and;

2) Data-rich software applications are being deployed in this operations environment, in order to use this new data. 

By definition, OT systems live at the “edge” (not in an IT data center), so the infrastructure to enable #1 must be deployed, secured, and managed at the edge. Since this data may be high bandwidth, and since the processing of this data frequently has latency constraints, much of #2 must also be deployed, secured, and managed at the edge. These deployment, security, and management processes are what drive the IT invasion of OT.

IT is not an organization; IT is a set of processes

Another important piece of background is that the notion of  “IT invasion”  is not necessarily about the CIO becoming your boss’s boss. Rather, it’s about operations organizations adopting real IT processes.  Sometimes that means buying new tools and hiring new people with IT skills. Other times, it means expanding or shifting the role of IT organizations to include OT.  We have seen companies take both approaches.

Security and vulnerability – the original OT problem requiring IT processes

The first problem, predating any digital transformation project, was cyber security for OT systems.  Many operations people were surprised a couple years back when the WannaCry ransomware attack infected OT systems that they thought were isolated from any dangerous networks. Operations people have since come to realize there’s no such thing as a completely (so-called) “air-gapped” network or system. Every digital system has I/O of some sort. Thus, if it can be used, it can be compromised.

The most important realization from this, of course, was that OT environments frequently have a LOT of systems that are unknown (in the aggregate) and not closely managed. The concept of “air gapped” had created a false sense of security and freedom – and this sense of security had enabled a dangerous drift from process fundamentals. For example, if cyber security risk were truly always a factor in operations’ decisions, vendors of OT systems would all be required to support modern operating environments, hitless patching processes, advanced AAA (Authentication, Authorization, Accounting), and likely forms of intrusion/anomaly detection. In the real world, however, many OT systems run on older OS’s like Windows XP, haven’t been patched in years, and are only inventoried on some obscure spreadsheet.  Thus, cyber security is the first place IT processes are being brought to bear in the OT world.

Meanwhile, the Purdue model, a wonderful framework for describing the layering of industrial control logic, fails to capture the topological complexity being compelled by digital transformation. In particular, while the Purdue model assumes that data from end equipment and sensors flows through a control layer, virtually all of our customers are adding direct-connected IP sensors on the plant floor that do not flow thru the control logic layers at all, basically bypassing the Purdue model.

Thus, the Purdue model is no longer an adequate framework for describing the new OT environment.  Not only does new sensor data frequently flow outside the model, but the new applications that use this data frequently interoperate directly with the “plant systems” in the model – e.g. MES, PLM, ERP, etc. – rather than through a separate layering. These new apps typically utilize a more modern run-time environment than the legacy plant systems, and thus must be hosted with net-new processes and systems.

New apps need a place to run, and need to be managed

As new data-rich applications appear in the OT environment, they impose new process requirements on the operation: infrastructure provisioning, monitoring, patching, release management, possibly CI/CD, platforms for hosting, VM or container orchestration, data/storage tiering, backups and continuity, runbooks & deployment processes, and much more.

Furthermore, connecting these apps to their sensor data requires very complex network segmentation, in order to maintain separate firewalled segments from the plant floor sensors all the way back to the respective data room VMs or containers. The network architecture for OT is evolving to be more complex than the networks found in most data centers! This is a result of the need to span from the actual physical world (sensors and controllers) all the way back to the servers, in addition to connecting individual users en masse (akin to an office) – things no data center network must do.

IT processes and skills, of course, become critical to address all three of these phenomena:  1) cyber security, 2) application hosting and management, and 3) complex network management.

IT will become something different as a result of this invasion

“IT for OT” will be different from classic IT.  While cloud computing has impacted the role of centralized IT in most enterprises, the demands from the OT side of the business will readily consume the skills and capacity from classic IT. However, the mission and measurement of operating organizations is much more focused than that of classic corporate IT. As a result, many are growing complete IT organizations within their confines, with dedicated CIOs focused on supporting only that organization’s mission. As digital transformation continues to lean ever more on information technologies, the role of  “IT for OT” (or perhaps we might call it “OT IT”?) may finally furnish the tight business alignment so many CIOs have sought for so long.

Learn more here.
For further information please reach out to digitaladvisor@hpe.com.

____________________________________

About Lin Nease

lin
Lin Nease is an HPE Fellow and Chief Technologist for HPE Pointnext’s IoT advisory practice.  In this role, He is responsible for setting strategy, building a technology plan, and driving innovation with key enterprise customers/partners of HP.  Lin also provides IoT strategy consulting directly with HPE’s enterprise customers.  He co-founded HPE’s EdgeLine business, drove portfolio enhancements to HPE’s GreenLake services, established the IoT practice, and led HPE’s membership in organizations like the Industrial Internet Consortium.

Copyright © 2020 IDG Communications, Inc.