IT and OT converging: how do we keep a grip on this (r)evolution?
IT and I(I)OT are converging, developments are accelerating, now what, evolution or revolution?
In fact, three major developments are happening simultaneously in the world of operational technology (OT). First, the number of business and management processes that require both office automation (IT) and OT to be available is growing, with or without interfaces between them. Applications are multiplying, but information security does not automatically grow with them. That makes the second development all the more important: growing external threats, with ransomware most prominently in the news, as earlier at Maersk and recently at the Gelderland security region. Last but not least, there is a new player in this domain, dubbed by someone the 'IoT virus'. It often starts with 'sensors', but eventually it involves large data streams that need to be controlled: lots of potential, but immature in terms of security and therefore vulnerable. What should enterprise management do with this? Adapt quickly to these new developments, at the risk of making mistakes because of that speed? Opt for evolution or revolution? Our answer is 'both', but following a controlled change approach in which IT and OT are aligned, with a stepped architecture process and appropriate communication at each stakeholder level.
Vendors think from their own technical solutions
Companies want to adapt to new developments; they even have to, as they themselves point out. They often want to respond to new developments as quickly as possible, under the banner of wanting to be at the forefront of innovation. Many directors outsource the development and management of their (OT) infrastructure, including its security, to external ICT suppliers. The result is that these suppliers bring in 'their' technical measures without looking at the total picture: the organization, its environment and the changes in both. Of course they produce a 'technical' network drawing and abstract it for management, but the usual impression that leaves is simply 'quite complicated'. Yet organizations increasingly see the benefits of integrating their IT and OT, both technically, by sharing the IT-OT infrastructure, and in efficiency, by combining management processes and tooling. The result is more consistency, but also more interdependence. How, then, to deal with the uncertainty about the destination, the route to take and the conditions to monitor? In short, the captain must decide, himself on the bridge of his ship with his helmsman and engineer. But how?
Take control yourself
The answer depends on the situation, but is usually a solid long-term strategy with a global plan, a roadmap, working from the global picture down to tiered detail for the shorter term. This does not mean that developing this strategy must block all desired changes. Stagnation can be avoided with a mature process for innovation and change management, in which the relevant experts identify and weigh the short- and longer-term impacts, up to and including a proposal for decision-making. To do so, this change management process needs an adequate overview of the relevant IT-OT assets: the components, all endpoints and systems, (also) in the OT infrastructure. How often does it turn out that there is an Internet connection somewhere, or an old server still hanging in the network? Tada, the door is open! With a mature change process designed according to best practices and supported by reliable asset management, relatively simple changes can, to begin with, be approved and implemented in a controlled manner.
If the situation is complicated, more is needed to assess the desired change: insight into the whole, its coherence, the lifetimes involved, the correct and technically and financially feasible sequence, and so on.
New-style helmsman: The IT-OT architect
What management, the captain of the ship, needs in addition to the engineer is a 'new-style helmsman'. To fill this role, I recommend the connecting role of IT-OT architect, someone with sufficient knowledge of both worlds. Of course, the technology in OT remains the core of process automation, but the strategic/tactical IT-OT architect brings in his expertise and toolbox from both IT and OT computerization. From the IT world, the architect uses a best-practice approach such as TOGAF, an enterprise architecture framework; the layered OSI model; and knowledge of common standards and norms. These include models that make possible the necessary understanding of the whole, of the interconnectedness of things, mentioned earlier. He uses from his toolbox what the situation needs, no more, but also no less. Fortunately, the (architecture) toolbox for OT is also maturing. Three tools have already proven themselves in practice: the old Purdue model for Computer Integrated Manufacturing, the fairly young Reference Architectural Model for Industry 4.0 (RAMI 4.0) and, for security, NIST SP 800-82r2 and the comparable IEC 62443. Architects need these models not only for their own products, but also to tell the story to all stakeholders, including the aforementioned captain on the ship and the engineer. This brings us to one of the key competencies of the proposed IT-OT architect: communication.
Directing, how?
Roles are changing. Until now, a technical developer or technical architect was sufficient to give direction to the desired changes. Today, more is needed, even in the OT world, as has already happened in leading IT. Simply copying each other's best practices is only partially a real option: in our practice, IT and OT turn out to be too different for that. Moving from the analog world to the digital world of IP only seems easy. OT uses protocols that IT does not, which a traditional IT firewall, for example, does not necessarily understand and therefore will not simply filter. Active IT-style network scans are often not allowed in OT because of the risk of process failure; passive monitoring is at best what is permitted. The OT world is complex: geographically spread, with systems at different points in their lifecycle, high availability requirements, latency, robustness, safety and, increasingly, security challenges. The revolution concerns operational technology and the choice to move from analog to digital and to integrate: IT and OT converging, technically and in management. In my opinion, the way to get there is a 'managed revolution'. This requires OT, IT and the business to come closer together in communication. That is where the IT-OT architect creates strategic/tactical solutions.
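Two points above come together in one practical check: the change process needs a reliable overview of all IT-OT assets (the forgotten Internet connection, the old server still on the network), and in OT that overview usually has to come from passive monitoring rather than active scanning. The following is an added example, not code from the original article, of how a defender can reconcile passively captured flow records against an asset inventory. It assumes a SPAN port or TAP sensor has already exported flows as CSV lines of the form `src_ip,dst_ip,dst_port,proto`; the inventory, the internal network range and the flow records are constructed sample data, and the OT protocols are recognised only by their default ports (an assumption that fails if ports are remapped).

```python
"""Passive reconciliation of OT flow records against an asset inventory.

Added example, not code from the original article. It assumes a passive
sensor (SPAN port or network TAP) has already exported flow records as CSV
lines "src_ip,dst_ip,dst_port,proto"; the inventory, the internal network
range and the flow records below are constructed sample data.
"""
import csv
import io
import ipaddress

# Default TCP/UDP ports of common OT protocols (assumed not remapped).
OT_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed: the address space the OT zone is allowed to talk within.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed asset inventory: address -> (asset name, Purdue level).
INVENTORY = {
    "10.10.1.10": ("PLC-LINE1", 1),
    "10.10.1.11": ("PLC-LINE2", 1),
    "10.10.2.20": ("HMI-01", 2),
    "10.10.2.21": ("HIST-01", 3),
    "10.10.3.30": ("ENG-WS-01", 3),
}

# Constructed flow records, as a passive sensor might export them.
FLOW_CSV = """src_ip,dst_ip,dst_port,proto
10.10.2.20,10.10.1.10,502,tcp
10.10.2.20,10.10.1.11,502,tcp
10.10.2.21,10.10.1.10,502,tcp
10.10.2.99,10.10.1.10,502,tcp
10.10.1.11,203.0.113.7,443,tcp
10.10.3.5,10.10.2.21,3389,tcp
"""


def is_internal(addr):
    """True if addr lies inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts, converting dst_port to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dst_port"] = int(row["dst_port"])
    return rows


def reconcile(flows, inventory):
    """Compare observed flows with the inventory.

    Returns a dict of sorted lists:
      unknown_hosts    internal addresses seen on the wire but not inventoried
      unknown_ot_peers (host, protocol) for non-inventoried hosts speaking OT
      external_egress  (src, dst, port) where an inventoried host reaches
                       outside the internal networks (the "Internet
                       connection somewhere")
      unseen_assets    inventoried addresses that never appeared in the flows
    """
    unknown_hosts, unknown_ot_peers, external_egress, seen = set(), set(), set(), set()
    for f in flows:
        src, dst, port = f["src_ip"], f["dst_ip"], f["dst_port"]
        proto = OT_PORTS.get(port)
        for host in (src, dst):
            if host in inventory:
                seen.add(host)
            elif is_internal(host):
                unknown_hosts.add(host)
                if proto:
                    unknown_ot_peers.add((host, proto))
        if src in inventory and not is_internal(dst):
            external_egress.add((src, dst, port))
    return {
        "unknown_hosts": sorted(unknown_hosts),
        "unknown_ot_peers": sorted(unknown_ot_peers),
        "external_egress": sorted(external_egress),
        "unseen_assets": sorted(set(inventory) - seen),
    }


if __name__ == "__main__":
    for category, items in reconcile(parse_flows(FLOW_CSV), INVENTORY).items():
        print(category, items)
```

Each category maps to a change-management question: unknown hosts and unknown OT peers are inventory gaps to be investigated before any change is approved, external egress from an inventoried OT host is the open door the text warns about, and unseen assets are either decommissioned devices still listed or devices the sensor cannot see, which is itself a coverage gap in the overview.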