"Ask the Experts" is moderated by Béla Lipták, (http://belaliptakpe.com) process control consultant and editor of the Instrument Engineer's Handbook (IEH). He is currently recruiting contributors for the 5th edition. If you are qualified to contribute or answer questions in this column, or want to ask a question, write to firstname.lastname@example.org.
Q: We are having an internal argument as to who loads the DeltaV machines when it comes to the Windows software. My question is should we allow the "Business IT" group to do it, or is this the "Controls" group's responsibility? Are there any regulations about this?
A: Over the years, I've received 322 questions for this column, but none was more important than yours. It's so important because it asks about the domains of information technology (IT) and automation technology (AT), and if a "firewall" is needed between them. This is important because, running any industry, it is essential to clearly understand who is responsible for what activity in order to make that industry safe, reliable and efficient, while complying with all regulations and producing globally competitive, high-quality products.
It must also be clearly understood that one cannot control a process without fully understanding it, and that it takes education and decades of experience before one can obtain the required level of understanding. A good process control (AT) engineer fully understands the process he/she is operating. This is an important distinction because a ChE, EE, ME or IT professional understands only one aspect of the plant design, but not the total process.
In the distant past, computers were new, and only the programmers and IT engineers understood them. As our DCS systems began to look like desktop computers, the IT departments got involved with them, but this period is long past, and modern management clearly understands that this age is over. They now understand that IT is for business and AT is for plant operation. They understand that on the outside the DCS systems might look like computer equipment, which the IT people used to work on, but inside them is the combined know-how of the AT profession about which IT people know nothing. Therefore, the domain of the AT department must include all that has to do with plant operation (Level 1 – dealing with measurement; Level 2 – dealing with control; and Level 3 – covering manufacturing execution and operations management, or MES and MOM).
AT is different from IT because the control of industrial production operates 24/7 and in real time! For example, if the operating pressure is dangerously high, AT immediately opens a relief valve. (This is not what the people at Fukushima did, who waited seven hours, while they debated business and PR implications of an accident, and thereby caused hydrogen explosions.) AT is also different from IT because society as a whole is entering the age of cyber terrorism. Remember what the Slammer virus did at the Davis-Besse nuclear plant, or what Israel did to the Iranian centrifuges. Therefore, while very hard to achieve and inconvenient to top management, the only foolproof protection against virus attacks on industrial plants is to disconnect the AT domain from the outside world.
This is a basic difference from IT, which can and must use the Internet all the time, and must also secure the company business systems. Naturally, while the AT and IT domains must be totally separated, IT display screens can also be present in the control room to keep plant operators abreast of business-related information.
Today, the "magic" of computers is gone, so IT should be involved only with the business and its associated networking needs in order to collect data and assist management in scheduling production, estimating market demands and making decisions on personnel management, salaries, job titles, etc. IT should not be involved in process operations because they don't take place in the "business environment." For example, IT people usually do not understand that one cannot just load and update software, work on cybersecurity, or do patching at any time they feel like it because doing the wrong thing at the wrong time can shut down the plant or worse. Therefore, such in-plant activity must always be directed by the AT department, which (in larger plants) should also have at least one IT specialist in it.
Today, unfortunately, there are no regulations that clearly separate the AT and the IT domains, and the few standards that do exist (ISA-95, TÜV) are rather vague. What the process control industry needs is a "firewall" between the IT (business) and AT (operations) domains, and universal standards that clearly define where the IT domain ends and the AT domain begins.
A: My response is that no critical control computer should ever be on the network and thus subject to IT control.
A: This historically has been a very important question, although perhaps less so today as process automation groups have been assimilated into the IT organizations in many companies.
I recall vividly the tensions that existed between process automation and IT groups in the company where I worked. In general, IT groups did not understand the special challenges and needs of controlling manufacturing processes in real time. Process automation groups had to correct program code errors in their real-time process control computers ASAP—in minutes, if possible—while IT groups required an extensive, bureaucratic change control procedure that sometimes took weeks to complete. There are two paradigms that have been used by some companies.