According to a survey of 134 individuals in critical infrastructure companies charged with responsibility for managing security, compliance and/or operations in industrial automation environments, conducted by security solution and services provider Industrial Defender (www.industrialdefender.com), the relations between operations and IT are complicated and will become more so in the future. The survey included those in the oil and gas, water, chemical and electric/gas utilities, government, manufacturing, pharmaceuticals and transportation.
According to the survey, this increasing complication springs from a number of factors. First, 73% of those surveyed expect to see either significant or moderate increases in connectivity between industrial endpoints and corporate IT infrastructure over the next three to five years. Meanwhile, the industrial infrastructure itself is growing more complex—at least in the eyes of the slightly more than 50% of those surveyed who expect the number of industrial endpoints to increase by 50% or more over the next three to five years.
Answers to questions regarding the growth of connectivity reflect another of the basic causes of complexity: the diverging opinions of the corporate and operation staffs. Thirty-three percent of the corporate respondents expect the growth in industrial endpoints will be more than 150%, while only 12% of those in the industrial control environment felt the same way. Corporate respondents also expect more connectivity between their corporate and control networks than do their operation colleagues.
Three to five year growth in industrial endpoints
Figure 1. In this chart from Industrial Defender, survey respondents predicted that
industrial endpoints will increase by 50% over the next five years.
Another disconnect that complicates the environment is the divergence of on-paper responsibilities and day-to-day activities. Industrial operations professionals have seen their responsibilities regarding security and compliance broaden over the last few years, but there is a clear gap between responsibility and the amount of time devoted to these activities. Of those surveyed, 66% have either "primary" or "significant" responsibility for managing security within automation environments, 57% for managing compliance/audits and 55% for operational management. But 72% admit to spending less than 25% of their time per month managing security.
Good News, Bad News
The good news is that there is a significant overlap between managing security, compliance and operations. Many of the activities and procedures required for monitoring critical systems' health and performance, alarm management, data and asset management, tracking changes and managing incidents and problems are the same for all three areas. The bad news is that a majority of the respondents feel they could be doing much better at managing all these areas—especially if they are working in a multi-vendor environment with assets from multiple suppliers., For example, only a third of respondents report having a "moderately strong" ability to monitor critical system health and performance, while more than 70% say they have a poor to moderate ability to gain a unified view of their operations. While nearly 90% felt that managing incidents and problems was "extremely" or "very" important to security and operation management, and 74% felt the same way about compliance and audits, only a quarter said their operations currently have a "very" or "extremely strong" ability to manage problems across a diverse asset base.
Brian Ahern, CEO of Industrial Defender, suggests that the solution to this growing complexity is to take advantage of that overlap. "Let's not try to justify investments in security and compliance. Rather than going at it that way, address the challenge of addressing the operational inefficiencies associated with a complex environment. If you can talk about gaining efficiencies there, security and compliance can become a byproduct of that investment. If you can get a solid understanding of real-time asset activity and state data, it puts you in a better position to manage. A unified approach to managing and protecting the infrastructure will justify investment in intelligent endpoints."