Healing the IT-OT divide

By Jim Montague

Jun 12, 2018


It's easy to talk about bridging the gap between information technology (IT) and operational technology (OT). It's far more difficult to step to the edge and extend a hand over the chasm. And, for some individuals, this means starting at the beginning.

"One guy at a recent session didn't know what OT stood for, which means many of us are still entering this area for the first time," said Alan Raveling, manufacturing IT senior analyst at system integrator Interstates Control Systems Inc., who presented "Crossing the IT and OT Divide" this week at the Rockwell Automation TechED conference in San Diego. "Many users still have applications that were cobbled together over years, and they don't want to touch them further."

Different languages, perspectives

Because of their different histories and technical goals, Raveling reported, OT and IT professionals have different priorities about what matters in their applications and organizations, and each side often expresses itself in language that's alien to the other.

"The classic security triangle defines confidentiality, integrity and availability as what needs to be protected," Raveling said. "And although some attitudes are beginning to change, IT's most important aims have been confidentiality and integrity, while OT's most important aim has been availability."

Raveling added that today's data collection efforts typically require that plant-floor information be meshed with other data sources that can be coordinated in time. This shift parallels recent transitions from the older data communication protocols to Ethernet. "OT can talk wiring devices to get information where it needs to go, but IT thinks that Ethernet means it's all theirs now. So someone has to say 'not so fast,' because IT usually doesn't know what PLCs are or how they work," he explained. "IT needs an education, too, such as why we need different network zones for safety.

"As applications and users move up the chain from process control, everyone can begin to talk about where their organization's handoff point from OT to IT should be, or even if one is needed. This is a discussion that every business needs to have. Some say a network demilitarized zone (DMZ) is required with IT above and OT below, while other IT departments want jurisdiction right down to the device level, even though this means dealing with safety and environmental issues."
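The "IT above, DMZ in the middle, OT below" layout Raveling describes is only meaningful if something checks that traffic actually respects it. The script below is an added example, not code from the article, from Interstates or from Rockwell Automation: it reads a constructed flow log, maps each endpoint to a zone (IT, DMZ or OT), and flags any connection that crosses between IT and OT without the DMZ in the path. The zone map, the subnets, the log format and the sample lines are all placeholders invented for this example; only the port numbers (44818 for EtherNet/IP, 502 for Modbus/TCP) are real protocol defaults.

```python
"""Audit a flow log for connections that bypass the IT/OT DMZ.

Added example for this article, not Interstates' or Rockwell's code. The zone map,
subnets and log lines are constructed placeholders; the log format is invented.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map. The DMZ is the only permitted handoff point between the
# enterprise (IT) network and the control (OT) network.
ZONES = {
    "IT": [ipaddress.ip_network("10.0.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.1.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("192.168.11.0/24")],
}

# Zone pairs that may talk directly. No IT<->OT pair is listed, so such a flow is a
# violation of the "IT above, DMZ in the middle, OT below" layout.
ALLOWED_PAIRS = {
    ("IT", "IT"), ("OT", "OT"), ("DMZ", "DMZ"),
    ("IT", "DMZ"), ("DMZ", "IT"),
    ("OT", "DMZ"), ("DMZ", "OT"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone, or UNKNOWN if it is outside the zone map."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """'ok' if the zone pair is permitted, 'violation' if it crosses IT/OT directly,
    'review' if either endpoint is in no zone (e.g. an undocumented device)."""
    pair = (zone_of(flow.src), zone_of(flow.dst))
    if "UNKNOWN" in pair:
        return "review"
    return "ok" if pair in ALLOWED_PAIRS else "violation"


def audit(lines):
    """Return (counts per verdict, list of (verdict, flow) that are not 'ok')."""
    counts = {"ok": 0, "violation": 0, "review": 0}
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        counts[verdict] += 1
        if verdict != "ok":
            findings.append((verdict, flow))
    return counts, findings


# Constructed sample log: an IT workstation reaching a PLC directly on 44818/tcp
# (EtherNet/IP), an OT historian pushing to the DMZ, the DMZ serving IT, and a
# device that belongs to no documented zone talking Modbus/TCP (502) to a PLC.
SAMPLE_LOG = [
    "10.0.5.7 192.168.10.20 tcp 44818",
    "192.168.11.5 10.1.0.10 tcp 443",
    "10.1.0.10 10.0.20.3 tcp 443",
    "172.16.9.9 192.168.10.20 tcp 502",
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(counts)
    for verdict, flow in findings:
        print(f"{verdict:9} {zone_of(flow.src)}->{zone_of(flow.dst)} "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the constructed log, the direct IT-to-PLC connection is reported as a violation and the unmapped 172.16.9.9 device is queued for review rather than silently passed; in practice the zone map would be populated from the asset inventory that the IT and OT sides agree on, and the "review" bucket is exactly where that inventory's gaps surface.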

Education, patience for everyone

To defuse these old turf battles, and get IT and OT talking the same lingo and on the same page, Raveling reported that both sides need continuing education that will eventually allow their applications and organizations to cooperate more calmly and efficiently.

"It's important to remember that IT may not like paperwork, but it's driven by it anyway, including all the requirements, mandates and other compliance criteria they must follow," said Raveling. "As a result, PCs must be updated all the time, but that might not be okay with users on the plant floor, which could cause some suppliers not to support those devices. Nonetheless, IT needs education on the reality of the world, and they can't simply patch devices whenever they want."

On the other hand, Raveling added that, "OT needs to get more educated on lifecycle management. Some patches can be done right away, and some not. Their corporation may mandate use of antivirus software and require patching, so we've had to tell customers that their whitelisting efforts may not meet their company's requirements, but may still do what they're trying to accomplish. IT policies are usually exact, but OT can still ask what those policies do and what their intent is. So, if OT can't follow a particular rule, they can still try to meet the intent. In short, OT can't just say 'no' all the time."

Policies, procedures and regions

Because many companies adapt IT policies from others and then adopt pieces for their own use without consulting OT, Raveling stated that better-performing firms must get OT involved from the beginning, and encourage them to explain which policy is or isn't working and why.

"Participants must be willing to say when they don't understand something and ask what it means," said Raveling. "We must teach IT what controls means, and ask IT about policies and procedures. This is especially important for controls folks for whom English is a second or third language, who may know less about their corporate IT policies because they're isolated in plants outside the U.S. or Europe, and may be more attractive targets for cyber bad guys. Information and policies can trickle slowly into these areas, but consistent policies are still needed at all locations."

Even though it can be a struggle to develop and implement unified IT-OT policies, Raveling added that they must try to avoid finger-pointing along the way. "Everyone wants to know that the right information is on their network, but you can't just buy any white-bread software, and pop it in without testing, verification and vetting. One of our clients had to take out this kind of software, set up a testing lab, and be patient in implementing it at a slower pace.

"I think it's OT's responsibility to take the initiative on this," Raveling said. "Only OT can ask what a supplier's software actually provides, how it should best participate in policy updates, and how to get data from the plant to the cloud.

"It's complex, but if OT asks the right questions, they can educate their IT peers," Raveling concluded. "Once OT's hand is extended, then IT will start to do it, too."