IT/OT convergence is hard work -- here's why it's worth it

On the way to Industry 4.0, IT and operations technology are coming together. Here's what companies are learning about the benefits and risks of IT/OT convergence.

Everyone, it seems, is bound for the promised land of Industry 4.0, where digitized processes open up new horizons of innovation. By implementing "smart" technologies based on IoT, industrial and manufacturing companies are eager to gain new levels of efficiency, build more responsive customer relationships and even develop entirely new business models. But organizations won't get to Industry 4.0 unless they can achieve what many have been working on for years -- convergence of information technology (IT) and operational technology (OT).

"IT/OT convergence is not optional at this point. It's becoming table stakes to compete in any market," said Jonathan Lang, research manager for worldwide IT/OT strategies at IDC.

Even so, there's plenty of work to be done. According to IDC's 2019 IT/OT Convergence MaturityScape Benchmark survey, only about 5% of companies have achieved fully optimized convergence, and nearly 75% find themselves in the early-to-middle stages of implementation, according to IDC.

IT/OT convergence challenges

The difficulty of bringing together IT and OT is no secret. "There are two groups, two sets of technology and two groups of concerns," said Sid Snitkin, vice president of cybersecurity advisory services at the ARC Advisory Group, a technology consultancy focusing on industry, infrastructure and cities.

IT departments deal with processing, storing and serving up business information to executives and managers, while OT environments are where raw materials are gathered, manufacturing is carried out and products are delivered. In IT environments, the latest servers, cloud services and personal devices are used; downtime is considered an occasional necessity that must be managed. In the OT world, however, factories must run continuously for weeks, months and even years at a time. Change happens gradually if at all.

Sid Snitkin, vice president of cybersecurity advisory services, ARC Advisory GroupSid Snitkin

"OT environments have old devices, old equipment and old software. Equipment was built to last 20, 40, even 50 years," Snitkin explained.

To overcome inherent differences, IT and OT professionals must find common ground. A good way to foster understanding is to make sure members of the two groups are interacting on a daily basis. "Take an IT person and put him or her on the OT team and vice versa. Too often, they are in different buildings and have different world views. It's easy for one to blame the other," said Paul Miller, principal analyst at Forrester Research.

Although essential, getting the two groups to interact is just a start. When IT and OT systems are melded, cybersecurity challenges multiply. And organizations must not lose sight of the ultimate goal: savings, efficiency and new ways of doing business on the way to Industry 4.0.

Bridging organizational divides en route to Industry 4.0

Schneider Electric, a France-based maker of electrical equipment, is in the midst of a global initiative to build Industry 4.0 factories. "The first step was sitting down with the plant staff and understanding their problems," said Mike Labhart, innovation leader for supply chain performance in North America at Schneider Electric.

IDC's MaturityScape, which tracked the overall level of industry implementation of IT/OT

Once factory workers are engaged, many will need to brace for an influx of technology that might completely change their jobs. "As an introduction to the fourth industrial revolution, we sent out ten-minute messages every morning, explaining things like fun facts about mobility, to familiarize the workforce with the basic technology," Labhart said.

As IT and OT gradually converged at Schneider plants, supervisors in one department gained understanding of what was going on in other departments, he said, and plant managers were given dashboards to see what was going on in the plant as a whole.

IT/OT convergence use case: Truck drivers become fleet orchestrators

Sandvik Mining and Rock Technology, a maker of mining automation technology based in Sweden, is shepherding many of its customers through IT/OT convergence. "We recommend customers focus on change management," said Jarkko Ruokojärvi, director of global business development at Sandvik.

Jarkko Ruokojärvi, director of global business development, Sandvik Mining and Rock TechhnologyJarkko Ruokojärvi

The challenge, he said, is to maintain productive operations while changing over to the new approach. As mining companies integrate sophisticated robotics technologies with drill rigs, crushers, loaders, hoists and trucks, the transformation is from manual control to robotic remote guidance, carried out by humans from a control room.

In this new cyber-physical environment, truck drivers will no longer be navigating hazardous mines, but they must learn new skills to operate their trucks from afar. "When people are taken away to a control room, it's safer and more comfortable. That person becomes more IT-oriented and needs to operate computers. That person needs to understand fleet management, not just operating one machine," Ruokojärvi said.

What is Industry 4.0?

Industry 4.0, also known as the fourth industrial revolution, is characterized by the end-to-end digitization of manufacturing and other industrial processes. Industry 4.0 initiatives create an interoperable and highly optimized ecosystem of machines and services, from the supply chain to the factory floor to delivery logistics. Industry 4.0 builds on the previous three industrial eras, spanning the 18th, 19th and 20th centuries, which encompassed such innovations as division of labor, steam power, electrical power and the first stage of computer-based automation.

Cybersecurity challenges and solutions in IT/OT convergence

High-profile attacks against IoT devices have raised awareness -- and fears -- of catastrophic cybersecurity breaches. For example, Ryuk ransomware was reported in late 2019 to have been used to attack both shipping and oil and gas operations. Prior to that, Triton malware emerged several times to attack industrial control systems, along with Stuxnet and Industroyer, which were aimed at nuclear and power systems.

"OT systems have become targets, so there is a need for higher levels of cybersecurity. There are well-known instances where OT systems were air gapped but were still penetrated," said Chris Da Costa, global operations cybersecurity manager at Air Products and Chemicals.

The attacks are causing industry leaders to band together in efforts at common defense. "Alliances are being formed, standards are being set and the whole industry is rallying behind security," said IDC's Lang. (See "IT/OT convergence spurs cybersecurity alliances, industry standards.")

Air gapping in IT/OT convergence

An air gap is the physical separation of two networks -- so there is air between them -- that prevents data traffic from traveling from one to the other. OT networks are sometimes air gapped from IT networks and the internet itself in order to thwart cyberattacks and prevent data exfiltration. Should a breach or malware affect one network, it cannot spread to the next. Nonetheless, air-gapped networks have been subject to successful attacks, such as Stuxnet, through the introduction of USB devices containing malware. More sophisticated attacks are also possible by tapping electromagnetic fields through such techniques as van Eck phreaking.

Widespread awareness of the serious dangers is leading to broadly understood best practices.

Tammy Klotz, CISO at Versum Materials, a maker of chemicals used in the production of semiconductors and a subsidiary of Merck KGaA in Darmstadt, Germany, is implementing a cybersecurity strategy that begins with what she called macrosegmentation -- keeping IT and OT network traffic separate. Although both IT and OT data runs over IP networks, a firewall separates the OT world from the enterprise, with "very specific rules regarding traffic in and out." There is no internet connectivity to or from the OT environment, Klotz explained.

Likewise, Sandvik does not recommend connecting the OT environment directly to the internet. But since high-speed data networks are needed to achieve the benefits of Industry 4.0 through data collection and analysis, Sandvik implements a Cisco network that includes a variety of cybersecurity measures, such as traffic control, firewalls and microsegmentation, a technique that isolates subsets of the OT network according to risk factors.

Recent OT acquisitions

Meanwhile, within the OT network, Klotz has implemented microsegmentation by separating network traffic into separate zones, each with distinct security requirements. The zones are connected through tightly controlled paths, called conduits. This zone-and-conduit approach is specifically recommended by the ISA/IEC 62443 set of cybersecurity.

"If ransomware were to be introduced, it would be contained. Worst case, it only spreads to machines in that zone," Klotz said.

The need to bridge the cultural divide between IT and OT is especially important when it comes to cybersecurity. "In the case of malware, IT would say, 'Shut that system down, sandbox it and rebuild it.' But on the operations side, they would have to address the problem without having the plant go down. You need to balance those two viewpoints," Da Costa said.

One of those IT principles is centralized management. According to Klotz, a critical success factor is knowing what systems and assets are in an OT environment. Klotz implemented Cyber Integrity from security vendor PAS to maintain a centrally managed database of all OT assets so they can be quickly found and patched. Without such a system, it would be necessary to go site to site to see where the different systems are deployed, assess the business risk and then plan for proper remediation, Klotz explained. 

ROI in IT/OT convergence: Making it real and measurable

Converging IT and OT takes work and does not happen overnight. Is the effort worth it? "Absolutely," Schneider Electric's Labhart said. "We've already seen the benefits that outweigh the efforts -- but we are just now starting to understand the benefits."

Mike Labhart, innovation leader, supply chain performance North America, Schneider ElectricMike Labhart

Using its own EcoStruxure architecture, Schneider Electric has turned its 60-year-old Lexington, Ky., plant, which makes load centers -- such as circuit-breaker boxes -- and safety switches, into a showplace for its Industry 4.0 initiative. Key to the initiative is the use of sensor data gathered from some 700 factory inputs and sent to the Microsoft Azure cloud service, where it is analyzed with Schneider's Aveva Insight analytics tool to anticipate emerging issues before they become problems.

By gathering and analyzing sensor data with an EcoStruxure tool, Schneider is able to gain 3.5% annual improvement in energy usage, according to Labhart. "It provides understanding of what equipment and processes are using the most energy, and how energy usage relates to overtime," he said. By comparing electrical power usage to all plants in North America, the company has been able to save $6 million over the past seven years, Labhart said.

IT/OT ROI: Operational savings, productivity gains

According to IDC's Lang, IT/OT convergence measures taken at a large pulp and paper manufacturer, which Lang declined to name, achieved operational savings of 10% of gross revenue. When the company applies the same measures to the enterprise's customer experience, it gains another 10% of gross revenue.

Jonathan Lang, research manager for worldwide IT/OT strategies research, IDCJonathan Lang

These gains represent a significant improvement over the pulp and paper industry generally, which typically is able to increase efficiency by 1% to 2% per year. The key to the company's improvement, Lang said, is its ability to speed up decision-making. For example, the company previously might have taken a year to study and decide on a process improvement. However, by linking IT-based decision-making to OT data, the company can make the decision to act in only six months, according to the analyst.

According to Ruokojärvi, the introduction of robotic equipment has made mining operations much safer, while enabling 24/7 operation. "Automated machinery can operate at the highest speed and accuracy, while minimizing maintenance. It keeps machines productive," he said.

By automating a truck fleet and increasing its productivity, it might also be possible to reduce the size of the fleet, a significant savings, he said. Overall, mining companies that automate with Sandvik's AutoMine automation and remote operation system and OptiMine performance monitoring and analytics technology are able to increase productivity by 20% to 30%, according to Ruokojärvi.

"All industrial companies rely on physical assets. If you can get equipment data from OT systems to IT for analysis, you'll get better predictive maintenance, limit failure and gain output," said Kristian Steenstrup, analyst at Gartner.

IT/OT convergence spurs cybersecurity alliances, industry standards

As IT and OT converge, the need to provide airtight cybersecurity is spurring vigorous activity on several fronts. For example, the Operational Technology Cyber Security Alliance was launched in October 2019. Based in Switzerland, its goal is to guide OT staff on how to protect their operational technology infrastructure, to strengthen interfaces for OT and IT connectivity and to support the implementation of a more secure physical infrastructure. Meanwhile, the Industrial Internet Consortium, a group operating under the auspices of the Object Management Group, published in 2019 its Industrial Internet Security Framework report, a set of security best practices for industrial IoT deployments.

These consortia are cropping up against the backdrop of industry standard guidelines, the most prominent of which is International Society of Automation (ISA) and International Electrotechnical Commission (IEC) 62443, for industrial automation and control systems. A new standard in the series, ISA 62443-4-2 addresses embedded devices, network components, host components and software applications.

Meanwhile, cybersecurity officers from the IT side of the house often assume responsibility for OT networks as well. "CISOs say they need to get more visibility into OT systems," ARC Advisory Group's Sid Snitkin said.

A major benefit of industrial IT/OT convergence, he said, is the creation of digital twins of physical machines that can be used to observe performance, analyze stresses and improve product design.

Even so, Steenstrup added, businesses should not neglect the more mundane gains of convergence, such as reducing infrastructure expenditures and software licensing costs by consolidating data centers. Managing the convergence process efficiently is also critical. "If you get projects done sooner, you get the benefits sooner," Steenstrup said.

Empowerment through breaking the mold

Because the journey to Industry 4.0 is different in every industry, technologies and timetables will vary. But for industrial workers, the ability to access and use data on the job means that work will never be the same.

Perspectives on IT/OT convergence

"The biggest thing is empowering employees through the sharing of data. They can connect to the cloud platform to share data at any time," Schneider's Labhart said.

For IT leaders, making Industry 4.0 happen requires dedication, skill and diplomacy to bridge the IT/OT divide, while keeping systems safe from attack. And it requires new ways of thinking. As Versum Materials' Klotz said, "You have to break the mold of what is traditional IT and traditional OT."

Dig Deeper on IoT industry and vertical markets