Industrial organizations are facing a new challenge as they try to merge the traditional physical world (Operational Technology or OT) and the digital world (Information Technology or IT). In our experience, companies who prioritize organizational change management when implementing digital solutions get better results from their investments. This is even more true when building Industrial Internet of Things (IIoT) systems due to the complexities inherent in bringing together OT and IT organizations. Advances in technologies such as IIoT, Industry 4.0, data analytics, machine learning (ML), artificial intelligence (AI) and cloud platforms are making it possible for the digital information world to see, understand, and influence the physical operational world. The data collected from physical equipment and IIoT devices (sensors, cameras, gateways, and other equipment) can be used to identify problems and improve operational efficiencies in the physical world. However, OT/IT convergence can also open new avenues for cyber-events. Therefore, doing things faster, more cost-efficiently, and more sustainably carries risk, which can be mitigated with proper planning and implementation across all aspects of business – people, process, and technology.
This blog provides supportive guidance on how to approach OT/IT convergence from an organizational transformation perspective and mitigate the increased risk with robust cybersecurity measures.
OT and IT are generally divided due to different priorities, competencies and operational practices. OT deals with mission-critical and life-critical systems. OT professionals generally focus on uptime, reliability, stability, and safety. They typically did not prioritize cybersecurity as most of their equipment was isolated from the internet to reduce risk. OT networks are typically designed to be time critical and to run perpetually, and failures can be catastrophic, impacting machines, safety, and the environment. Change in OT is perceived as a source of risk. Therefore, software patching or running network scans requires more rigor in planning and impact assessment. Many OT systems are autonomous, self-contained, often vendor-dependent, and run on proprietary software. Organizationally, OT teams are typically siloed, autonomous, and operate under local/factory leadership.
On the other hand, IT deals with business-critical systems. IT professionals tend to focus on confidentiality, integrity and availability. They typically practice agile methodologies and are more open to change as compared to OT teams. IT security personnel are cybersecurity savvy and have established processes to keep networks protected but lack an industrial engineering background. IT networks can sustain downtime. A failure typically is a temporary recoverable disruption with loss of data. IT systems are intrinsically interconnected, have limited autonomy, and utilize standard operating systems. Software patching or running a network scan is considered business as usual. Organizationally, IT teams typically roll up under a centralized corporate leader, the CIO.
With so many differences between OT and IT teams and the challenges thereof, one might wonder if it is worth bringing them together. IDC predicts that the potential return on investment from advanced technology deployments in operations has crossed a critical threshold, and companies can no longer ignore the transformational opportunities presented by OT/IT convergence. By digitizing processes, industrial firms can boost productivity, make faster decisions, proactively remove bottlenecks, increase agility, and reduce waste, while assuring regulatory compliance.
A committed and engaged senior leadership is required to overcome culture issues, which often is the real challenge in OT/IT convergence. Leaders can develop a collaborative culture where open dialogue and trust are encouraged. Clarifying roles and responsibilities and establishing accountability between teams is crucial. The word “technology” appears in both the operational and the information context, but it means dramatically different things in each, which can be confusing. OT can be viewed more as a business function, enabled by IT – the technology service provider. OT leaders can benefit by realizing that a connected, smart industrial operation can simplify their work without compromising uptime, safety, security and dependability. Likewise, IT leaders can demonstrate business value through IIoT innovation, when they understand the uniqueness of OT requirements.
The ultimate success of an industrial digital transformation initiative is dependent on the business benefits it produces. According to a McKinsey Global Institute study, manufacturers can use IIoT data to reduce product development costs by up to 50%, reduce operating costs by up to 25%, and increase gross margins by up to 33%. However, each business is unique; hence their business objectives will be different. All OT/IT convergence initiatives need to tie back to business objectives. For example, consider a manufacturing facility that experiences frequent unplanned equipment outages. A digital initiative to install sensors that proactively notify OT operators about equipment status, health, and performance would be a game-changer, as timely actions can be taken to prevent equipment failures, reduce costly downtime, and ensure workplace safety.
Building trust between the OT and IT teams is critical for successful convergence. Mobilizing teams toward shared goals and establishing a safe environment where open communication and collaboration are encouraged, without judgement or fear of reprisal, can foster synergy between the two teams. One of the ways to start building confidence is to consider digitizing non-critical processes using familiar tools and technologies. IT personnel can demonstrate how digital tools provide data sets and actionable insights. This can ultimately develop OT champions of IT. For example, secondary sensing and everyday manufacturing operations, such as weighing, can be an excellent starting point for demonstrating the value of digitization and data analytics. See how KAMAX used IoT sensors to free up their operators’ time.
In a striking prediction, Gartner said that within three years, cyber criminals could weaponize OT assets and it predicts that the financial impact of cyber physical system compromises will reach over $50 billion by 2023. The integration of IT and OT introduces risk since systems built for usage in hostile networks are integrated with those that were not. Additionally, standard security solutions that work in IT cannot be directly applied to OT systems. Besides quality risk, production risk, reputational risk, personnel safety risk and regulatory risk, the growing OT skill gap is a matter of concern, as OT specialists are hard to find. As part of their digital transformation, organizations should consider a comprehensive cybersecurity plan covering staff training, plant security, network security, software security, workplace safety, system integrity, and incident response and recovery. A 7-step approach to assess OT and IIoT cybersecurity risk is covered in Assessing OT and IIoT cybersecurity risk.
Meaningful OT/IT convergence requires focused and organized effort, which a Center of Excellence (COE) can facilitate. A COE is a multi-disciplinary team of passionate OT and IT subject matter experts (SMEs) who act as change agents to accelerate IIoT adoption by standardizing and evangelizing best practices, developing repeatable patterns to scale implementation, driving governance, and providing thought leadership. The COE can start small with 3-5 members, cross-trained in both IT and OT aspects, and can scale as needed. For a COE to be successful, it requires executive sponsorship and the ability to act autonomously. The COE can focus on making incremental improvements instead of a big-bang approach. A prioritization framework is used to identify pilot use cases, starting with low-risk, high-value, and low-effort use cases with measurable success metrics. After the pilot use cases are deployed and business value demonstrated, this activity continues cyclically to implement the pipeline of prioritized use cases.
A robust governance strategy across people, process and technology, covering both internal teams and vendors, can help run the business efficiently. From a people perspective, well-documented policies and processes, role clarity with measurable goals, and a transparent decision-making framework are essential. Process-wise, a business case-driven approach to selecting investments, proven program management methodology, financial discipline, and a robust risk framework are key. And, from a technology perspective, a technology architecture blueprint for IIoT adoption and playbooks/runbooks/drills for operational functions such as maintenance, telemetry, incident response and disaster recovery, with assigned ownership, are crucial.
Key Performance Indicators (KPIs) can serve as critical navigation tools, assisting organizations in understanding how well they are performing in terms of delivering on their strategic goals and providing timely opportunities to correct course. Most often, a single KPI does not provide the full story about performance. For example, if your objective is to improve equipment availability, just tracking uptime hours is not enough. You will also need to measure the number of times the system goes offline. Furthermore, building consensus within the organization on how the KPIs are set and measured is equally important. Ideally, you would want to baseline the current as-is state, to allow for a data-driven comparison with pre-transformation KPIs.
Investing in employees’ fluency and continuous learning with a focus on innovation results in a greater appreciation of digital transformation. Misconceptions, such as the idea that IIoT automation is a threat to OT personnel’s jobs, have to be dispelled. For example, with IIoT enabling predictive maintenance, staffing is still required to perform the actual maintenance. OT personnel will need to be trained on how to interpret and act on data from the connected factory. IT personnel need to be trained to understand that routine IT practices won’t necessarily apply to OT. More apprenticeship-style learning and job rotations can be considered as a supplement to classroom instruction to overcome the OT skills gap and aging workforce. The U.S. Department of Energy’s National Cyber-Informed Engineering Strategy provides useful guidance on how to build a culture of cybersecurity in OT teams.
With OT/IT convergence, the lines of distinction between IT and OT continue to fade and the attack surface of interconnected systems continues to widen. Given IT’s skill in network security, we recommend that IT be responsible for securing OT as a first line of defense. This needs to be done thoughtfully using a phased approach, by combining the respective intellectual power, know-how, and experience of both teams. IT teams will need to understand the unique requirements for OT networks and systems, the Purdue model, and standards and frameworks such as NIST, ISA/IEC 62443, NERC CIP, and MITRE ATT&CK for ICS. Additionally, we recommend working with partners with deep technical security expertise and proven customer success to help accelerate adoption.
Successful implementation of OT/IT convergence for industrial digital transformation requires strategic management of organizational change, as it is not just about technology integration. Although OT and IT teams tend to have different priorities, they can be brought together by driving them towards shared organizational goals, working backwards from these goals to prioritize digital initiatives, and building trust.
Ryan Dsouza is a Principal Solutions Architect for industrial IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has more than 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, OT/IT convergence and IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers for their digital transformation initiatives.
Nurani Parasuraman is part of the Customer Solutions team in AWS. He is passionate about helping enterprises succeed and realize significant benefits from cloud adoption, by driving basic migration to large scale cloud transformation across people, process and technology. Prior to joining AWS, he held multiple senior leadership positions and led technology delivery and transformation in a variety of industries including financial services, retail, telecommunications, media and manufacturing. He has an MBA in Finance and BS in Mechanical Engineering.