Because so much equipment on a production floor runs different types and versions of software and firmware, it is common for engineering managers to lack a full understanding of the state of the equipment currently in operation. They may have limited knowledge of all devices' ages and stages in their lifecycle, the version of firmware being run and how to connect the device to their larger network.
Sometimes even the physical whereabouts of certain operations technology (OT) assets is unclear. With this uncertainty, it is difficult to measure and suggest meaningful improvements for overall production line efficiency. It is also challenging to determine areas of high cybersecurity exposure and risk. As a result, capital planning becomes a murky task, lacking the required data to make fully informed decisions on best areas of investment.
To get a handle on this kind of disjointed environment, the first step to take is to complete a full accounting of all equipment in operation using automated and onsite data collection methods. This is referred to as an IT/OT assessment.
Documenting assets In an IT/OT assessment, each piece of equipment is evaluated to obtain information such as:
- Firmware revision currently in operation.
- IP address.
- Network location.
- Communication across the network.
- Frequency of packet errors.
- General performance compared to expected performance.
Once collected, this data can be used to make fully informed, rather than speculative planning decisions. Recommendations can then be given for how best to move forward with problem area remediation and, possibly, the need for new design work.
Connected OT—rewards with risk
As obsolete equipment is replaced, OT network infrastructure and security becomes an increasingly important design consideration. In the past, most plant equipment operated in isolation to some degree. Modern equipment, however, comes with network connectivity, allowing for remote communication and updates, as well as for real time data to be shared elsewhere for analysis. These connected devices offer enormous potential benefits. They gather operational data, giving insight into efficiency, which ultimately helps drive decisions to improve profitability. This default remote connectivity, though, also poses risk if not properly understood, configured and managed.
As the demand for full connectivity increases, so does the need for a properly implemented OT network to operate reliably and protect the equipment connected to it from cybersecurity threats.
As updates and upgrades to OT are considered and implemented, common questions and concerns for the OT network that connects them are:
- Should OT networks have internet access?
- Should maintenance technicians have access to email and web browsing while connected to the OT network and able to access PLCs?
- Should there be a shared password on an HMI for use by all technicians?
- Should we have key batch systems in place?
- How urgent is it that older devices be replaced?
- Should the IT network and OT network be physically separated, or just logically separated via control access rules?
- Should active directory domains be segmented, or can they be shared across IT and OT networks?
Connectivity with security
When using connected OT equipment, it is important to have network visibility to all devices in a properly secured manner. Visibility without securities can expand, rather than reduce, problems due to increasing exposure and vulnerability to attacks. An OT network should operate with a zero-trust approach, i.e., only allowing required communication and blocking the rest. By segmenting traffic as much as possible, the risk of a security breach propagating to multiple machines is reduced, if not eliminated entirely.
However, to effectively design a zero-trust environment for OT, without risking disruption to production processes, requires a full understanding of the equipment that must be protected and how OT assets must communicate with one another. An IT/OT assessment helps with this by telling you:
- How each piece of equipment interacts on the network.
- Type of data (traffic) each one is sending and receiving.
- The firmware or software revision currently in use on each device.
New cyber threats come out daily. As more OT equipment is connected, the requirement for OT network monitoring software, that is alert to new threats and continually monitoring network traffic, becomes more urgent and less optional. Furthermore, to remain protected, connected equipment should be updated with new firmware revisions as those updates become available. A robust OT network with monitoring capabilities can handle security risks, all the while allowing vital data to be collected and stored for further analysis and decision making.
Benefits of a third-party assessment The task of implementing an OT network is frequently first given to the IT department. However, IT and OT networks operate in different physical environments and carry their own vulnerabilities and risks. Internal IT departments often quickly realize that they don’t have the expertise needed for proper design and implementation of an OT network.
A third party with IT/OT expertise can be a key resource. They provide information about how to best connect devices to an OT network, as well as areas of largest security exposure and risk. A third party will provide unbiased information based on years of experience in the field and up-to-date subject knowledge.
Overall equipment effectiveness (OEE), plant efficiency, data logging capabilities, predictive maintenance and cybersecurity are the common goals of many production decision makers. The first step to obtaining these goals is the OT assessment. Once complete, the assessment serves as a guide towards the future. You don’t have to have all the answers before obtaining an IT/OT assessment. It will serve as a guide to choosing the next steps forward.
Matt Smith works in information technologies at E Tech Group. E Tech Group is a certified member of the Control System Integrators Association (CSIA). For more information about E Tech Group, visit its profile on the Industrial Automation Exchange.