Until the past decade, corporate IT and manufacturing IT—typically referred to as operations technology (OT)—could not have been more separate. Even today the divide persists at a number of industrial facilities. But the separation is narrowing as Ethernet becomes the de facto plant floor network, remote access and data analysis initiatives proliferate, edge computing applications are deployed and supply chain network connections increase.
Though day-to-day activities on corporate IT and manufacturing OT networks remain largely specific to their own tasks, the intertwining of these networks is bringing about a convergence of technology practices—the most prevalent of which is virtualization. It is therefore increasingly important for OT professionals to understand the basics of virtualization and what it can do for the plant floor network.
To help explain this, I spoke with Frank Williams, CEO of Statseeker.com, a supplier of network monitoring software. Williams pointed out that virtualization is especially important in industrial environments because of device and application longevity. Whereas systems in an IT environment get replaced every few years, industrial technologies commonly stay in service for decades. As a result, “you may have software in frequent use which will not run on newer operating systems, and the software vendor has refused to upgrade it to run on, say, Windows 10 instead of Windows 95 or Windows 2000 server,” says Williams.
He says that virtualization provides a solution to such problems, by “allowing the easy creation of virtual machines and virtual servers. Virtualization has enabled plants to modernize their control system hardware, while continuing to run older control systems and operating systems on virtual machines that permit the use of old control systems far beyond their use-by dates. This is done by creating a virtual machine to run the operating system, within a server, that is up-to-date and running operating system software that is up-to-date and properly patched for security.”
Explaining that a virtual machine can be connected to physical systems and sensors, Williams stresses that it is “a very real part of the network. It is like a pocket universe where data goes in and data goes out, but all you can see is the physical server on which the virtual machine resides.”
To grasp what virtualization brings to industrial networks, it helps to look at three things: how it can serve as insurance for the network itself, what it adds to security, and how it enables software-defined networking.
From the insurance angle, virtualization “increases the safety of control systems and prevents loss of intellectual property due to disk failure or outside hazards such as fire, earthquake, tornado or flood,” says Williams. “Virtualized backups, stored in the cloud, could be used to bring a plant back online as soon as new hardware is installed and the I/O is connected.”
As for security, Williams says that, “when properly protected, a virtual machine is less vulnerable to attack from outside the network than a completely outward-facing device would be.” He is quick to point out that virtual machines and devices, by themselves, don’t make a network safe, but that virtualized devices become components on the network that are within the network administrator’s ability to protect from outside-the-network penetration or unauthorized use from inside the network.
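What “properly protected” looks like in practice is the part a plant network administrator has to supply. As an added illustration (this is not Statseeker’s configuration and does not come from the original article), the following nftables ruleset on a Linux hypervisor confines a legacy Windows guest of the kind Williams describes to exactly the two conversations it needs: Modbus/TCP to its PLCs and sensors, and a VNC console session from one engineering jump host. Every name and address in it is hypothetical: the guest’s host-side tap interface tap-legacy, the guest address 10.20.9.2, the OT network on eth1 as 10.20.5.0/24, and the jump host 10.20.1.10. It assumes the guest’s traffic is routed through the host rather than bridged at layer 2, so that every packet to or from the guest crosses the host’s forward hook.

```nft
# Added example ruleset for the hypervisor host (hypothetical names and addresses):
#   tap-legacy  host-side tap of the legacy Windows guest (guest 10.20.9.2)
#   eth1        OT network with PLCs and sensors, 10.20.5.0/24
#   10.20.1.10  the only engineering jump host allowed to reach the guest console
table inet legacy_guest {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections that were already allowed by a rule below
        ct state established,related accept
        ct state invalid drop

        # guest -> PLCs and sensors: Modbus/TCP (port 502) only
        iifname "tap-legacy" oifname "eth1" ip saddr 10.20.9.2 ip daddr 10.20.5.0/24 tcp dport 502 accept

        # jump host -> guest console: VNC (port 5900) only; no RDP, no SMB,
        # nothing from the rest of the plant or the corporate side
        oifname "tap-legacy" ip saddr 10.20.1.10 ip daddr 10.20.9.2 tcp dport 5900 accept

        # everything else, in either direction, is logged and dropped
        log prefix "legacy-guest drop: " drop
    }
}
```

The policy is default-deny in both directions, which is what turns the guest into a component the administrator controls rather than an exposed host: nothing on the corporate side can reach file sharing or RPC on an unpatched guest, and the guest cannot open a connection to anything except its PLCs, so even a compromised guest has no path out. Load it with nft -f on a host that has net.ipv4.ip_forward set to 1, and watch the kernel log for the drop prefix during commissioning; any flow the guest genuinely needs that the allow list missed will show up there rather than silently failing.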
An added level of flexibility enabled by virtualization is known as Software Defined Networking (SDN). According to Williams, the idea behind SDN is to use open protocols, like OpenFlow, to apply globally aware software control at the edges of the network. This allows for access to network devices that use closed or proprietary software or firmware.
“Look at your current network,” says Williams, “with devices from many different vendors, variously aged and sometimes with firmware that hasn’t been touched in years. You may even have devices that have not been replaced or reprogrammed since they originally ran under Windows 95. Using SDN on this kind of network, you can avoid having to do a rip-and-replace by building an overlay network in which an SDN-enabled controller controls legacy devices in your infrastructure through existing, standardized protocols like the simple network management protocol (SNMP) or border gateway protocol (BGP). There is open software available to do this under the Apache license.”