IT/OT Convergence Recommendations


  • On-the-go data in mobile devices anywhere, and digital workflows make work processes easier
  • Enabling this requires IT for office automation and OT systems for plant automation to be integrated
  • Use common technology for IT and OT, facilitate IT and OT people collaboration, but do not reorganize these people
  • The result is transformation of work processes without disrupting people

Imagine software that predicts a pump failure automatically triggering a maintenance workorder ticket in the computerized maintenance management system (CMMS), which is part of the enterprise resource planning (ERP) platform. Or people being able to open a live dashboard with leading real-time indexes like risk profile, efficiency, equipment health, and process variability – those impacting key performance indicator measures like number of incidents, energy consumption, availability, and throughput. This requires plant operational technology (OT) systems to feed data to the office ERP platform, an information technology (IT) system: IT-OT integration. It requires OT systems for plant automation to connect to the internet, involving IT people: IT-OT collaboration. Lastly, IT and OT systems use some common technology: IT-OT convergence. Yet using IT gear in the wrong place can be detrimental to process availability. Connecting IT and OT systems the wrong way will be detrimental to cybersecurity. Reorganizing people would be disruptive and cause friction. The terms IT/OT integration, IT/OT collaboration, and IT/OT convergence can be distinguished this way, but they are often used interchangeably, so the intent can be unclear. Regardless of the terminology used, what is the recommended practice? Here are my personal thoughts:

IT and OT Systems Using Common Technology

OT, referred to as instrumentation and control (I&C) by those responsible for it, includes systems like DCS, SIS, package unit PLC, plant information management systems (PIMS, a.k.a. historian), manufacturing execution system (MES), machinery protection system (MPS), and other automation systems, as well as sensors, analyzers, valves, and other automation components used to control the process and manage the process equipment. These may also be referred to as level 0 through level 3.5 systems. Long ago the computers in OT systems used various flavors of Unix, and the OT networks were built on coax cable or RS485. However, since ca. 1996, OT systems instead started using Windows, Ethernet, and TCP/IP, that is, the same information and communication technology (ICT) as IT systems. This is a convergence of technology in IT and OT towards the same ICT: IT/OT convergence. Note that this shift occurred more than 25 years ago. It is also interesting to note that Unix and RS485 originated in IT, so IT/OT convergence dates back even further, and that the original Ethernet used coax. That is, IT tends to adopt new ICT first, with OT following only a few years later once it is proven. However, the application protocols that run on top of Ethernet and TCP/IP are very different for OT and IT. OT systems like DCS support standard industrial automation protocols like Modbus/TCP, HART-IP, OPC-UA, and a few others. IT systems like the ERP platform rely on proprietary protocols. When it comes to using standard application protocols, OT is decades ahead of IT. Also note that Ethernet in OT systems is mostly used among workstations, servers, and indoor mounted devices, very seldom in field mounted devices. The reason is that regular Ethernet does not lend itself well to the long distances, the environment associated with field instruments, and the large number of devices. For now, most field devices use analog 4-20 mA and discrete on-off signals.
Mixing in Ethernet field devices would require a second wiring infrastructure. In some plants the field devices use digital FOUNDATION fieldbus, which is like a ‘USB for plants’ (but isn’t based on USB) in that there is no IP address. The future Ethernet-APL will make it easier to use Ethernet also for field mounted devices in the process area. Other ICT which has made its way into both IT and OT includes HTML5 for web-based user interfaces and RFID for asset identification, and even Bluetooth Low Energy (BLE) for field instrument configuration.

IT/OT technology convergence is in most plants already completed

The recommendation is to use regular Ethernet for workstations, servers, and indoor mounted devices which is easy. For devices in the ‘field’ process area requiring high bandwidth and TCP/IP, the future Ethernet-APL will be an easier option.

IT and OT Systems Integrated

When pump analytics software, which runs on an OT server, predicts a problem with a pump using underlying sensor data, it should trigger a maintenance workorder ticket in the CMMS module of the ERP platform for the maintenance planner to approve, so that a maintenance technician can in turn carry out the recommended action. This is part of the vision of the new way of working which many plants have for digitalization. Such integrated work processes require digitally integrated workflows based on integrated information flow between the OT systems for plant equipment prediction automation and the ERP platform for office admin automation, an IT system. That is, it requires integrated systems: office IT systems connected to plant OT systems and digitally integrated through protocols and software interfaces, which is IT/OT integration. Note that the data management and analytics to predict equipment problems do not require IT/OT integration, but triggering workorders does.

Many plants have not connected their IT and OT systems out of fear for cybersecurity

Note that different cybersecurity standards apply to IT and OT systems. IT systems must follow ISO/IEC27001 or US-CERT cybersecurity standards whereas OT systems must follow ISA99/IEC62443 or ICS-CERT cybersecurity standards. Not following IEC62443 for the OT systems would be a cybersecurity risk. IT and OT teams provide checks and balances for the interface between their systems. And you get a great deal of transparency when teams from different departments work together.

ERP platforms are notoriously proprietary. There are no standards providing semantic interoperability between ERP platforms. Every ERP platform has its own protocols and software interfaces. System integrators may add further proprietary interfaces. This makes integration of the ERP platforms to external systems a challenge. The problems associated with custom coding drivers for protocols and software application programming interfaces (API) are well understood.

The recommendation is to use ready-made off-the-shelf “portal” software that accepts data over standard OPC-UA, which is supported in all modern automation systems (OT systems), and pushes it to the ERP platform using the ERP platform’s proprietary protocol and software API. By using ready-made software you need not have custom software coded specifically for your plant. Such customization is notoriously expensive and time-consuming to build, and even more expensive and resource-consuming to maintain over time. Off-the-rack software makes the integration to the ERP platform easier. The second recommendation is that the integration between OT systems and the IT platform must be done in accordance with IEC62443. In IEC62443, IT and OT are independent cybersecurity zones with a limited number of interfaces between them, managed as conduits for the data. This helps preserve the security of critical OT systems and makes security easier to manage. That is, do not mix IT and OT data storage or IT and OT compute functions into the same system, and do not tightly link IT and OT system components in a mishmash of connections.
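The zone-and-conduit rule above can be checked against observed traffic. The following Python sketch is an added example, not part of the original article: it audits flow records against a zone inventory with one managed conduit. All asset names, the "erp-api" service label, and the placement of the portal on the OT side are constructed assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    service: str

# Assumed zone inventory (constructed asset names). OT scope is taken to run
# up to level 3.5, so the portal is placed on the OT side of the line.
ZONE_OF = {
    "dcs-server": "OT", "pump-analytics": "OT", "historian": "OT",
    "portal": "OT",
    "erp-cmms": "IT", "office-laptop": "IT",
}

# The only managed conduit between the zones: the portal pushes to the ERP.
# "erp-api" is a placeholder for the ERP platform's proprietary interface.
CONDUITS = {Flow("portal", "erp-cmms", "erp-api")}

def classify(flow: Flow) -> str:
    """Return 'intra-zone', 'conduit', 'violation' or 'unzoned' for one flow."""
    src_zone, dst_zone = ZONE_OF.get(flow.src), ZONE_OF.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unzoned"      # asset missing from the inventory
    if src_zone == dst_zone:
        return "intra-zone"   # stays inside one zone
    # Cross-zone traffic is acceptable only on a defined conduit, in the
    # defined direction and for the defined service.
    return "conduit" if flow in CONDUITS else "violation"

def audit(flows):
    """Return (flow, reason) for every flow that needs attention."""
    return [(f, c) for f in flows if (c := classify(f)) in ("violation", "unzoned")]

# Constructed flow records, e.g. as summarised from firewall logs.
OBSERVED = [
    Flow("pump-analytics", "portal", "opc-ua"),     # OT to OT
    Flow("portal", "erp-cmms", "erp-api"),          # the managed conduit
    Flow("pump-analytics", "erp-cmms", "erp-api"),  # bypasses the portal
    Flow("office-laptop", "historian", "sql"),      # IT reaching into OT
    Flow("vendor-pc", "dcs-server", "opc-ua"),      # not in the inventory
]

if __name__ == "__main__":
    for flow, reason in audit(OBSERVED):
        print(f"{reason:9} {flow.src} -> {flow.dst} ({flow.service})")
```

Flows reported as "unzoned" point at a gap in the asset inventory rather than at a policy breach, and are worth resolving before the conduit list is trusted.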

IT and OT Teams Collaborating

Checking production data, process condition, equipment health, and device status from a laptop in the office or a mobile device on-the-go requires an OT system connection across the public Internet, to the office LAN, and corporate Intranet. This too is part of the vision of the new way of working which many plants have for digitalization. The same applies to supervising multiple plants from a fleet management center, integrated operations (iOps) center, or whatever you prefer to call it. Sending plant automation system and sensor OT data to analytics in the cloud, such as for industrial internet of things (IIoT) solutions, also requires a connection across the Internet. The office LAN, the corporate Intranet, and usually also the connection to the Internet are managed by the IT team. So connecting OT systems to the office and web requires IT and OT teams to work together: IT/OT collaboration. This collaboration is not difficult in the way it is often made out to be in media. IT and OT teams collaborate well on projects. Engineers are very good at collaborative problem solving with multiple constraints between multiple departments. It is what engineers do all day. They are friends and colleagues. They go for lunch together.

The happiest couples never have the same character. They have the best understanding of their differences.

In many plants the local IT function supporting office equipment may be outsourced to a third-party. In this case management of the connection to office LAN, Intranet, and Internet is handled by the corporate IT function located elsewhere.

The recommendation is to have a clear line of responsibility between IT scope and OT scope. This line is above level 3.5. This way each team knows what they are responsible for so there is no overlap and no gap. This helps avoid conflicts in projects and daily operations. Each team knows that the other team has their standards they must follow, and their systems have certain requirements and limitations, and there is a mutual respect. With that they can work through the issues. This makes it easy to collaborate on projects involving both sides. On many projects IT and OT work independently because the scope does not involve the other, on some projects IT and OT sit at the same table as needed. Thus there is no need for reorganization or other changes affecting people.

IT and OT People Independent and Specialized

IT systems for office automation and OT systems for plant automation use common ICT, and are connected for some use-cases, but that doesn’t mean the people supporting them should be merged into the same department. IT and OT teams each require a lot of specialized knowledge in their respective domains, far beyond Ethernet and Windows. The IT team supporting the ERP platform for customer and employee data, accounts, order processing, and other office functions must understand GDPR, finance, trade compliance, and associated legalities. The OT team supporting the DCS, SIS, PLCs, PIMS, MES, MPS, and other automation systems for process control, safety, asset management, and other plant functions must understand process equipment, control loops, functional safety, hazardous areas, rotating machinery, and associated risks. So just like finance and production are independent specialized departments, the independent specialized systems used by those departments are supported by independent teams with specialized know-how. For instance, the OT (I&C) team together with mechanical and electrical are part of the plant maintenance department. The I&C team also works very closely with the other departments in the plant because they look after the vibration systems used by the reliability team and the corrosion instrumentation used by the integrity team. The I&C team looks after the instrumentation and control system used for production, so there is close collaboration there. The I&C team has a very natural fit in the maintenance department where it sits because I&C is intimately coupled to maintenance & operations (M&O). A new IT+OT department separate from the maintenance department would make it harder to work with the maintenance department. Having to absorb a whole new domain of additional information, possibly also at the expense of not being able to keep up as well in your original area of expertise, could be frustrating for a person.
But there is no need to reorganize the people.

Collaborate, not complicate

The recommendation is to not pull out the I&C team from the maintenance department. Not reorganizing makes it easier on the people. It is not an “IT/OT merger”.

Action Plan: Transformation by Automation

Digital transformation means a new era in automation. In the plant area, digitalization means greatly expanded OT systems. In the admin office, digitalization means further investment in the ERP platform, the principal IT system. Some use-cases involve both the IT and OT systems. These are the recommendations for IT/OT “convergence” as part of Industry 4.0, digital transformation, digitalization, or IIoT. Allocate a person responsible, date of completion, budget, and other resources for each item:

  • Upgrade indoor OT plant automation systems to Ethernet if not already
  • Plan for future Ethernet-APL for outdoor process area high-bandwidth requirement devices
  • Use ready-made ‘portal’ software for ERP platform integration
  • Design with IEC62443 cybersecurity zones and managed conduits
  • Define a clear line of responsibility between IT and OT teams; above level 3.5
  • Reassure IT and OT teams that digital transformation does not require reorganization

As the plant’s I&C team deploys Digital Operational Infrastructure (DOI) including data management platform, analytics software, and advanced sensors, also take the opportunity to upgrade older coax and RS485 networked automation components to Ethernet, such as HART multiplexers with HART-IP.

Lead the way. Schedule a meeting with your I&C and IT teams today. Share this essay with your I&C and IT managers now. Well, that’s my personal opinion.

George Lister

Assistant Professor - Instrumentation at Del Mar College

1 year

Clarity is so refreshing.

Mark O'Donovan

Helping companies achieve Digital Transformation Success

1 year

Great article, I agree with everything, but I would add: a well-rounded OT team needs to include professionals who understand traditional IT concerns. If large enough, you will have infrastructure, compute and storage, and cybersecurity as part of your OT team. You can put in a crude line and say IT happens on the carpeted side of the organization and OT happens on the concrete side, especially in manufacturing. I have worked with people who were responsible for the networks, compute and storage, and even applications that are all on the concrete side. To me their work directly and immediately impacts the products going out the warehouse door and they should be part of the OT team, but they have always been part of IT. And I think embedding people with those skills in the OT team can be really helpful to help IT and OT organizations understand the needs and concerns of each other.
