Operational technology (OT) systems in chemicals are rapidly gaining the ability of connecting to the company’s information technology (IT) infrastructure. This connectivity is a positive development overall that can:
- Improve production planning
- Reduce operating costs
- Improve resolution times for operational issues
- Decrease both planned and unplanned downtime
- Increase yields and quality
Imagine the benefits if all plants operated as well as your company’s best plant. Visibility into the data can have powerful effects. Your process experts being able to notice and correct problems before the plant starts losing significant yield – or worse – ends up with an unplanned shutdown. Companies can accomplish this by leveraging the expertise of their best technical personnel across multiple facilities more easily and comparing data from multiple plants to better plan maintenance and avoid production disruptions.
Networking is hardly a new technology, so why aren’t these OT systems taking advantage of it already? There are many answers to that question, not least the long lives that many of these assets have, but certainly one of the reasons is concern about security. No corporate IT environment of any significant size can claim to have completely avoided all adverse effects from malware or external hackers. As the industry connects operational systems to the corporate network in an effort to improve visibility and enable some remote operational control (the two are not always easy to separate), no VP of Operations, Plant Manager, or CISO can fail to consider interruptions to these systems can have much more negative consequences than email going down.
The question quickly becomes how can you connect the OT systems and yet limit their exposure to the broader corporate network.
Corporate networks already have considerable resources devoted to security in the form of personnel, software and hardware, but they are typically designed with a relatively hardened perimeter (Firewalls, IDS/IPS, etc.) around a relatively open internal network. Access to that internal network in well-designed environments requires strong authentication, but after a computer and an individual pass these checks they typically have relatively broad access. This design is probably near ideal to achieve the goals of corporate IT networks where the tradeoff between the value of sharing information and risking that information is different than in operational systems.
Companies do see substantial benefits from making operational systems visible to a group of personnel who have specialized expertise or similar roles in different facilities but don’t necessarily need to make the data – and certainly not operational access - widely available. The question quickly becomes how can you connect the OT systems and yet limit their exposure to the broader corporate network. Certainly physical or virtual network segmentation combined with network access control can be an important starting point but likely won’t meet all needs – particularly if remote operational control is desired or unavoidable. A new class of security products has emerged that can monitor many operations protocols and provide fine-grained discrimination between the types of remote commands desired and those deemed too risky. Of course, this level of control also provides a valuable layer of defense to the operational systems to prevent deliberate or inadvertent interference from hackers or malware which may be present in the wider corporate network. Given the value that can be captured from sharing operational information and control with remote personnel and the risk that entails, these security systems are certainly worth investigating.
In future blog posts, I’ll delve into production planning and operational benefits, particularly across multiple sites in more detail.