Do's and Don'ts of IT/OT Collaboration

The adoption of Internet Protocol in manufacturing is prompting a new era of cooperation and collaboration between IT and OT. Both have essential roles to play in helping manufacturing companies successfully transition to a single, secure IP-based network.

The human capital required to completely usher manufacturing into the Internet Age still remains largely divided between two camps: Information Technology (IT) and Operations Technology (OT). For decades, IT professionals have worked exclusively on the business side, while operational technology experts have controlled the manufacturing zone.

But the adoption of Internet Protocol (IP) in manufacturing is prompting a new era of cooperation and collaboration between IT and OT. Both have essential roles to play in helping manufacturing companies successfully transition to a single, secure IP-based network that unifies the industrial environment with the corporate enterprise.

The first step in forging a new-age IT/OT relationship is far from simple: The two sides must have a meeting of the minds. We all know that, generally speaking, IT doesn’t understand controls, and control engineers don’t understand IT.

But that long-standing knowledge gap must be bridged to allow organizations to take full advantage of the vast business benefits offered by a converged, IP-centric network infrastructure. Foremost among those is end-to-end connectivity from plant floor to the corner office. And by investing in IP technology, manufacturers can leverage emerging tools and technologies — such as video cameras, digital tablets and RFID readers — to improve production quality and efficiency, as well as support security and cost-containment initiatives such as energy management.

So what should IT and OT professionals do to help guide their organizations into the industrial IP evolution? First, overcome old and often adversarial attitudes toward each other. Empathy needs to replace enmity. And both groups need to become more flexible regarding their priorities.

But attitude adjustments are just the start. The real work lies in the realm of collaborative policies, practices and procedures necessary to create a unified, 21st century enterprise network.

Here we provide some practical guidance that can help professionals from both sides of the divide implement practices that will make life easier for their peers.

How IT Professionals Can Help

Don’t be stingy with IP addresses. Traditionally, some IT departments manage IP addresses as part of their business model — meaning they charge other departments for IT services based on the number of IP addresses “owned” by a particular office group. This model makes sense when the IP address is a proxy for, say, a PC, a printer or an IP telephone.

But that approach fails on the factory floor. Here, just one piece of machinery — a printing press, for example — could have 800 or more IP addresses. So now we’re talking about a couple of million dollars in charges a year for a machine that IT people will never even touch.

The solution? Instead of keeping a tight grip on IP addresses, IT should be saying to manufacturing, “have as many as you need.”

To manage this major change, however, IT departments need a new accounting method. The choices are many, but whatever choice is made, it must enable rather than limit innovation in equipment design.

Embrace network address translation. Another change necessary to accommodate IP technology on the factory floor is network address translation (NAT). While NAT is an obvious approach to managing identical machines, IT departments traditionally have opposed it because it makes central network management very complex and difficult.

But the complexity of managing network address translation is much smaller than the complexity of managing different machine configurations. IT policies against NAT were right for the environment for which they were written, but they pose a problem on an IP-connected plant floor.
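To make the "identical machines" point concrete, here is an added example (not code from the article or from Industrial IP Advantage) of the 1:1 NAT a cell-boundary router performs: every copy of a machine keeps the same internal addressing plan, and each cell is mapped onto its own plant-wide block. The cell names, subnets and device addresses are assumed values.

```python
# Added example (not from the article): 1:1 NAT for identical machine cells.
# Every cell ships with the same internal addressing plan; a NAT router at each
# cell boundary maps that plan into a unique plant-wide block, so cells can be
# cloned without re-addressing a single device. All addresses are constructed.
import ipaddress

# Internal plan shared by every copy of the machine (assumed values).
MACHINE_INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Plant-wide block owned by each cell's NAT router (assumed values).
CELL_OUTSIDE = {
    "press-1": ipaddress.ip_network("10.10.1.0/24"),
    "press-2": ipaddress.ip_network("10.10.2.0/24"),
}


def to_outside(cell, inside_ip):
    """Map a machine-internal address to the cell's plant-wide address (1:1 NAT)."""
    inside = ipaddress.ip_address(inside_ip)
    block = CELL_OUTSIDE[cell]
    if inside not in MACHINE_INTERNAL:
        raise ValueError(f"{inside} is not in the machine's internal plan")
    if block.prefixlen != MACHINE_INTERNAL.prefixlen:
        raise ValueError("plant block must be the same size as the internal plan")
    offset = int(inside) - int(MACHINE_INTERNAL.network_address)
    return str(block.network_address + offset)


def to_inside(cell, outside_ip):
    """Reverse mapping: plant-wide address back to the machine-internal address."""
    outside = ipaddress.ip_address(outside_ip)
    block = CELL_OUTSIDE[cell]
    if outside not in block:
        raise ValueError(f"{outside} is not in {cell}'s plant block {block}")
    offset = int(outside) - int(block.network_address)
    return str(MACHINE_INTERNAL.network_address + offset)


def outside_blocks_overlap():
    """Plant-plan sanity check: no two cells may share plant-wide addresses."""
    blocks = list(CELL_OUTSIDE.values())
    return any(a.overlaps(b) for i, a in enumerate(blocks) for b in blocks[i + 1:])


if __name__ == "__main__":
    # The same internal PLC address resolves to a distinct plant address per cell.
    for cell in CELL_OUTSIDE:
        print(cell, "PLC 192.168.1.10 ->", to_outside(cell, "192.168.1.10"))
```

The central management cost the article mentions is the mapping table itself: one block per cell, while the machine builder's configuration never changes.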

Support routing at the machine level. Routing is a key function for a unified plant infrastructure. IT can help by recommending industrialized routers at the machine level, because a typical enterprise-level router has too much functionality and power for a single machine and tends to fail in the rugged environment of the factory.

Historically, IT departments have deployed routing in relatively centralized locations. They have avoided distributing it because routing is a complicated and relatively expensive function.

There’s no downside to that approach when the majority of your communications come from clients to remote servers. But in the manufacturing environment, where lots of different machines are deployed and most communication is peer to peer at low levels in the architecture, a lack of distributed routing creates performance and maintenance problems.

Deploy a manufacturing DMZ. Establishing a DMZ to separate manufacturing from the enterprise helps keep industrial data centered inside the industrial zone. The DMZ contains all the physical/logical servers and databases, allowing the plant to run autonomously.

IT professionals traditionally oppose the deployment of a DMZ between the enterprise and manufacturing. Again, their reasons come down to cost and complexity. But the potential cost savings are huge, considering the high value of secure manufacturing processes.

Allow entry to remote experts. Today’s changing workforce dynamics — including the receding pool of engineers and technicians who specialize in automation systems — means most plants don’t contain all the expertise they need to operate effectively. Meanwhile, nearly every enterprise is determined to drive down operational costs by reducing employee skill sets so their people can focus on their core competencies.

The good news: IP-enabled technology, particularly video, can allow outside experts inside the manufacturing zone, regardless of their physical location. So third-party specialists — or simply the machine guru at a sister plant — can help troubleshoot a problem on a line or provide maintenance using VPN tunnels into the manufacturing zone.

This means manufacturers can increase their talent pool by committing to a technology platform that is in sync with the rest of the Internet-working world.

But before remote experts can tunnel in, they need IT’s help — and that’s often tough to get. The IT “vetting” process includes multiple and often complicated forms that contractors must fill out before they can gain VPN access to the enterprise.

If manufacturers are going to drive down their operational costs, IT must be part of that solution. And effective IT means enabling third-party contractors to remotely connect to network assets.

How OT Professionals Can Help

Engineer and architect networks. Traditionally, factory-floor networks have been integral parts of the control system. So conventional controls engineers think of networks as a somewhat passive commodity.

But to reap the benefits of the emerging Internet of Things, OT needs to design IP-enabled networks with a high level of engineering discipline. They must apply the same rigor to the network architecture that they apply to the design of software in the system.

Adopt structured cabling. Controls engineers are accustomed to using bus and line topologies, which have adequately served plant-network needs for decades. The biggest advantages of bus and line are the ease of implementation and extension, and the fact that they can be initially less expensive than other topologies.

But their drawbacks outweigh those advantages. Bus and line topologies are difficult to troubleshoot, driving up maintenance costs in the long run. Also, performance declines as additional computers are added or with heavy traffic. And security is low because all computers on the bus can see all data transmissions.

Star topologies offer a superior solution. They enable the best diagnostics and security. And star topology allows auto device replacement and provisioning, while providing a foundation for future network expansion.

Learn layer three. The third layer of the Open Systems Interconnection (OSI) Reference Model is the network layer. This layer defines how interconnected networks function. The IP address is a layer 3 address. IP is the defining technology of the Internet and the Internet of Things. Thus, layer 3 is key to understanding the benefits of industrial IP, and how to attain them.

For example, virtual segmentation is a layer 3 function. This segmentation is key to security, both isolating data flows to device groups that ‘need to know’ and restricting users’ access to the systems they need to interact with.
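The manufacturing DMZ described earlier and the layer 3 "need to know" segmentation described here are the same mechanism seen from two sides: a zone policy enforced at the routers between subnets. As an added example (not code from the article or from Industrial IP Advantage), the following evaluates constructed flow records against such a policy; the zone names, subnets and ports are assumed values.

```python
# Added example (not from the article): a layer-3 zone policy with a
# manufacturing DMZ. Enterprise and cell zones may reach the DMZ; they never
# reach each other directly, and unknown addresses are denied. All zone names,
# subnets, ports and flow records are constructed for this illustration.
import ipaddress

# Assumed addressing plan.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "cell-press": ipaddress.ip_network("10.10.1.0/24"),
    "cell-packaging": ipaddress.ip_network("10.10.2.0/24"),
}

# Allowed (source zone, destination zone, TCP port); anything else is denied.
# Assumed ports: 443 for web/historian access, 1433 for a database in the DMZ.
ALLOW = {
    ("enterprise", "dmz", 443),
    ("cell-press", "dmz", 1433),
    ("cell-packaging", "dmz", 1433),
}


def zone_of(ip):
    """Return the zone name an address belongs to, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, port):
    """True only if the flow stays inside a zone or follows an allowed path."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address: default deny
    if src == dst:
        return True   # intra-zone traffic is switched, not routed
    return (src, dst, port) in ALLOW


def audit(flows):
    """Evaluate (src, dst, port) records and return the denied ones."""
    return [f for f in flows if not is_allowed(*f)]


SAMPLE_FLOWS = [  # constructed sample traffic; 44818 is an assumed control port
    ("10.0.5.7", "10.20.0.10", 443),        # enterprise -> DMZ historian
    ("10.10.1.10", "10.20.0.20", 1433),     # press PLC -> DMZ database
    ("10.0.5.7", "10.10.1.10", 44818),      # enterprise -> PLC directly: denied
    ("10.10.1.10", "10.10.2.10", 44818),    # press cell -> packaging cell: denied
]
```

Running `audit(SAMPLE_FLOWS)` returns the last two records, which is exactly the kind of cross-zone flow a shared IT/OT policy should make visible rather than silently permit.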

Embrace security. A threat to a control system doesn’t always emanate from someone with malicious intent. In fact, many threats stem from a good person trying to do the right thing. To address security risks, welcome a robust discussion of the technologies and policies needed to protect your assets and your ability to innovate. But the most sustainable security policy is a single policy throughout the enterprise, and that requires IT and OT to cooperate on its deployment at the plant-floor level.

Don’t build islands of information. Separate networks are easy for OT to deploy on day one, but they are hard to integrate. And without the ability to integrate, these often expensive, proprietary networks create islands of information, confining data to the point of creation.

Deploying IP from enterprise to plant provides the unprecedented ability to combine hardware and software over industrial Ethernet for ever-greater levels of performance and connectivity. IP-enabled networks also deliver the ability to analyze big data from all connected devices and turn it into actionable information.

Who Should Lead?

Every organization is different, so there’s no single answer to the question, “Who should lead an industrial IP initiative?”

That decision could be advanced by the answer to this question: “Who is more prepared to listen to and understand the needs of the other stakeholder?”

But one thing is certain — manufacturers stand to reap significant financial benefits from the flow of information enabled by industrial IP. Neither IT nor OT can deliver those benefits alone. The only path is collaborative cooperation.

Paul Brooks, Business Development Manager at Rockwell, on behalf of Industrial IP Advantage.