What is an IT/OT Gateway?
An IT/OT gateway provides two-way communication that benefits both IT and OT. IT gets visibility into the industrial processes that are driving the business, while OT can access advanced IT applications such as Big Data analytics. Effective IT/OT gateways are critical to developing advanced IoT networking capabilities.
For convergence between IT and OT, the issues are: (1) Security, including threats, segmentation, access control, and data confidentiality; (2) Safety, including cyber-hardening and line-of-sight protections; and (3) Data Transformation, converting data in OT formats (Modbus, DNP3, EtherNet/IP) into formats instantly consumable by IT advanced analytics.
Before we can truly begin to understand what an IT/OT Gateway is, we need to first understand the circumstances surrounding the convergence between IT (Information Technology) and OT (Operational Technology) in the Industrial Internet.
IT is, of course, defined as the use of computers and telecommunications systems for storing, retrieving and sending information, but we all know it's much more valuable than that. And according to Gartner, OT is hardware or software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.
The key take-away here is that IT and OT are distinct specializations that provide different services to the business. While IT keeps the organization up and running, OT produces the company's actual revenue-generating product or service. While IT is frequently upgrading to new infrastructure and new applications, OT by definition relies on minimal disruption to its decades-old legacy frameworks.
Thanks to the obvious inherent business advantages in areas such as productivity and cost analytics, IT and OT are converging. Indeed, it is these business advantages that herald the advent of the Industrial Internet.
However, IT/OT convergence creates a problem which can be distilled down to this: IT is being asked to organize and manage solutions whose business benefits will redound largely to OT. Convergence ensures an expansion of the scope of IT activities, but this expansion extends to a technology realm that is not under their control.
IT departments are frequently put in charge of OT automation, but without a stake in OT business outcomes. The problem is exacerbated by the fact that the technology assets comprising OT are typically the most valuable assets in the business. These assets generate energy, such as electricity or oil and gas; produce complex machinery such as cars, airplanes, or computers; or process advanced pharmaceuticals, food, beverages, and so on.
As you might expect, visibility and risk aversion are high in these types of environments, often leading to complicated governance.
Given these circumstances, we can conclude that the key barriers to IT/OT convergence in an organization are cultural challenges. Agility is an ideal example that underscores the distinction between the two realms: IT people often think in terms of minimally-viable commercial solutions, while OT projects are generally much more structured. This is a key point of cultural friction. For this reason, as part of convergence best practices, we commonly recommend composing hybrid teams comprising members from both IT and OT.
In fact, the organizational challenge is the primary barrier to widespread development and adoption of new Industrial Internet applications and business transformations. That's a strong statement, but it's key to understanding why IT/OT Gateways will play a critical role in the Industrial Internet.
Understanding the context of the different functions and different charters of IT and OT, let's look at how an IT/OT Gateway might be useful.
The word Gateway itself has different meanings on the two sides of the divide. To IT people, a Gateway almost immediately suggests a hardware device that operates at OSI Layers 2 and 3. The word lacks this particular resonance for OT people, for whom it usually describes a means of connecting data in one environment with data in another.
For the purposes of this discussion, we can think of a Gateway as providing two-way communication that benefits both IT and OT. IT gets visibility into the industrial processes that are driving the business, while OT gets access to advanced IT applications such as big data analytics. When the data in question is big data on the order of the output of thousands of factories, or the chemical formulas of thousands of products, the IT/OT Gateway can clearly be considered to be providing indispensable capabilities.
In the near future, new roles will become visible, including the critical occupation of industrial data scientist. This will be challenging, because the OT realm consists of hard engineering disciplines that are not quickly picked up. For that reason, the transition to new ways of doing things will be driven largely by OT people, which is a change from today, when the Industrial Internet is driven largely by skill sets and people from IT.
There are two ways that we can help to ease the path forward:
- IT and OT can recognize where their interests, practices and vocabularies are similar and where they are different.
- IT and OT can find some technologies and deployment models that grease the skids: an IT/OT Gateway presents an ideal Exhibit A.
Examples of IT/OT Boundary
To help paint the full picture of what an IT/OT Gateway might be, let's identify a meaningful number of paradigmatic examples at the IT/OT boundary. In these, we can examine the various IT/OT convergence issues and look for commonalities.
In general, we expect convergence tensions to look like cases where IT or OT proposes some extension of the way they do things into the other realm, without recognizing why that's taken as a bad idea on the other side. Over time, as we identify more and more cases, these anecdotes will coalesce into patterns. Here are a few for your consideration:
- ICS/SCADA systems connected to historians
- Partially-open control loops extended into carpeted space
- Industrial Internet applications where equipment vendors have visibility to customer environments
- Edge computing in advanced manufacturing
- Completely nontraditional environments where there is no traditional IT and OT boundary in place, such as smart cities, aircraft-based asset monitoring, and connected cars
- Emerging environments in which analytical results "close the loop" and become fully integrated into new ways of doing industrial activities. This is the stuff that hasn't even really been figured out yet, and we need to define a more seamless convergence, which will critically involve the development of new roles beyond traditional IT and OT.
What do we learn from this list? It becomes evident that there are fundamental differences between IT and OT but there is also some common ground.
For true convergence, the technical problems will always boil down to enabling:
- Security, including threat intel, segmentation, access control, and data confidentiality
- Safety, including cyber-hardening and line-of-sight protections, and
- Data transformation, which provides the capability to convert data in OT protocols and formats (Modbus, DNP3, EtherNet/IP, etc.) into formats that are instantly consumable by IT advanced analytics (JSON over HTTP/HTTPS, etc.).
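The three requirements above meet in a single piece of code at the gateway. The following is an added example, not code from the original article or from any gateway product: a minimal Modbus/TCP handling path that (a) validates each frame, (b) enforces an access-control allowlist so that only read-only function codes are forwarded southbound into the OT network (a gateway that mirrors process data to IT never needs to write to a PLC, which is the assumption here), and (c) transforms a Read Holding/Input Registers response into a JSON-ready dict using a register-to-tag name map. The frames, the tag names (`pump1_pressure_kpa`, `pump1_run_state`) and the function names are all constructed for this example; the frame layout (MBAP header plus PDU) and the function codes follow the Modbus/TCP specification.

```python
from __future__ import annotations

import json
import struct

# Northbound allowlist. Assumption for this example: the gateway only mirrors
# process data to IT, so it forwards read-only Modbus function codes and drops
# every write, diagnostic and file-transfer request.
READ_ONLY_FUNCTION_CODES = {
    0x01: "read_coils",
    0x02: "read_discrete_inputs",
    0x03: "read_holding_registers",
    0x04: "read_input_registers",
}

# Hypothetical tag map (register address -> IT-friendly name); not a real PLC.
TAG_NAMES = {100: "pump1_pressure_kpa", 101: "pump1_run_state"}

# Constructed sample frames (not captured from a real device).
READ_REQUEST = bytes.fromhex("000100000006010300640002")        # FC 03, 2 regs from 100
READ_RESPONSE = bytes.fromhex("00010000000701030412340010")     # values 0x1234, 0x0010
WRITE_REQUEST = bytes.fromhex("000200000006010600640001")       # FC 06, reg 100 := 1
EXCEPTION_RESPONSE = bytes.fromhex("000100000003018302")        # FC 83, illegal address


class ModbusFrameError(ValueError):
    """Raised for a malformed Modbus/TCP frame; the gateway drops such frames."""


def parse_mbap(frame: bytes) -> tuple[dict, bytes]:
    """Split a Modbus/TCP frame into MBAP header fields and the PDU.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2, number of
    bytes that follow it, unit id included), unit id (1). The PDU follows.
    """
    if len(frame) < 8:
        raise ModbusFrameError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ModbusFrameError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ModbusFrameError(f"MBAP length {length} disagrees with frame size {len(frame)}")
    if length > 254:  # spec maximum: 253-byte PDU plus the unit id
        raise ModbusFrameError("PDU exceeds Modbus/TCP maximum")
    return {"transaction_id": tid, "unit_id": unit}, frame[7:]


def filter_southbound_request(frame: bytes) -> dict:
    """Access control at the gateway: admit a request only if it is well formed
    and uses a read-only function code. Returns a summary of the request."""
    header, pdu = parse_mbap(frame)
    fc = pdu[0]
    if fc not in READ_ONLY_FUNCTION_CODES:
        raise PermissionError(f"function code 0x{fc:02X} is not permitted through the gateway")
    if len(pdu) != 5:  # all four read requests carry start address + quantity
        raise ModbusFrameError("malformed read request")
    start, quantity = struct.unpack(">HH", pdu[1:5])
    limit = 125 if fc in (0x03, 0x04) else 2000  # spec limits per request
    if not 1 <= quantity <= limit:
        raise ModbusFrameError(f"quantity {quantity} out of range for function 0x{fc:02X}")
    header.update(function=READ_ONLY_FUNCTION_CODES[fc], start_address=start, quantity=quantity)
    return header


def registers_to_json(frame: bytes, start_address: int) -> dict:
    """Data transformation: turn a Read Holding/Input Registers response into a
    dict that json.dumps() can serialize for an IT pipeline. Exception responses
    are kept, not dropped, so the IT side can see that the PLC refused the read."""
    header, pdu = parse_mbap(frame)
    fc = pdu[0]
    if fc & 0x80:  # exception response: original function code with the high bit set
        if len(pdu) != 2:
            raise ModbusFrameError("malformed exception response")
        return {**header, "function": fc & 0x7F, "error": {"exception_code": pdu[1]}}
    if fc not in (0x03, 0x04):
        raise ModbusFrameError(f"function 0x{fc:02X} is not a register read response")
    byte_count, data = pdu[1], pdu[2:]
    if byte_count != len(data) or byte_count % 2 != 0:
        raise ModbusFrameError("byte count disagrees with payload length")
    values = struct.unpack(f">{byte_count // 2}H", data)
    tags = {}
    for offset, value in enumerate(values):
        address = start_address + offset
        tags[TAG_NAMES.get(address, f"register_{address}")] = value
    return {**header, "function": READ_ONLY_FUNCTION_CODES[fc], "tags": tags}


if __name__ == "__main__":
    request = filter_southbound_request(READ_REQUEST)
    print(json.dumps(registers_to_json(READ_RESPONSE, request["start_address"]), indent=2))
    try:
        filter_southbound_request(WRITE_REQUEST)
    except PermissionError as exc:
        print("dropped:", exc)
```

Two design points worth noting. The allowlist is on the function code, not on the source IP, because a compromised IT host sitting behind the gateway would otherwise be able to write setpoints; segmentation by address is still needed, but it belongs in the network layer, not here. And the length check against the MBAP header happens before any field is interpreted, which is the usual place a protocol converter gets hurt when a malformed frame arrives from either side.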
Networking itself is very different in the IT and OT realms. High throughput, dense connectivity, and standard protocols on the IT side contrast with ring and line topologies, very strict latency bounds, and proprietary protocols on the OT side. Note also the critical OT concern with safety as opposed to security: in OT, safety has historically been a far more important requirement than cybersecurity, and the reverse holds in IT.
Perhaps we can reasonably agree that a proper IT/OT Gateway is to provide general capabilities needed for Industrial Internet applications, where the need is defined by either IT or OT personnel, but managed by the other group.
Having established that, the current crop of IT/OT Gateways consists of low-powered, somewhat ruggedized computers that are often multi-homed, with one interface on the OT network and one on the IT network. But not all of these solutions operate at the virtual demarcation line between IT and OT, which by definition should be a requirement. Some Gateway capabilities are needed in some environments, others in other environments, and some in nearly all environments.
On to the future
In the coming years, IT/OT Gateways will become more intelligent and more capable, but at some point industries will inevitably ask the question: do we need smarter machines, or just smarter processes? It's proven quite natural and fairly easy to add communications capabilities to sensors and machines, but compute capabilities? Not so much.
It's not unlikely that the industry will elevate this observation to a real paradigm, and we'll begin working on smart interfaces and gateways to which machines talk, with a bi-directional interface to cyberspace.
Here's the hope: that reimagining and reinventing processes (business as well as industrial) does not require a wholesale transformation of a vast range of existing engineering practice and management. We're extending the Industrial Internet to a well-defined boundary layer that stops just short of permeating the machine space itself.
Of course, there is a contrary point of view that industrial machines will rapidly become computing machines, and the practice of industry will rapidly converge with data processing. It′s up to the community to determine the extent that the two futures are compatible. The metrics we use to gauge success will be:
- Manageability (security and cost effectiveness)
- Isolation between IT and OT spaces such that practitioners don't have to leave their comfort zones
- Rapid access to solutions
We can conclude that technology evolution and migration on the OT side is severely constrained compared to the IT side. This notably affects firmware updates and control programs, but also data functionality and responses to security threats.
Since the openings into OT are being made from the IT side, can we usefully define the IT/OT Gateway as the place where technology evolution reaches a barrier?
We need to consider the rise of smarter machines. Their uptake will be slow but steady, and larger, more expensive industrial machines will more visibly acquire many of the characteristics of computers. Does this presage an eventual evolution of IT practice into industrial environments?
Can we identify industrial sectors where this is more or less likely to happen? What are the "classic" application strategies for the industrial internet?
If it turns out that it's possible to identify some of these, then maybe it gets easier to articulate standard implementation strategies, also known as "best practices." It is important for IT people to understand that in the OT world, standard practice may be under strain, but it remains highly valued.