Like companies in other industries, energy and utilities (E&U) organizations want to more efficiently leverage data generated in the field by conducting real-time analysis.
Why it matters: The integration of operational technology (OT) and information technology (IT) promises to help E&U companies enhance real-time decision-making and increase revenue. But doing so requires removing barriers between the offline (air-gapped) OT and online (connected) IT environments, a practice that introduces the potential risk for disruptions in everyday life and the economy.
The bottom line: Before launching an OT and IT convergence initiative, E&U organizations should draft well thought-out plans, paying special attention to considerations such as technical debt and cybersecurity.
___ ____ ___
Energy and utility companies have long sought to leverage data collected by their operational or production systems in the field to improve performance, predictive maintenance and decision-making. But traditionally, the wall between the unconnected OT environment and an organization’s back-office IT network has prevented the collection and processing of OT data in real time, forcing E&U organizations to conduct inefficient and time-consuming procedures such as manually extracting the information, entering it into spreadsheets, and transferring the data via removable media (e.g., USB drives) or email.
Because of those challenges and inefficiencies, E&U executives are shifting their view on the separation of OT and IT environments. They not only want to know more about what’s happening in the field, but they also want to know it immediately. As a result, we’re seeing E&U organizations pursue the integration of OT and IT systems with more frequency so that the available IT analytical tools can better support operations — the driver of the business.
A Delicate Task
The convergence of OT and IT brings with it a fresh set of challenges stemming from variables such as the presence of technical debt in the OT or field environment and the potential need to upskill and train employees on how to securely and responsibly use the newly integrated technology. But by far the biggest and most problematic difficulty facing E&U organizations undertaking a convergence strategy centers on increased cybersecurity vulnerabilities and risks.
Anyone who has experience supporting digital transformation efforts in general is no stranger to increased cybersecurity threats: The more connection points created in digital systems — in this case, between OT and IT — the more inroads available that hackers could potentially leverage in an attack. But in this instance, the possible danger is compounded by the fact that the E&U industry provides services essential to life and powers the economy.
Utilities provide critical services that we use in our everyday lives — from the electricity that powers our homes to the water that we drink. Imagine if a community in the northeastern United States didn’t have natural gas access to heat their homes during the coldest day or week of the year, or if a city’s drinking water was contaminated due to a cyberattack that resulted in a safety-system bypass and a failure in the water-purification process. Those are the potential high-stakes scenarios we are dealing with when we talk about the impact of a cyberattack on companies in the utilities industry.
The cyberthreat is especially relevant given the warning delivered by FBI Director Christopher Wray to Congress earlier this year. The Chinese Communist Party, he testified, is positioning itself to launch cyberattacks against the U.S. electrical grid, natural gas pipelines, water treatment plants and other critical infrastructure to “wreak havoc and cause real-world harm to American citizens and communities.”
For these reasons, a well-planned integration of OT and IT is essential for optimizing the operational day-to-day benefits of a convergence as well as securing the environment from malevolent actors. For E&U organizations weighing the possibility of launching a convergence project — and even those already in the throes of one — Protiviti suggests considering the following key elements:
Technical Debt
Historically OT networks have been “air gapped” — meaning they are not connected to any outside system or network — and, depending on the age of the device, may require patches or complete hardware replacement to have any possibility of linking to IT systems. But patches may not exist and, when they do, may introduce instability by impacting device functionality. Moreover, vendors that manufacture field technology such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs) offer device updates less frequently than IT vendors do.
Consequently, even if an E&U organization desires to aggressively pursue an OT and IT convergence strategy, it may find itself at the mercy of those vendors. Additionally, because updates, upgrades or replacements may require a shutdown of operations for several hours, it’s important that energy and utility companies have reliable and resilient continuity plans to contain any negative operational impacts.
Cybersecurity
In many cases, organizations will not be able to replace all their OT hardware and will have to concede some level of cyber risk. That will require E&U firms to weave in mitigation strategies and processes throughout the convergence journey. They can begin by taking an inventory of their OT assets, an often-difficult task made more so by the likelihood of past corporate mergers in which detailed OT-device inventories and logical network diagrams were an afterthought. Once the organization has a clear picture of connected systems in the field, a more comprehensive strategy to secure those devices can be defined and established through tools and techniques such as endpoint protection, secure remote access, and security monitoring and log aggregation.
Transmission and Storage
E&U organizations need to determine where the key information from the OT environment resides or originates and how well their existing IT resources can facilitate that movement to hasten analysis. An example use case for convergence could be pulling real-time production or operational data into a data lake or warehouse for visualization or an enterprise resource planning (ERP) system or to a repository in the cloud. Organizations may have the opportunity to deliver data from separate OT systems to a single repository in a more automated fashion as part of a consolidation. Regardless of the OT–IT pathways they create, organizations will require rules and guardrails to control and protect the delivery of the data.
Compliance
When undertaking OT and IT convergence, E&U organizations should make any architecture changes with caution and remain cognizant of how regulators may limit the scope of such integrations. The North American Electric Reliability Corporation (NERC), for example, is adapting its Critical Infrastructure Protection (CIP) standards to be more dynamic and flexible to address future security challenges posed by the rising number of convergences and increased utilization of cloud resources and repositories. The growing momentum of IT–OT integration, coupled with events such as the 2021 Colonial Pipeline ransomware attack, which crippled a major fuel pipeline and revealed the vulnerability of the country’s infrastructure, have resulted in additional compliance requirements from the Transportation Security Administration (TSA) and its Pipeline Security Directive (SD), issued in direct response to the Colonial Pipeline attack.
Defining Success
In addition to those considerations, it is imperative that E&U companies outline their end-state goals and objectives early when planning a convergence. Success may be defined as simply having the ability for the first time to capture and analyze data using machine learning. Alternatively, it could mean seizing the opportunity to consolidate certain competing systems and applications to eliminate redundancy and enhance efficiency.
No matter how success is defined, organizations that pursue OT and IT integrations are positioning themselves to leverage an abundance of ready-made data to optimize operations and revenue. These endeavors are hardly free of risks and challenges, but companies that plan effectively, safely deconstruct the walls between the two environments and adeptly manage the new state will give themselves the best opportunity to realize the full value of convergence.
Add comment