How to Implement IT Compliant OT

Adam Burgess — Thu, 26 Oct 2023 14:32:53 +0000

As manufacturing operations adopt more intelligent systems, we’ve seen control systems, equipment, and networks rebranded as Operational Technology (OT). With this has come a change in approach from IT departments, who for decades wanted nothing to do with the weird and wonderful equipment that populated the OT space. While keeping the operational world at arm’s length was possible for IT in the past, they are now converging at such a pace and in a way that is impossible, or even perilous, to ignore.

A vital convergence

Cybersecurity is a crucial concern. OT equipment has become more IT aligned by necessity through standard protocols and ethernet/IP connectivity. Like a bucket of cold water, this fact woke the IT world to the significant vulnerabilities presented by connected operational systems. Furthermore, the press has continued to fill with stories of backdoors exploited by nefarious actors and the dire consequences of which to reputations, service, and profitability.

It was time for OT to be taken seriously and become part of the IT estate with the same high standards and best practice approaches to security.

So, what does this mean for you as a manufacturer?

Firstly, you must ensure that your control systems, such as PLC, SCADA etc., are secure from threats by keeping systems up to date and only providing connectivity between systems that require it. Leaving your entire operation wide open, with everything connected to everything else, is particularly hazardous. The optimal solution is to establish communication channels secured via switches and routers, allowing protocols to be enabled and disabled as required. Through this method, you can install firewalls between departments to further mitigate the threat of a cybersecurity breach.

The second point to consider is access control. Users should only be granted permissions to systems they require within an IT-supported domain. Paired with appropriate password complexity, a policy of regularly changing those passwords can minimise a potential vector of attack.

Next is virtualisation. By abstracting OT systems from the IT hardware, you can install physical hosts in an environmentally controlled data centre; rather than the old method of putting server racks under desks in control rooms, where they were subject to dust, heat, and the occasional accidental kicking from a steel-toe-capped boot.

Rounding out this brief overview is patching and backups. Patching regularly, at the same frequency as IT systems, ensures systems are constantly kept up to date and reduces the impact of ‘timely’ vulnerabilities such as Log4j. We still visit sites where Windows XP, NT and Server 2000 are still in use. These operating systems are running long after official support has ended, meaning security patches are no longer available and the vulnerabilities are well known and widely published.

Because OT should now be firmly on your IT department’s radar, creating a thorough backup regime will mean your systems are recoverable in the event of data loss due to a ransomware attack, operator error or any other disruption.

Experience and Expertise

Novotek Solutions delivers operational technology with a methodology shaped by a deep knowledge gained in over three decades of experience in IT domains.

We’ve led the way in delivering all our projects to a high, IT-compliant standard. Our solutions are supportable, maintainable, and extensible to keep your operation fit for the future.

Amie Shannon — Mon, 24 Oct 2022 09:46:04 +0000

One of the advantages of managing technology assets is that you can do things with them beyond “just running them”, such as, keeping track of them and repairing them! Optimising a productions process for efficiency or utility usage if often a matter of enhancing the code in a control program, SCADA, or related system, so the tech assets themselves can be the foundation for ongoing gains. And similarly, as customer or regulatory requirements for proof of security or insight into production processes increase, the tech assets again become the vehicle to satisfy new demands, rather than re-engineering the underlying mechanical or process equipment.

It’s this very adaptability that makes version control around the configurations and programs valuable. As configurations and programs change, being sure that the correct version are running is key to sustaining the improvements that have been built into those latest releases. With that in mind, a good technology asset management program, such as octoplant will have version control as a central concern.

Whether deploying solutions in this area for the first time, or refreshing an established set of practices, it’s worthwhile to step back and evaluate what you want version control to do for you – operationally, compliance-wise and so on. And from that, the capabilities needed from any tools deployed will become clearer. With that in mind, we’ve noted some of the key areas to consider, and the decision that can come from them. We hope this helps you set the stage for a successful project!

Decide How to Deeply Embed Version Control

We take VPNS, remote access and web applications for granted in a lot of ways – but this combination of technology means that it’s easier than ever to incorporate external development and engineering teams into your asset management and version control schemes. Evaluate whether it makes sense to set up external parties as users of your systems, or if it makes more sense to have your personnel manage the release and return of program / configuration files. The former approach can be most efficient in terms of project work, but it may mean some coordination with IT, to ensure access is granted securely. Either way, setting your version control system to reflect when a program is under development by other can ensure you have a smooth process for reincorporating their work back into your operation.

Be Flexible About the Scope of What Should be Version-Controlled.

Program source codes and configurations are the default focus of solutions like octoplant. Yet we see many firms deploying version control around supporting technical documentation, diagrams, even SOP (Standard Operating Procedure) documents relating to how things like code troubleshooting and changed should be done.

Define Your Storage and Navigation Philosophy.

In many cases, this can be a very easy decision – set up a model (and associated file storage structure) that reflects your enterprise’s physical reality, as illustrated below. This works especially well when deploying automated backup and compare-to-master regimens, as each individual asset is reflected in the model.

However, some types of business may find alternatives useful. If you have many instances of an asset where the code base is genuinely identical between assets, and changes are rolled out en masse, and automated backup and compare is not to be deployed, it can make sense to think of a category-based or asset-type-specific model and storage scheme.

It may be that a blended approach make sense – where non-critical assets and programs may have variance both in their automation, and therefore in the program structure, an enterprise model can make sense. But in some industries (food, pharma, CPG), it can be common to maintain identical core asset types, and associated automation and process control. So having some category / type-based manager versions can be useful, too.

Reporting and Dashboards – Version Control Data is Not Just for Developers and Engineers.

A robust solution will track actions taken by different users in relation to different asset’s code bases, and in relation to any automated comparisons. This means you can have a rich audit trial that can certainly be used to ensure disciplines are being followed, but it also means that you can easily support any regulatory or customer requirements for data. And with a model of your operation reflecting the different makes models, variants and generation of tech assets, you’ll have a tech inventory at your fingertips that can make reinvestment and replacement planning much more efficient. So, make sure your plan to share dashboards and reports reflects the different people in your organisation who could use their own view of the tech assets, and the programs running in them.

If you’d like to learn more about the work we do with our customers on technology asset management, you can get in touch here; or ring us on +44 113 531 2400