Since the first industrial revolution, operational technology (OT) has been central to the economy. It keeps industrial networks and processes running, letting businesses automate industrial activity where possible, delivering efficiency and control, avoiding threats.
As networked computers have changed almost everything about our professional and personal lives, two separate technology silos have developed: the OT environment, which sits separate from other technology; and the information technology (IT) environment, which connects the world via the Internet.
Due to the growth of the Internet, cloud, Internet of Things and Internet protocolbased communications, another, quieter revolution is taking place. This revolution is the convergence of OT and IT.
OT networks tend to be legacy-based, and in the past have been kept physically separated, or “air-gapped”, from anything connected to the outside world. Today, by connecting these systems to corporate IT systems, businesses can increase efficiencies, drive cost savings, cut delivery timeframes, improve decision-making capabilities, and enhance competitiveness.
These benefits are particularly attractive to oil and gas companies that have been hit by diminishing profits as a result of commodity price uncertainty and hard-to-reach resources reserves.
Oil and gas companies are driven to converge IT and OT systems for three key reasons.
1. The Need for Improved Operational Excellence
It is becoming more difficult to turn a profit from oil and gas fields. This naturally fosters a great focus on production efficiency and effectiveness. In turn, this drives a culture of high performance and is changing the way businesses are managed.
2. Capital Project Effectiveness, Skills Shortages, and Changes in Working Cultures
The investment required in increasingly large and complex projects to acquire the remaining natural resources from more challenging fields has risen. Workers must adhere to new
safety and security challenges, and a general skills shortage has made it more difficult to attract sufficient skilled workers willing to work in hazardous and remote locations.
3. The Need for Automation
As more oil and gas operations move to offshore and remote locations, they rely more on remote operation and automation. While delivering efficiencies, this reliance makes organisations more vulnerable to attack and more difficult to protect.
In response to these drivers, oil and gas companies are looking to be more connected. As they grow geographically, companies rely more on technology, analytics, and automation to stay competitive. This includes deploying components, systems, and people that can communicate and share information with each other in real time. For example, this is central to the technology-driven ‘Digital Oil Field’ initiatives that many of the world’s most prominent oil and gas enterprises are implementing.
However, through this connection to corporate IT systems, OT systems are now Internet-connected. Yet OT systems were not originally designed or implemented with this connectivity in mind. They are therefore largely unprotected from the security threats that abound on the Internet. The threat to these systems is very real, both from accidental misuse and also deliberately malicious activity from both inside and outside the business.
The approach required to manage these threats requires a different mindset and approach from traditional IT security for a number of reasons. Converged IT and OT systems result in more complex architectures, making it harder to accurately determine the various components’ security requirements and quantify the levels of risk. Network architectures to segregate different domains require a different approach, one that ensures availability of OT systems at all times, avoids any latency in realtime protocols, but also ensures the validity, integrity, and authorisation of data exchange.
BAE Systems Applied Intelligence recommends that organisations follow
these three basic steps to ensure security is managed as part of any IT/OT convergence activity:
Understand what assets and systems exist. Determine which components need to be protected, their relative importance with respect to the organisation’s processes, and the structure of the network.
Create a layered defence around each of the critical systems that have been identified, controlling access of people, data, and commands.
Establish ongoing periodic checks and assessments to ensure defences remain effective, and be ready to respond if attacks or vulnerabilities are detected.
The convergence of IT and OT offers companies tremendous opportunity to enhance productivity, increase efficiency, and competitiveness. However, they need to recognise that the risk of cyber attack and security violations has increased, opening up many new security challenges. Although not all security solutions for the world of IT map directly into OT architectures, following security best practice and using solutions designed for converged IT/OT architectures will let companies realise the benefits while minimising their risks.
Rajiv Shah is Regional General Manager at BAE Systems Applied Intelligence. He has more than 16 years’ experience in the technology industry, working with commercial and government sector customers to design and implement leading edge information intelligence solutions which help organisations in the hyperconnected world to protect and enhance their critical assets.