One of the main differences between an OT (operational technology) network, such as one found on the manufacturing floor, and an IT (information technology) network, such as one found in an office environment, is the equipment that is connected to the network. This difference is the primary factor that drives the need for different strategies when implementing each of these types of networks. These differences also shape the strategies for deploying security solutions to protect the connected equipment in each environment.
Most of the equipment connected to an IT network is based on some form of standard computer technology – PCs, servers, printers, etc. All of these devices natively connect using some form of Ethernet communication, either wired or wireless. Also, most of this equipment is fairly new, typically less than 3-5 years old, and older equipment can be replaced or upgraded at a reasonable cost – typically several hundred to a few thousand dollars. Commercially available network security tools used to protect these networks and the connected equipment are specifically designed for this environment.
This is not the case for OT networks on the manufacturing shop floor. While the percentage of shop-floor equipment that can be directly connected to an Ethernet network is increasing, it still represents only a minority of the equipment found in manufacturing operations. Of this equipment, a still smaller percentage incorporates PC-like capabilities on which traditional security tools can be deployed. For the balance of the equipment, extra steps are necessary to connect it to the network and then provide the security tools needed to protect it.
For the portion of the equipment that does connect to an Ethernet network, the majority uses one of a variety of proprietary communications protocols and data formats that are not supported by most commercially available network security tools. For this equipment, an edge computing device will typically need to be added to the architecture to isolate individual pieces of equipment or groups of equipment. These edge computing devices can host the required security tools to protect the equipment from the rest of the network and to protect the network from the equipment.
For the equipment that does not natively connect to an Ethernet-based network, an edge computing device can also be added to the architecture to provide both a translation/data collection function and to host the required security tools.
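As an added illustration (not code from the article), the following Python sketch models the two-way protection an edge computing device provides for a legacy machine: only the flows the process needs (the machine pushing data to a historian, an engineering workstation programming the machine) are allowed, and everything else crossing the edge in either direction is denied and logged. All addresses, ports and flow names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses for the example cell and OT network
CELL_HOSTS = {"10.10.5.10"}           # legacy machine sitting behind the edge device
ENGINEERING_WS = "10.10.1.20"         # workstation allowed to program the machine
HISTORIAN = "10.10.1.30"              # data collector the machine reports to

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Allow rules as (src, dst, dport, proto); anything else crossing the edge is denied
ALLOW_RULES = (
    ("10.10.5.10", HISTORIAN, 4000, "tcp"),       # outbound: machine -> historian
    (ENGINEERING_WS, "10.10.5.10", 5000, "tcp"),  # inbound: engineering -> machine
)

def direction(flow: Flow) -> str:
    """Classify a flow relative to the protected cell."""
    src_in, dst_in = flow.src in CELL_HOSTS, flow.dst in CELL_HOSTS
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "other"   # neither side is the cell, or both are

def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow seen at the edge device."""
    d = direction(flow)
    if d == "other":
        return "deny", "flow does not cross the cell boundary; edge device is not a path for it"
    if (flow.src, flow.dst, flow.dport, flow.proto) in ALLOW_RULES:
        return "allow", f"{d} flow matches an allow rule"
    return "deny", f"{d} flow not in allow list (default deny)"

def evaluate(flows):
    """Apply the policy to a batch of flows; return per-flow verdicts and a denial log."""
    verdicts, log = [], []
    for f in flows:
        verdict, reason = decide(f)
        verdicts.append(verdict)
        if verdict == "deny":
            log.append(f"DENY {f.proto} {f.src}->{f.dst}:{f.dport} ({reason})")
    return verdicts, log

# Constructed sample flows: two expected, three that the edge device should block
SAMPLE_FLOWS = [
    Flow("10.10.5.10", HISTORIAN, 4000),           # expected data push
    Flow(ENGINEERING_WS, "10.10.5.10", 5000),      # expected programming session
    Flow("10.10.1.99", "10.10.5.10", 5000),        # unknown host tries to program the machine
    Flow("10.10.5.10", "10.10.1.50", 445),         # machine reaching out to a file share
    Flow("10.10.5.10", HISTORIAN, 4000, "udp"),    # wrong protocol for the historian rule
]
```

Running `evaluate(SAMPLE_FLOWS)` allows the first two flows and logs the remaining three, which is the behaviour a real edge device would enforce with its packet filter.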
Deploying and then managing these edge computing devices is necessary, and they represent both an initial cost and ongoing maintenance/support costs. While these edge computing devices are an incremental cost to the business, losing significant production time to a security attack can be far more costly.
Another factor that differentiates the equipment on an OT versus an IT network is the cost and production impact of replacing older equipment. Manufacturing equipment tends to be used much longer than equipment found in the general business environment. It is not uncommon to find 20- and 30-year-old equipment in most facilities, whereas the typical office equipment is 3-5 years old or newer. In the office environment, the solution for older equipment that cannot support current networking and security standards is to replace it. In manufacturing, the costs associated with upgrading and/or replacing such equipment can be significant – often measured in tens or hundreds of thousands of dollars per device. Additionally, the disruption to production is another significant cost. Upgrading the electronics on a piece of equipment can easily be measured in days or weeks of lost production. Likewise, commissioning a new piece of equipment can also have a significant impact on production schedules. Deploying edge computing devices therefore becomes the default method for connecting older pieces of equipment to the OT network with no, or minimal, impact on production.
The OT network is the backbone of all digital manufacturing implementations – delivering increased productivity and cost benefits. However, as described in this article, there are significant differences in the approach and technologies needed to deploy a secure OT network – it isn’t just a matter of running Ethernet cabling to each machine. As companies move forward with their digital manufacturing strategies, it is important to recognize that most pieces of equipment can provide valuable information to the decision-making process. It is equally important to recognize that the OT network requires special consideration when connecting equipment in order to create an effective and secure environment.