The equipment connected to an OT network (manufacturing) is fundamentally different from the equipment connected to an IT network (office). That difference presents a whole new set of challenges for IT professionals who are asked to extend the business network onto the shop floor. The equipment is not the only difference they face. Many of the practices and procedures traditionally used to manage IT networks, and the security policies applied to those networks, conflict with the realities of the manufacturing shop floor.
For example, a common practice for managing an Ethernet-based network is to assign a specific range of IP addresses to the devices on the network, or a different range to each portion (segment) of the network. This makes several management tasks easier: identifying logical groups of equipment, applying security controls that govern the flow of traffic between segments, and distributing software updates automatically to the equipment attached to the network.
Implementing this practice means configuring each piece of equipment with a specific IP address, and that is a problem for some of the equipment found in a manufacturing environment. The controllers on newer machines generally support re-assignment of their IP address. Older equipment, which still makes up the majority of what is installed on the shop floor, either cannot have its address changed at all or can only be changed by interrupting the process running on that machine. For equipment whose address cannot be changed, the usual answer is to install an edge computing device that isolates the machine from the plant network; the edge device, not the machine, then becomes the managed device on the network. This works, but each edge device is an added expense.
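As an added worked example (constructed for this edit, not code from the original article), here is how the addressing decision above can be planned from an asset inventory in Python: controllers that can be re-addressed are renumbered into their plant segment, and fixed-address controllers are given an edge device that performs 1:1 NAT so the plant network only ever sees the edge device's address. The segment ranges, asset names and addresses are constructed, and the NAT rule text assumes a Linux-based edge box using the standard nftables ruleset syntax.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str          # plant-network segment the machine belongs to
    current_ip: str       # address the controller is configured with today
    readdressable: bool   # True if the IP can be changed without stopping production


# Constructed address plan: one /24 per shop-floor segment, .1 reserved for the router.
SEGMENTS = {
    "press-line": ipaddress.ip_network("10.20.1.0/24"),
    "paint-line": ipaddress.ip_network("10.20.2.0/24"),
}

# Constructed inventory. Two presses still carry the same vendor default address,
# which is why they cannot be put on a common plant segment without isolation.
ASSETS = [
    Asset("press-1-plc", "press-line", "192.168.1.10", readdressable=False),
    Asset("press-2-plc", "press-line", "192.168.1.10", readdressable=False),
    Asset("press-hmi", "press-line", "192.168.1.20", readdressable=True),
    Asset("paint-robot", "paint-line", "172.16.0.5", readdressable=True),
]


def shared_fixed_addresses(assets):
    """Fixed-address controllers that use the same IP. Each of these needs its own
    edge device; otherwise they would collide the moment they joined one segment."""
    by_ip = defaultdict(list)
    for a in assets:
        if not a.readdressable:
            by_ip[a.current_ip].append(a.name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def plan_addresses(assets, segments):
    """Give every asset a plant-routable address from its segment.

    Readdressable controllers are renumbered in place. Fixed-address controllers keep
    their own address on an isolated link behind a 1:1 NAT edge device; the edge
    device's outside address is what the plant manages, and the controller's own
    address never appears on the plant network.
    Returns (renumber, nat): lists of (name, old_ip, new_ip) and
    (name, outside_ip, inside_ip).
    """
    pools = {n: iter(list(net.hosts())[1:]) for n, net in segments.items()}  # skip .1
    renumber, nat = [], []
    for a in assets:
        try:
            outside = str(next(pools[a.segment]))
        except StopIteration:
            raise ValueError(f"segment {a.segment} is out of addresses") from None
        if a.readdressable:
            renumber.append((a.name, a.current_ip, outside))
        else:
            nat.append((a.name, outside, a.current_ip))
    return renumber, nat


def edge_device_nat_rules(name, outside_ip, inside_ip):
    """nftables 1:1 NAT for one edge device (assumed Linux-based). Traffic sent to the
    outside address is forwarded to the controller, and the controller's replies are
    rewritten so they appear to come from the outside address."""
    return "\n".join([
        f"# {name}: plant sees {outside_ip}, controller keeps {inside_ip}",
        "table ip nat {",
        "  chain prerouting {",
        "    type nat hook prerouting priority -100;",
        f"    ip daddr {outside_ip} dnat to {inside_ip}",
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f"    ip saddr {inside_ip} snat to {outside_ip}",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print("fixed controllers sharing an address:", shared_fixed_addresses(ASSETS))
    renumber, nat = plan_addresses(ASSETS, SEGMENTS)
    for entry in renumber:
        print("renumber %s: %s -> %s" % entry)
    for entry in nat:
        print(edge_device_nat_rules(*entry))
```

The NAT table is deliberately one table per edge device, because each device fronts exactly one controller; a single box fronting several controllers would need distinct outside addresses and a combined ruleset, and a filter table restricting which plant hosts may reach the outside address belongs alongside it.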
Whether or not a company re-addresses its equipment, the standard IT practices and procedures for deploying security software and operating system patches can cause serious problems for shop-floor equipment. Any machine that is not isolated from the plant network by an edge computing device is reachable by, and therefore exposed to, whatever software updates are pushed across that network.
Many pieces of networked equipment do not run a standard PC-style operating system. Security software cannot be installed on them, so each such machine has no local protection of its own. Its security is delegated to higher-level controls, typically placed at the boundary of the network segment, that manage security for the whole segment. Boundary controls do not see traffic between machines inside the same segment, so these systems remain exposed to risks that originate from system-to-system communication within the segment.
Other equipment does run a standard PC-style operating system. Even so, installing additional software or updating the operating system may be incompatible with the control system on that machine, and the impact varies widely from one control system to the next. For systems built around a specific hardware/software configuration, the impact is usually immediate and obvious: the system simply stops working. Beyond the lost production, this can mean significant downtime, because rebuilding such a system to its original configuration is difficult and slow. Companies typically have backups of the application software, but the operating system itself is usually not backed up, many of these older operating systems are no longer commercially available, and the tools (disk drives, floppy drives, and so on) and media needed to reinstall them are no longer available either. A routine software push can turn into a major headache for the business.
The other significant scenario is a software update that does not break the system outright but degrades its performance. The change may not be obvious right away, yet the long-term hit to productivity can be substantial. These cases are hard to spot quickly and may only surface when longer-term production data is analysed, which is why production metrics such as cycle time should be baselined before an update and watched afterwards.
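As an added example (constructed for this edit, not part of the original article), the following Python shows the kind of check that catches this case from longer-term production data: a one-sided CUSUM over daily average cycle times, using the pre-update days as the baseline. The cycle-time series, the update day and the throughput figure are all constructed; the first two post-update days look normal on purpose, so a spot check right after the push would have passed while the cumulative check flags the shift a few days later.

```python
import statistics

# Constructed daily average cycle times (seconds) for one machine: 20 days before a
# network-pushed software update and 15 days after it. The first two post-update
# days look normal; the slowdown only emerges afterwards.
BEFORE = [41.8, 42.1, 42.0, 41.9, 42.2, 42.0, 41.7, 42.3, 42.0, 41.9,
          42.1, 42.0, 41.8, 42.2, 42.0, 41.9, 42.1, 42.0, 42.2, 41.8]
AFTER = [42.0, 42.1, 42.5, 42.7, 42.6, 42.8, 42.5, 42.7, 42.9, 42.6,
         42.8, 42.7, 42.6, 42.9, 42.7]


def baseline(samples):
    """Mean and sample standard deviation of the pre-update period."""
    return statistics.mean(samples), statistics.stdev(samples)


def relative_shift(before, after):
    """Fractional change in mean cycle time after the update (positive = slower)."""
    b, a = statistics.mean(before), statistics.mean(after)
    return (a - b) / b


def cusum_alarm_index(samples, mean0, sigma, k=0.5, h=5.0):
    """One-sided upper CUSUM. Accumulates how far each day runs above the baseline
    mean (less an allowance of k*sigma) and alarms once the sum exceeds h*sigma.
    Returns the 0-based index of the first alarm, or None. Day-to-day noise never
    accumulates; a sustained shift of a fraction of a sigma per day does."""
    allowance, threshold = k * sigma, h * sigma
    s = 0.0
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - mean0 - allowance))
        if s > threshold:
            return i
    return None


def days_after_update_until_alarm(before, after):
    """Run the CUSUM over the whole series with the pre-update baseline and report
    how many days after the update it first flagged. None means no detectable
    slowdown; a negative value means the baseline period itself was unstable."""
    mean0, sigma = baseline(before)
    idx = cusum_alarm_index(before + after, mean0, sigma)
    return None if idx is None else idx - len(before)


def lost_parts_per_year(before, after, parts_per_day_before, days_per_year=250):
    """Annual output lost to the slowdown if nothing is done, assuming throughput
    scales inversely with cycle time (constructed throughput figure)."""
    shift = relative_shift(before, after)
    return parts_per_day_before * days_per_year * (1 - 1 / (1 + shift))


if __name__ == "__main__":
    mean0, sigma = baseline(BEFORE)
    print(f"baseline cycle time {mean0:.2f}s, sigma {sigma:.3f}s")
    print(f"mean shift after update: {relative_shift(BEFORE, AFTER) * 100:.2f}%")
    print("CUSUM alarm days after update:", days_after_update_until_alarm(BEFORE, AFTER))
    print(f"parts lost per year at 2000/day: {lost_parts_per_year(BEFORE, AFTER, 2000):.0f}")
```

The allowance k and threshold h are the conventional CUSUM settings of half a sigma and five sigma; lowering h makes the check react sooner at the cost of more false alarms on a noisy baseline, so tune it against the baseline period, which should produce no alarm at all.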
The OT network is the foundation of any digital manufacturing infrastructure. IT professionals working in the OT environment must fully understand the characteristics of the control system on each machine on the shop floor, and the effect that applying network security policies and software maintenance procedures will have on those control systems. What works in the office will most likely not work on the shop floor without modifications that accommodate the different types of equipment.
Ideally, from an IT perspective, the shop floor would look just like the office. For that to be true, every machine would either have to behave like an office PC or be isolated behind a device that hosts the network security functions on its behalf. In practice that is not realistic, both because of the kinds of equipment manufacturing requires and because of the cost of putting an edge computing device in front of every machine. The most practical approach to securing an OT network is therefore to adapt traditional IT practices and procedures to the unique environment of the shop floor.