IT-OT Convergence and Cybersecurity – New Landscape Necessitating New Approach

This article was published in Global Systems Integrator Report (GSIR) on December 13, 2021 (Print Version).

In a PwC 2021 CEO Survey, more than 80% of surveyed CEOs expressed plans to increase investments in digital-driven transformation, and two thirds of these CEOs also plan to increase investments in cybersecurity. According to some studies performed by the World Economic Forum and McKinsey, digitizing operations can unleash considerable value in the form of factory output increase, productivity increase, overall equipment effectiveness (OEE) increase, product cost reduction, operating cost reduction, quality cost reduction, energy efficiency, inventory reduction, time-to-market reduction, and more. The set of advanced digital technologies at a manufacturer’s disposal includes robotic process automation, the Industrial Internet of Things (IIoT) connecting cyber-physical systems, cloud computing, advanced analytics, machine learning (ML) / artificial intelligence (AI), and so on. Implementing some or all of these technologies would propel a manufacturer into Industry 4.0. Cybersecurity, however, remains a key consideration in an organization’s digital-led transformation journey. This new IT-OT converging world presents new opportunities for system integrators that require building new competencies, experimenting with new business models, and changing their mindset.

According to experts, increased interconnectedness between information technology (IT) and operations technology (OT), and digital collaboration across a supply chain, can reduce operational costs by as much as 30% and reduce inventory requirements by 70%. So far, however, these systems have been addressed in a siloed manner. As figure 1 illustrates:

Area I: Plant automation is addressed by OT teams, and preferred to be highly segmented if not air gapped. Automation system integrators have been active in the design and implementation phase within this domain.

Area II: Building automation is typically designed, configured, and managed by building automation vendors, system integrators, and facility management teams respectively.

Area III: In most organizations, cybersecurity is managed by a centralized team and is heavily focused on the Security Operations Center (SOC). Because OT assets are special-purpose systems, they are either excluded from the scope or managed only at the network/DMZ level. Many organizations, especially small and medium-sized enterprises, outsource the bulk of cybersecurity activities to third-party managed security service providers (MSSP).

Area IV: A centralized IT network engineering, administration, and monitoring team tends to manage all aspects of the enterprise IT network. This team’s scope has traditionally excluded OT except for ensuring that the required speed and bandwidth are always available. Many small and medium-sized manufacturers rely on third-party managed services providers (MSP) for some of these services.

Area V: IT organizations typically lead procurement, implementation, and lifecycle support of various business software applications as per business or functional requirements.

Figure 1: IT-OT Convergence Opportunity in Industry 4.0

Organizations have successfully extracted available value from a narrow functional focus. The next frontier of opportunity lies in the digital-driven transformation that bridges organizational silos. For example, remote health monitoring and diagnostics of the highlighted robotic arm (figure 1) can increase OEE by enabling faster detection and resolution of maintenance-related matters. Instrumentation and built-in test (BIT) capabilities included in the robotic arm can continuously deliver health-related data to the cloud through the enterprise network. A remote engineer can monitor the health and performance of the robotic arm via advanced analytics and decision support software that uses the continuously collected data in the cloud and the maintenance history from the maintenance management system. This application represents the converging IT and OT environment as shown below in figure 2. Remotely controlling some system parameters can also be feasible in a low-risk environment. Cybersecurity in this application requires considerations in both IT and OT domains. For example, both vulnerability management of the OT system and authentication as well as access management through the enterprise network are important. Human factors, such as knowledge of cybersecurity best practices while configuring and operating the system, shouldn’t be ignored. After all, more than 65% of cyber incidents in the manufacturing sector involved some form of human factor and as many as 55% of cyber incidents involved a trusted party such as an insider or a partner.

Figure 2: Value Realization through IT-OT System Integration

Despite all the potential, a McKinsey study indicates that as many as 70% of digital-driven transformation pilots in manufacturing companies fail to capture their anticipated value. Key reasons include integration challenges in a heterogeneous environment, overemphasis on technical capability demonstration as opposed to business value delivery, and insufficient attention given to change management aspects.

Integration challenges in a heterogeneous environment:

A typical medium-sized plant can have as many as 300 pieces of equipment with different hardware and software platforms and networking capabilities. Digital-driven transformation in such an enterprise may need to integrate not only this equipment but also other applications such as the maintenance management system, manufacturing-execution system (MES), product lifecycle management (PLM) system, enterprise resource planning (ERP) platform, equipment manufacturers’ value-added services applications, customer relationship management (CRM) platform, and more. The different interface protocols and lifecycles of this equipment and these applications and platforms often make integrations challenging. While each integration point can bring some value, it also adds cost and introduces security-related risk as shown in figure 3. Because the security risk can significantly outweigh the value of the integration, the full lifecycle management cost of each integration point, inclusive of interoperability and cybersecurity risk management, should be considered against its value in the business case. Missing an element of cost, risk, and value in a business case can lead to a decision made for an environment that differs from the actual situation on the ground. Insufficient engagement from various stakeholders during the pilot business plan development and implementation often leads to disparities between expectations and pilot outcome.

Figure 3: ROI-minded Integration Decision in Digital Transformation Strategy

Overemphasis on technical capability demonstration vs. business value delivery:

A pilot implementation decision is often championed by a functional leader with hopes of persuading the rest of the organization to adopt an enterprise-wide roll-out. While labeled as pilots, many such implementations are in reality no more than technical capability demonstrations, that is, proofs of concept. From the initial stages, they lack sufficient involvement from cross-functional stakeholders. They also lack formal business plans that include all elements of lifecycle cost and expected “net” value. For example, the remote monitoring and diagnostics pilot highlighted earlier would likely be championed by an OT leader. In the absence of sufficient involvement from IT and cybersecurity teams, many critical cost and risk elements could be missed while developing the pilot architecture. A possible outcome could be an architecture that is technically feasible but of little commercial value. Hence, a good pilot would often follow a proof of concept, involve all stakeholders in planning, implementation, and operational phases, and track cost as well as business value against the business plan.

Insufficient attention given to the change management aspects:

An outcome of almost all digital-driven transformations is a change in stakeholders’ job responsibilities – addition, change of scope, or elimination. For example, a SOC analyst may now have to monitor additional applications, devices, or integrations; an engineer may now have to learn new remote diagnostics software; a business process automation may eliminate the need for a full-time headcount and turn that role into an on-demand contractor. Not incorporating change management aspects in the planning phase can severely impact the outcome. While organizations know the importance of change management from their experiences in implementing systems such as ERP or CRM, they often miss these aspects in smaller digital-driven transformation initiatives.

Thus far, this article has purposefully sprinkled cybersecurity considerations in the broader IT-OT convergence and digital-driven transformation discussion. Cybersecurity is a key enabler of digital-led transformation. Cybersecurity efforts should be led in a programmatic manner using an enterprise-wide framework while requiring cross-functional engagement. All stakeholders, including system integrators, have a role to play within that framework and must support the broader organizational strategy.

The challenges outlined above of managing the IT-OT converging environment create new opportunities for system integrators, as shown in figure 4. A significant portion of a typical system integrator’s revenue comes from automation implementation services. In that context, system integrators have the opportunity to establish themselves as a trusted partner with not only OT but also IT teams by demonstrating “design for cybersecurity” as a practice in their implementation services; they should align with both industry and their clients’ cybersecurity frameworks. They can include cybersecurity aspects in system operations training after each implementation project to support change management. Engineers within system integrator organizations can contemplate obtaining cybersecurity-related certifications and developing an understanding of relevant industry standards.

Figure 4: New Opportunities and Cybersecurity Considerations for System Integrators

Manufacturing enterprises can certainly benefit from having lifecycle support services at affordable rates that guarantee uptime of the integrated system(s). Many IT systems integrators have begun to offer business process as a service (BPO) by taking on risk to deliver the expected value via a contract. Such models have also found their way into the OT side. For example, an aircraft engine manufacturer outsourced a handful of business processes within its remote monitoring and diagnostics operation. These opportunities, however, require a new set of competencies and business models. More importantly, they require a mindset shift as outlined in figure 5. System integrators would take on broader cybersecurity-related risk under these new models. Whether they decide to implement cybersecurity strategies within their own operations or to support their clients’, they should consider adopting an ROI-mindset – the cost to reduce $1 of risk!

Figure 5: New Mindset for New Opportunities

System integrators have played a pivotal role in supporting manufacturing enterprises to gain productivity from industrial automation over the last few decades. They are faced with an opportunity to support these organizations again in their digital-driven transformation journey by helping them address tough challenges involving interoperability, network reliability, and cybersecurity. Some may seize a bigger share of the opportunity by reinventing themselves and adapting to an innovative business model. Irrespective of the approach, they will have to live up to their brand of being “integrators” by not only integrating systems but also teams. Yes! That is by being a bridge between the IT and OT teams through new IT-OT capabilities and services.

ResiliAnt has developed proprietary platforms to help organizations manage their IIoT/OT, enterprise, and supply-chain cybersecurity. If you have interest in learning more about ResiliAnt’s solution, you can reach us at