Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Digitalization: Time for Some Straight Talk in the OT/ICS Community

Digitalization is not a new topic. It’s been more than an idea for several years now. Whether it is specifically called Digitalization, Industry 4.0, Smart Plants/Facilities/Cities, or discussed in terms of the enabling technologies, such as industrial internet of things (IIoT) devices, 5G wireless communications, or Big Data isn’t really important. What is important are what is driving it, the implications (both positive and potentially negative), and what the OT/ICS (operational technology and industrial control systems) community should be doing about it.

If you talk to a C-level executive from a leading industrial organization, you will most likely hear that digitalization is all about creating new customer value, increasing the pace of innovation, and improving profitability and efficiency. But what is really meant behind these high-level objectives? For sure, these same executives consider their digitalization strategies among their top corporate priorities and so they are fairly guarded about the specifics. For example, at a recent industry conference, the CIO from a major chemical company (who is also the company’s chief digital officer) said they used to view themselves as a chemical company that does digital projects and now they see themselves as a digital company that does material science. Other companies tout how they have created digital collaboration centers, but again they don’t usually give specifics on exactly what projects are being implemented. At some level, digitalization seems more of a mindset than anything and actual use cases are rare in the public dialog. So, let’s start with a definition of digitalization and a few potential use cases.

Digitalization Defined and Some Use Cases

Gartner defines digitalization as “the use of digital technologies to change a business model and provide new revenue and value-producing opportunities; it is the process of moving to a digital business.”1 This definition is okay, but leaves me wanting as a 30-year practitioner in industrial operations. I would define it this way: digitalization is the use of digital technologies and digitized data to adapt how work gets done, transform how customers and companies can engage and interact, and create new technology-driven revenue streams. This is in contrast to a simpler concept of digitization, which the automation industry has been doing for years, by converting analog signals into data used to improve process safety, reliability, and profitability.

For some use cases, let me illustrate how each of the three digital technologies mentioned aboveIIoT, 5G, and Big Datacan be combined to support multiple industrial digitalization use cases. In an industrial facility, many of the devices today are connected via hard-wired networks. In most cases, these are older Ethernet-based networks with systems communicating via proprietary protocols. For offshore facilities, they are often using slower satellite-based or microwave communications. With 5G communication access points across plants and connecting offshore sites, the number of IIoT sensors across an industrial process has the potential to expand exponentially from the number of sensors typically in place today, enabling more fine-grained visibility into process activity, performance, and potential safety concerns. The bandwidth of these communications will also be significantly greater (gigabit Ethernet-level speeds). This will greatly expand the ability to leverage this data in real-time and enable an increase in remote operations, thereby reducing cost and safety risk with fewer onsite personnel. All of this data will now be able to move more freely and rapidly up to corporate systems, such as cloud-based data lakes, which will enable increased visibility for big data scientists and business analysts to iterate faster and with more in-depth process simulators, supply chain forecasting models, and response models for market price fluctuations. Taken a step further, organizations might also consider “closing the loop” by directly affecting change to production based on these new analytical capabilities (although, I think we are still quite a way off from that due to the risks).

Now you may be reading this and saying, “This sounds more like an evolution vs. some completely fundamental change in how we are doing things.” And you’d be right. That is the casetoday. The increasing digitalization of industrial operations will unlock new potential, starting first with projects and use cases that extend our current ideas and thinking, but, over time, will enable us to embark on initiatives that we have yet to imagine. This is why the C-suite is so eager to drive digitalization forward, because they understand that it represents a potential existential threat to their organizations if their competition is harnessing the potential and they are not.

It’s Not All Benefits & What We Should Do About It

What should be self-evident based on the discussion above is that the interconnectivity of OT, IT, and wireless communications is on its way to becoming completely intertwined, a mesh network of devices with data being fed across corporate and third party provider networks. This means the cyberattack surface is expanding dramatically along with the complexity to manage this hyperconnected network. That is the ideal scenario for malicious actors, whether they are intellectual property thieves, nation-states spies, ransomware seekers, or others who wish to do harm to industrial organizations and the countries whose critical infrastructure they support.

There are 5 specific things I recommend every industrial organization should be doing about this right now:

  1. Build a comprehensive inventory of your control systems down to the detailed software, hardware, and version levels running in each device and supporting componentso you can assess and remediate current and future vulnerabilities;
  2. Build a relationship dependency map across your control system devices and how they connect to existing corporate networksto segment your network topology, isolate and/or apply additional security controls to critical systems, and analyze risk vectors as you add 5G and IIoT devices;
  3. Document your control system configurations so you can assess any deviationsbecause it is a configuration change that turns a breach into a process-impacting cyber incident;
  4. Monitor your OT data health as it flows from sensors and other Level 0 devices to historians and corporate data lakesso you can reduce the risk of decisions being made based on corrupted or manipulated data;
  5. Adopt one or more industry standards to help guide your risk evaluation and mitigation strategiesthe NIST cybersecurity framework and ISA/IEC 62443 are two I recommend.

And, finally, here’s one thing we should be doing as an OT/ICS community: we must educate senior-level decision makers about the potential risks of digitalization and not dismiss their calls to go digital as “chasing shiny balls.” The digitalization wave is here and we have a responsibility to support it for all the potential benefits it will bring and to avoid the risks that come with it.

1Gartner Information Technology Glossary, accessed March 6, 2020

Mark Carrigan, PAS Global
Mark Carrigan, PAS Global
Mark Carrigan is the chief operating officer at PAS Global. He invites this article's readers to connect with him on LinkedIn.

Related Posts

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

Practical Insights for Implementing Control System Security

Introduction In this blog post, we’ll share practical insights from operational experience in managing cy...
Pinakin Gokhale Nov 29, 2024 7:00:00 AM