We’ve all seen the headlines: SolarWinds hacked and ransomware attack at Colonial Pipeline. No one wants to find their network in that position.
It can be a bad actor with malicious intent, as in the SolarWinds situation, or an unintentional internal threat. Either way, your network is down, and no one is happy.
The question often remains: how do you bridge the gap between OT and IT?
From our colleague James Powell of JCOM Automation, here is your primer, a downloadable PDF: The Convergence of OT and IT from a Diagnostics Point of View.
Here are a few highlights from the whitepaper.
The change from proprietary to open protocols and the introduction of IT has had a massive effect on how people maintain and troubleshoot their systems, including what diagnostics are available and how they are handled. This paper will examine how this has developed over time and how it has addressed or not addressed end users' needs.
ProfiTrace is almost the perfect OT troubleshooting tool. The only problem was that it could not look back in history and see what happened on the network before you plugged it in. You had to wait for the problem to occur again. That is why PROCENTEC developed COMBRICKS, a permanent monitoring system with built-in ProfiTrace. This product is a maintenance person’s dream come true. It sits on your network 24 hours a day, seven days a week, every day of the year and records what is going on. When you get a call that the operator thinks that something is wrong, you can quickly log on and see everything you need to know.
As soon as OT started using Ethernet, IT started getting involved. Many IT departments believe that anything with an Ethernet port belongs to them. As we will show in this chapter, getting IT involved is a good thing. Having them as owners may not be the best option.
The requirements of OT compared to IT are vastly different (here are 3 of 9):
- Packet delay is important for IT, but not like it is for OT. A one second delay in IT is not a problem. In OT, a 100ms delay can mean disaster.
- IT has had to deal with network security for a long time. OT, not so much. For most of the time that OT has existed, any network that they used was so specialized and removed from the public that they were secure by default – how can you hack what you cannot get to or see? With the Ethernet-based industrial protocols, this situation has changed. Security is perhaps the most significant opportunity for IT to help OT.
- Updates are handled differently. Since IT has been so concerned with security in a wide area network world, rolling out security patches as they come out has become very common in IT. On the other hand, OT likes to get a network/system working perfectly and then make no changes. A software update is viewed as a potential source of bugs that might disrupt the factory/plant. Therefore, any software update must be rolled out very carefully in OT.
Reviewing Ethernet troubleshooting tools for OT, James divides them into three categories:
- Packet sniffers
- IT tools
- OT tools
From the OT Tools section:
- Osiris has Delphi, a digital assistant who shares PROCENTEC’s 20 years of network troubleshooting knowledge. I think of it as help on steroids. In other words, we are talking about help that actually helps you. Both netIOT and INspektor have some help built into the software, but as near as I could tell, they were ‘normal’ help. This comment is really more of a compliment to Delphi than a negative to netIOT and INspektor. Delphi’s help is quite exceptional, based on my experience.
- Osiris and netIOT support PROFINET, EtherNet/IP, Modbus TCP and standard Ethernet. INspektor supports PROFINET and EtherNet/IP but not at the same time.
IT has a lot to offer OT. However, OT and IT have very different requirements.
OT needs to know:
- Who is on the network
- Has anyone joined or dropped off the network
- Any packet losses
- What are the update times and jitter
- What is the network loading
- Any diagnostic messages
Many monitors on the market will provide this information. It is best to use one specifically designed for OT since IT and OT have different objectives. The monitors can provide both active and passive monitoring. It is up to the end-user to decide what type they want or if they want both.
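To make the passive side of that list concrete, here is an added example (not taken from the whitepaper or from any of the products named) that derives packet loss, worst update time, jitter and join/drop events from captured cyclic frames. It assumes each frame carries a per-frame sequence counter and that a commissioned device list exists; the MAC addresses, the 4 ms cycle and the sample frames are constructed.

```python
from collections import defaultdict

# Constructed sample of passively captured cyclic frames, not real traffic:
# (arrival time in ms, source MAC, sender's per-frame sequence counter).
A, B, NEW = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
FRAMES = [
    (0.0, A, 10), (4.0, A, 11), (8.1, A, 12), (16.0, A, 14), (20.0, A, 15),
    (1.0, B, 7), (5.0, B, 8),
    (2.0, NEW, 1), (6.0, NEW, 2),
]
KNOWN = {A, B}  # commissioned device list (assumed to come from the asset inventory)


def device_stats(frames, cycle_ms, counter_bits=16):
    """Per-device loss, worst update time and jitter from a passive capture."""
    by_dev = defaultdict(list)
    for t, mac, ctr in sorted(frames):
        by_dev[mac].append((t, ctr))
    stats = {}
    for mac, seen in by_dev.items():
        pairs = [(b[0] - a[0], (b[1] - a[1]) % (1 << counter_bits))
                 for a, b in zip(seen, seen[1:])]
        # A counter step of n means n-1 frames never arrived (wrap-safe).
        lost = sum(max(step - 1, 0) for _, step in pairs)
        # Jitter: worst deviation from the configured cycle, judged only on
        # back-to-back frames so a lost frame is not counted twice.
        dev = [abs(dt - cycle_ms) for dt, step in pairs if step == 1]
        stats[mac] = {
            "lost": lost,
            "max_update_ms": round(max(dt for dt, _ in pairs), 3) if pairs else None,
            "jitter_ms": round(max(dev), 3) if dev else None,
            "last_seen_ms": seen[-1][0],
        }
    return stats


def membership(stats, known, now_ms, silence_ms):
    """Devices not on the commissioned list, and known devices gone silent."""
    joined = sorted(set(stats) - set(known))
    dropped = sorted(m for m in known
                     if m not in stats or now_ms - stats[m]["last_seen_ms"] > silence_ms)
    return joined, dropped


if __name__ == "__main__":
    s = device_stats(FRAMES, cycle_ms=4.0)
    print(s[A], membership(s, KNOWN, now_ms=20.0, silence_ms=12.0))
```

An unexpected entry in the joined list is the security-relevant signal here: a station that was never commissioned is talking on the control network.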
Osiris by PROCENTEC is currently leading the market for Industrial Ethernet monitors. With all Ethernet monitors, having an educated staff is key to their successful deployment.