- By Christopher Logue
- IT and OT personnel have often been at odds in process manufacturing plants and facilities.
- Industry 4.0 and the IIoT force IT and OT to work together, which can be difficult.
- New tools and techniques foster improved working relationships between the two groups.
Many in OT view IT moving into process plants as a good thing due to Industry 4.0, IIoT, and other initiatives
Much of the discussion about the development of Industry 4.0 has concentrated on discrete industries. Manufacturers of all sorts of products, from cars to shoes, are discovering how integrating the entire manufacturing process, from design to aftermarket service, can be supported by one all-encompassing digital system. When applied well, these concepts are possible and very effective, but companies find there is much to learn when trying to implement them.
So, what is the situation with process manufacturers? What does Industry 4.0 mean to a refinery or fine chemical producer? Automakers show how a consumer can use a website to order the desired combination of options and have the car made exactly as specified with everything carried out automatically. How are such concepts relevant to a continuous processor or even batch manufacturer, with industrial customers instead of consumers?
Moving manufacturing in these directions may not be practical or even desirable in process industries. At the same time, the ability to create more comprehensive and integrated digital platforms to support production is very compelling. The connected enterprise elements of Industry 4.0 can be adapted and applied for process manufacturers. However, implementation has its challenges, and one of the most serious is how it drives the integration of existing plant automation systems and networks with business networks. This is the integration of corporate networks and plant networks, also known respectively as information technology (IT) and operational technology (OT).
These two sides have traditionally been separated, perhaps not like oil and water, but they have had their own domains, responsibilities, and ways of doing things. IT responsibilities center around corporate functions and business applications. Technologies and platforms need to stay up to date so the latest cybersecurity and enterprise analytical tools can be used.
OT responsibilities concentrate on keeping manufacturing running safely, reliably, and efficiently. Technology can bring a variety of benefits, but there needs to be a good reason to change something that works.
The responsibilities of network managers of all stripes have been defined by three main areas of concern, which can be arranged into "triads" indicating relative levels of priority (figure 1).
1. network availability
2. system integrity
3. data confidentiality
IT managers tend to stress number three as paramount because of the criticality and sensitivity of company and customer data. System integrity is important to maintain, but if it is necessary to interrupt network availability to install a patch or make some other modification, it can be done within reason. Some contend this characterization is an oversimplification. They point out how availability can be enormously important for networks handling financial transactions and the like, but even these types of networks can be shut down for extended periods after hours and on weekends.
OT managers, on the other hand, do generally stress number one above the others, although two and especially three are not the distant followers they once were. Availability is necessary to keep production running, which is clear enough. Maintaining a high degree of system integrity is necessary to support availability, so those two priorities are linked.
Data confidentiality and cybersecurity long took a back seat. It was assumed, or at least hoped, that the relative isolation and proprietary peculiarities of manufacturing networks provided some protection: the old security-by-obscurity argument. The data that could be captured by a hacker would be effectively indecipherable anyway. This has changed with the realization that cybercriminals can disrupt networks and hamstring manufacturing, whether they are trying to steal data or not.
Although the IT and OT triads still have their differences, they are not as pronounced as they used to be. Nonetheless, each department tends to be evaluated against its own set of success metrics. For IT:
- data security
- risk reduction
- cost savings
- data visibility
For OT, it is more about production:
- overall equipment effectiveness
- operational safety
- production uptime and availability
- product quality
Putting aside differences
So, when the two areas work together, what are the biggest adjustments that have to take place? To begin with, "working together" means IT people moving into the plant. Such togetherness is often imposed on the OT folks, like a shotgun wedding. Situations where individuals from the plant are brought in to work in IT are far rarer; OT stays off the carpet. OT tasks are more specialized and there are generally fewer of those people.
When IT people come into the plant for the first time, they are usually shocked by what they find. Many of the younger technicians have never seen some of the technologies they encounter. "This computer is still running Windows XP." "Where do I find a driver for a dot-matrix printer? I do not even know what that is." "What's Modbus?" "Is everything this old?"
Once the initial shock has worn off, the OT guide may have to restrain some of the new person's enthusiasm. "We can't replace that Windows XP machine, because the software on it is necessary to run this part of the production unit. It was developed by vendor X and has never been updated to run on later versions of Windows. If you update the OS, it won't work correctly anymore, and this part of the production will stop. We haven't rebooted this computer in four years, so don't touch it."
The OT guide will also have to remind the new person how interconnected things are in the plant, and how changing something in one area can ripple through and affect others. Gradually IT technicians begin to see and understand their actions in a larger systemic context rather than thinking of each task in isolation. The notion of how a change might affect safety or production will, hopefully, begin to sink in, and the larger picture will take shape.
Going in unarmed
For many IT technicians, moving into the plant means leaving their favorite networking tools behind. While standard security techniques, such as switchport security and intrusion detection on the backplane, are common approaches on corporate networks, they might not work in the plant. Switches may be configured to work with specific equipment and have specialized scan rates, throughput, or other settings. Changing something may interfere with a controller talking to a workstation.
Although not optimal for working with defensive strategies, leaving part of the network in a suboptimal state may have to suffice until a more comprehensive solution can be found. These situations demand balance and require working with all the stakeholders to avoid making a network more secure but unable to perform its primary function.
Once IT technicians have spent some time in the plant, they might be assigned a specific task that will mean using their new knowledge to find and extract some low device-level network data. Say the task is to create a soft sensor, using data from a group of five process instruments installed in a production unit to support calculating a value that can be used to help optimize the process. The instruments are all installed and operating, so the assignment is simply finding a way to extract the relevant data streams, so they can be sent to a controller with the new analytical algorithm. However, in the OT world things are not always as simple as they seem.
What's all this analog stuff?
The IT technicians begin to examine the situation and find that it is complex:
- The instruments are all in place and connected to the distributed control system (DCS) I/O cards, sending their information continuously.
- The DCS was installed almost 20 years ago and uses standard dumb analog I/O, meaning all the instruments for the project are communicating using conventional 4-20 mA current loops.
- The DCS has a historian that was added about 10 years ago, and it serves as the main interface for connections to the corporate network. However, data streams from these specific instruments are not captured individually.
- The historian is not easy to modify, so it is not available to serve as the means to provide data for this project.
- The instruments themselves are working just fine, so there is no interest in upgrading them.
So, what does our IT team do? What does a signal of 17.54 mA even mean? The standard IT tools simply do not apply in this situation, so there is no way to talk to those instruments. What mechanisms are practical or even available to capture data from these five instruments?
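What a reading such as 17.54 mA means depends on the range the transmitter is configured for. The sketch below is an added example, not part of the original article: it maps loop current to percent of span and engineering units, and refuses to hand fault currents to a soft-sensor calculation. The 0 to 250 range, the function names and the NAMUR NE 43 band limits are assumptions to confirm for each device.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# 4-20 mA "live zero" loop: 4 mA = 0 % of span, 20 mA = 100 % of span.
LIVE_ZERO_MA = 4.0
SPAN_MA = 16.0

# Signal bands per NAMUR NE 43 (assumed convention; confirm per device).
FAIL_LOW_MA = 3.6     # at or below: transmitter fault or broken wire
VALID_LOW_MA = 3.8    # 3.8 to 20.5 mA carries measurement information
VALID_HIGH_MA = 20.5
FAIL_HIGH_MA = 21.0   # at or above: transmitter signals a fault


@dataclass
class Reading:
    status: str                 # "ok", "fault" or "out_of_range"
    percent: Optional[float]    # percent of configured span
    value: Optional[float]      # engineering units


def interpret(current_ma: float, lrv: float, urv: float) -> Reading:
    """Map loop current to a value between the lower (lrv) and upper (urv)
    range values configured in the transmitter."""
    if current_ma <= FAIL_LOW_MA or current_ma >= FAIL_HIGH_MA:
        return Reading("fault", None, None)
    if not (VALID_LOW_MA <= current_ma <= VALID_HIGH_MA):
        return Reading("out_of_range", None, None)
    fraction = (current_ma - LIVE_ZERO_MA) / SPAN_MA
    return Reading("ok", fraction * 100.0, lrv + fraction * (urv - lrv))


def soft_sensor_inputs(currents_ma: Sequence[float],
                       ranges: Sequence[Tuple[float, float]]
                       ) -> Optional[List[float]]:
    """Return engineering values for every input, or None if any input is
    unusable, so a fault current is never computed on as if it were data."""
    readings = [interpret(c, lo, hi) for c, (lo, hi) in zip(currents_ma, ranges)]
    if any(r.status != "ok" for r in readings):
        return None
    return [r.value for r in readings]


# Constructed sample: 17.54 mA on an instrument ranged 0 to 250 (assumed).
SAMPLE = interpret(17.54, 0.0, 250.0)   # 84.625 % of span
```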
One possibility emerges: something called a highway addressable remote transmitter, or HART. It is a new one for some technicians, but it means there is a digital signal superimposed on top of the analog signal. Digital sounds more promising than analog, but it is a long way from Ethernet. It is still a different protocol, and there is no mechanism to talk to the instruments. Or is there?
All the instruments involved here have HART capability, but the I/O for the DCS cannot handle this protocol, so it is no help at all. Still, there are mechanisms that can capture the HART data externally without affecting the basic performance of the instruments. Wired solutions are cumbersome and costly due to the cabling necessary to make the connections and the code written to operate them. The budget and schedule for this project will not cover such an approach.
Applying newer tools: WirelessHART
A more recent technology, developed after these devices were installed and operating, is WirelessHART. It can carry all the data, including primary and additional variables, diagnostic data, and configuration mechanisms. These instruments have no wireless capability, but a WirelessHART adapter (figure 2) can be added to send all the information via a wireless signal without interfering with the basic wired connection to the DCS. Nothing about the existing setup has to change.
These wireless adapters communicate with a gateway, which captures the data and sends it wherever it needs to go using a wired Ethernet connection. Finally! Something an IT person can relate to. Here is a bridge to span the chasm between these two analog and digital worlds, and it can be done painlessly and without high cost or installation hassles.
Many plants already have a WirelessHART network infrastructure in place (figure 3), and it can operate without interfering with wireless Ethernet networks in the same space. In fact, there are wireless Ethernet routers that include radios to communicate with WirelessHART transmitters in addition to wireless Ethernet (figure 4). These two protocols are different, but they can work side by side very easily, with each supporting its respective types of devices.
These multiprotocol routers are simple and economical solutions that combine plant and field networks into a seamless architecture. The IT team can now use something familiar to quickly enable technologies that the OT team can implement to better meet their success metrics of improving productivity, safety, and operational efficiency. The routers also have world-class security and data reliability. Next-generation versions of these routers in development will bring even more capabilities and flexibility around implementation.
These types of communication make many Industrial Internet of Things (IIoT) implementations possible and practical. When IP-based networking extends farther through the levels of plant networks, and protocols such as WirelessHART can reach individual end devices, a company can realize a true connected enterprise. The assignment to gather data from five process instruments can be accomplished in a week instead of months.
OT as legacy
Anyone watching the development of industrial automation technology over the past 15 years has seen many technological changes. The notion of proprietary equipment, unique operating systems, and networking strategies is rapidly disappearing. Therefore, OT is looking more like IT all the time, and to most, this is not a bad thing.
Where there used to be a gap between the two sides, now there is barely a line, and in some places, it is not even visible. IP-based networking strategies are being used for industrial applications as issues such as determinism get worked out. The ease with which WirelessHART and wireless Ethernet can interface and work together is a prime example.
This convergence helps mitigate one major challenge for process manufacturers: personnel. The number of people with qualifications and experience to work with older systems is rapidly declining, and, as mentioned earlier, younger engineers do not see a great future in learning systems as they are being phased out.
Automation suppliers are taking advantage of the change as well. A DCS offered today is far less dependent on specialized hardware. In some respects, the new systems are far more upgradeable than their predecessors, to the extent that a system migration may no longer be necessary. Just as a personal computer purchased today may have its operating system upgraded multiple times over its useful life, with more configurability via software, industrial automation systems can be incrementally improved more easily.
In the meantime, for the majority of companies, maintaining the old and new will continue. Smart individuals will realize the importance of keeping a foot in both camps and learning all they can about how everything works together. An IT professional who understands how manufacturing works and what is necessary to support it will have opportunities for some time to come.