Where IT and OT converge

Recommendations for building an IIoT-ready manufacturing network.

By Mike Bacidore, editor in chief

The promise of innovation is beneficial to customers and suppliers alike. And innovation is spilling over in the business environment that is cultivating and nurturing the Industrial Internet of Things (IIoT). The more enticing IIoT business outcomes include smart devices, smart machines and smart manufacturing, in which information technology (IT) and operations technology (OT) are able to leverage the intelligence that results from these evolutionary improvements.

“Right now, there are differences between OT and IT network infrastructures,” warned Gregory Wilcox, global technology & business development manager, Rockwell Automation, who spoke at the 2017 ODVA Industry Conference in Palm Harbor, Florida. “But, over time, you’ll see more similarities and fewer differences.”

Standard network technology and security services still differ considerably between IT and OT.

Standard network technology and security services still differ considerably between IT and OT. Network services for IT—simple network management protocol (SNMP) and low-latency data transfer (LLDT)—are pretty consistent. “If you look at the OT side, standards like SNMP or LLDT are sporadically or inconsistently deployed,” said Wilcox. “In the IT world, security is pervasive. Their focus is the confidentiality piece. In our world, it’s about productivity. EtherNet/IP is open by default.”


For those looking to create cloud gateways, there are many companies around the world that still have islands of automation. “The technology of choice is cellular,” said Wilcox. “You see that more and more around the world. Some companies have a fully blended IT and OT network. Or there’s connectivity by data diodes—one-way communication from the OT network up to the enterprise. Industrial demilitarized zones for industrial control are network-secure practices.”

Best practices for an industrial control system address key requirements for network infrastructure that includes scalability, reliability, safety, security and future-readiness. An application may be in place for decades.

The architecture can be used to create smaller connected LANs, which restore natural boundaries. The architecture should include key tenets such as smart endpoints, segmentation/zoning, managed infrastructure, resiliency, time-critical data, wireless mobility, holistic defense-in-depth security and convergence-ready solutions.

“We organize levels into functional zones,” said Wilcox. “Level 0 includes actuators, sensors, drives and robots. Level 1 is controllers, and Lever 2 is area supervisory control. Level 3 represents the highest level of the industrial automation and control system. The systems and applications that exist at this level manage plantwide functions. Levels 0 through 3 are considered critical to site operations and control. Levels 4 and 5 are data centers and enterprise networks.”

Zoning is based on the application environment. “In this concept of zoning, CIP security comes in,” explained Wilcox. “I’m creating smaller, Level 2 domains. It’s a great way to segment my domains into smaller levels of trust.” It also eliminates collisions if you have different vendor technologies.

“One size does not fit all,” warned Wilcox. “What’s sufficient for one customer may be insufficient for another. What are the application requirements? It comes down to the topologies—switch-level topologies, such as redundant star, ring and star/bus linear; and device-level topologies.”

Network address translation (NAT) enables controls engineers to reuse Internet protocol (IP) addresses and build system applications to integrate into a plantwide architecture, which requires unique IP addressing. NAT can be configured to translate only specific IP addresses from inside the application to the architecture, which also hides the inside IP addressing schema.

RELATED Report: 25 years of industrial networking

“OEMs like to clone their IP addressing,” said Wilcox. “Network address translation enables the reuse of IP addressing without introducing a duplicate IP address error. What do they have to do to make sure their solution is ready to be integrated? We recommend early and open dialogue on the OT and IT side.”

As deployment of wireless solutions continues to grow, equipment may roam across the industrial zone and associate to multiple access points. “There are lots of great use cases for wireless—static machines with moving parts; skids that are nomadic; continuous roaming capabilities such as AGVs; workforce mobility devices like tablets and smart phones,” said Wilcox. “We thought wired was the IT-OT battleground, but that was nothing compared to wireless. You have to worry about frequency spectrums.”

No single product, technology or methodology can fully secure control-system applications. “It requires multiple layers,” explained Wilcox. “Who are the characters? Controls engineers? IT personnel? How do I make sure I have tools in place to support the framework? I can do things physically for port security. There are things I can do electronically to disable a port.”