For industrial and manufacturing companies particularly, the Internet of Things (IoT) presents enormous opportunities — but also substantial challenges to integration with the siloed worlds of Information Technology (IT) and Operational Technology (OT).
In the past, IT systems tended to exist only on mainframes and servers that were locked inside organizations, based on a client-server architecture. As a result, they were relatively easy to protect, and CIOs focused primarily on the confidentiality of the information those systems contained.
In sectors such as manufacturing or power and utilities, heavy Operational Technology (OT) such as oil rigs, pipelines, mills, energy grids, factories and power stations existed in parallel with IT, and OT considerations centered on the availability of service.
Bringing IT and OT together is a complex proposition, and potentially contradictory, as each has different priorities: availability leads to a deprioritization of security, and with IoT the focus needs to be on confidentiality of all the data generated and transmitted — particularly acute now that previously closed systems are open to new vulnerabilities online.
Opening up to the world
Today, OT ranging from production lines to pipelines, as well as many finished products, has become IoT-enabled. In the new IoT landscape, virtually everything has, or can have, sensors on it. The value is locked in the integrity of the data coming from those sensors — feeding into analytics and offering the potential to infer trends, reduce operating costs, provide new and better services to customers, predict maintenance needs, and manage stock levels.
But the IT that supports OT has previously been isolated. In the IoT era, IT and OT are now becoming connected to the internet. This opens up many new opportunities: at one end, to reimagine the role and effectiveness of hardware and machinery, and at the other to rethink entire business models and move ever closer to customers.
So, the challenge facing CIOs, who oversee IT, OT and IoT, is in bringing these discrete worlds together in a way that maintains an acceptable level of integrity and confidentiality without compromising physical safety.
Balancing priorities and considerations
In the OT world, there has historically been a focus on a culture of safety, how to respond to a crisis and the preservation of life. Because access to a site was physically controlled, confidentiality was not prioritized once inside the boundary — in an isolated or secured site, everyone who is there is supposed to be there. For example, operatives on an offshore oil rig may have shared logon credentials — it being more important to enable them to run the platform than to have unique, frequently updated passwords. Contrast this with an office environment where people come and go, and screens (and the information they display) are visible to anyone who walks by — confidentiality is the priority in this IT context.
But, in an IoT context, remote OT sites no longer need to have engineers present — remote staff or even AI could log on and carry out tasks instead. Logon credentials, being exposed to the internet, are suddenly much more vulnerable to being accessed by a third party. And if there is a weak link in the security chain, the IoT can present real risks to human life.
As the IT, OT and IoT worlds increasingly overlap, it’s essential for CIOs to consider how best to balance the desire to harness IoT potential with the need to protect systems and the people that use them.
It’s up to CIOs to think about how to bring the worlds together effectively without creating yet more risk.
Legal disclaimer: The views expressed are those of the author only and do not represent the views of any of the member firms of Ernst & Young Global Limited.