“Information is the oil of the 21st century, and analytics is the combustion engine.”
– Peter Sondergaard, Senior Vice President, Gartner Research
Digital transformation (DX) promises increased competitiveness, optimized processes and profitability through big data, along with improved employee and customer relations. Gathering data is essential in the 21st-century data-oriented environment and requires flexible, interconnected components. Businesses will need people with the specialized skills to implement and optimize all of this. Beyond that, each firm will have to work with its unique DX plans and existing IT environment.
DX efforts are typically divided into three phases: digitization (transitioning from analog to digital data), digitalization (processing and analyzing digital data), and digital transformation (building on digitalization to optimize the business).
The first phase, digitization, can be impacted by dependence on legacy components, particularly within industrial control system (ICS) environments. The need to digitize information to move forward with DX efforts can create numerous challenges between IT and operational technology (OT) assets. For example:
Why isn’t everyone upgrading all their devices to realize the benefits of DX? There are many reasons. It’s hard to find practical guidance for planning and making DX decisions. Also, financial resources and the personnel to support upgraded components may be lacking. Within ICS environments, it’s difficult to validate the safety of upgraded devices, so another barrier is matching the level of trust people have in legacy components.
Trying to meet a firm’s DX priorities using legacy components can result in hybrid implementations that impact safety, availability and cybersecurity. For example, creating a bridged or multi-homed system that connects legacy components to the data collection infrastructures or cloud services might solve connectivity and data sharing issues (see Figure 2). However, this may negate the protections established by the network isolation and communication controls for protecting the legacy components.
Connecting legacy components to support DX data collection without impacting operational capabilities or safety requires careful planning. In some cases, a hybrid approach might work where devices send data to on-premises systems that reside in levels 2 and 3 of the Purdue Model, for example a data historian or edge system.
This can allow access to approved data streams without connecting directly to sensitive OT components or networks. Overall, finding the safest method to achieve DX goals while also protecting people, processes and technology is not easy and requires a collaborative effort between the IT and OT staff members.
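The two patterns described above can be checked against an asset inventory. The following is an added example, not part of the original article: the host names, segment names and flows are constructed, and the thresholds (legacy components at Purdue levels 0-1, enterprise and cloud at level 4 and above) are assumptions. It flags multi-homed hosts that bridge legacy networks to enterprise or cloud networks, and legacy data flows that bypass a level 2/3 collector such as a data historian.

```python
# Added example: constructed inventory and flows, not data from the article.
# Purdue level of each network segment (constructed names).
SEGMENT_LEVEL = {
    "plc-net": 1,
    "supervisory-net": 2,
    "site-ops-net": 3,
    "enterprise-net": 4,
    "cloud-uplink": 5,
}
# Host -> segments on which it has an interface (constructed).
INTERFACES = {
    "plc-01": ["plc-net"],
    "legacy-hmi": ["plc-net", "cloud-uplink"],  # multi-homed across zones
    "historian": ["supervisory-net", "site-ops-net"],
    "erp": ["enterprise-net"],
}
# (source host, destination host) data flows (constructed).
FLOWS = [("plc-01", "historian"), ("plc-01", "erp"), ("historian", "erp")]

LEGACY_MAX = 1          # assumption: legacy components sit at levels 0-1
COLLECTOR_LEVELS = {2, 3}  # levels the article names for historian/edge systems
ENTERPRISE_MIN = 4      # assumption: enterprise and cloud are level 4 and above


def host_levels(host):
    """Set of Purdue levels a host is attached to."""
    return {SEGMENT_LEVEL[seg] for seg in INTERFACES[host]}


def find_bridges():
    """Hosts with one interface at a legacy level and another at level 4+."""
    return sorted(
        h for h in INTERFACES
        if min(host_levels(h)) <= LEGACY_MAX
        and max(host_levels(h)) >= ENTERPRISE_MIN
    )


def find_bypass_flows():
    """Flows from a legacy-only host to anything but a level 2/3 collector."""
    bad = []
    for src, dst in FLOWS:
        if max(host_levels(src)) > LEGACY_MAX:
            continue  # source is not a legacy-level component
        if not host_levels(dst) <= COLLECTOR_LEVELS:
            bad.append((src, dst))
    return bad


if __name__ == "__main__":
    print("bridging hosts:", find_bridges())
    print("flows bypassing the collector:", find_bypass_flows())
```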
Changes to the environment must consider both cybersecurity and DX objectives to minimize organizational risks. NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, provides guidance for establishing a risk management approach for organizations. A key aspect is having a cybersecurity program. One misconception I often hear is that cybersecurity is an IT issue or that it is a technology issue. While we would like this to be true, the reality is that cybersecurity spans the entire organization. The NIST Framework for Improving Critical Infrastructure Cybersecurity and the NISTIR 8183 Rev. 1, Cybersecurity Framework Version 1.1 Manufacturing Profile, are guides that can assist organizations with approaching the challenges of defining and implementing a cybersecurity program in a methodical and consistent way. With a cybersecurity and risk management program in place, organizations can evaluate changes to the environment to verify that they meet their DX goals while also minimizing the cybersecurity risks. While there will always be risk, the key is for organizations to find the balance that minimizes risks while also achieving the organizational, regulatory and cybersecurity requirements.
As previously mentioned, legacy components can add complexity to implementing DX and cybersecurity. Careful planning, and testing whenever possible, are strongly recommended. Building on the NISTIR 8183, NIST also published the Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide to provide a more quantitative approach to determining the performance impact on ICS environments when implementing common cybersecurity controls based on the guidance and recommendations in NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security.
More interconnections supporting rapid and accurate data gathering are needed to achieve DX objectives, and each company’s approach will depend on the types of legacy components within the environment. While upgrading legacy components would be ideal, the reality is that many firms need to support DX with their existing technology. When planning, organizations should carefully balance how to integrate with their existing processes and devices while also protecting their people, data and devices.
Implementing DX can be a daunting task, but is manageable with careful planning, collaboration among company IT and OT staff and the use of valuable resources such as NIST publications and the MEP National Network.
The MEP National Network can help companies find the right balance through strategic planning and offer guidance for DX investments. Contact your state’s MEP Center for more information on services offered across the country and in Puerto Rico.