Uniting IT and OT

Johnson Controls Breaks Down IT/OT Barriers, While Enhancing Plant Cybersecurity

Johnson Controls is helping process plants navigate the convergence of IT and OT. Some view the collaboration as an effort to break down barriers that divide IT (information technology that’s used for data-oriented computing) from OT (operational technology that monitors processes, devices and events).

To further the formation of the IT/OT combination, Johnson Controls plans to use its eChem Expo exhibit to display building automation systems and mechanical systems, according to David Morgan, the company’s sales leader for strategic owner sales for Mid and East Central Tennessee. The company’s Physical Security Group will also be on hand to discuss fire and physical protection, he notes.

Johnson Controls is expanding its display of physical security at this year’s eChem Expo exhibit hall because the company extended its reach in that business in October 2016, when it merged with Tyco, which owned SimplexGrinnell, according to published reports.

The SimplexGrinnell name will live on in the fire security products market because of their well-established reputations, the company says. The companies are a good fit because the fire and security businesses of SimplexGrinnell complement the mechanical and automation systems of Johnson Controls, Morgan says. “It was a really good adjacent market space for us,” he observes.


While the products and services of all of those businesses will receive attention in the Johnson Controls booth, the presentations the company plans to make at the eChem Expo conference will center on cybersecurity and the convergence of IT and OT, says Jesse Bociek, Johnson Controls deputy chief information security officer.

One session will address the challenges and opportunities that come with mating IT and OT, while the other will center on the cultural changes that should occur in a company to accommodate the convergence of IT and OT, Bociek says.

Both sessions appear likely to attract large crowds of attendees. Combining IT and OT has been on the minds of chemical industry officials recently, as evidenced in many of the more than 100 stakeholder interviews that eChem Expo has conducted during the months leading up to the conference and exhibition, Expo officials say.

The first session will define “digitalization.” Until now, the term has been used casually as it applies to IT and websites, but in 2018 and beyond digitalization should mean taking advantage of data and interconnected systems to produce value, Bociek maintains. “We want to connect every building in the world, and we want to mine our sensors for data,” he declares.


Plant personnel have to embrace the convergence of IT and OT to make the combination work, Johnson Controls executives say.


Just the same, there hasn’t been enough discussion of how IT and OT can benefit from coming together and how they can do so while still retaining their identities, Bociek continues. Ways of doing both should become clearer in the session on linking IT and OT, he predicts.

The second session will address how management and workers can learn to embrace combined IT/OT. Attendees will find out why an organization “has to swallow convergence hook, line and sinker in order to be successful,” Bociek says. Companies should understand what digitalization means for their industry, their products and the services they provide, he asserts, adding that they should search for insights that arise from their data.

But with that mounting acceptance of the interrelated nature of IT and OT comes the realization that the convergence brings on cybersecurity risks that did not exist before, Bociek continues. He views the risks as falling into two categories.

First, cybersecurity risk is endemic in IT, so when IT and OT converge the IT risk is introduced to OT, Bociek says. In other words, a building management system or facilities engineering system that had been operating quietly in the background suddenly becomes prone to the same cybersecurity risks as an average, everyday laptop – like ransomware or malware, he notes.

Second, fixing a laptop differs greatly from taking down all or most of a plant to combat a cybersecurity threat. Shutting down the control system for a smelter in a recycling plant, for example, can reduce productivity and give rise to health and safety issues, Bociek says.


Cybersecurity means more than just confidentiality, Bociek continues. Confidentiality requires guarding against theft of Social Security numbers and other personal information that hackers can use to make fraudulent purchases. Maintaining confidentiality also means preventing hackers from breaking into Facebook accounts or gaining access to email messages. But confidentiality constitutes just one of the three critical pieces of cybersecurity, he says.

Cybersecurity also includes the second piece, data integrity. Take the example of a smelter that requires hourly dumping to prevent melting the bottom out of the equipment, Bociek says. If the plant converts from a 12-hour time block to a 24-hour time block without making the proper adjustments, a calamity could occur.

Data availability, the third piece of cybersecurity, applies to the smelter example. If the data’s not there, the equipment can’t be programmed to allow for the once-per-hour routine maintenance that safety and uninterrupted work requires, Bociek says.

Systems in plants vary greatly as to which of the three critical elements of cybersecurity takes precedence, Bociek continues. If availability is deemed most important, for example, a system is designed to come back online quickly after an incident, he notes.

Johnson Controls representatives at eChem Expo plan to discuss ways of protecting chillers.


Actions that plants can take with regard to cybersecurity range from doing nothing to mitigate a risk that’s considered acceptable to going beyond cost-effectiveness to deal with a crucial risk, Bociek says.

However a company chooses to view a particular risk, bridging the gap between IT and OT calls for changing expectations for cybersecurity and much work remains to be done, Bociek maintains. “A lot of people out there don’t know about cybersecurity risk, don’t care about cybersecurity risk or believe it truly does not exist,” he says. Cultural transformation can change those attitudes, he contends.

Combatting risk that arises with IT/OT also requires a monetary investment, Bociek notes. “I need to fund controls of risk, and that funding eats into my profitability,” he says. That results in a tug-of-war that he sees played out every day in companies.

But any entity that operates a plant or plants has to face that tradeoff among many others while meeting the challenges and seizing the opportunities of the convergence of IT and OT – even Johnson Controls can’t avoid the push and pull.

That’s why the company has been working to bring its own IT and OT together – a set of challenges that multiplied with the Tyco merger. “We want to make sure we are developing products and services and going to market with security in mind,” Bociek says of those efforts. “We certainly have the IT/OT challenge ourselves.”