How IT and OT are merging: Opportunities and tips

How far have companies in various industries progressed with integrating their IT and OT architectures? What opportunities does the much-vaunted convergence open up and how can the previously separate worlds be efficiently controlled and managed in terms of IT/OT governance? A current study conducted by management consultancy 4C Group together with Markus Westner from OTH Regensburg examines these and other questions.

For this purpose, 31 CIOs and IT/OT managers from large companies were interviewed in qualitative interviews. The companies come from 12 industries, including automotive, chemical, electronics, retail, and mechanical engineering. They generate an average annual turnover of €3.2 billion and employ 10,700 people.

The vast majority of participants see IT and OT co-existing in the future, according to a finding by study authors Markus Matschi and Carolin Hantsch. However, this is closely linked to common processes and clear roles under the umbrella of a binding vision and strategy.

IT versus OT — what is it all about?

The study authors define operational technology as hardware and software that monitors and controls the performance of physical devices. The lowest logical level includes sensors in production plants. Above this is a control level that includes, for example, programmable logic controllers (PLCs).

The topmost layer in the OT cosmos, the “process control level,” is about monitoring, controlling, and managing entire industrial plants. A network of hardware and software is used for this, known as Supervisory Control and Data Acquisition (SCADA), usually connected to a human machine interface (HMI).

In contrast, classic IT revolves around systems that manage data and applications. At the top “corporate level” there are ERP systems, for example. One layer below, at the “operational level,” there are manufacturing execution systems (MES), for example. IT/OT convergence describes the complex project of linking and integrating IT and OT systems more closely.

CIOs leading IT/OT convergence

In 61% of companies surveyed, the CIO is responsible for IT/OT convergence. Less than a quarter have deployed a tandem of IT and OT managers. In more than 10% of cases, responsibility is not yet clearly defined.

Martin Stephany of the 4C Group comments on the dominance of IT managers by saying that experience and skills in areas such as security are usually more pronounced in IT. In addition, there is often no counterpart to the classic CIO on the OT side.

The greatest opportunities of IT/OT convergence

Those surveyed see increased security and cost savings as the greatest opportunities for convergence. Many things can be standardized, particularly in the area of ​​IT security.

Advantages include the consistent rollout of security updates and central user management. The IT organization’s years of experience in this area make it possible to “transfer best practices, technology, and awareness approaches to the OT side,” reports one study participant.

The interviewees also cite the synergy potential that could be leveraged through convergence as an opportunity. The standardization that comes with it helps, among other things, to eliminate redundancies, explains a CIO from the oil and gas industry: “There are many redundant systems such as Active Directories, which are often used and administered to a lesser extent in OT than in IT.”

Uniform processes, clear requirements

Because IT/OT convergence allows processes to be standardized and centralized, many companies can also reduce costs in this way. Other aspects contribute to this, including improved transparency, more intensive exchange between IT and OT teams and clear requirements, for example when procuring a production facility.

One requirement could be a specific protocol for data access, for example. “In the past, there was not enough communication,” reports Oliver Pütz, CIDO of Rolls-Royce Power Systems. “As a result, additional money had to be spent retrospectively because suppliers were selected who could not meet certain IT requirements that were only defined later.”

Production-related data offers new opportunities

Another advantage of the integration that comes with IT/OT convergence is data provision. “In general, production-related data offers enormous opportunities for companies, especially data that could not previously be processed and commercialized,” explains Mathias Bücherl, group CISO at Heidelberg Materials.

Robert Ellersdorfer, technical director of Binder+Co. AG, says: “Data-driven, digital products enable us to open up new markets. Without these digital products, we would lose our market leadership in this segment.”

In addition, production-related data can help to improve existing products. To do this, however, data flows should be collected as consistently as possible. “Most of the time, you have great individual solutions, but a consistent data flow that runs ‘end to end’ from the supplier to the customer must be promoted,” reports a CIO. “I believe that it will be less than two years before we have to deliver quality data directly from production to the customer.”

Last but not least, employees also benefit from the closer cooperation between IT and OT areas: They can learn from one another and support one another. “If we talk to each other more, we can benefit much more from the knowledge we have in production and IT,” explains Thorsten Frosch, OT security officer at Andreas Stihl AG. “We have to exploit this potential in order to really move the company forward.”

Holger Blumberg, CIO of Krones AG, also sees advantages in employee development. He encourages colleagues to switch between the two areas. This way, internal careers can also be promoted and talent can be acquired and retained in the war for talent.

Maturity of IT/OT convergence: Still room for improvement

When it comes to the question of how far companies have progressed in terms of IT/OT convergence, a heterogeneous picture emerges. In a maturity model from the 4C Group, only 13% of organizations reach the highest level of “optimizing”: They have fully integrated IT and OT systems.

Twenty-three percent are still in the idea phase and are at best running pilot projects. Between these two poles there are various forms of implementation of IT/OT convergence. Differences are evident above all in terms of the necessary processes and the shared use of data.

In contrast to traditional IT, OT is generally more decentralized, observe the study initiators. Individual production sites often work with very heterogeneous system landscapes, especially when it comes to branches abroad. The willingness to cooperate with IT also varies greatly depending on the OT location.

OT areas have data sovereignty

When it comes to the central topic of data management, it is clear that in most cases the sovereignty lies in the OT areas. A lot of data is generated during production, is analyzed, and can be used to optimize processes. IT usually provides only the systems for this. To interpret the data, OT know-how is usually required.

There is also room for improvement in terms of communication between IT and OT areas. The majority of those interviewed reported only loose but at least regular exchanges, for example on a project basis or in working groups.

Security is the common driver

The respondents cite security as the biggest driver for IT/OT convergence. The numerous legacy systems in OT often have vulnerabilities that potential attackers can exploit. Against this background, both sides want to make progress in terms of cybersecurity and security resilience.

In practice, however, there is often a lack of security policies and standards that apply to both IT and OT. “IT sets the specifications, but OT is responsible for implementation,” reports Stefan Zach, VP of global IT at the Wieland Group.

IT/OT governance framework as a guideline

The authors have summarized what is needed to integrate and manage the various areas in an IT/OT governance framework. It describes the basic building blocks of the project and provides concrete recommendations for implementing the measures.

The starting point should be a common vision and strategy that must be communicated to employees. “The target image of convergence should be clearly defined for the company, otherwise implementation is not possible,” comments Stephan Heinelt, group CIO of Altana AG. 

An operational framework in the form of a project portfolio, combined with a concrete roadmap, is just as important. Clearly defined roles and processes are also essential. Policies and standards help to clearly define processes, responsibilities, and interfaces. For example, a company works with policies in the form of purchasing regulations that define minimum requirements for a production facility.

In addition, it is important to develop a common language. IT and OT employees should be able to communicate on an equal footing and develop a common understanding of the project. This also requires new formats of collaboration, such as interdisciplinary teams or project and working groups.

Six recommendations for IT/OT convergence

The study authors derive six concrete recommendations for action from the framework:

• Ensure top management support: Management should communicate and drive goals, strategies, and frameworks for achieving convergence. This also helps avoid conflicts between IT and OT areas.
• Use security as a driver: Because threats from cyberattacks in the OT sector continue to increase, systems must be better secured. Respondents cited ransomware attacks in particular, which is why those responsible should use the issue of security as a lever to drive convergence.
• Appoint a central OT manager: In many companies, apart from the respective plant managers at the production sites, there is no central manager. This makes communication between OT and IT areas more difficult. A central OT management position as a counterpart to the CIO would help.
• Increase the geographical proximity of teams: As IT and OT grow together, the respective teams should also move closer together physically. Greater proximity can increase awareness of the other side’s needs and build trust.
• Continuously demonstrate added value: OT areas are often only moderately interested in convergence, as they see no advantages in it. It can therefore be helpful to regularly present the associated added value to those affected, for example in the form of case studies with concrete cost advantages.

Proceed step by step and iteratively — OT employees should not get the feeling that IT is forcing its specifications and processes on them. Therefore, a step-by-step approach is appropriate in convergence projects. One recommendation is to start with the “willing” OT locations.