Critical Hardware and Software Aspects in the Merger of IT and OT Networks

March 6, 2025
Experts from the FieldComm Group, Moxa and Yokogawa explain where the merger of operations technology and information technology networks is headed and how manufacturers can assess the appropriateness of IT on the plant floor.

Why this article is worth your time:

  • Learn how OT networks differ from traditional IT networks.
  • Get recommendations to help determine the appropriate hardware for your industrial network.
  • Find out which types of software are essential for managing industrial networks.

 

Networks connecting the computers and data sources used in industry come in two basic flavors — information technology (IT) and operations technology (OT). Whereas IT, the more ubiquitous of the two, has generally centered on managing data, applications and internal and external communications, OT controls the automated devices and equipment used in manufacturing.

Because of this difference in function, IT and OT have often been associated with different worlds — IT with the front office and OT with manufacturing processes. But this difference has been blurring as plant floor systems become increasingly connected as part of Industry 4.0 and digital transformation initiatives to keep manufacturing companies competitive.

To help us understand the state-of-the-state of IT and OT in industry today, we spoke with Felipe Costa (FC), senior product marketing manager for networking and cybersecurity at Moxa; Matt Malone (MM), system consultant for cybersecurity at Yokogawa; and Paul Sereiko (PS), director of marketing and product strategy at the FieldComm Group.

AW: How do you see OT networks continuing to differ from traditional IT networks? 

PS: Industrial OT networks are typically quite a bit different from traditional IT networks, but it is increasingly common for the two domains to be interconnected. A simple way to understand the difference is to look at the lowest-level devices in the hierarchy of each network. In a typical IT network, the lowest level of device is usually a desktop workstation or a printer.

For more than 30 years now, these devices have been connected to the network through some form of wired or wireless Ethernet internet protocol. For an industrial network, the lowest-level device is something like a sensor, transmitter, field instrument, drive or actuator. These field devices are often hardwired and/or connected via industrial fieldbus connections. But they may be connected to a supervisory controller or gateway that links them to an Ethernet-based OT network. Many field devices produced today can directly connect to an OT network.

MM: A key difference between the two networks is the distribution of servers, PCs and other devices in the control hierarchy. IT networks are usually flat, meaning the servers and machines reside in the same domain. OT networks, on the other hand, are mostly configured according to the Purdue Enterprise Reference Architecture. Components at the top of the network typically exert greatest control over the manufacturing process, with control diminishing the further down the hierarchy a device is installed.

The two networks also give different priorities to the elements of the well-known CIA (confidentiality, integrity and availability) triad. IT networks are usually designed with CIA given consideration in equal measure. OT networks, however, typically have availability prioritized over integrity and confidentiality.

FC: Industrial networks require deterministic, real-time communication to ensure precise process control. IT networks, on the other hand, typically prioritize high bandwidth and data transfer. OT systems also have much longer lifecycles than IT networks and often integrate legacy technologies. OT networks handle a mix of traffic types, using industrial protocols like Profinet and Modbus alongside the more recent adoption of TCP/IP, whereas IT networks are predominantly based on TCP/IP protocols.

AW: What roles do hardware components play in an industrial network?

PS: The typical IT network establishes connectivity using devices such as switches, routers and various security apparatus like firewalls. Industrial networks use these too, but they will almost always have additional components, such as gateways, edge devices and, in many older installations, multiplexers. And because industrial networks are usually deployed to create a monitoring and control system, various types of specialized controllers, programmable logic controllers (PLCs) and distributed control system (DCS) elements are also often present on the network.

Industrial networks also contain sensors, transmitters, field instruments, actuators and drives that are not IP enabled. These devices must either be directly connected to a controller or undergo some type of protocol translation or encapsulation to an IP-enabled protocol if data is going to flow using the IP-enabled communications that form the backbone of modern industrial networks. Devices that perform this protocol translation in an industrial network are generally referred to as gateways. If the device has an expanded scope that includes communicating over the Internet or with a cloud server, the device may be referred to as an edge device.

AW: What is your recommendation for manufacturers when it comes to determining the appropriate hardware for specific industrial applications?

PS: Any networking hardware used for industrial applications must be designed to withstand the challenging temperature, vibration, dirt and electromagnetic conditions commonly present in industry. In many automated environments, but more frequently in process automation, OT hardware is installed in hazardous areas where there is a real risk of explosion or fire if a process begins to operate outside of the planned parameters. Therefore, the electronics installed in these areas must adhere to regional standards that govern the electrical characteristics of the equipment.

Because of these hazards, traditional IP-enabled Ethernet devices could not be installed in these applications in the past. By default, all sensors and instruments used standardized industrial media and protocols such as Modbus or HART. In 2022, however, a new two-wire Ethernet standard named Ethernet-APL, which can deliver data and power, was announced for hazardous applications. APL-enabled switches and instruments are now extending Ethernet IP communication into hazardous areas.

As use of IP technology becomes a possibility from the controller all the way to the field device, users need to keep in mind that IP communications are non-deterministic. This means that there is no guarantee for when a packet might be delivered to its intended recipient. In most cases, this is not a concern because the network’s communications speed and bandwidth far exceed the requirements for the application. However, in some applications, and in some cases by regulation, determinism across the network is required. To address this requirement, several TSN, or time-sensitive networking, standards have been created.

MM: Another important aspect of determining the suitability of hardware is testing. Availability is one of the most important considerations when designing an industrial network. A device that has not been tested within a control system holds the risk of shutting the network down — and quite possibly an entire unit or the whole plant.

FC: It’s also vital to choose hardware that not only supports both current and legacy equipment but also offers scalability for future upgrades. The security posture of the vendor is also becoming increasingly important. Evaluate how vendors handle patching, updates and their approach to advanced security. 

AW: What types of software are essential for managing industrial networks, and how do they improve performance and reliability?

FC: Key industrial network software includes: network management systems (NMSs), which offer centralized monitoring, diagnostics and configuration; real-time monitoring tools, such as SCADA (supervisory control and data acquisition) that provide operational visibility and process optimization; security software, such as firewalls and intrusion detection/prevention systems (IDS/IPS) that guard against cyberthreats; and asset management systems that track the health of devices, firmware updates and lifecycle management. These tools improve performance by identifying issues proactively and securing networks against threats.

MM: The convergence of IT and OT is enabling OT professionals to consider using IT tools within OT networks. For example, domain controllers using Active Directory can centrally manage PCs and servers on a process control network using group policy objects. And servers can use the Windows Server Update Service with Active Directory to centrally deploy patches.

About the Author

James R. Koelsch, contributing writer | Contributing Editor

Since Jim Koelsch graduated from college with a bachelor’s degree in chemical engineering, he has spent more than 35 years reporting on various kinds of manufacturing technology. His publishing experience includes stints as a staff editor on Production Engineering (later called Automation) at Penton Publishing and as editor of Manufacturing Engineering at the Society of Manufacturing Engineers. After moving to freelance writing in 1997, Jim has contributed to many other media sites, foremost among them Automation World, which has been benefiting from his insights since 2004.
