How To Do IT/OT Assessment


1st August, 2024.

In this post, we will look at the concept of IT/OT assessment. The post is divided into two parts, and this is the second part.

In the earlier post, we covered the basic concept of IT/OT assessment and understood its importance. In this post, we will see how to perform the assessment. That matters because, without it, you cannot validate the system or even give prerequisites to a vendor for creating an RFQ. The RFQ lists all the work that has to be done, and if you are not sure about the current state of your OT and IT infrastructure, you cannot give full requirements to the vendor.



1. Define your scope and objective:


Suppose you have a plant with 10 existing machines, and 4 new machines are to be installed. You need to perform an assessment for those 4 machines in particular. The very first step is to collect all photographs and documents of the system, and to determine which existing systems have already completed their assessment. This clarifies your scope and tells you exactly how many systems need to be assessed. You must also be clear about the objective: because you are assessing the system for IT/OT operations, you will then be able to settle all security, network and data requirements properly. Determining how many systems need to be assessed fulfils the first goal of the assessment, because it is not only about one system but about the whole plant.



2. Firmware revision:


The next step is to analyze the firmware versions of the software already installed and of the software to be installed. Both should be compatible with each other. The software can be SCADA, DCS or any other IT / automation software.


3. IP address allocation:


Because you are networking the whole plant, you need to define the number of IP addresses that will be used. Accordingly, you need to order network switches and decide their types (L1 or L2). This assessment step ensures that IP addresses are ready to be assigned to the upcoming systems.
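As an added illustration (not part of the original post), the sketch below sizes one subnet per group of machines for the 10 existing and 4 new machines mentioned earlier. The address block, the number of IP devices per machine, the SCADA server count and the growth margin are all assumptions.

```python
import ipaddress

# Constructed planning inputs: the address block, per-machine device counts
# and growth margin are assumptions for illustration, not values from the post.
PLANT_BLOCK = ipaddress.IPv4Network("10.20.0.0/22")
GROWTH_PCT = 30
ZONES = {
    "existing_machines": {"machines": 10, "ips_per_machine": 6},
    "new_machines": {"machines": 4, "ips_per_machine": 6},
    "scada_servers": {"machines": 3, "ips_per_machine": 1},
}


def hosts_needed(zone, growth_pct=GROWTH_PCT):
    """Device count plus growth margin, rounded up (integer arithmetic)."""
    base = zone["machines"] * zone["ips_per_machine"]
    return -(-base * (100 + growth_pct) // 100)


def prefix_for(hosts):
    """Longest prefix whose usable range (minus network/broadcast) fits hosts."""
    return 32 - (hosts + 1).bit_length()


def plan_subnets(block=PLANT_BLOCK, zones=ZONES):
    """Carve one non-overlapping subnet per zone, largest first so each stays aligned."""
    demand = {name: hosts_needed(z) for name, z in zones.items()}
    cursor = int(block.network_address)
    plan = {}
    for name in sorted(demand, key=demand.get, reverse=True):
        net = ipaddress.IPv4Network((cursor, prefix_for(demand[name])))
        if not net.subnet_of(block):
            raise ValueError(f"{block} is too small for zone {name}")
        plan[name] = net
        cursor += net.num_addresses
    return plan


if __name__ == "__main__":
    for name, net in plan_subnets().items():
        usable = net.num_addresses - 2
        print(f"{name:18} {str(net):16} needs {hosts_needed(ZONES[name]):3} of {usable} usable")
```

Keeping existing and new machines in separate subnets also gives a natural boundary for the physical or logical separation decided later in the assessment.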


4. Network location:


Deciding where your network switches will be installed is an important criterion for the assessment. You cannot install them at random in areas where there is a safety hazard, exposure to the outside environment or pollution, or where cables cannot easily reach. Once the locations are fixed, the length of cables and the remaining civil work can be decided.



5. Identifying and relating hardware:


You need to identify which types and model numbers of hardware and software will be installed in the plant. For example, you have 10 systems as discussed earlier, and 4 new systems will be installed. If you need to merge them with an existing network, then you need to know the earlier model numbers, the communication protocols supported and the types of cables used. Accordingly, you can decide which hardware and software to select next. Choosing inappropriate types can either prevent communication from being established or cause lag in it.


6. Conducting a risk assessment:


The next step is to review the risks involved in setting up the network. First, check whether your previous systems have been affected by cybersecurity or network failures. If yes, note them down so that solutions can be carried over to the new systems. If not, try to analyze the risks that could occur given the existing security policies and technologies. This will affect the RFQ, because you have to state the requirements for additional security features in the software, redundant network switches, redundant network ports in the hardware, or firmware updates.



7. Decide network questions to be asked before preparing RFQ:


Because you are integrating the whole plant, you have to decide which PCs will have a shared network, which systems need to be updated to match the latest versions, whether the new and old systems are to be physically or logically separated, and which OT networks will have web gate access or internet access.


8. Data flow restrictions:


Some data is critical to share in the network. Depending on that factor, you have to decide the data flow restrictions in the network. The memory of hardware devices, the bandwidth of the network and the data handling speed of software devices will be decided accordingly.
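As an added illustration for steps 7 and 8 (not part of the original post), the sketch below takes a planned list of zone-to-zone conduits and reports which OT zones end up with a direct or indirect path to the internet. The zone names, services and conduit list are constructed assumptions.

```python
from collections import deque

# Constructed conduit list (zone names and services are assumptions):
# each entry is (source zone, destination zone, service).
CONDUITS = [
    ("cell_existing", "supervisory", "modbus-tcp"),
    ("cell_new", "supervisory", "modbus-tcp"),
    ("supervisory", "dmz", "opc-ua"),
    ("dmz", "enterprise_it", "https"),
    ("enterprise_it", "internet", "https"),
    ("eng_workstation", "internet", "https"),
    ("isolated_cell", "local_hmi", "ethernet"),
]
OT_ZONES = ["cell_existing", "cell_new", "supervisory",
            "eng_workstation", "isolated_cell"]


def shortest_path(conduits, start, target):
    """Breadth-first search over zone-to-zone conduits; None if unreachable."""
    graph = {}
    for src, dst, _service in conduits:
        graph.setdefault(src, []).append(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def internet_exposure(conduits, ot_zones, target="internet"):
    """Classify each OT zone as 'direct', 'indirect' or 'none', with its path."""
    report = {}
    for zone in ot_zones:
        path = shortest_path(conduits, zone, target)
        if path is None:
            report[zone] = ("none", [])
        else:
            report[zone] = ("direct" if len(path) == 2 else "indirect", path)
    return report


if __name__ == "__main__":
    for zone, (kind, path) in internet_exposure(CONDUITS, OT_ZONES).items():
        print(f"{zone:16} {kind:9} {' -> '.join(path)}")
```

An "indirect" result is a chain to review hop by hop, not proof that traffic passes end to end; whether each intermediate zone relays or terminates the data is part of the restriction decision.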



9. Which instruments will have communication protocol requirements?


Sensors, actuators and other instruments nowadays have communication ports embedded in them, with supporting protocols like Ethernet, Modbus, CANopen, Fieldbus etc. They also support advanced connectivity for IoT. The appropriate instruments need to be selected depending on what data you want from them, which instruments will be shared and what security layer will be applied to them. This matters because in an IoT network, instruments can talk directly with cloud layers, without the need for a controller like a PLC in between.


I have covered the general theory related to IT/OT assessment for industrial applications. I have not attempted to cover each and every topic, as it can vary from system to system. Once you are familiar with this engineering, you can easily tackle all types of problems in it.


Thank you for reading the post. I hope you liked it and will find a new way in this type of technology.






