By Refilwe Buthelezi PrEng, President – Engineering Council of South Africa
The engineering sector has been experiencing a rapid transformation in recent years, with the convergence of Operational Technology (OT) and Information Technology (IT). While this convergence has the potential to unlock significant benefits, it also presents several challenges, particularly in terms of cybersecurity and the need for specialised engineering skills. This opinion piece aims to provide a comprehensive overview of industrial transformation in the engineering sector, with a particular focus on the role of OT in leading this transformation.
Industrial transformation in the engineering sector is a crucial issue that has gained significant attention of late. The rapid advancement of technology and the growing need for more efficient and sustainable solutions have led to a focus on the convergence of operational technology (OT) and information technology (IT). However, it is important to understand the differences between these two technologies before discussing their convergence.
Distinguishing OT and IT
IT and OT are often used interchangeably, but they are distinct areas of expertise with different goals and requirements. IT focuses on the collection, storage, processing, and sharing of data and information using computing systems and networks. IT is typically concerned with systems that are designed to be secure, reliable, and scalable, as well as to integrate with other systems. IT is governed by a range of industry standards and regulations, including ISO 27001, Control Objectives for Information Technologies (COBIT), and the General Data Protection Regulation (GDPR).
OT, on the other hand, is concerned with the control and automation of physical processes in industrial environments. It involves the use of specialised hardware and software, such as programmable logic controllers (PLCs), sensors, and human-machine interfaces (HMIs), to monitor and control the physical systems that drive industry. OT is mission-critical and requires specialised engineering skills and technical know-how to operate and maintain effectively. It is governed by industry-specific standards and regulations, such as ISA-95, IEC 62443, and the NIST Cybersecurity Framework.
IT-OT convergence refers to the integration of IT and OT systems and technologies with a view to achieving improved performance, efficiency, and flexibility in industrial environments. The convergence of IT and OT allows for the collection, storage, and analysis of real-time data from OT systems, which can then be used to optimise operations, reduce downtime, and improve overall efficiency. To some extent, IT-OT convergence has been embraced by supporters and proponents in various engineering industries. Supporters of IT-OT convergence argue that it offers significant benefits, including increased visibility into industrial processes, improved operational efficiency, and enhanced decision-making capabilities. Proponents also cite the potential for cost savings and reduced downtime through predictive maintenance and more effective asset management.
However, there are also concerns around the security and reliability of IT-OT systems, as well as the potential for increased complexity and risk associated with their integration. There are also challenges around the integration of legacy systems and the need for specialised skills and expertise to manage and operate IT-OT systems effectively.
Regulatory Framework for IT-OT Convergence in South Africa
The engineering industry in South Africa is regulated by the Engineering Profession Act (EPA) and governed in tandem with public interest guidelines from the Council for the Built Environment Act (CBEA). These acts provide a regulatory framework for the engineering profession in South Africa, as well as the ethical and professional conduct expected of engineers. In March 2021, the Engineering Council of South Africa (ECSA) published the Identification of Engineering Work (IDoEW) in the Government Gazette. The IDoEW and the enabling provisions enshrined in the EPA seek to promote safety, professionalism and compliance with both the Codes of Conduct for Registered Persons and the Overarching Code of Practice for the Performance of Engineering Work.
Currently, however, there is no specific regulatory framework governing IT-OT convergence in the engineering sector. This is a concern, as the integration of IT and OT systems can create new vulnerabilities and increase the risk of cyber-attacks, which the world can ill afford in critical infrastructure installations and service facilities in sectors such as manufacturing, mining, transportation, oil, gas, water, and electricity. The lack of regulatory guidance on IT-OT convergence leaves the engineering industry in South Africa vulnerable to potential risks and challenges associated with this convergence. In the United States, from about 2020, water utility entities have been targeted for cyber-attacks because of how decentralised their systems are nationally, making the IT-OT convergence an area of policy focus countrywide.
Nonetheless, it is important to be critical of the IT-OT convergence ideal and recognise the importance of OT's autonomy as a regulated mission-critical engineering environment charged with the safety of plant, humans, animals and the environment. Engineers design with safety in mind. Key parameters such as network availability and minimal latency are critical for emergency preparedness and disaster recovery. Performance characteristics such as system reliability, redundancy, longevity and maintainability are key design considerations and take centre stage in OT operations. OT systems require specialised knowledge and expertise that cannot be easily replaced by IT personnel.
Best Practices for IT-OT Convergence
Global best practices around IT-OT convergence in engineering industries highlight the importance of a risk-based approach to IT-OT integration. This approach involves identifying and assessing the potential risks associated with IT-OT convergence and implementing appropriate controls to mitigate these risks. Furthermore, best practices emphasise the importance of having a clear understanding of the roles and responsibilities of IT and OT personnel in managing and maintaining integrated systems.
While both IT and OT functions play important roles in an organisation, the OT functions should lead the industrial transformation of utilities for several reasons. Firstly, OT connects, monitors, manages, and secures an organisation's industrial operations, making it a critical component of the industrial transformation process. OT systems are designed to interact with physical equipment, such as generators, transformers, and other machinery, making them well-suited to lead the transformation of industrial utilities. Secondly, an OT service delivery transformation enables engineering companies to respond to the changing industry landscape and acquire the necessary technical capabilities to meet the evolving demands of the market.
The OT functions have a deep understanding of the industrial processes and operations of the utilities, making them better equipped to make informed decisions about the transformation process. Lastly, while IT serves as the connectivity technology backbone of an organisation, it primarily deals with data-centric systems such as databases, networks, and software applications. Therefore, the IT functions may not possess the same level of understanding of the operational technology systems and processes that are essential for the transformation of industrial companies. Additionally, engineering work is regulated, and thus compliance with the relevant Acts of legislation is mandatory.
Industrial transformation in the engineering sector is a complex issue that requires a risk-based approach to IT-OT convergence. While there are potential benefits to integrating IT and OT systems, there are also significant risks that must be managed appropriately. IT and OT functions should work collaboratively, with OT functions leading the industrial transformation due to their specialised engineering skills and technical expertise, and IT functions serving to support these engineering functions. Engineering industry associations such as the South African Council for Automation and Control (SACAC), the Africa Utilities Technology Council (AUTC), and voluntary associations recognised by ECSA such as the South African Institute of Electrical Engineers (SAIEE) and the Society for Automation, Instrumentation, Mechatronics and Control (SAIMC), must ensure that appropriate standards and regulations are in place to govern IT-OT convergence in member engineering companies, and that OT functions lead the industrial transformation effort in compliance with the spirit, letter and intent of the law.