DevOps implementations within IT are near universal; however, that has not been the case in operational technology (OT) and industrial control systems (ICS) environments. But that's not to say certain tenets of DevOps have not made their way into OT and ICS, or that they won't do so increasingly in the future.
Experts contend there are many good reasons DevOps practices have yet to make headway into OT/ICS environments. Industrial environments have stringent safety and reliability standards that make rapid iteration difficult, which makes them averse to DevOps practices, and there has traditionally been a significant gap between IT and OT teams and systems management. Many safety and reliability concerns also stem from the fact that OT/ICS technology operates on systems that have been in the field for decades, may not fit well within DevOps practices and tools, and can create life-threatening disruption risks.
Says Chris Sistrunk, an ICS and SCADA expert and technical leader at Mandiant: "While DevOps is common in IT organizations, it is not common at all in ICS/OT environments. Some ICS/OT sectors with mature security practices have implemented some features of DevOps like strict change management controls, test procedures, and implementation processes."
Michael Farnum, advisory CISO at IT services provider Trace3, says most of his experience in OT environments is within oil and gas, and to date, there have not been a lot of DevOps practices adopted there. "Tolerances are pretty tight in those spaces, and a fast-paced DevOps environment would be pretty risky for them. Cloud is becoming somewhat more of an option, but it is still a slow adoption," Farnum says.
However, the trend toward increased digitization in OT/ICS environments is under way as organizations seek increased efficiencies. According to a survey conducted by Omdia Research and telecommunications services provider Telstra, 85% of those surveyed in North Asia, for instance, expect business benefits from IT/OT convergence, 54% see Industry 4.0 and advanced digital technologies as primary reasons for convergence, and 46% are converging IT/OT systems to improve their data analytics capabilities.
Similarly, Cisco's 2024 State of Industrial Networking Report found that 41% of organizations surveyed are attempting to "futureproof" their environments through digital transformation, and 53% of OT systems are projected to be connected to IT systems by 2025, up from 38% currently.
With increased digitization, there will undoubtedly be increased collaboration between IT and OT teams, in some instances for efficiency and in others out of need, such as securing converged IT/OT systems. There will also be increased use of infrastructure as code (IaC); for instance, IaC practices will be applied to OT environments to improve manageability and reduce configuration mistakes. While traditionally the domain of IT, IaC practices are being adapted to enhance efficiency and security in industrial settings.
The hope is that IaC can reduce human error in critical infrastructure configurations and setups, and help facilitate the successful convergence of OT and IT systems. As the trend toward progressively more complex and interconnected critical infrastructure and industrial systems shows no signs of abating, IaC can potentially bring more scalable, reliable, and secure critical infrastructure management.
Consider how data analytics and AI help OT/ICS organizations to improve predictive maintenance. There are many examples. For instance, BMW Group Plant Regensburg has been using AI systems to monitor conveyor technology during assembly. The learning maintenance system identifies potential faults early and helps avoid more than 500 minutes of vehicle assembly disruption annually.
Building materials maker Holcim recently announced it is scaling up its use of AI in manufacturing, deploying AI to more than 100 of its plants globally to monitor equipment critical to its cement manufacturing operations and to predict failures in advance so they can be avoided, and equipping maintenance teams with real-time asset management and optimization tools.
While automation in OT/ICS in critical infrastructure remains relatively novel, experts see collaboration tools used in DevOps environments, such as Confluence and Jira, increasingly appearing in OT/ICS environments and closing the communication gap between field techs and IT teams.
Farnum says he sees more collaboration between OT/ICS and IT, and more use of collaboration tools, but primarily in security operations centers as their customers push to consolidate the alerting, triaging, and response for IT and OT environments. Within operations, Farnum says identity and access management tools and processes are being used to manage and control access to resources. "Companies want to have secure remote access on the same identity tools as IT," says Farnum.
As IT and OT systems continue their convergence and critical infrastructure and industrial processes become increasingly digitized, expect DevOps practices to continue to make headway. And, as Sistrunk points out, for those OT asset owners with constant updates and changes, "DevOps may offer some lessons learned that may be valuable for OT teams."
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.