How IT and OT can team up on cybersecurity in manufacturing: PMMI

Information technology and operational technology teams often have different focuses and constraints, but PMMI says it’s important to bridge the gap to create more secure manufacturing environments.

IT involves technologies, hardware and software for information processing, while OT detects or causes a change through monitoring or control of equipment or processes. The middle of the Venn diagram involves deployment of IoT devices like sensors, explained Andy Lomasky, senior director of IT for PMMI, during a presentation at Pack Expo East.

Historically, and still today, these functions can be somewhat disjointed, Lomasky said. IT, for instance, would prioritize protecting company and customer data, even if it required downtime. Conversely, OT would be focused on protecting product operations to ensure order fulfillment.

IT constraints center on vulnerability management like patching, cybersecurity and connectivity, while OT’s revolve around production scheduling and equipment status, Lomasky showed.

“If we were to distill all these constraints and all these priorities down, IT and OT are actually concerned with exactly the same priorities. They're very, very closely aligned. But what those priorities are in terms of order— they're actually reversed,” Lomasky said.

IT is most concerned with confidentiality, system integrity and availability of systems — in that order. “But OT is the exact opposite ... they want to keep that line running no matter what,” Lomasky said. Those in food and beverage especially want to ensure product integrity, and confidentiality ultimately is not viewed as being as important as availability, he explained.

Greater collaboration between CPGs and original equipment manufacturers and IT and OT groups — such as through testing contingency plans when things are working well — can strengthen cybersecurity, Lomasky’s presentation showed. Some strategies to bridge the gap include regular communication, having a master list of equipment and assets across IT and OT, defining who is responsible for patching, and testing patches on low-volume lines.

“The bottom line of all this is that IT and OT — they need each other's help. They shouldn't be operating in silos,” Lomasky said.

A separate presentation at Pack Expo East highlighted cybersecurity concerns in using remote services. Although the pandemic was a boon for remote services adoption, investment has continued to rise since then, driven also by industry skills shortages, said George Blunt, consulting analyst at Interact Analysis. He presented on a report produced for PMMI on 2024 trends in remote services and monitoring. The research involved surveying 172 CPGs, contract packers and OEMs.

Both CPGs and OEMs are continuing to invest in remote services, a category that includes virtual factory acceptance tests, predictive maintenance and remote support, commissioning or monitoring. Remote training is another, which could include the use of augmented reality, wherein operators or technicians can learn through wearing a headset or goggles that plays video for immersive training.

Survey responses indicated CPGs are most seeking reduced machinery downtime, the ability to optimize machine and operation performance, and increased speed of support. And half of CPGs plan to implement predictive maintenance within the next three years, Blunt shared.

At this point, top barriers to the adoption of remote services are cost — including with retrofitting existing equipment — and limited IT skills. Cybersecurity risks are another key concern, but the industry appears to be progressing. Whereas 100% of CPGs noted cybersecurity as a “major barrier” in 2020, 43% did so in 2023. Blunt reported that CPGs are moving toward more secure methods of remote access.