Best Practices for Automation Capability and Organizational Assessment

By Peter Reynolds

Category:
ARC Report Abstract

Executive Overview

Today’s industrial organizations are embracing technological change related to digital transformation.  This often introduces new organizational and cybersecurity-related challenges and requires a thorough assessment and re-evaluation of the skills and capabilities of technical roles within their automation groups.  ARC Advisory Group recently completed a research project to review global process automation and engineering roles and how industry leaders are aligning skills and training requirements with the technological challenges. 

In recent years, technology change has forged a variety of new advanced manufacturing trends such as data science, artificial intelligence, and distributed computing.  The skills needed to support these technologies tend not to be readily available within process automation groups at the plant or site levels.  Process automation groups often consider domain expertise, plant knowledge, and effective technology application to be the most valued skills and qualities.  At the same time, many companies strive to simplify technology whenever possible.  This often involves shifting more complex legacy server architecture and applications (such as manufacturing execution systems) to internal or external IT organizations and being largely self-sufficient when it comes to man-aging industrial control system (ICS) cybersecurity. Strong ICS cybersecurity competence is necessary to sustain plant systems and provide a resilient foundation for emerging technologies within plant networks or at the network edge. 

As part of this research, ARC Advisory Group surveyed more than one hundred process manufacturers and other industrial organizations.  As with most industrial companies, those surveyed recognized key distinctions between their information technology (IT) group and their operational technology (OT) group, which encompasses automation engineering.

IT covers the spectrum of systems that support corporate functions like finance, procurement, supply chain, order management, sales, and computing infrastructure (laptops, desktops, and server architecture).

OT, in contrast, covers the spectrum of systems that deal with the physical transformation of products and services.  These task-specific systems are often highly customized for industrial applications and considered mission-critical.

ARC research indicates that, regardless of company size, the organizational models between OT and IT (where separate) tend to work jointly in two key areas: technology planning/portfolio management and cybersecurity auditing. Enterprise IT will, in some cases, provide external auditing and governance over the networked process automation assets and automation cybersecurity practices and procedures.

For industrial users, the predominant method for structuring a technical organization is to build ICS cybersecurity capability and competency within the automation department.  Most industrial end user organizations develop chemical and electrical engineering capabilities through internal professional development and/or vendor-managed services.  Many believe it is far easier to train process control professionals with IT skills than to train IT professionals with the requirements needed for the real-time process automation environment.  Enterprise and corporate IT groups usually have a limited understanding of the restrictions vendors place on their automation systems.  Security patching and firmware updates, for example, should not be installed until the automation vendor has fully tested and vetted them.

Research Methodology

ARC Advisory Group completed this research between November 2018 and January 2019.  The research reviewed process automation organizational effectiveness among industry leaders and compared the current skills, activities, capabilities, training requirements, and organizational interfaces of these peer organizations.

The research included a web survey targeted at ARC’s global network of subject matter experts across multiple process industries.  The survey produced 108 responses, mainly from the automation, engineering ser-vices, and IT groups at end user organizations, plus a handful of technology suppliers and system integrators.  Additionally, ARC conducted in-depth interviews with subject matter experts and managers at industry peer organizations in the oil & gas, refining, and petrochemical industries.  ARC has a high degree of confidence in the participants who provided data in the survey or agreed to be interviewed.   ARC vetted all data to ensure those who responded were either directly involved in managing and supporting process automation engineering, or in a position to oversee this function.

In recent years, ARC has developed maturity models for both OT organizations and plant-centric IT organizations.  These organizational models and the associated human aspects incorporate ideas developed at the Carnegie Mellon University, Capability Maturity Model Institute, and Microsoft, plus the PROSCI Change Management models.  These models also reflect much of the knowledge and insights gained from ARC Advisory Group’s ongoing digital transformation-related consulting engagements with multiple clients in the upstream and downstream oil & gas and other heavy process industries.

The research reveals how leading companies are preparing their organizations for digital transformation, closing the organizational maturity gaps that impact manufacturing performance and profitability, and their respective abilities to leverage emerging technology and practices.

New Technologies Impact Process Automation

Today’s manufacturers and other industrial organizations are becoming increasingly aware of the business opportunity presented by digitalization.  What is not so clear, however, is how these industrial organizations can make best use of these new technologies and approaches to transform their businesses to gain more value from their data, assets, people, and value chains. 

For technology subject matter experts, efforts now center on Industry 4.0, Industrial IoT, and associated outcomes. While the process automation systems and associated hardware and infrastructure remain important to sustain operations, the discussion no longer centers on them. End user conversations have shifted from the technology itself to the outcomes and new value that it can deliver.  There is focus on shortened technology planning horizons and increased speed in deployment, value, and agility while solving complex business and operational challenges.

End user companies across the heavy process industries still ask trusted suppliers and advisors for help on how to leverage technology better, but now the focus has shifted to business improvement imperatives.  End users need to be better positioned to implement new technologies such as IIoT-connected devices, advanced analytics, and mobility - without compromising cybersecurity.  Initially, at least, digital trans-formation efforts will take better advantage of the existing infrastructure using the massive amount of data already being gathered.  Here, the goal will be to squeeze more value from existing process control systems, sensors, databases, and applications before progressing to the next level. 

While many suppliers are talking about developing new business models such as product as a service (PaaS); many end user companies are embarking on transformation programs that address age-old problems such as improving profit margins and safety and managing risk.  Most end users could care less about new business models.  Instead, owner-operators seek suppliers with a deep understanding of the intricacies of how equipment, plants, and other facilities should be run as a fundamental basis to digitally enhance current processes, reduce manual effort and errors, and – only if needed - create new work processes.  This industry operating domain knowledge and know-how around business value drivers is critical to drive change on the front line and ensure digitalization efforts deliver the desired outcomes.

Industrial organizations around the world are entering a period in which new digital technologies can augment people and processes to an unprecedented degree.  New commoditized computing resources in the cloud and at the network edge and artificial intelligence (AI) are changing how people work.  Approaches such as the Industrial Internet of Things (IIoT) and Industry 4.0 have helped pave the way for digital transformation across a broad swath of industrial sectors.

Digital transformation spans industrial products, operations, value chains, and aftermarket services. It augments people and knowledge through expanded use of sensors, data, and analytics.  ARC Advisory Group believes that most industrial process companies globally will soon undergo a digital transformation.  Many are already actively piloting advanced approaches such as operator flare monitoring and prediction using predictive analytics and machine learning.

However, many companies today tend to focus their efforts on technology, without considering the full organizational impact.  ARC research shows that only a small percentage (5 to 8 percent) of industrial organizations consider themselves ready for a digital transformation program.  Many others are not prepared to scale up the pilot programs currently in progress.

Key Technologies Require a Shift from Digitization to Digitalization

While asset owners consider the impact of emerging technologies, ARC is aware of the confusion many in industry have about the distinction between the terms “digitization” and “digitalization.”

One way to look at it is that digitization involves creating digital versions of previously analog data such as replacing paper-based work orders with digital work orders.  Replacing legacy analog technology with digital technology - such as the transition from analog field instrumentation and control systems to digital instrumentation and control systems - would be another example.   Digitization focuses on technology and infrastructure and typically impacts a relatively small number of stakeholders within a company.

Digitalization, on the other hand, involves making use of digital data and technologies to improve a business or work process.  For example, utilizing data from a digital work order to improve maintenance work processes and execution, or using digital twins to improve asset information and/or engineering processes.  In other words, digitalization utilizes digital technologies and data to improve the way people work, collaborate, and get things done within a plant or across a company or even an entire value chain. 

Successful digital transformation involves both digitization and digitalization: digitization makes it easier to capture, organize, and manage a wide variety of data; digitalization makes it possible to gain more value from all those data.  It focuses on multi-process disruptive change and how to implement these changes throughout an organization. It engages the entire company and its people, rather than just processes and data.   Usually executed with C-level support, digital transformation will involve a multitude of stakeholders and require a well-thought-out plan to address the people element, organizational change, change leadership, and educational aspects. Digitalization strategy follows a normal business definition methodology and investment planning and is generally accepted by the decision makers.

Key Technologies Impacting Automation Engineering Organizations

Digital technologies and approaches – from advanced data analytics and digital twins to procedural automation and autonomous operations – are transforming the energy, chemicals, and other process industries to a significant degree.  This helps companies improve their margins, productivity, and safety.

However, organizational barriers have slowed progress.  These include the process industry’s traditionally conservative approach toward adopting new technology; lack of skills; poor data quality due to poor data management systems and assets that have changed ownership; and cultural gaps between operations, engineers, and IT professionals.

Many of the newer technologies require changing the way technology leaders think about people, technology architecture, and process.  Historically, plant-level operational technology (OT) systems (including relevant plant-centric IT infrastructure such as servers and networks), have been procured and installed by plant process automation engineering staffs.   But with newer information technology (IT)-based systems, either internal IT staff or cloud service providers could potentially manage and host the platform infrastructure. Simplifying the underlying infrastructure provides opportunities for process automation engineering to better support operational customers by defining a wide range of operational and supply chain outcomes.  ICS cybersecurity technology and practices, for example, are expanding skills beyond process control and safety to derive new value from advanced analytics and application of domain expertise.

Clearly, the digital transformation of industry has the potential to con-tribute significantly to global economic growth.  The World Economic Forum estimates that Industry 4.0 alone could contribute more than $20 trillion to global gross domestic product by 2020.  For process automation engineering organizations, their share in driving any growth is fueled by the ability to quickly adapt and adopt to emerging technologies. 

However, this will require a well-focused effort that includes preparing the workforce, implementing the appropriate IT infrastructure, and adjusting business processes.  ARC research indicates that many management systems currently in place create barriers to digital progress.  Often, hierarchical management structure, weak employee change management leadership, and organizational silos create artificial barriers to information, impeding decision making, and - ultimately - hampering business performance.

Many in industry believe that organizational and human elements are the biggest challenge when implementing a digital strategy.  However, while some of the barriers may indeed relate to company culture, ARC research finds gaps in how digital programs address change and in the change leadership skills of the company’s digital advocates.  These gaps will impact progress, but this depends on where companies are on their digital journey and experience in areas of digitization and digitalization.

Industrial Control System (ICS) Cybersecurity Technologies

Industrial control system cybersecurity continues to evolve.  New developments like cloud applications and IIoT force companies to expand their practices and address issues like IT/OT convergence.  ICS cybersecurity is also gaining a foothold in new areas like smart cities and building management systems.  ARC developed the Industrial Cybersecurity Maturity Model to help industrial managers understand their cybersecurity challenges (without having to become cybersecurity experts), while helping ensure that cybersecurity investments align with their actual needs and risk tolerance.

Practices for Automation Capability ARC%20Industrial%20Cybersecurity%20Maturity%20Model.JPG

ARC’s model breaks cybersecurity into a set of steps that reduce cyber risks incrementally.  Each step addresses a specific, easily understandable security issue like securing individual devices, defending plants from external attacks, containing malware that may still get into a control system, monitoring systems for suspicious activity, and actively managing sophisticated threats and cyber incidents.  Each step has an associated set of actions and technologies that can be used to accomplish its goals.  The model also shows the human resources and tools required to sustain and utilize the technology investments at each step.  

To minimize cyber risks, industrial companies should ideally implement each step in this model.  However, ARC’s research indicates that most companies are operating with significant technology and resource gaps.  From a cybersecurity technology perspective, most facilities only have the passive, defensive technologies shown in the first three steps.  This may be adequate for companies that can tolerate process disruptions, but operators of critical infrastructure need to be more prudent and in-vest in the active defense measures shown in steps four and five.  This would help ensure rapid detection, identification, and response to more sophisticated cyber-attacks and minimize the mean time to recover from any incidents.

The gap in cybersecurity resources is even larger.  Most facilities lack the people and expertise to even maintain the technologies in the first three steps.  This generally means that the effectiveness of defenses in every step are being undermined, leaving industrial managers with a false sense of security regarding their real risks of a serious cyber incident.  Every company needs to recognize and address resource issues.  The extreme shortage of ICS cybersecurity expertise requires new approaches to triaging tasks and integrating additional resources from central groups and third parties.

Organizational and Skills Analysis

To understand trends in process automation performance, ARC first examined key organizational characteristics of peer end user companies in the process industries.  These are:

  • Mission: An organization's purpose, identifying the goal of its operations, the kind of product or service it provides, its primary customers or market, and its geographical region of operation.  This may include short statements about the company’s values or philosophies, its main competitive advantages, or a desired future state.
  • Activities: The activities performed by each department.
  • Capabilities: The main capabilities of each department.  Capability is comprised of the unique combination of skills, processes, technologies, and human abilities that differentiate an organization.
  • Skills: The skills that have been defined for each functional department or division.
  • Training Requirements: The training requirements that have been identified for each functional area or division.
  • Development of Talent: How peers develop technical and non-technical skills.
  • Organizational Interface Points: Which internal or external organizations contribute to the execution of the technology strategy.

Demographics of Survey Respondents

The chart and table that follow indicate the respective industry affiliations and titles and responsibilities of the professionals who responded to ARC’s survey and/or that ARC interviewed directly.  While the industries skew heavily toward the chemical, oil, and gas industries; ARC believes that most of our conclusions apply equally across the heavy process industries.

Most of those responding to the survey were process automation and IT professionals. An important aspect of this survey was to obtain input from people with expertise in both automation and ICS cybersecurity.  In total, 108 professionals (from across a relative narrow range of industrial sectors) responded to the survey.

Unique Value Contribution and Core Objectives

Most respondents believe that process automation should focus on the technology aspects of control and safety; with emphasis on security, reliability, and fulfilling business goals.  Survey responses included:

  • Provide security for the automation
  • Provide guidance/planning/delivery/support/secure/ reliable for control and safety
  • Provide solutions for business needs
  • Provide experts to troubleshoot and improve the process
  • Provide reliable, transparent, and seamless service to operations
  • Facilitate compliance with regulatory requirements
  • Research and screen new technologies
  • Provide information confidentiality and integrity
  • Provide consistent architecture designs

The related activities included:

  • Apply know-how and best work practices
  • Evaluate system lifecycle/reliability
  • Evaluate, select and implement new technologies for a competitive advantage
  • Troubleshoot operations and minimize abnormal situations
  • Influence and implement common standards
  • Educate and training technology users
  • Solution lifecycle support
  • Manage cybersecurity threats
  • Design and install highly reliable hardware and infrastructure based on business needs
  • Facilitate technology identification, evaluation, and selection

Unique Skills and Capabilities

Each organization must have certain capabilities to perform the as-signed tasks.  Companies we interviewed expressed their belief that, to be successful, a technical organization must possess the following basic capabilities:

  • Know-how
  • Human elements
  • Relationship management
  • Work process discipline, and
  • Geographical presence

These capabilities may be assembled through internal development or external acquisition.  This will depend on the organization’s core competences, its desire to develop and retain additional competencies, and its approach to portfolio management.   Capability is the unique combination of skills, processes, technologies, and human abilities that differentiate an organization.

Technical knowledge and skills are required to qualify the vendors’ automation systems. These skills relate to managing the automation system on both vendor-proprietary hardware and software and open systems (Cisco, Microsoft, etc.) and other networking and security solutions. These skills also include awareness of current cyber-threats and mitigation technologies.  However, as we learned, automation engineering organizations also benefit from additional skills such as those as indicated in the following table:

Training Requirements

With so much IT embedded in today’s industrial automation systems and networks, the specific type of training now needed for process automation roles is subject to significant debate.  The control and custody of control system security is often challenged, with many arguing that IT organizations are better positioned to manage and support the IT portion of automation.  The unique requirements of OT lead many to believe otherwise.  Many survey respondents and people we inter-viewed believe it is easier to develop and equip degreed professional engineers with the necessary IT skills, rather than attempt to equip IT professionals with the needed OT skills.  In other words, among survey respondents, the preferred method of evolving these skills is to develop automation engineers in cybersecurity, data science, and networking.  This necessitates a career development plan to provide automation engineers with adequate IT skills.  ARC research indicates that a successful ICS cybersecurity program includes each of the major solution areas for technologies and services used to protect industrial plants and critical infrastructure.  These are:

  • Network security
  • Endpoint protection
  • Industrial cybersecurity management, and
  • Intrusion and breach detection

In addition to technology-specific training, most industry peer survey respondents also believe vendor-provided technical training is also critical. This training spanned DCS, SIS, PLC, and other plant-level systems.

Relevant training, certification, and skills areas mentioned by industry peers among survey respondents included:

  • Training on ICS cybersecurity standards (IEC/ISA 62443) provided by SANS and other organizations
  • Risk modeling training such as provided by the Applied Information Economics (AIE)
  • Certifications in areas such as Cisco Certified Network Associate Routing & Switching (CCNA), Certified Information Systems Security Professional (CISSP) plus Certified in Risk and Information Systems Control (CRISC)
  • Knowledge of other applicable international standards and best practices

Significantly, most respondents indicated that creating and managing the training and development programs for process automation engineers are the responsibility of the process automation department.

 

Table of Contents

  • Executive Overview
  • Research Methodology
  • New Technologies Impact Process Automation
  • Organizational and Skills Analysis
  • Conclusions and Recommendations
  • Appendix – Survey Questions

 

ARC Advisory Group clients can view the complete report at ARC Client Portal   

If you would like to buy this report or obtain information about how to become a client, please Contact Us     

Engage with ARC Advisory Group