How ExxonMobil Balances IT/OT Convergence and Business Value with Cybersecurity

By Peter Reynolds

ARC Report Abstract


At the recent ARC Industry Forum in Orlando, Florida, ExxonMobil's Ricky Eckhart gave an impressive overview of his organization's plans to re-think technology architecture. Mr. Eckhart is ExxonMobil’s IT/OT Enterprise Architect and presented the company’s next-generation IT/OT journey and blueprint for success. This journey brings technology and people together with evolving cybersecurity practices to help ensure the company is prepared for tomorrow's threats. Recognizing the inherent value of emerging technologies and deployment approaches, ExxonMobil takes a balanced approach that considers business value and improvement in the context of cybersecurity. Considerations include:

  • As cybersecurity is an important element of the company’s license to operate, balance potential cybersecurity risks of new technology with potential business value.
  • Business ambitions depend on extending digital enablement into the industrial control systems (ICS) environment to secure access to rich plant data.
  • Respect for the fundamental differences between the IT and OT cybersecurity environments.
  • ExxonMobil is building a new network design that challenges some of the historical paradigms of the Purdue model.

Developing Architecture to Balance Cybersecurity with Business Value

In January 2019, ExxonMobil created an IT/OT architect role focused on enabling business value while maintaining the company’s strong focus on cybersecurity. Like other industrial companies, it found it easy to be caught up in the hype of digital transformation and IT/OT convergence and thus slip into a mindset of looking at technology for technology's sake. Mr. Eckhart believes technology must be balanced with a strong focus on cybersecurity, which is "table stakes" and part of the company’s license to operate.

IT/OT Convergence

ExxonMobil looks at technology through multiple lenses. Each considers improving earnings and growing the business, improving the top line, bottom line, and ultimate potential value to the company. Business ambitions depend on extending digital enablement into the ICS environment to secure access to rich plant data. New cloud-enabled technologies can provide flexibility in using capital and support third-party collaboration. Edge computing, artificial intelligence, and machine learning will provide value within and adjacent to the ICS environment. The company must also consider how to leverage the data collected and archived within automation and control systems. These data can enhance optimization opportunities and drive real value.

The company must balance the business need with cybersecurity concerns, with the understanding that business benefits and value can be lost if cybersecurity is not considered at the same time.

Respecting the Differences Between IT and OT Cybersecurity

As we learned, ExxonMobil respects the fundamental differences between the IT and OT cybersecurity environments when building architectures that integrate technology between the domains. Unlike the IT domain, the company will limit connectivity to OT environments. IT systems are classified as external network connections that require limiting the pathways from the level 4 environment into the level 3 environment or below. At the business level, the current ambition is to increase the flow of data between the control system and enterprise levels. From the perspectives of both cybersecurity and operations integrity, however, the company wants to limit that flow as much as possible to maintain the integrity of the OT environment, especially with legacy systems.

Legacy Systems Don't “Play Well” with Modern IT Systems

The current OT environments include a significant number of legacy systems. While promising, IT technology doesn't always “play well” when deployed within these OT environments. Thus, any technology pilot must ensure secure deployment and scale effectively with a sustainable support model.

Principles for Building Technology Architectures

According to Mr. Eckhart, ExxonMobil decided to start building some architecture and technology by initiating pilots and proofs of concept. The aim was to understand how the company could grow earnings and deliver value to the business while working through the lens of cybersecurity, without creating residual weakness by introducing a lot of new interconnectivity within its environments.



Keywords: IT/OT Convergence, Cybersecurity, Digital Transformation, Edge Computing, ExxonMobil, ARC Advisory Group.