Why shadow IT is a risky bet for OT departments
Shadow IT has a bad rap. The phenomenon occurs when line of business (LoB) departments unilaterally make IT decisions and use their own budgets to make IT purchases. Thirty years ago, the shadow IT concept was practically unheard of, as central IT controlled access to enterprise-grade digital technologies and served as gatekeepers of the knowledge necessary to use them. Fast-forward to today, and LoB departments—including operations technology (OT) groups responsible for production, maintenance, and other industrial processes—are more empowered to do IT on their own, often with no central IT input or oversight.
Lots of things can go wrong, as OT groups consider new technologies such as Industrial IoT and artificial intelligence to boost automation, increase efficiency, and gain new insights into operations. Unsecured IoT devices or unpatched servers become attack vectors and potentially turn into staging points for distributed denial-of-service (DDoS) or ransomware attacks. Systems that are poorly implemented may create headaches down the road or shutdowns on the shop floor. And even if the shadow IT project is well-planned and does what it's supposed to do, when it comes time to scale the system or extend it to other facilities or use cases, it may need to be ripped up because it hasn't been architected to work with other systems.
Growth of shadow IT
Shadow IT is not just a buzzword or fad. It's a real trend, along with the rise of other IT implementation models controlled by LoB departments. Some LoB managers spend more than 30 percent of their time making IT-related decisions, according to a C Space report. This includes identifying IT needs, researching solutions, and keeping up to date on new technology. Scenarios may involve client departments demanding central IT resources (and getting them) as well as LoB departments hosting embedded IT, with database administrators or technologists coordinating with central IT on new projects. However, the report also pointed to the growing prominence of shadow IT.
"Shadow IT comes up, because it's easier and faster to get things done," says Colleen Schulz, a senior C Space consultant who co-authored the report. "It could involve getting an application onto a phone or a large application for the department."
IDC predicted IT spending funded by non-IT business units to reach $609 billion in 2017 and be nearly equal to funding by IT departments by 2020. In discrete manufacturing, IT spending by LoB groups was expected to exceed IT organization spending, the IDC report says. LoB spending on IT will often be coordinated with or approved by central IT, but IDC says that its estimates include shadow IT as well.
The classic shadow IT example is the sales department installing Salesforce on its own, or the website team signing up for Stripe to accept online and mobile payments. Databases, banking services, and even industrial applications at one time required knowledgeable IT staff to implement and maintain them. Nowadays, such systems are much easier to activate and use by LoB employees or IT specialists working under LoB managers.
Problems can arise, though, when a system goes down or can't be configured. That's when the IT cavalry must be called in to save the day—or mop up the mess.
C Space co-author and senior consultant Jon Strobel says that in many respects, shadow IT is connected with a generational shift as more millennials enter the workforce with the expectation that workplace technologies will be as sophisticated and easy to use as what they encounter in their personal lives. There is also the bring your own device (BYOD) trend, in which a worker may prefer to use their own phone or tablet instead of the one supplied by central IT.
When IT intersects with OT, it's not just smartphones and customer lists that are involved. OT handles the core activities undertaken by industrial companies, whether it's manufacturing or energy production or exploring for oil and gas. The engineers, operators, and managers are responsible for the heavy machinery, industrial robots, and vehicles and equipment on the shop floor or out in the field.
In recent years, industry has accelerated the pace of digital transformation, thanks to the rise of sophisticated applications, robust networks and connectivity, and the IoT. According to Dr. Tom Bradicich, vice president and general manager, IoT and Converged Edge Systems, at Hewlett Packard Enterprise, the "things" in IoT greatly increase demand on IT systems and become remote IT systems themselves.
"One way they become smarter and more intelligent is to embrace and manifest IT characteristics," Bradicich says. "There was a day when an industrial pump had no computer on it. Today, it can have a computer and sensors on it."
Spending on IoT will grow at double-digit rates over the next three years, according to IDC, and is predicted to reach $1.1 trillion in 2021. Approximately $239 billion of that figure will be hardware spending, dominated by spending on modules and sensors. When broken down by vertical, manufacturing is forecast to make the largest IoT investments, followed by transportation and utilities, IDC says.
The fact that high-tech industrial equipment and processes are more and more likely to be connected to an IT network or require additional customization and systems work means that IT staff are now needed in OT settings. In many cases, this is not a challenge. OT engineers and their IT colleagues at a power plant or factory will be able to work together on the converged architecture. There may be challenges getting OT and IT on the same page, but those challenges can be overcome. The end result of such convergence can generate real business value (see The Intelligent Edge: What it is, what it's not, and why it's useful).
In some cases, however, OT teams may turn to a shadow IT solution. According to Bradicich, various factors may contribute, starting with IT's insistence on a stricter regimen for connected OT systems.
"The traditional IT-CIO role was to protect the mothership and create a secure network that handles mission-critical applications such as email or payroll, or conducts the business of medicine, the business of insurance, the business of sales, whatever the business is," Bradicich says. "When OT begins to hook up to that network, it poses a threat because it's a foreign body or a foreign node connected to the network and may not have the practices of firewalls, virus protections, cybersecurity, and hacking protection that IT has."
IT's concerns are well-founded. Gartner predicts that by 2020, more than 25 percent of known enterprise security attacks will involve IoT. The IoT botnet known as Mirai leveraged vulnerable IoT systems including network-connected cameras, home routers, and enterprise web servers to launch DDoS attacks against a DNS provider, a European ISP, and an African country's connection to the Internet.
"From what we've seen, LoB [groups] have a limited sense of security, largely defined by the requirements of their function," C Space's Strobel says. "IT has a much broader view which extends beyond the specific needs of the business units and encompasses the organization's entire IT environment. IT also knows that any breaches will be on them, not the business unit, so they manage security."
Nevertheless, OT may decide that it doesn't need IT or IT's rules to manage controllers, factory systems, or other industrial machinery that is critical to keeping operations running. IT may slow down OT, or IT staff may even insist on drastic action, such as shutting down production systems until security capabilities have been enabled.
Bradicich says OT's concerns about IT interfering with operations drive some industrial teams to turn to shadow IT. "You can go out to an OT facility such as a manufacturing site for jet engines, and you'll find IT there," he says. "It's just not run, managed, or sometimes even known by IT. I've actually had OT customers tell me, 'please don't tell the IT organization what I'm doing.'"
According to Bradicich, moving in a rogue manner may be understandable and even sanctioned by IT, in a limited number of cases, such as an operations group seeking to innovate quickly in order to preserve a first-mover advantage.
However, he adds that shadow IT in an OT setting is not sustainable. It's not just the increased risk of a security breach or a systems failure from an unpatched or misconfigured system. Bradicich believes OT-IT convergence will be necessary to realize better efficiencies and lower costs, and to achieve better synergies. "Cooperation is going to be necessary to scale to get to the best outcomes," he says.
Besides working to get OT and IT departments on the same page, Bradicich says companies can turn to third-party vendors that offer integrated solutions that marry OT and IT for industrial customers.
The products serve specific industrial use cases, such as a QA system that analyzes video feeds for anomalies on an assembly line or a smart electricity grid that can not only predict demand, but also manage individual customers' usage and adjust recharging stations and appliances to consume power during cheaper off-peak periods.
Bradicich notes that one of the less obvious benefits of such convergence is that IT staff is more flexible, enabling them to manage OT systems using proven best practices from IT. Even advanced OT technologies such as industrial robots and precision instruments have not been easy to configure or operate, compared with the open systems and tools available to manage a modern server in a data center. Convergence brings that ease of management—and transferable skills—to OT environments.
"If I need to send someone out to work on an open converged OT-IT system, it could be the same person that's working the data center," Bradicich says. "And if they are sick, I can send out someone else who has the same fungible skills, because they've all learned the same technology and standards."
Shadow IT in OT departments: Lessons for leaders
- Shadow IT is real. It may be present in your organization or in OT departments across your supply chain.
- Even though central IT is usually kept in the dark about shadow IT, it may have to take over when problems crop up. IT may also have to take the blame when a true crisis arises because of a poorly planned or implemented shadow IT solution.
- Moving beyond shadow IT to OT-IT convergence can lead to better efficiencies, lower costs, and real business benefits, including innovative new processes and new opportunities in primary marketplaces and adjacent categories.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.