Ann, vendors from companies like Rockwell and Siemens say that this arrangement has effectively solved the problem of the conflict between control and IT. The goal apparently is for everyone to take the side of the company and not the side of control or IT.
Sometimes it is important to install patches in a timely manner, particularly if a new exploit is a zero day. So it boils down to this: A hacker or an exploit takes down your plant. Who are the executives and shareholders going to lynch, IS or the plant management? I can tell you it will be IS, and the argument will be that IS didn't explain the urgency clearly enough (which they did, but were ignored), and that IS is ultimately responsible for computer security.
Cabe, this problem will grow as plants continue to shift to wireless devices. It's one thing to protect a wired network, but a wireless network is even more vulnerable. Wireless is attractive because it costs less and you can put a device in places where it's hard to run wire.
One of the clashes between control and IT is that IT wants to update the patches more often than control has scheduled downtime. So, to meet IT's desired updating, control would have to shut down the plant more often.
I see your point, AnandY. The mandates of IT and control are absolute. For IT, no security breaches. For control, no downtime. I've heard vendors talk of peace between the two when a committee is set up to solve these issues and both IT and control are represented on the committee.
At least when IT takes down services to install patches, it should be a scheduled maintenance period. Hackers don't care about schedules. I'd rather have a scheduled downtime to install patches than unscheduled downtime because I couldn't. But as I read the article, it emphasizes the trend that users are pushing technology into the work environment without understanding the implications. IT must have time to evaluate the risk and do what they can to minimize it. If it cannot be eliminated completely, IT needs to communicate their concerns to management. Then, if management decides to sign off on the risks, IT has done their due diligence and responsibility now rests on management. But again, IT must have time to research and test the technology in their environment. This is no different than the standards of good manufacturing and design: R&D and QC.
Working a truce between the IT and control departments seems logical, but I think it is more theoretical than practically possible. If the teams couldn't work out an understanding on their own, I don't see how they will when sat down together at a round table. Their mantras dangle on opposite sides of the seesaw, so for the prosperity of one, the other will have to take a blow in the neck.
Point well taken, Digerati Ohm. But it works both ways. IT has to understand the plant can't shut down in order for IT to install a patch at 2:00 am. That works for the office PCs, but not for the plant PCs if the plant runs 24/7. I think both control and IT have an issue with outside devices. But often the clash between IT and control doesn't have anything to do with outside devices. It has to do with conflicting mandates.