From broadband IP to security on factory systems


As we approach 2005, Brian Tinham looks at some key IT and network infrastructure developments that need to be on the business agenda

With 2005 just around the metaphorical corner, what should be on your IT agenda? Not which production applications, which CAD, which engineering management IT, what kind of MES (manufacturing execution system): for our take on all that, see page 36. Here we're concerned about the IT and network infrastructure. Issues that need to be in the mix include, in no particular order, portals, middleware, legacy systems, security, consolidation, broadband, LAN and WAN technologies and services, storage, servers, thin clients, wireless and mobile systems, instant messaging, security again, business productivity and analysis tools, the services orientated architecture (SOA), web services, infrastructure management tools and outsourcing. Many of us are also going to have to tighten up on auditing, at least at the business process level, as the corporate regulatory environment tightens up. It's a long list, and there's inevitably more. It's also an important list, in varying degrees, because all of our businesses depend so heavily on our IT, which, after years of piecemeal growth, patching and customising, is invariably more complex than we would like.

So which, in a fast-changing (business, geopolitics and technology) world, should be your priorities? Given our networks' criticality, security has to be right up there – and this is no longer just about Microsoft; Linux systems are also being attacked. So it's particularly worth considering management, but also the implications for wireless and plant and factory systems. Tony Martin, managing director of infrastructure, security and storage management giant Computer Associates, is one who reckons manufacturers will soon be looking for packaged systems. "We're developing what SMEs will see as total protection solutions," he says. And who knows, we could be witnessing the birth of Microsoft-like 'out of the box' security.
There would be value in that: anti-virus, spam and content filters, firewalls and the rest at several levels, all consolidated and service-based instead of the 'best of breed' approach supported by Google. The point: it's time to get away from decisions around security done in departmental and functional silos. Security needs to be treated at a business process and service level, and for 2005 it makes sense to look for systems and suppliers that can perform full asset discovery and management, with logical reporting on, and management of, all your IT assets – everything that is currently quite difficult for organisations running complex infrastructures with large inventories of applications, machines and physical and virtual networks.

Business continuity

And while we're on the subject, remember also business continuity and disaster recovery. How good are your systems and procedures? How rapidly, and with what certainty, could you get back up and running? There are plenty of low cost systems and services now that can take the pain and risk out of all that: just as there are tools to automate help desk, admin and application roll-out delivery and management. Thinking of day-to-day security, consider also your storage. Yes, with modern NAS (network attached storage) boxes and SANs (storage area networks) it's cheap, flexible and utilisation can be good, but as data proliferates and languishes on corporate networks unused and unmanaged, it can open a back door to attack. Recent surveys demonstrate that most companies are falling foul of this one.

Then we come to wireless: Ian Hughes, wireless and security consultant with BT Exact, reckons 2005 will be the year wireless takes off. "Costs are falling fast, the hardware is now stable, the technology itself reliable and the IEEE standards are robust, with all remaining developments now about firmware upgrades. So companies won't be investing in something that's about to change."
And you get all the benefits of mobility, flexibility and convenience – both for office and some factory operations – with real megabit rates, even taking into account the relatively high packet losses, at least as good as 10Base-T (802.11 'b' runs at 6–8Mbps, 'g' at low to mid 20s Mbps, and 'a' at 20–30Mbps). That's great but there's a flip side: security is a real issue – actually, whether you think you have a wireless network or not. "Any PC or PDA bought in the last two years is likely to have wireless interfaces built-in, whether that's Bluetooth, infrared, whatever; and if the interface is active you're vulnerable. Most corporate security policies just don't recognise that, and it means companies are leaving themselves open to problems wherever employees plug in." The key message: "Manufacturers with a 'fortress mentality' to security aren't controlling the risks from wireless. For example, users logging on in the morning don't ask the network for proof that it is what it should be: they could be giving away their login and password." The security model has to change and we all need to understand that wireless is pervasive – particularly with equipment so cheap on the High Street.

Security is, however, also no longer just about business systems. It's becoming a serious issue for plant and factory IT, including production management and automation systems hitherto considered immune due to their isolation and proprietary design. This year there has been at least a tenfold increase in the number of recorded successful cyber attacks on process control and SCADA (supervisory control and data acquisition) systems since 2000. Why? Because manufacturers are using web connections with factory systems to enable remote monitoring and control.
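Hughes' point that a user should demand proof of the network's identity before handing over a login, written out as an added Python example. This is not code from the article, BT Exact or any product it names: the shared-key HMAC challenge-response, the class names and the demo secret are hypothetical teaching constructs, and the "rogue" access point is simply one that does not hold the key. A naive client sends its credential proof to whichever access point answers; a verifying client challenges the network first and refuses to continue when the answer does not check out. In real wireless deployments the network's proof is a server certificate the client validates under methods such as EAP-TLS or PEAP; the shared key stands in for that here so the exchange runs offline.

```python
"""Mutual proof before credentials: a constructed demonstration.

The HMAC challenge-response below is a teaching simplification
(hypothetical protocol), not 802.11, 802.1X or EAP.
"""
import hashlib
import hmac
import secrets

# Constructed demo secret shared by the legitimate network and its clients.
# In a real WLAN the network's proof is a certificate the client validates
# (e.g. EAP-TLS or PEAP); a shared key stands in for it here.
NETWORK_KEY = b"constructed-demo-key-not-a-real-secret"


def prove(key: bytes, challenge: bytes) -> bytes:
    """Answer `challenge` with HMAC-SHA256 under `key`."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AccessPoint:
    """A network. A rogue one holds the wrong key but still answers."""

    def __init__(self, key: bytes):
        self._key = key
        self.captured = []  # credential proofs this AP has received

    def respond(self, client_challenge: bytes) -> bytes:
        # The network answers the client's challenge with whatever key it has.
        return prove(self._key, client_challenge)

    def receive_login(self, username: str, proof: bytes) -> None:
        self.captured.append((username, proof))


class NaiveClient:
    """Logs in as the article describes: never asks the network for proof."""

    def __init__(self, key: bytes, username: str):
        self._key = key
        self.username = username

    def login(self, ap: AccessPoint) -> str:
        nonce = secrets.token_bytes(16)
        # Credential material goes out before the network has shown anything.
        ap.receive_login(self.username, prove(self._key, b"login:" + nonce))
        return "sent credentials"


class VerifyingClient(NaiveClient):
    """Demands proof of the network's identity before releasing anything."""

    def login(self, ap: AccessPoint) -> str:
        challenge = secrets.token_bytes(16)
        expected = prove(self._key, challenge)
        if not hmac.compare_digest(ap.respond(challenge), expected):
            return "refused: network could not prove its identity"
        # Only a network that knew the key reaches this point.
        ap.receive_login(self.username, prove(self._key, b"login:" + challenge))
        return "authenticated"


def demo() -> dict:
    """Run both clients against a genuine and a rogue access point."""
    genuine = AccessPoint(NETWORK_KEY)
    rogue = AccessPoint(b"rogue-ap-has-no-key")
    results = {
        "naive_vs_rogue": NaiveClient(NETWORK_KEY, "alice").login(rogue),
        "verifying_vs_rogue": VerifyingClient(NETWORK_KEY, "alice").login(rogue),
        "verifying_vs_genuine": VerifyingClient(NETWORK_KEY, "alice").login(genuine),
    }
    results["rogue_captured"] = len(rogue.captured)      # only the naive client leaked
    results["genuine_captured"] = len(genuine.captured)  # the verifying client, after proof
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the exchange is the whole point: the verifying client's credential proof is computed from the same challenge the network has just answered, so nothing derived from the user's secret leaves the device until the network has passed its own check.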
We're also using more mainstream IT such as Ethernet, TCP/IP and web technologies with which hackers are familiar; we're deploying more wireless systems for plant instrumentation; and we're integrating our (more vulnerable) business systems with factory systems for good, solid business reasons. A report released last month by the British Columbia Institute of Technology (BCIT) and PA Consulting, on attacks on utilities, is genuinely shocking. Recent examples of attack include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities, and a wireless attack on a sewage system in Australia. In the latter, a disgruntled consultant managed to hack into the utility's control systems from a laptop and release thousands of gallons of raw sewage.

Factory issues too

There are serious problems to resolve here. Sadly, corporate IT security measures often cannot be applied directly to factory systems. We can't just lob in best-of-breed filtering and protection systems, with active patching over the web, for example: that too could spell catastrophe for factory systems. Plant managers, IT vendors and regulatory authorities are going to insist on testing and accreditation first. But all that takes time – not a luxury usually afforded by hackers. Meanwhile, most control system vendors don't currently provide much cover – even though the instrumentation they connect to increasingly has wireless options, like Bluetooth. PA principal consultant Justin Lowe says it all: "All organisations that are reliant on process control and automation systems need to sit up and listen. Organisations need to engage with both their engineering and IT employees now to undertake security risk assessments … and ensure effective protection measures are developed and deployed."

Moving to a less worrying, but just as essential and potentially expensive matter – integration – the big issues for 2005 are middleware, its management, the emergence of web services and maybe the SOA.
Chris Horn, CEO of middleware company Iona, makes the point: "Middleware, connecting different applications, databases and servers, has paradoxically become more complex than it was 10 years ago." Proprietary solutions, like IBM's MQ Series and Tibco, are out there, along with systems based on standards like CORBA, J2EE (Java) and now web services. "But if it's mission critical, companies aren't going to replace all that stuff. So they now need middleware for their middleware!" And it's not just about providing bridges between middleware systems that in turn connect your legacy applications and systems: it's also about ensuring good operational management, security again and the rest – by linking into infrastructure management systems from the likes of Computer Associates and Tivoli. But there's good news: "With the kind of middleware available now, you don't have to replace what you've already got to achieve the integration you might need – any more than you have to replace your legacy systems," says Horn. "But if you do decide to do it, you can do so piecemeal." He calls it 'pragmatic integration', which is kind of encouraging.

Service orientated architecture

What about web services? Yes, Horn sees standards-based re-usable component applications and the integration technologies that underpin web services as the way to go, but he's not so sure about timing. "Maybe in the second half of the decade," he suggests. "The web services technology stack is not yet sufficiently mature to scale up to mission critical, large scale use." He's equally cautious about industry's adoption of the much-vaunted SOA concept, which treats business functions as the key components, not your major applications – effectively defining a loosely coupled architecture that delivers your business processes from the existing applications, infrastructure, integration, desktops, security, governance – the whole piece.
"The model is one of decomposing monolithic applications into re-usable components – but you need to think carefully about the granularity of those and their operational management," says Horn. The technology and the benefits are there in terms of providing a more dynamic infrastructure with which to handle faster changing business needs, but the issues are first creating an SOA in those terms and then managing it, with security, failover, fault tolerance etc. "The puddle may be deeper than many realise," he adds.

That said, SOA will see more uptake, and Carl Bate, head of enterprise architecture for Cap Gemini, reckons sooner rather than later. He believes that larger businesses certainly have to go the SOA route, at least piecemeal, for two reasons: much needed IT agility, aligning IT closely and quickly with changing business process needs; and reduced IT project costs as departmental applications and functionality become re-usable. "The SOA is about establishing an end-to-end vision of business services," he says – and incidentally he specifically distances it from web services' fortunes. "If you focus on web services only, the benefits of business agility are hard to realise. It's like focusing on 4GL or client/server technology." Ron Grevink, director of strategy at integration specialist WRQ, agrees, explaining that web services are the preferred SOA technology because they're open, standards-based and provide standard ways of defining business processes – but you can also create an SOA using Microsoft .Net or Java. Grevink's point: "It's becoming increasingly difficult to keep up with business cycles – the way businesses need to provide information to, and receive information from, customers, suppliers and partners to maintain competitive edge. If they need to change every six months, you need to implement change within three.
IT developers didn't have that kind of pressure before… If you don't do it the SOA way, you have to keep on investing in new packaged or custom systems. With an SOA, you don't do that." Top tips for 2005: start your SOA thinking at the business level – how you want to streamline your company, where you need to create competitive advantage. Then, with a business analyst, define your required business processes. As Grevink puts it: "Look at what business processes do I have and where are they. If some are missing, how do I get them out of my packaged or legacy applications, or develop them from scratch?" And for those wondering how to expose business processes as services, ERP systems are increasingly coming with web services interfaces: the issue is more with legacy systems, like mainframe Cobol systems, AS/400 RPG and Unix systems, which can't directly co-operate. "For these you need to build an API or use 'wrappering' tools that expose the business functionality they contain and make it re-usable," says Grevink.

Integration

If that's all sounding difficult, it needn't be, even if, like most, you don't know the detail of your business functions inventory. First, there are your power users, who have a great deal of knowledge about their systems. Go and mine them. Second, there are excellent discovery software tools that (with well known caveats around what runs when and how frequently) can develop a model of much of your functionality for you. Thereafter you have options as to the level at which functionality is connected – integrate at the data level (not recommended as inflexible), screen-scrape (ditto and too tightly coupled) and programmatic integration (loosely coupled and genuinely re-usable). No-one is saying all this is cheap: it's not.
Sorting out and understanding your architecture costs money and time, but as Cap Gemini's Bate puts it: "Ultimately, if you don't do the architecture piece, then you're going to add complexity and you could also be adding costs."

Moving on to network communications, the advice is go broadband and IP for everything. More than that though, David Harrington, head of regulatory affairs at the CMA (Communications Management Association), reckons we should be preparing to rethink our wired and non-wired ICT frameworks. "Prices for DSL are now about an order of magnitude down on leased lines," he observes, "and larger companies are saving tens of thousands of pounds on their enterprise networks. If you partner with design companies, for example, you can get 10Mb and 4Mb each way from companies like Bulldog." He makes the point that the choices around symmetric and asymmetric links now cover virtually all data and business transactions, and adds: "BT is offering 1Mb as standard now in urban areas." The only caveat: as we go to press, the situation is looking somewhat fluid, with BT preparing to change its pricing structure to DSL service providers – moving from capacity-based to usage-based pricing for the BT Central products that link IPStream-based ISPs to the BT Wholesale network.

Broadband everywhere

As for the internal picture, Harrington suggests that again IP is the only sensible way forward. "Voice over IP, multi-media over IP: if you're looking to upgrade your systems, then it's time to get rid of your telephone switch and replace it with an IP switch for everything. The savings are considerable and the payback can be from just a few months to a couple of years, depending on what you already have." Interestingly, he extends the thinking to broadband wireless, which he describes as a "disruptive technology," threatening to take on the 3G mobile market. "Within the next 12 months we can expect IP on mobile.
There will be multi-purpose phones with, say, Bluetooth for access points in the home, and WiFi and broadband externally and on the move. There is already a trial at Belfast running 802.20 and achieving mobility at up to 80mph. Business users will be able to have their laptops live throughout their journeys."

Just space for a few more thoughts for 2005. First, grid computing may be more applicable than you think – beyond high performance technical computing, CAE (computer aided engineering) and the like. Increasingly, best advice is that 'cycle stealing' should be considered by any larger company looking at consolidation and/or virtualisation of their IT infrastructure. Jeff Ishii, Platform Computing's director of services for manufacturing, says: "Companies are already using grid in various ways, but executives aren't aware. Business applications on mainframes, for example, are moving to Unix and Linux clusters." What's missing is a good understanding of the cost/benefits outside engineering, and we can expect answers to that next year, with the publication of Platform's 'Economics of Grid' study. In the meantime, Ishii points out that his company has analytical tools that can help establish where grid would make sense, and insists that grid systems, once implemented, are now easier for users to access and for IT departments to manage. It's still early days, but worth putting on your agenda if you like the sound of savings of 20–40% in terms of compute capex deferral, and the opportunity to improve utilisation.

Finally, spare a thought for your client infrastructure. More companies are now going for server-based architectures with the modern equivalent of mainframe terminals – thin clients that run from Citrix, Microsoft Terminal Services and the like. Market leader Wyse Technology's systems also run Java and web material, and can access legacy systems.

Client server

Stephen Yeo, Wyse director of marketing, notes several benefits.
"There's no risk of viruses, no local data to lose or steal. They're robust, reliable; they can be supported remotely, so in distributed factory environments, everything can be handled without ever visiting the site. Also, if they're attached to equipment like CNC machines, robots or merely SFDC [shopfloor data collection] stations, all the device drivers are embedded in flash memory – so again, more manageable and more reliable." The limits: they're not for graphics hungry applications, nor for power users on the move who (obviously) still need laptops. Interestingly, Wyse recently ran its own version of the Pepsi challenge, pitting powerful PCs with Office applications against thin clients – and seven out of 10 users, who didn't know which they were using, plumped for the thin client. All of us have an infrastructure anyway, but Yeo insists that moving over time to thin clients is a doddle. "You don't have to beef up your network: you may need to invest in the server back-end and you may want to roll out thin clients as your PCs come up for renewal, but that's it." Those against the approach, however, say the cost of the more powerful server base outweighs any client savings. Maybe worth taking another look though.