Like many technologies in the industrial automation sphere, networking technologies are generally installed for the long haul. In essence, if it ain’t broke, don’t fix it.
 
But with the advance of Industry 4.0 and Industrial Internet of Things initiatives bringing IT and OT (operational technologies) closer together, a move toward more regular upgrades of industrial network technologies looks to be underway - at least in some verticals.
 
According to Schaffer, the frequency of network upgrades across industries does, of course, tend to deviate - due to “the nature of the work in a particular vertical and the amount of capex involved. On the low end, it tends to be every five years, but typically ranges from 10-20 years. In the IT space, where I’ve spent much of my career, the standard is to upgrade every 3-5 years to keep up with technology changes.”
 
Speaking about upgrade practices in particular industry verticals, Schaffer said the water/wastewater and electric power industries tend to have longest intervals between upgrades cycles. In these industries, going “20 years between upgrades is not uncommon due to specialized network design” and the relevant attitude around NTAR, i.e., never touch a running system.
 
On the contrary, the oil and gas industry refreshes a lot more regularly, particularly over the past a few years with the upsurge in this industry’s profits. “They’re also embracing a much more data centric model of operation,” said Schaffer. “To get access to that data, they need to upgrade more frequently. They’ve also seen crippling effects of cybersecurity attacks - like the one impacting Saudi Aramco (in 2012), which is making them much more proactive. On the discrete side of industry, automotive is leading the charge because they’ve been actively embedding IT into their OT ranks. So, they have more of that three- to five-year upgrade mentality.”
 
Beyond the technological benefits, Schaffer said one of the biggest business advantages of a network upgrade is that it provides the perfect excuse to update, validate, and clean up documentation. “Too many times I’ve been in plants asking about what devices are connected to the network and what they’re connected to on the network only to find that the documentation is out of date. No one knows the answer—so it’s difficult to manage the network from an operational and cybersecurity vantage point. I’m a big believer in knowing your network. Whenever you do an update, it gives you the perfect opportunity to re-acquaint yourself with the infrastructure that makes your plant tick.”
 
The biggest impacts to be obtained from a network upgrade will take place on the higher end, where IT and OT meet, said Schaffer. “The closer you are to the high end of network - where data is going to edge or cloud - that’s where you see a change in the mindset in the past couple of years. If you want to take advantage of these new capabilities, you need to upgrade regularly here.”
 
Schaffer also suggests taking security into account as part of your network upgrade. He suggests three best practices here:
 

• Follow the principle of least privilege (or least authority). A device should only be allowed to communicate with what it needs to communicate with. Give it the connections and access rights it needs and nothing more.
• Proactive defense in depth.Layer your defenses with different and various techniques and technologies. Having just one firewall with no defenses behind it is not ideal.
• Know your network. Logging, auditing, monitoring, performing baselines, and understanding what your network should look like normally is a huge benefit when something goes wrong. For example, if your network normally sees 7 mbps traffic levels and you see it spike to 27 mpbs, you can focus on the devices generating the extra traffic.

 
When it's about answering the reader question about how often industrial networks should be upgraded, Schaffer noted that, “while mileage may vary, I suggest patching once per year at least, with once per quarter being best, and doing a full technology refresh every 5-7 years.”
 
TRONSERVE