Mind the gap
As control systems increasingly link up with corporate IT networks, control engineers need to learn extra skills, reports E&T.
You can't dispute that the control engineer's job has changed radically over the past few years. Not long ago, anyone joining the profession would have found themselves on an island of proprietary and highly customised systems, with little if any contact with the wider world.
All that is changing, though, as Ethernet and other commercial off-the-shelf (COTS) IT technologies find their way into factory-floor control systems, which in turn are increasingly being connected to corporate-wide IT networks.
The advantages are clear. COTS offers proven and stable technology, such as Windows-based human-machine interfaces and soft programmable logic controllers, that can be implemented across all of an enterprise's control systems. Connecting them to the IT network allows the control function to be dovetailed with those such as production and resource planning - but it also brings new risks and needs new skills.
So when is the time ripe for control engineers to start beefing up their IT skills? Justin Lowe, a managing consultant at PA Consulting who focuses on SCADA security, says: "The trigger would be anything where IT comes into play in the control environment - whether it be implementing a new control system, changing or upgrading an existing one or linking it to an IT network."
The driver is security, he says, because control engineers now have to contend with the risk of their networks being hacked into via corporate IT systems and the Internet. IT professionals are used to this threat; control engineers aren't.
Bridging the skills gap between control and IT can be accomplished in broadly two ways - job swaps and training courses. Lowe says there's a place for both: "You also need to bring about closer engagement, by bringing the IT people more into your environment.
"For example, if you want to install a firewall or network connection, then bring the IT people in on its set-up. This will help foster closer working on a day-to-day level. But remember also to include them in projects. IT tends to be involved at too late a stage, so early engagement is important. It's all about building bridges, and promoting cultural change in the organisation."
He says job swaps are good because they build this engagement, helping IT people and control engineers to understand their differences and similarities - with the focus being on the latter. He also says: "A drawback with job swaps is that once they're over, people tend to revert back to their original comfort zone. One week is not enough, which is why there's a need for ongoing engagement."
There's also a need for some proper, accredited training. But where do you start?
"The first step is to look at the training needs," says Lowe. "Carry out a training needs analysis by looking at a person's role, what skills they already have and what skills they need.
"Also, look at who needs which skills, as they won't all be the same. Once you have a good understanding of these training needs it will be easy to identify the right training courses or other capability development methods," he says.
It's not as simple as it sounds. As Lowe warns: "There are courses out there but some of the straight IT courses are a bit 'vanilla', in that they don't focus on engineers' needs." In fact, he says, there's a gap in the market in this respect, as he's not aware of any UK providers of IT courses for control engineers.
So you'll have to look further afield, for example to the US. "The International Society of Automation [ISA] is one of the few organisations that runs courses in this area," says Lowe. "It's important in this field because it's leading the drive for training standards."
The ISA offers online training from its North Carolina base as well as lab-based courses at locations around the world. For Europe, ISA courses are held at TWP Training in the Netherlands. As the ISA's director of convention, education and certification services Dale Lee explains: "Broadly, the online or distance learning option tends to be better for software-based courses, and could be the better option at the moment for engineers in the UK. But the lab-based courses are instructor-led, so they're better for the hands-on type of course.
"Security and wireless are particularly important areas, but we've also seen a rise in courses in subjects such as Manufacturing Execution Systems, Open Control Systems and data comms," she says. "To put this rise in perspective, we've taken on 25 per cent more students across the board in the past year alone."
ISA students are mostly from larger organisations - utilities, multinationals and so on - but with fees running to thousands of dollars, how can hard-pressed small and medium enterprises access such training? Justin Lowe says they can either go it alone or consider approaching his company, for example.
"PA Consulting is not really a training provider but we have developed awareness and training programmes as part of our broader consultancy work," Lowe says. "They're mostly on security, but because they cover aspects such as networking, Internet protocols and so on, they embrace the wider IT issues."
Continuing professional development
But Lowe is also keen to point out that training is just the start. "Going on a course is a one-off or tick-box exercise," he says. "There's the wider development issue, because we're talking about a field where the nature of security threats and the technology itself are changing so quickly.
"It's all about continuing professional development [CPD] - keeping up with industry developments, closer working with IT, attending conferences and keeping up with blogs, newsgroups and so on."
One person who's gone through the initial training and is now at this CPD stage is Ian Henderson at BP. Originally a control engineer at the company, he's now BP's digital security adviser and a member of its digital security team, which provides cyber-security guidance and standards for the company's process control community. He's been in this role since 2002.
"I'd witnessed the migration to the modern, COTS-based technologies, so as part of my work I had to start learning more about the IT side," he recalls. "On the IT side of the organisation, meanwhile, they had begun looking at the control systems and wanted to bring control engineering into the digital security community. There was also a perceived need within BP's digital security team to bring in engineers to provide a tailored IT service.
"When the job was specified there were two possible routes in - bring an engineer on board and develop their IT skills, or develop an IT person's engineering skills," he says. "I think it was felt it would be easier to bring in an engineer, but that's not necessarily because engineering skills were felt to be harder to learn, it just happened to be the case with BP. It might be different in other organisations."
He adds: "I saw in the job the chance to exert influence over all BP's control systems, to play a more strategic role - a chance engineers don't get often enough. In a sense, I'm a kind of ambassador between the two functions. The IT and control engineering worlds are much closer together in their objectives than either of them would perhaps care to admit.
So what's it like for a control engineer to take on an IT role? "First of all, the learning curve was extremely steep - much steeper than I'd imagined. This was partly because of the sheer scope of my new role, as I was moving from local to global," Henderson says.
"The other reason was that, at the time, the field of SCADA security was still so new that there were no manuals or peers in other organisations to refer to or approach for advice. So, in terms of support, I felt rather as though I was blazing my own trail. I must say, however, that I did get a lot of support from the leadership of the IT security team."
He initially gained his IT skills through the US-based SANS Institute, which runs intensive six-day 'boot camps' around the world (his was in Amsterdam) on security essentials, aimed not just at control engineers. He then took an exam through Global Information Assurance Certification.
"This kickstarted my learning," he says. "But I also picked up many of my skills from mainstream IT security people, who were incredibly helpful."
And he agrees that CPD is very important - in IT as well as control engineering. "In our security team we require formal accreditation, and to maintain that accreditation we need to show we've done so many hours of CPD each year, rather like a pilot who has to put in the flying hours in order to keep their licence," he says.
"So, to this end, I've also recently become a member of the Institute of Information Security Professionals, which looks to promote and professionalise the IT security industry and is very much into CPD."
Henderson says he's very keen to make the engineering and IT worlds work together better. "The two are not really that far apart - they have common objectives but there's still a gulf between them, and I see my role as bridging that gulf. And I'd like to see others do that too.
"Engineers should consider a move into IT as a positive career step."