#pAutomator: Eric Cosman, OIT Concepts LLC
For the #pAutomator this time, we spoke to Eric Cosman, Principal Consultant, OIT Concepts LLC (Texas). Cosman has been involved across various areas of Industrial Automation Systems security and is also a founding member and current co-chair of the ISA99 committee on industrial automation and control systems security that is responsible for the development of the ISA-62443 standards.
In this interaction, he explains the challenges faced while executing an automation project and points out the industry transformation in the upcoming years.
How has your journey been in this industry? What were your highs and lows?
My “journey” goes back over 40 years, and I remember each of them very vividly. Although my degree is in chemical engineering, early in my career, I had the opportunity to develop software for a custom process information system to use in a variety of chemical plants.
Through this, I combined my engineering training with a strong interest in software development and systems design. This eventually led me to a role as engineering solutions systems architect. I was responsible for managing an IT portfolio for the entire range of engineering disciplines. Along the way, I took assignments ranging from local and wide area network design to software project management.
Some of the major milestones include:
- Developing and implementing a human-machine interface (HMI) to direct supervisory control systems before such products were commercially available.
- Implementing Ethernet-based local area networks (LANs) in an industrial operations environment (c. 1984) well before this became common technology.
- Developing a comprehensive system and technical architecture for the entire portfolio of automation solutions for a global company with well over 400 manufacturing sites globally.
- Designing and implementing an operations cybersecurity management system for a global enterprise.
- Founding member of, contributor to and current co-chair of the ISA99 committee on industrial automation and control systems cybersecurity.
You have been actively involved in process control and manufacturing execution solutions. What are the challenges you face in your industry?
First, the challenge that those responsible for owning, operating and supporting manufacturing IT solutions face is the disparity between the life cycle of these solutions and that of the underlying technology. For example, information technology products and solutions (e.g., operating systems, networks, etc.) can have a half-life of 18-24 months.
However, asset owners expect their manufacturing IT systems to last for anywhere from 5-15 years. Most, if not all, of the more specific challenges derive from this simple reality. Consequently, the practical implication is that asset owners must take a “systems portfolio approach” to managing this technology. It’s essential that they understand all the interactions and dependencies between the system components to make the most appropriate decisions.
You are also a part of the ISA team, where you focus on industrial automation and control systems security. Can you walk us through the developments of this?
I am one of the charter members and current co-chair of the ISA99 committee. We are responsible for developing the ISA-62443 and IEC 62443 standards, thus addressing industrial automation and control systems security. This committee was formed in 2002 and has developed a suite of 14 standards and technical reports on the subject.
The standards in the series collectively define several hundred normative requirements. These apply to suppliers, integrators, asset owners and support providers. Several of these standards have been published, with several more completed and ready for issue.
What are the primary factors for executing an automation project? What challenges do you usually face here?
Earlier, I commented on the need for a systems portfolio perspective. Also, it is essential to understand the natural life cycle, from conception, development and delivery to implementation, operation and support. Each of the stakeholders has specific responsibilities in each phase of this life cycle, as well as expectations of other roles.
In cases where a project involves the addition of new system components or upgrades to existing systems, it is essential to have a detailed understanding of what is already installed. Unfortunately, this information is often not readily available in cases where a system may have been in place for many years.
Today, digital transformation involves more than an investment in new technology. It needs to evaluate its value potential, ROI, and the risk of investing in these technologies, while at the same time maximizing the outcome. How do you see this scenario?
Because value is typically not attached to specific elements or components, the starting point is the “systems portfolio view.” Objective value assessments are essential in the initial stages to justify the investment. However, it is just as important to define clear metrics for measuring achieved value after implementation. This is the only practical way to confirm benefits achieved.
Also, digital technology is not only transforming how companies in every industry go to the market but also restructuring interactions with customers. What is your view on this?
Delivering the products and services required and expected by customers is the essence of delivering value. Increasingly, this requires much closer interaction through the use of connected supply chains, etc. This, in turn, requires the sharing and exchange of much more information, often automatically and in real time. This – more than any other individual factor – is what is driving fundamental change.
Moving ahead, how do you see the industry transformation ahead in the upcoming years? Any advice for the next-generation engineers…
Perhaps the most important trend and development is the “blurring of the lines” between disciplines such as automation, information technology, systems design, networks and security. This means that experts in these disciplines must be able to look beyond their immediate perspective and form effective collaborative relationships with those in other disciplines.
A specific example of this is the need for collaboration between automation engineers, safety engineers, network designers and cybersecurity experts to design systems that are secure from attack and compromise.