Pervasive Security and Control Systems

With cybersecurity so much in the news, I found myself in a heated discussion the other day about whether IT should take over SCADA, and in particular SCADA security, or whether it should not. SCADA (System Control And Data Acquisition) refers to the technologies that run large processes. In common use, it refers primarily to the large distribution systems, such as those for electricity, water, and gas. SCADA systems were usually designed to operate with the extreme resource constraints of last-generation technology. SCADA systems have traditionally been secured primarily through isolation. Any signal that breached the outer shell was considered trusted.

It is an interesting characteristic of technology that when it is everywhere, it is no longer anywhere. Take timekeeping, one of the oldest automated technologies. Modern time technology sprang from the monastic orders of the Middle Ages, wherein it was important to track the time for prayer and the ordered life. As time-tracking technology improved, it was moved into the clock tower or cathedral in the center of town, and used to order the economic life of the townsfolk.

Time was later brought into the homes of the wealthy, and then adopted, in the form of mantel clocks, by the middle classes as a luxury. This was followed by personal time, in the form of pocket watches, which were a sign of wealth or were awarded at retirement as thanks for long service. Time kept growing cheaper until digital time arrived in accurate wristwatches at disposable prices. Today, time is everywhere, in ovens and in coffee-makers. Time is more important than ever, as very precise timekeeping is at the heart of telecommunications and the internet. Precise, centrally managed time is in every cell phone, yet time is nowhere, and watches and mantel clocks are becoming scarce.

There is a common meme in management circles that IT is becoming pervasive, and therefore beginning to fade as a separate department within companies. We have central management of network communications as a critical facility. There may even be central operating system and hardware management within a data center; that data center may instead be outsourced and no longer part of the corporate skill set. In the service-oriented world, there is central technology governance to describe how technology from each division fits together. Subject to that guidance, the divisions and departments are free to manage their own development and make their own decisions.

At the beginning of the 20th century, it was not uncommon for manufacturing corporations to have people with titles like Vice President of Electricity. The person who held this title had all sorts of strategic responsibilities. As electricity became pervasive, this role became less important. As everyone grew to understand, more or less, how to use electricity (Use the plug. Don’t drop a paperclip on the leads), the need for specialists at every step of the process diminished. I have seen hotel wiring for lights installed by Edison's own hand; none of us can imagine the CEO of a large research and engineering firm doing that contract today.

Today, electricity is everywhere and it is nowhere. Outside of those businesses that are directly involved with the production and distribution, the strategic use of electricity has vanished. Oh, you still need an electrician or two on the maintenance staff; he may also be a plumber. Electrical engineers are needed to design systems for factories or buildings. Electricity as a profession in each organization is gone. Plug in your own lamp and computer!

In a similar way, IT is becoming everywhere and nowhere. I have a computer far more powerful than any available in 1970, and with more networking bandwidth than any in 1990, sitting in my pocket. It is also able to create and process video and has a display capability greater than any but the highest-end computers of two decades ago. I carry it everywhere; it may be company-issued, but it is never touched by company IT. Sometimes I make phone calls with it.

A decade ago, every resume claimed some experience as a webmaster. Now very few do, although they have Facebook pages and a facile familiarity with HTML. Every salesman and every factory quality team performs computerized statistical analysis as part of their work, although none of them claim to work in IT. The specialized staff who install the physical infrastructure of networking have fused with those doing analog telephony.

Much of IT is gone. Security policy staff are rising in visibility, but growing fewer in number as they use policy-based tools. Software installation staff, necessary as policy locks out most users from modifying system configurations, grow closer to electricians in education and in perspective. The CIO becomes a specialized sort of efficiency expert. From this perspective, either the control systems staff and the accounting staff are both IT, or both are “not IT”.

IT security offers a set of disciplines and mind-sets useful to those building their current systems with today’s tools. Knowing IT security assists the control system engineer in the same way that knowing accounting is the path to advancement for the accounting clerk. Knowledge of auditing principles makes a better manager, just as other IT security skills make a better SCADA system architect.

I think most organizations will not have IT functions per se in the future, unless they are designing electronics or creating new graphics systems. I think SCADA and control systems will not be run by IT, but will be perfused by the pervasive IT all around. System design and system architecture will still matter. IT security, with the newly popular moniker cybersecurity, will be everywhere. But IT will be gone.