Introduction to Containerization: Bridging IT and OT

Containerization is a virtualization technique that has existed since at least 2008. It is a type of software deployment that bundles together everything needed to run in a single package. This includes an application and all its dependencies. While historically it’s been used in IT environments, it has recently been gaining traction in OT. Modern containerization, popularized by Docker® since 2013, enables efficient, portable application deployment across diverse environments. Industry standards focusing on user experience with containerization have been formed by the Open Container Initiative (OCI). Containerization gives the ability to run applications that would have otherwise been limited by device or operating system. The goal of this post is to demonstrate containerization’s power to streamline application deployment across IT and OT environments, transforming efficiency in modern Industrial Control Systems (ICS).

Containers vs. Virtual Machines

The easiest comparison with containers is virtual machines (VMs), as both are types of virtualizations. A key difference is that containers don’t require an entire Guest Operating System to run, while VMs do and virtualize everything down to the abstract physical layer. VMs demand significant CPU and memory, limiting scalability in resource-constrained settings. Containers share the host OS kernel, making them lightweight and fast, with startup times in seconds compared to minutes for VMs. This efficiency stems from packaging only the application, libraries, and configurations. For example, a containerized app runs identically on a developer’s laptop or a cloud server, ensuring consistency across development, testing, and most importantly for industrial control systems: production.

Infrastructure: The physical hardware, such as servers, storage, and networking equipment, that provides the foundational resources for virtualization.

Host OS: The primary operating system installed directly on the physical hardware, managing resources and running the hypervisor.  

Hypervisor: A software layer that creates and manages virtual machines, allocating resources between the host and guest operating systems. 

Guest OS: An operating system running within a virtual machine, isolated from the host OS, used to execute applications. It relies on the hypervisor for access to virtualized hardware resources.

Containers in Industrial Control Systems

A key benefit to containers, especially in the ICS space, is the amount of space that a container requires—as Industrial Internet of Things (IIOT) devices typically have smaller amounts of memory and less processing power. Containers can be important for ICS systems as they are so lightweight and flexible that they can be used by many IIOT devices. In ICS, containers enable edge computing for real-time analytics, such as monitoring SCADA systems or processing sensor data on IIoT devices. Containers also support OT-IT convergence by enabling consistent deployments across hybrid environments.

Additionally, containers offer scalability, allowing deployment of lightweight services on small edge devices or larger, orchestrated setups on server clusters, supporting distributed architectures from edge to cloud. Compatibility is enhanced since containers bundle dependencies, simplifying installation and ensuring consistent execution across diverse environments without dependency conflicts. Security is also improved, as containers can be built following published best practices, requiring authentication for deployment to runtime hosts without needing administrative privileges, unlike traditional software installations on Windows systems. Containers also enable quick recovery and migration, facilitating rapid upgrades or system restoration by redeploying containerized applications with minimal downtime. Finally, containers are here for the foreseeable future, since they align with modern IT development trends, ensuring ICS systems remain adaptable to evolving technological demands.

An example of using containers at Rockwell Automation has been in the FactoryTalk® line. FactoryTalk Analytics GuardianAI is only delivered in a container. It is an application that can run predictive maintenance algorithms on a factory floor edge device, using minimal resources and needing no coding skills.

ThinManager® and FactoryTalk® Optix™  

Another containerized solution has been recently added to the FactoryTalk line. It is now possible to deploy a FactoryTalk Optix Application Container with ThinManager in versions 1.6 and 14.1 respectively. FactoryTalk Optix is a software platform that enhances HMI and data visualization experience and augments capabilities in edge computing and data management. ThinManager devices use thin clients (devices with lightweight hardware and little-to-no OS requirements) to simplify Industrial Control Systems in part by running containers. This means it’s possible for the infrastructure requirements of an HMI to be significantly reduced. ThinManager’s centralized management allows for scalable, consistent deployment, minimizing hardware costs and simplifying updates, while enhancing security. A more thorough breakdown can be found in this video or in a future dedicated post.