During periods of high investment in plant automation and digital transformation, Security Leaders should transition to a platform approach to cybersecurity to achieve unified visibility across their assets, and to implement and manage security policies and procedures across OT environments. Further, the blurring of OT and IT operations and growing collaboration between teams require Security Leaders to consider how future investment in OT will align with wider IT cybersecurity policy and procurement decisions. WA’s IT/OT Cybersecurity Navigator is an assessment of the leading vendors, benchmarking competitors relative to current capability and strategic direction and is available from July 2023.
Evolving Cybersecurity Requirements
The responsibility for OT cybersecurity differs between organisations. It may be the Operations team, the Engineering Director or the CISO who holds OT cybersecurity responsibility. For simplicity we refer to the team responsible for OT cybersecurity as OT Security Leaders.
The primary goal of OT Security Leaders is to ensure that the risk of a cyber incident impacting the Reliability, Availability and Safety of operations is minimised. This requires identification and management of vulnerabilities, and layers of controls to prevent threat actors from reaching OT networks. The logical starting point is to identify and classify all assets, though this is rarely a simple task. Plants may be thirty years old with no official asset register and rely on a patchwork of different OEM systems and sensors. Security Leaders need visibility of the assets they manage, the firmware and patch status of those assets, and what those assets are connecting to. Once the security team is established, discovery is therefore the first task. In OT it should favour passive network monitoring and configuration exports from engineering tools over active scanning, which can disrupt legacy controllers.
Once assets are identified and logged, OT Security Leaders should address vulnerabilities that are known and understood and implement processes to continually monitor and manage them. This may include changing default passwords, implementing patch management, and monitoring access controls. Where a device cannot be patched without an outage, the vulnerability should remain tracked in the register and be offset with compensating controls such as tighter segmentation or restricted access.
A strong OT program will be based on a suite of security technologies. Defence-in-Depth (DiD) is the traditional layered security model applied to OT environments and comprises a series of technical and administrative controls to protect data, applications, endpoints, and the network. This makes it more difficult for adversaries to move laterally, limiting their ability to reach and exploit vulnerable assets. Technical controls include firewalls at the IT/OT network boundary and between zones to ensure appropriate segmentation, endpoint protection, and access control. OT network monitoring provides an additional layer of security by detecting anomalies and supporting or automating response.
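The discovery, vulnerability-tracking and segmentation steps above can be reduced to a small, repeatable check. The following is an added example written for this page, not code from WA or from any vendor it reviews: it folds discovery records into an asset register, flags assets with default credentials, firmware below an assumed floor, or no zone assignment, and then tests observed flows against a declared set of zone-to-zone conduits so that traffic bypassing the IT/OT boundary firewall stands out. The zone addressing, conduit rules, firmware floors, device models and all records are constructed for illustration.

```python
"""Asset register and zone-segmentation check for an OT network.

Added example, not from the WA report. Zone addressing, conduit rules,
firmware floors and all records below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Purdue-style zones (assumed layout). Each asset belongs to exactly one.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
    "field": ipaddress.ip_network("192.168.20.0/24"),
}

# Declared conduits between zones: (src_zone, dst_zone, dst_port).
# Any other cross-zone flow is a segmentation finding.
CONDUITS = {
    ("enterprise", "dmz", 443),   # enterprise users reach the DMZ historian
    ("dmz", "control", 443),      # DMZ historian pulls from the control layer
    ("control", "field", 502),    # SCADA/HMI polls PLCs over Modbus/TCP
}

# Minimum acceptable firmware per model (assumed values).
MIN_FIRMWARE = {"VendorA PLC": (2, 8, 0), "VendorB RTU": (1, 4, 2)}


@dataclass
class Asset:
    ip: str
    model: str
    firmware: str
    default_creds: bool

    @property
    def zone(self) -> str:
        return zone_of(self.ip)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))


def build_register(records) -> dict:
    """Fold (ip, model, firmware, default_creds) records into a register keyed
    by IP; a later record for the same IP supersedes earlier ones."""
    register = {}
    for ip, model, firmware, default_creds in records:
        register[ip] = Asset(ip, model, firmware, default_creds)
    return register


def asset_findings(register: dict) -> list:
    """Known, understood weaknesses on inventoried assets."""
    findings = []
    for a in register.values():
        if a.default_creds:
            findings.append((a.ip, "default credentials"))
        floor = MIN_FIRMWARE.get(a.model)
        if floor and parse_version(a.firmware) < floor:
            findings.append((a.ip, f"firmware {a.firmware} below {'.'.join(map(str, floor))}"))
        if a.zone == "unknown":
            findings.append((a.ip, "not in any defined zone"))
    return findings


def flow_findings(register: dict, flows) -> list:
    """Cross-zone flows (src, dst, dst_port) that bypass a declared conduit,
    plus traffic towards hosts the discovery process never saw."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside the conduit model
        if (src_zone, dst_zone, port) not in CONDUITS:
            findings.append((src, dst, port, f"{src_zone}->{dst_zone} not a declared conduit"))
        if dst not in register:
            findings.append((src, dst, port, "destination not in asset register"))
    return findings


# Constructed passive-discovery output: (ip, model, firmware, default_creds).
SAMPLE_RECORDS = [
    ("192.168.20.11", "VendorA PLC", "2.6.1", True),
    ("192.168.20.12", "VendorA PLC", "2.8.3", False),
    ("192.168.10.5", "VendorC HMI", "7.0", False),
    ("192.168.10.5", "VendorC HMI", "7.1", False),  # re-seen after an upgrade
    ("10.1.0.20", "Historian", "3.0.0", False),
    ("172.16.5.9", "VendorB RTU", "1.5.0", False),  # outside every defined zone
]

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.11", 502),    # HMI -> PLC over a declared conduit
    ("10.0.3.4", "192.168.20.12", 502),        # enterprise host straight to a PLC
    ("10.1.0.20", "192.168.10.5", 443),        # DMZ -> control, declared
    ("192.168.10.5", "192.168.20.40", 44818),  # unexpected port to an unknown host
    ("192.168.20.11", "192.168.20.12", 502),   # PLC to PLC, same zone
    ("10.0.3.4", "10.1.0.20", 443),            # enterprise -> DMZ, declared
]


def run(records=SAMPLE_RECORDS, flows=SAMPLE_FLOWS):
    register = build_register(records)
    return asset_findings(register), flow_findings(register, flows)


if __name__ == "__main__":
    for kind, items in zip(("ASSET", "FLOW"), run()):
        for item in items:
            print(kind, *item)
```

In practice the records come from a passive-monitoring sensor or a vendor platform export and the conduit table from the firewall rulebase; keeping both in one check is what makes a flow that the boundary firewall should never have permitted visible to the OT security team.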
However, as networks converge and data exchange between the factory floor and the cloud expands, so does the scope of the threat. DiD alone is not sufficient to protect OT operations. Modern organisations require a security approach that enforces policy, monitors, and orchestrates across a complex network of digital infrastructure, entities, and physical assets.
Attack Surface Management (ASM) addresses the challenge of identifying, assessing, and mitigating the vulnerabilities that exist within an organisation’s digital and physical infrastructure and in its relationships with external entities, including the organisation’s supply chain and OEM partners.
ASM focuses on identifying and managing risks through a proactive approach to security management, whereas DiD is focused on the layering of controls to protect against threats. The approaches are complementary, as noted in NIST SP 800-53, and ASM is increasingly being implemented by OT Security Leaders. This includes asset discovery, risk assessment and remediation. It should also include OT-specific response plans built on an understanding of the Tactics, Techniques and Procedures (TTPs) that can be unique to the industrial sector.
A strong OT security posture requires technical controls to be interoperable. The firewalls, IDS, antivirus, and access control solutions deployed in the DiD framework should integrate and exchange data, enabling orchestration of security processes and workflows to improve threat detection and incident response. The same applies to the components of ASM, providing OT Security Leaders with a unified and automated security operation.
Security Vendor Selection
There is no single vendor that provides native capabilities covering all technical security controls. OT Security Leaders planning to implement a new security program, consolidate vendors, or refresh their security program should look towards a platform approach, ensuring that vendor solutions can integrate. An advantage of using a single platform is that it shifts the integration burden to the platform vendor. The platform vendor becomes responsible for making sure that their products interoperate, thereby reducing the technology debt that the Asset Owner takes on. The trade-off is greater dependence on one vendor, so open interfaces such as documented APIs and standard log export should remain a selection criterion even within a platform.
The ecosystem consists of two main vendor categories. OT Network Protection vendors typically provide firewalls, including coverage of industrial protocols, and a range of additional capabilities from endpoint protection to access controls. The main use cases include network protection, segmentation, and access management, but many also offer visibility solutions. Most vendors also have a strong IT security platform, enabling industrial enterprises to manage IT and OT security operations separately or to merge some of the security operations.
Asset Visibility and Threat Management vendors provide visibility, vulnerability management, and threat detection tools supported by OT specific threat intelligence. These vendors typically provide products for OT ASM though each vendor has its own unique strength or capability. This may include risk analytics, remote access management or incident response.
The following is a list of the vendors reviewed in WA’s latest analysis of the OT Cybersecurity Industry, following a review of over 100 vendors. Each provides platform solutions and integrations and should be considered by Security Leaders.
Security Leaders will rely on at least two vendors to achieve Defence-in-Depth and to implement their Attack Surface Management. When evaluating capabilities, Security Leaders should look beyond technical performance alone. Platform integrations, interoperability, strategic partnerships, ICS expertise, and customer service are other important considerations.
Equally, OT Security Leaders should also consider a vendor’s strategic direction. WA analysts noted significant innovation across the industry over the last 18 months, and the technical roadmaps of some vendors are particularly strong, including improvements to platform usability, new integrations, refinements to risk analytics, and new OT use cases. WA’s IT/OT Cybersecurity Navigator, and the related Insight, ‘Industrial Cybersecurity Industry Analysis’, are available today.
If you would like more information on our process for the Navigator please visit: www.navigator.westlandsadvisory.com/
Or send us an email: firstname.lastname@example.org