If you are reading this, I’m betting that you work for a large manufacturing or industrial firm and you are looking for an operational technology (OT) cyber security company to help protect your OT devices from cyber attack. Perhaps you have just read Alert AA20-205A published by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). It warns that attackers are actively targeting OT assets, and it urges owners to take immediate actions to mitigate their risks.
Perhaps you’ve glanced at NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, which has 247 pages of advice.
You’ve probably done a Google search. You’ve identified a few OT cyber security company names (I hope Armis is one of them). Now you are busy researching what each company can do, and you are mapping how each company’s product compares to the suggestions from NSA, CISA, and NIST.
So here, just in time, is my list of 6 things you should look for in an OT cyber security company. This isn’t boiling the ocean. It’s just a few high-priority things that provide maximum bang-for-your-buck.
1. Asset inventory. It’s impossible to defend your OT assets — whether by deploying patches or running security audits — if you do not have a complete understanding of your OT environment. To quote NIST SP 800-82, section 4.5.1, your OT cyber security vendor should help you “define, inventory, and categorize the applications and computer systems within the ICS, as well as the networks within and interfacing to the ICS.”
Your inventory should include details such as physical location, software/firmware version, vendor name and model number. In addition, you should have network information, a history of communication flows, and the protocols in use. And you should know where the device sits in your network architecture. Which brings us to ...
2. Network segmentation. Here again, NIST SP 800-82 is very clear when it says in section 5.1 that “network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect its ICS.” This is well-known among security practitioners, and the practice has been applied for years. But working against this is the recent trend of un-doing the segregation, driven by the dual desires to allow IT systems to consume data from the OT environment and to allow OT system vendors to remotely monitor their equipment.
As I said in a previous blog about vulnerable industrial control devices, when Armis customers first deploy our product, they routinely find much more network connectivity than they expected. And as NSA/CISA Alert AA20-205A just confirmed, this connectivity is being leveraged by threat actors to attack ICS systems (read our CISO's summary of the alert).
Look for your OT cyber security vendor to help you, in the words of NSA and CISA, “create an accurate ‘as-operated’ OT network map”. Even better, expect these cyber security products to draw the map automatically and put red flags on the connections that are risky. Do you follow the Purdue reference architecture? Look for OT cyber security products that automatically associate each device with its respective location in the Purdue reference architecture.
One important caution: be careful to avoid (or use only with extreme caution) any security system that relies on active scanning or probing techniques. These techniques have been known to disrupt OT devices. An unexpected plant shut-down is the last thing you want associated with your name!
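The following is an added example, not Armis code, showing how an inventory with per-device protocols and peers (as described under asset inventory) and a Purdue-level connection map with red flags can be derived purely from passively captured flows. The subnet-to-level mapping, the flow records and the "one hop" rule are constructed assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed Purdue placement by subnet (constructed; a real site derives it from its as-operated map).
PURDUE_BY_SUBNET = {
    ipaddress.ip_network("10.10.1.0/24"): 1,  # Level 1: PLCs / controllers
    ipaddress.ip_network("10.10.2.0/24"): 2,  # Level 2: HMIs, engineering stations
    ipaddress.ip_network("10.10.3.0/24"): 3,  # Level 3: site operations, historian
    ipaddress.ip_network("10.20.0.0/16"): 4,  # Level 4: enterprise IT
    ipaddress.ip_network("0.0.0.0/0"): 5,     # Level 5 / Internet: anything else
}

# Constructed passively captured flows: (src, dst, dst_port, protocol)
FLOWS = [
    ("10.10.2.10", "10.10.1.5", 502, "modbus"),   # HMI -> PLC: adjacent levels, fine
    ("10.10.3.20", "10.10.2.10", 4840, "opcua"),  # historian -> HMI: adjacent, fine
    ("10.10.3.20", "10.10.1.6", 502, "modbus"),   # historian polls a PLC directly
    ("10.20.5.7", "10.10.1.5", 502, "modbus"),    # enterprise host speaks Modbus to PLC
    ("10.10.1.5", "203.0.113.9", 443, "https"),   # PLC reaches out to the Internet
]

def purdue_level(ip):
    """Purdue level of an address: the most specific configured prefix wins, else 5."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in PURDUE_BY_SUBNET if addr in n]
    return PURDUE_BY_SUBNET[max(hits, key=lambda n: n.prefixlen)] if hits else 5

def build_inventory(flows):
    """Per-device record (level, protocols, peers) built only from observed traffic."""
    inv = defaultdict(lambda: {"level": None, "protocols": set(), "peers": set()})
    for src, dst, _port, proto in flows:
        for me, peer in ((src, dst), (dst, src)):
            inv[me]["level"] = purdue_level(me)
            inv[me]["protocols"].add(proto)
            inv[me]["peers"].add(peer)
    return dict(inv)

def risky_connections(flows, max_hop=1):
    """Red-flag flows that skip Purdue levels or cross the IT/OT boundary (level 3 to 4)."""
    flagged = []
    for src, dst, port, proto in flows:
        a, b = purdue_level(src), purdue_level(dst)
        reasons = []
        if abs(a - b) > max_hop:
            reasons.append(f"skips {abs(a - b) - 1} Purdue level(s)")
        if min(a, b) <= 3 and max(a, b) >= 4:
            reasons.append("crosses the IT/OT boundary")
        if reasons:
            flagged.append((src, dst, port, proto, a, b, "; ".join(reasons)))
    return flagged
```

Flagged entries carry the source and destination levels and the reason, which is the information a reviewer needs to decide whether a link is a sanctioned data path or an unintended one.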
4. Threat detection. Your OT cyber security vendor should continuously monitor your OT environment to detect anomalous activity. There are a wide variety of attack techniques documented in the MITRE ATT&CK for ICS knowledge base. Look for broad and deep coverage of the ATT&CK techniques. Especially look for products that can detect unauthorized attempts to reprogram your PLCs.
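As an added illustration (not Armis code) of the last point, this detector classifies observed PLC operations as read, write or program, then alerts on state-changing operations that either come from a host outside a per-PLC engineering-station allowlist or were never seen during a known-good baseline. The Modbus write function codes (5, 6, 15, 16) are the standard ones; the S7comm operation labels, the allowlist and the event records are constructed assumptions.

```python
# Standard Modbus function codes that change controller state (writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16}

# Assumed allowlist: which engineering stations may program each PLC (constructed).
ENGINEERING_ALLOWLIST = {
    "10.10.1.5": {"10.10.2.50"},
    "10.10.1.6": {"10.10.2.50", "10.10.2.51"},
}

def op_class(proto, detail):
    """Classify an op as 'program', 'write' or 'read' (detail: Modbus code or S7 label)."""
    if proto == "modbus":
        return "write" if detail in MODBUS_WRITE_CODES else "read"
    if proto == "s7comm":  # labels below are assumed to come from the capture tool
        return "program" if detail in {"download", "plc_control"} else "read"
    return "read"

def learn_baseline(events):
    """(source, plc, op class) triples observed during a known-good period."""
    return {(s, d, op_class(p, x)) for s, d, p, x in events}

def detect(events, baseline):
    """Alert on state-changing ops from unapproved stations or never seen in the baseline."""
    alerts = []
    for src, dst, proto, detail in events:
        cls = op_class(proto, detail)
        if cls == "read":
            continue  # routine polling is not state-changing
        reasons = []
        if src not in ENGINEERING_ALLOWLIST.get(dst, set()):
            reasons.append("source is not an approved engineering station")
        if (src, dst, cls) not in baseline:
            reasons.append(f"first {cls} from this source to this PLC")
        if reasons:
            alerts.append((src, dst, proto, cls, "; ".join(reasons)))
    return alerts

# Constructed events: (src, plc, protocol, function code or label)
BASELINE_EVENTS = [
    ("10.10.2.10", "10.10.1.5", "modbus", 3),           # HMI reads holding registers
    ("10.10.2.50", "10.10.1.5", "modbus", 16),          # engineering station writes
    ("10.10.2.50", "10.10.1.6", "s7comm", "download"),  # engineering station programs
]
LIVE_EVENTS = [
    ("10.10.2.10", "10.10.1.5", "modbus", 3),           # routine read: silent
    ("10.10.2.50", "10.10.1.5", "modbus", 16),          # known write: silent
    ("10.10.2.51", "10.10.1.6", "s7comm", "download"),  # approved station, never seen before
    ("10.20.5.7", "10.10.1.5", "modbus", 6),            # enterprise host writes a register
    ("10.10.2.10", "10.10.1.5", "modbus", 5),           # HMI starts writing coils
]
```

The two reasons are kept separate on purpose: an approved station doing something new is a change-management question, while an unapproved host writing to a PLC is an incident.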
5. Cast a wide scope. Do you really want to buy another limited-scope security product? One that focuses myopically on just one small portion of your environment?
It’s a leading question, but the fact is, quite a few of the OT security products on the market are limited to just the OT environment. Given that your OT systems are probably connected to, or at least in the vicinity of, other networks and other devices, you really need a cyber security product that covers more than just the OT environment.
It’s not just me saying this. In a report titled Market Guide for Operational Technology Security, Gartner says enterprises should “elevate OT security requirements into their enterprise risk management efforts by adopting an integrated security strategy across IT, OT and CPS.” [2] The authors of that report go on to say: “Most enterprises are starting to realize that security — whether IT, OT, physical or supply chain — needs a whole-of-enterprise focus. Historical IT and OT functional differences are becoming a liability when security is involved.”
One final suggestion. Look for an OT cyber security company that has a solid business plan, strong market traction, and the financial wherewithal to stick around for a long time. According to Gartner: “The OT security market is ‘in transition….’ By year-end 2023, security and risk management (SRM) leaders will need to adjust their OT security solutions, because 60% of today’s point solution OT security providers will have been rebranded, repositioned or bought, or will have disappeared.” [2] You don’t want to be left with a dead-end product.
Do you have other ideas? I’d love to hear from you. Send a note to firstname.lastname@example.org.
- [1] Gartner, OT Security Best Practices, 5 March 2020, Ruggero Contu and Lawrence Orans.
- [2] Gartner, Market Guide for Operational Technology Security, 5 November 2019, Katell Thielemann, Ruggero Contu, Wam Voster and Barika Pace.