Making Sense of the ICS Cybersecurity Market

Feb. 15, 2018
Attacks on industrial control systems are accelerating, threatening grave fallout. Because sorting through the flood of ICS cybersecurity products and services can be daunting, we offer some help.

Not long ago, the prospect of a cyber attack on an industrial control system (ICS) was frightening, but speculative. No more. The hoofbeats of looming public-safety disaster have grown ever louder since the 2010 wake-up call of the notorious Stuxnet worm, which sabotaged the centrifuge controls of Iran’s uranium enrichment program. The December 2016 Industroyer (also known as CrashOverride) attack, malware built to speak grid protocols that cut power in Ukraine, raised the stakes. The message is clear: Burying your head in the sand on the subject of ICS cybersecurity is no longer an option.

“The bad guys are showing they have learned enough about these control systems,” says David Zahn, chief marketing officer and general manager of the cybersecurity division for PAS Global. “Now they know what they are doing. The Ukrainian attack took advantage of no vulnerability. Legacy protocols do not have any security controls built in. The command came in and was executed.” It’s enough to keep anyone up at night.

An ICS security consultant for nearly 20 years, Dale Peterson is finding it a lot easier these days to drum up business. “We have noticed sectors that didn’t use to care at all [about ICS cybersecurity] suddenly starting to care. The control system is the reason the company exists—companies are starting to wake up to that,” says Peterson, founder and CEO of consulting company Digital Bond. “Folks are beginning to care about security at the board level and the executive management level. They realize they have been accepting this risk all these years.”

Though the real and perceived risks are higher than ever, the good news is that a slew of cybersecurity products has hit the market, designed from the ground up specifically to protect control networks. But with so many companies and products rushing into the market, it can be a daunting task, to say the least, to sift through the hype and understand what’s really needed to protect your operations. This article will help you sort through the cybersecurity offerings that together help to create a defense-in-depth strategy.

Though cybersecurity tools differ for IT and OT environments, they do overlap in the areas of endpoint detection, firewalls and network segmentation. Source: Claroty

OT/IT convergence gets real

The convergence of industrial control networks and operational technology (OT) with traditional information technology (IT) has been a “coming attraction” for years. But the growth in ICS cyber attacks is a sign that convergence is finally here. In the past, securing control systems was not a major concern because they were air-gapped, isolated from IT and the rest of the enterprise, and ran on proprietary protocols, embedded operating systems and specialized hardware.

These days, ICSs are connected to corporate networks, riding on common Internet protocols and running mainstream IT operating systems on general-purpose hardware. Increasingly, they are reachable over wireless links and feature USB ports. Typical supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs) and remote terminal units (RTUs) are vulnerable. They speak industrial protocols that were designed for isolated, trusted networks, which makes them easy marks for tailored attacks. Many of these protocols have no authentication at all: if a well-formed command arrives from any host that can reach the device, it is executed.

But even with convergence upon us, the OT side of the house often still prefers to go its own way. As an industry analyst, Patrick McBride remembers chatting with the chief information security officer of a major energy company a few years ago. “I asked what he was doing to secure the industrial network,” says McBride, now chief marketing officer for industrial cybersecurity provider Claroty. “He just shook his head: ‘The engineering guys don’t want me messing with their environment.’” Pushing traditional IT cybersecurity tools onto the OT side of the house was then—as it often is now—a non-starter.

IT security tools were not designed for use in the OT world, McBride says. They often proactively block flagged processes from taking place. That approach doesn’t work in an industrial setting, where processes are business-critical and any disruption could be dire. Also, IT tools do not provide visibility into the versions of the protocols being used, where they are connected, or the nature of the communications. IT and OT cybersecurity tools do overlap in the areas of endpoint protection, firewalls and network segmentation (see diagram above), he adds.

Designed for ICS, the Indegy Industrial Cyber Security Platform provides only alerts to changed network conditions. “We don’t block anything. It’s too risky,” says Dana Tamir, vice president of market strategy for Indegy. “Industrial environments are so sensitive, you don’t want to cause any disruptions.”

Lack of visibility into control systems—the exact hardware, operating system and protocol versions—is the biggest fundamental ICS cybersecurity problem, according to Tamir. After all, you can’t secure what you don’t know you have. “The security operations staff need to understand what they actually have,” she says. “These systems have been in place so long no one knows what’s out there.”

Very few companies have robust asset management systems in place, Tamir also notes. “They sometimes have manual processes—the guys walking around with clipboards,” she says. “It’s error-prone, tedious and leads to burnout.” Getting a handle on exactly what is out there is a necessary first step.

In the ICS realm, asset management and cybersecurity are not all that different, adds Mike Petitti, vice president of cybersecurity for Uptake. “You’re looking for great uptime, reliability and safety from an asset,” he says. “That is the goal.” Uptake’s security platform maps all the assets in the ICS environment, collects the information that emanates from those assets, and provides predictive insights.

Mitigation without interruption

McBride says this market has taken off faster than anything he’s seen in his career. In his experience, new ICS technologies usually start becoming popular in North America, migrate into Europe and then move into Asia. But Claroty’s biggest customer is actually a large electric operator in Asia.

The Claroty platform provides continuous threat and vulnerability detection, plugging into the SPAN port or COPY port and providing a picture of all the ICS devices present—heterogeneous or not. “‘Do no harm’ was our design principle,” McBride says, so the system does not inject any packets onto the network. “IT cybersecurity tools are blind. They may know there are networking devices sitting there, but they don’t know what they’re saying. We are the magic headphones. We know what all those devices are in the network and we know how they are communicating and what they are saying.”

Changes to the network are immediately spotlighted, with identification of network hygiene issues that could cause plant downtime such as ports that are open to the Internet. Having a snapshot of key information then leads to risk assessment and mitigation strategies, McBride says. “We can show the known vulnerabilities and they can use that information to segment the environment,” he says. “They can decide how to mitigate without breaking the process.”

Similar to Claroty’s technology, PAS’s Cyber Integrity platform first discovers the assets on the ICS network and how they are connected. “We have Day 1 visibility into assets and their configurations,” Zahn says. “The engineers want the full picture. They don’t want to wait years or months.”

The key is to strike the right balance between management of change—alerting operators about important alterations to the environment—and flooding the operator with too much data. “We have at times turned on all the alerts to show you all the change that happens. It’s too much,” Zahn says. “We allow you to filter what change is detected.”

Full-coverage approach

Venerable ICS vendors have recently acquired ICS cybersecurity technologies to shore up their offerings. Honeywell Process Solutions has had a group focused on cybersecurity for more than 15 years, according to Marty Israels, director of product for industry cybersecurity. “We’ve invested heavily in ICS cybersecurity,” he says. “We have products and services—everything from field professional consulting services to managed security services to third-party end-to-end services. Our products and services help customers identify the assets they need to protect, protect them, prevent cybersecurity events, respond when they happen and then recover.”

Honeywell recently acquired its ICS Shield technology via its purchase of Nextnine. With 6,000 installations of ICS Shield, this move has boosted its standing in the ICS cybersecurity arena. Honeywell offers other tools, including dashboard software called Risk Manager that depicts the level of risk at a particular site. The company also launched a product called Secure Media Exchange (SMX) that safeguards the use of USBs in the ICS environment.

Like Honeywell, many vendors are taking a full-coverage approach to the market. Nozomi Networks, for example, offers a full stack: operating system, hardware, software and services.

Its SCADAguardian anomaly-detection appliance is backed by support from managed service providers. Its Central Management Console (CMC) does deep network-packet inspection and protocol analysis.

“We listen from Level 1 to Level 7 on the OSI stack,” says Thomas Nuth, director of product management at Nozomi Networks. “We use [artificial intelligence] and machine-learning techniques to provide real-time anomaly and threat detection. SCADAguardian automatically learns the network devices, topology and connections and establishes a baseline of normalcy.”
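The passive, learn-then-alert approach that Nozomi describes here, and that Claroty (listening on a mirror port without injecting packets) and Indegy (alert, never block) describe earlier in the article, can be shown concretely. The following is an added example written for this page, not code from any of those vendors or from the article: it parses Modbus/TCP request frames as a sensor on a switch mirror port would see them, inventories masters and controllers from what it observes, learns a baseline of (source, destination, unit, function code) flows, and afterwards reports only deviations, ranking a write from an unknown host above a new read from a known one and letting the operator suppress expected change from a named host. The IP addresses, the `frame()` builder and every captured payload are constructed sample data; only Modbus/TCP is parsed, other protocols on the mirror port are ignored.

```python
"""Passive Modbus/TCP baseline-and-alert monitor (added example; constructed data)."""
import struct
from collections import namedtuple

# Function codes that change controller state. A new write flow is far more
# serious than a new read flow, so alerts are ranked accordingly.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

Flow = namedtuple("Flow", "src dst unit function")
Alert = namedtuple("Alert", "severity flow reason")


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request.

    Returns (unit_id, function_code), or None if the bytes are not Modbus/TCP.
    Note what the header lacks: there is no authentication field, so any host
    that can reach TCP/502 on the controller can issue a write.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # protocol id is always 0
        return None
    return unit, payload[7]


def frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP request; used only to construct the sample capture."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def flows_from_capture(capture):
    """Reduce (src_ip, dst_ip, tcp_payload) records to Modbus flows."""
    flows = []
    for src, dst, payload in capture:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue           # not Modbus (e.g. HTTP seen on the same mirror port)
        unit, function = parsed
        flows.append(Flow(src, dst, unit, function))
    return flows


class PassiveMonitor:
    """Learns what normal looks like from mirrored traffic; never transmits."""

    def __init__(self):
        self.baseline = set()   # flows observed during the learning window
        self.masters = set()    # hosts that issue requests: HMIs, historians
        self.devices = {}       # controller ip -> unit ids answering there

    def learn(self, capture):
        for flow in flows_from_capture(capture):
            self.baseline.add(flow)
            self.masters.add(flow.src)
            self.devices.setdefault(flow.dst, set()).add(flow.unit)

    def inspect(self, capture, suppress=()):
        """Alert on flows outside the baseline. 'suppress' names hosts whose
        changes are expected, e.g. an engineering laptop during a planned outage."""
        alerts = []
        for flow in flows_from_capture(capture):
            if flow in self.baseline or flow.src in suppress:
                continue
            unknown_host = flow.src not in self.masters
            if flow.function in WRITE_FUNCTIONS:
                severity = "high"
                reason = "%s to %s unit %d from %s host" % (
                    WRITE_FUNCTIONS[flow.function], flow.dst, flow.unit,
                    "unknown" if unknown_host else "known")
            elif unknown_host:
                severity, reason = "medium", "read from host never seen as a master"
            else:
                severity, reason = "low", "known host using a new function code"
            alerts.append(Alert(severity, flow, reason))
        return alerts


# Constructed sample traffic (not a real capture).
HMI, HISTORIAN, PLC_A, PLC_B = "10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21"
BASELINE_CAPTURE = [
    (HMI, PLC_A, frame(1, 1, 3, b"\x00\x00\x00\x0a")),              # poll 10 registers
    (HMI, PLC_A, frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x01\xf4")),  # setpoint write
    (HISTORIAN, PLC_A, frame(3, 1, 3, b"\x00\x00\x00\x0a")),
    (HISTORIAN, PLC_B, frame(4, 2, 4, b"\x00\x00\x00\x04")),
    (HISTORIAN, "10.0.9.1", b"GET /trend HTTP/1.1\r\n\r\n"),        # non-Modbus, ignored
]
LATER_CAPTURE = [
    (HMI, PLC_A, frame(5, 1, 3, b"\x00\x00\x00\x0a")),              # normal, no alert
    ("10.0.1.99", PLC_A, frame(6, 1, 16, b"\x00\x10\x00\x01\x02\x03\xe8")),  # new host writes
    (HISTORIAN, PLC_A, frame(7, 1, 1, b"\x00\x00\x00\x08")),        # known host, new read
    ("10.0.3.5", PLC_B, frame(8, 2, 5, b"\x00\x01\xff\x00")),       # engineering laptop
]

if __name__ == "__main__":
    monitor = PassiveMonitor()
    monitor.learn(BASELINE_CAPTURE)
    for ip, units in monitor.devices.items():
        print("controller %s units %s" % (ip, sorted(units)))
    for alert in monitor.inspect(LATER_CAPTURE, suppress={"10.0.3.5"}):
        print(alert.severity.upper(), alert.flow, alert.reason)
```

Two design points carry over from the products discussed: the monitor only reads and never sends, so it cannot trip the process it watches, and the suppress list is the management-of-change filter Zahn describes, keeping a planned engineering session from drowning the operator in alerts while still surfacing the unknown host writing a setpoint. In a real deployment the sensor would also key on TCP port 502 and request direction before calling the parser.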

What distinguishes Nozomi’s system is that it visualizes data in a way that allows system operators to quickly address threats as they come in, Nuth says. “We have a geospatial representation of the threats, with color-coded alerts showing affected equipment like a pump or a meter,” he says, noting that the system aggregates alerts to show a representational view of the complete threat picture.

The days of ignoring cybersecurity in the industrial environment are over. With the plethora of systems now on the market, there are no more excuses for not facing up to securing your control systems.

“You have to make the decision to do it right,” Peterson says.