I recently watched Dale Peterson’s talk on the evolution of ICS security products, delivered to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Working Group. (For those who don’t know Dale, he’s been involved in the OT/ICS cybersecurity space for about as long as anyone, starting with writing some of the first proof-of-concept network detection signatures for industrial environments back in the early 2000s.)
As Dale covers in his talk, much of the initial focus for industrial cybersecurity was on detection – is someone on my process control network (PCN)? Firewalls and network segmentation also played early leading roles for prevention (keeping the bad actors out in the first place). What many really wanted, though, wasn’t detection but to build and maintain their asset inventory, which they could then use to understand which devices from Level 3 to Level 0 of the Purdue Model were connected to corporate and external networks (and each other) and, hence, might have the greatest risk exposure.
IT security people are very familiar with using network packet sniffing tools to build inventories, so it should be no surprise that many looked to network detection tools to build their OT inventories as well, first with passive detection and then with active polling. These can help, but they often fall short of the details an OT inventory needs (vendor, model, firmware, configuration), and active polling can pose risks to devices on PCNs if it is not carefully tuned (see this ARC Advisory Group Insight for more).
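To make the passive approach and its limits concrete, here is an added Python example (not code from the original post, and not PAS’s or any vendor’s tooling). It builds an inventory from a handful of constructed flow records, tags hosts by the well-known ICS service ports they are seen using, flags PCN hosts that exchange traffic with outside addresses (the Purdue-level exposure question above), and lists the inventory fields that passive observation simply cannot fill. The port-to-protocol table, the flow records and the assumption that 10.1.x.x is the PCN are all assumptions made for the illustration.

```python
"""Passive OT inventory from observed flows: what the wire shows and what it cannot.

Added illustration, not code from the post or from PAS. The flow records below
are constructed, and the port-to-protocol table covers common ICS services only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Well-known ICS/OT service ports (TCP) used to tag what a host appears to speak.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
}

# Inventory attributes that only come from the control system itself
# (engineering database, controller query, vendor tooling), never from packets.
NEEDS_SYSTEM_ACCESS = ("vendor_model", "firmware", "configuration", "io_cards")


@dataclass
class Asset:
    ip: str
    mac: str
    protocols: Set[str] = field(default_factory=set)  # learned from ports seen
    talks_to: Set[str] = field(default_factory=set)   # peer IPs seen on the wire
    # Left None on purpose: passive sniffing has no way to fill these in.
    vendor_model: Optional[str] = None
    firmware: Optional[str] = None
    configuration: Optional[str] = None
    io_cards: Optional[str] = None


# Constructed flows: (src_ip, src_mac, dst_ip, dst_mac, dst_tcp_port).
# Assumption: 10.1.x.x is the PCN, 192.168.50.x is the corporate network.
FLOWS: List[Tuple[str, str, str, str, int]] = [
    ("10.1.3.10", "00:50:56:aa:01:10", "10.1.1.20", "00:0e:8c:11:22:33", 502),     # HMI -> PLC
    ("10.1.3.10", "00:50:56:aa:01:10", "10.1.1.21", "00:1c:06:44:55:66", 102),     # HMI -> S7 PLC
    ("10.1.3.11", "00:50:56:aa:01:11", "10.1.1.20", "00:0e:8c:11:22:33", 44818),   # historian -> PLC
    ("192.168.50.5", "00:50:56:bb:50:05", "10.1.3.10", "00:50:56:aa:01:10", 3389), # corporate RDP -> HMI
]


def build_inventory(flows) -> Dict[str, Asset]:
    """Derive hosts, protocol roles and peer relationships from flow records."""
    assets: Dict[str, Asset] = {}
    for src_ip, src_mac, dst_ip, dst_mac, dport in flows:
        assets.setdefault(src_ip, Asset(ip=src_ip, mac=src_mac))
        assets.setdefault(dst_ip, Asset(ip=dst_ip, mac=dst_mac))
        proto = ICS_PORTS.get(dport)
        if proto:
            # The destination answers on an ICS port, so it is the server side.
            assets[dst_ip].protocols.add(proto + " server")
            assets[src_ip].protocols.add(proto + " client")
        assets[src_ip].talks_to.add(dst_ip)
        assets[dst_ip].talks_to.add(src_ip)
    return assets


def missing_fields(asset: Asset) -> List[str]:
    """Inventory attributes still unknown after passive observation."""
    return [f for f in NEEDS_SYSTEM_ACCESS if getattr(asset, f) is None]


def externally_exposed(assets: Dict[str, Asset], pcn_prefix: str = "10.1.") -> Set[str]:
    """PCN hosts that exchange traffic with addresses outside the PCN."""
    return {
        ip for ip, a in assets.items()
        if ip.startswith(pcn_prefix)
        and any(not peer.startswith(pcn_prefix) for peer in a.talks_to)
    }


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for ip, a in sorted(inv.items()):
        print(f"{ip:14} {a.mac}  {sorted(a.protocols)}  missing={missing_fields(a)}")
    print("PCN hosts reachable from outside:", sorted(externally_exposed(inv)))
```

Run it and every asset, PLC and HMI alike, comes back with all four of the system-level fields missing: the packets tell you that 10.1.1.20 speaks Modbus/TCP and EtherNet/IP and that the HMI is reachable over RDP from the corporate range, which is useful for the exposure question, but nothing about firmware level, I/O cards or the controller configuration that vulnerability and patch management actually turn on. That gap is what a system-level asset management approach has to close.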
Interestingly, there are historical parallels from the IT security market that are starting to play out in the OT security market. Ten to 15 years ago, asset owners often turned to a network-based packet inspection tool to build an inventory, an inventory that was to become the foundation for an asset management solution. As the market evolved and consolidation occurred, asset management (which includes a robust inventory) emerged as a separate category from network-based security tools, and many of the IT network tools were absorbed into other solution sets, such as adaptive firewalls. We are on the cusp of a similar evolution in the OT cybersecurity market.
That’s why we use a fundamentally different approach at PAS to help our customers build their OT/ICS inventories: we read the inventory from the control systems themselves rather than inferring it from packets. It’s a method we’ve used for industrial automation asset management for over 20 years, and it works with more than 120 different control systems and vendors. It’s proven technology in many of the world’s largest oil & gas, petrochemicals, pulp & paper, mining & metals, power generation, and other industrial companies. On this foundation, we have added a wide range of cybersecurity-specific capabilities for vulnerability and patch management, configuration management, compliance and reporting, risk propagation analytics, backup and recovery, and workflows. Collectively, these capabilities support the NIST Cybersecurity Framework functions Identify, Protect (risk identification and reduction), Respond, and Recover.
Our customer engagements (both recent ones and over the last several years) align closely with the recommendation Dale gives asset owners in his talk: start with asset management to build your inventory. After all, you can’t secure what you can’t see. Once you have a solid OT/ICS asset inventory and good segmentation and firewall configurations, adding a detection tool is useful: it helps feed your inventory and aids forensics. After that, an incident response retainer and SOC-tool integration are logical next steps. That’s a solid prescription for industrial companies to get a handle on, and reduce, their cyber risk.
After evolving over many years, the OT/ICS security market is coalescing on this as the best approach. We are sure to see further evolution in the future, though, as one thing that always holds true in security is that you have to stay a step ahead.