Why OT security products should require no changes to the ICS


OT security products insights

  • The growth in the OT security product market has been steady.
  • If your company is looking to sell security products or services to the OT market, it would be best if those products required no changes to the ICS and had no impact on the ICS or physical process.

The first operational technology (OT) security products segment to have a company, actually multiple companies, valued over $1 billion is OT detection. The next OT security products segment that is seeing multiple early-stage investments and has the same look of fast market cap growth in the next 1 to 3 years is the software/firmware analysis space. The main feature driving this segment’s growth is the software bill of materials (SBOM) and vulnerability management component.

What do these two product segments have in common? It’s not that these are the most pressing product needs from an OT cyber risk reduction and management perspective. For example, neither addresses the insecure by design/lack of authentication problem for most industrial control system (ICS) protocols and Level 1 devices today.

So what do these two product segments have in common? They both can be deployed and used without making any changes to the ICS or the physical system being monitored and controlled. Detection got its foothold by being passive, only listening to the network. Even listen-only deployment had some serious pushback in the early years, as operations was skeptical that the cable into a switch SPAN port was not putting traffic on the network.

SW/FW analysis is an offline process that does not even take place on the ICS. The input comes from the vendor or from an asset owner providing a vendor package. The output from the analysis is some sort of human- or machine-readable file. These files can drive changes to an active ICS, primarily patching and secondarily configuration changes, but only if the changes are approved by the team doing cyber maintenance on the ICS.

Useful additions to OT security

While they are not the most pressing absences from ICS security programs, almost all would agree they are worthwhile and necessary additions, at some point, to the ICS security program. They also are in line with what information technology (IT) is doing (detection) and beginning to focus on (SW/FW analysis). This makes them easier wins for programs trying to show OT security progress without impacting operations. Think of the questions:

  • Do you have an asset inventory?
  • Do you have an SBOM?
  • Do you know what vulnerabilities exist and have not been patched?
  • Are you monitoring your OT environment for cyberattacks?

It would be natural to want to answer “yes” to these questions, and you can without changing one thing in your ICS.

OT is about as far away from DevOps as almost any technology. The still prevalent attitude is “Don’t touch it if it is working unless absolutely necessary,” and even then typically wait until there is a planned outage. Changing your programmable logic controllers (PLCs)/controllers to require user and data authentication, add role-based access control, or run endpoint detection and response on new logic/programs is typically a nonstarter for operations. This would require changes to the Level 1 device and typically to anything that communicates with it. These changes may introduce problems.

There is also the challenge of add-on boxes versus the integrated solution. Tofino was the first industrial firewall/gateway with ICS deep packet inspection (DPI). Tofino and its competitors have been deployed and continue to sell, but the investors have voted with their wallets that this is a small space. Tofino founder Eric Byres and I spoke more than 10 years ago about how this capability would only be widely deployed when it was integrated in the PLC/controller and at a minimal cost as a percentage of the PLC. All but the most security conscious asset owners are loath to put another box in the communications line, with its lifecycle costs and additional potential failures.

OT security products should not change the ICS

It bears watching how the security features now available in the Rockwell Automation Logix line (CIP Security) and Schneider Electric PLCs (Modbus Security) are used. Forget legacy, brownfield sites. What percentage of new projects are using these security features? This will tell us a lot about the true appetite to secure OT.

Going back to the main point of this article: If your company is looking to sell a security product or service to a large portion of the OT market, it would be best if it required no changes to the ICS and had no impact on the ICS or physical process.

Original content can be found at Dale Peterson.