In this article we point out that all current products can be put into one of three categories. While there are some functional overlaps between categories, it is fair to say that these are pretty insignificant. In some cases, it even makes sense for a customer to use different products from different categories simultaneously.
Network anomaly detection (NAD)
OT network anomaly detection products have been popping up all over the place in the last two years, and still seem to be loved by venture capital. Due to the accompanying hype produced by marketing dollars at work, you will most likely have heard about more than one product in this category already.
The vendors: Choose between roughly thirty different product offerings from as many vendors. One third of them have their roots in Israel, claiming background in the IDF’s cyber forces (which already had us humorously speculating whether Unit 8200 is actually a startup incubator disguised as a military organization). Examples include Claroty, CyberX, Indegy. Another third are European corporations, at least in respect to heritage. Think about Nozomi, SecurityMatters, and Kaspersky. A handful of genuine US companies participate in the mix, including NexDefense and Dragos. And since recently, you can even install a freeware solution by Russian vendor Positive Technologies.
The technology: NAD inspects the content of OT network traffic (data in motion), a technique also called deep packet inspection, or DPI for short. This is accomplished by real-time monitoring of all network packets (“passive scanning”) via SPAN ports, using network appliances and various analytic algorithms, some labeled as artificial intelligence and machine learning. Alerts are then issued for traffic anomalies, and also for traffic patterns that are categorized as potentially malicious or as pointing to vulnerable configurations. An example of the latter would be successful logon attempts to ICS with no or default passwords.
The value proposition: Network anomaly detection promises to detect network-based cyber attacks, and to spot vulnerable configurations. As an added value, vendors claim to present better visibility into OT networks, as asset identity (hardware make, model, and category) can sometimes be inferred from network traffic.
The prototypical users: Cyber security experts, SOC staff
The drawbacks: NAD solutions can produce a substantial number of false-positive alerts, putting workload on the human analyst. The foundational assumption that all cyber attacks worth detecting manifest as anomalies in network traffic can also be questioned (the first version of Stuxnet would be a prime piece of evidence) — sophisticated attackers ride trust chains. When considering the projected life span of an OT security solution, which may run into decades, also keep in mind that within that timeframe the move to encrypted protocols may render most of the deep packet inspection technology useless. Vulnerability management may be limited because the exact software configuration of endpoints (including things like installed security patches) is usually not known to NAD. Finally, relying on real-time analysis of network traffic comes with a substantial platform cost in terms of processing power and network re-configuration (administering SPAN ports and discovery networks).
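To make the two alert types from the technology description concrete, here is an added example (not code from the article or from any vendor it names) of the logic a NAD engine applies once the DPI stage has decoded packets into summaries: a baseline of observed conversations learned during a quiet period, anomaly alerts for conversations outside that baseline, and a rule alert for a successful logon with an empty or default password. The packet summaries, addresses, protocol operation names and the default-password list are all constructed; the third detection event is a legitimate but previously unseen engineering action, which is exactly the false-positive case the drawbacks paragraph warns about.

```python
"""Toy network anomaly detector of the kind described for NAD products.

Constructed example: the packet summaries are invented, not captured traffic,
and the Event fields (src, dst, proto, op, user, password, success) are an
assumption standing in for whatever a DPI appliance decodes from a SPAN port.
"""
from collections import namedtuple

Event = namedtuple("Event", "src dst proto op user password success")

# Constructed, deliberately short list of credentials often shipped as defaults.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}

# Learning window: traffic observed while the plant ran normally (constructed).
BASELINE_TRAFFIC = [
    Event("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers", None, None, None),
    Event("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers", None, None, None),
    Event("10.0.1.50", "10.0.2.20", "s7comm", "read_var", None, None, None),
    Event("10.0.1.50", "10.0.2.20", "s7comm", "write_var", None, None, None),
    Event("10.0.1.50", "10.0.2.20", "http", "login", "engineer", "Str0ngPassw0rd!", True),
]

# Detection window (constructed): a legitimate but new engineering action (false
# positive), a write from a host never seen before, and a logon with a default password.
DETECTION_TRAFFIC = [
    Event("10.0.1.10", "10.0.2.20", "modbus", "read_holding_registers", None, None, None),
    Event("10.0.1.50", "10.0.2.21", "s7comm", "download_block", None, None, None),
    Event("10.0.1.99", "10.0.2.20", "modbus", "write_single_register", None, None, None),
    Event("10.0.1.50", "10.0.2.21", "http", "login", "admin", "admin", True),
]


def conversation_key(ev):
    """The tuple a baseline learns: who talks to whom, over which protocol, doing what."""
    return (ev.src, ev.dst, ev.proto, ev.op)


def learn_baseline(events):
    """Every conversation seen during the learning window counts as normal."""
    return {conversation_key(ev) for ev in events}


def detect(events, baseline):
    """Return alerts: ('anomaly', key) for unseen conversations and
    ('weak_auth', (src, dst, user)) for successful logons with weak credentials."""
    alerts = []
    for ev in events:
        if conversation_key(ev) not in baseline:
            alerts.append(("anomaly", conversation_key(ev)))
        if ev.op == "login" and ev.success and (ev.password or "") in DEFAULT_PASSWORDS:
            alerts.append(("weak_auth", (ev.src, ev.dst, ev.user)))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(DETECTION_TRAFFIC, learn_baseline(BASELINE_TRAFFIC)):
        print(kind, detail)
```

Of the four alerts the detection window produces, three are anomalies and one is the weak-credential rule hit; the `download_block` anomaly is the analyst's workload the text refers to, because nothing in the traffic itself distinguishes a legitimate engineering download from an unwanted one.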
ICS configuration control
ICS version control has been around for quite some time. While it used to be considered a product area that would only be interesting to engineers, two or three years ago vendors started to realize that the category has some solid cyber security value. For one, sophisticated cyber attacks will result in violations of ICS configuration integrity, which are detected by the solutions in this category. Second, adopting the rigid change management process that is part of these solutions will often raise the security posture.
The vendors: PAS, MDT (both US corporations). Auvesy, a German vendor. Also, several automation vendors offer proprietary products.
The technology: Similar to NAD, ICS configuration control solutions focus on content, but content of data at rest (configuration files). ICS configuration control software interprets the configuration files of distributed control systems, allowing engineers to understand the meaning (impact) of configuration changes.
The value proposition: Enhanced reliability and security by tightly controlled ICS configuration integrity.
The prototypical users: Engineers
The drawbacks: To the best of our knowledge, the capability of solutions in this category to control configurations of systems other than DCS is limited, and so is the support for use cases outside of engineering. When it comes to vulnerability management, keep in mind that the results you can achieve will be limited if you don’t have a complete software inventory, and that you will need to deal with a lot of false positives if the solution you choose does not use Common Platform Enumeration (CPE) identifiers to link identified software/firmware versions to CVEs.
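The false-positive point deserves a worked illustration. The following added example (not code from the article or from any product it names) matches a software/firmware inventory against vulnerability definitions in two ways: precisely, by CPE vendor, product and an NVD-style version range (versionStartIncluding / versionEndExcluding), and naively, by product name alone. The inventory, the CPE strings with the vendor names `examplevendor` and `othervendor`, the version ranges and the CVE identifiers (`CVE-0000-0001` and `CVE-0000-0002` are placeholders, not real entries) are all constructed.

```python
"""CPE-based CVE matching versus product-name matching for an OT inventory.

Added example. Inventory entries, CPE strings, version ranges and the
placeholder CVE ids are constructed; the range fields follow the NVD
convention of versionStartIncluding / versionEndExcluding.
"""

# Constructed inventory: what a complete software inventory would record per endpoint.
INVENTORY = [
    {"asset": "PLC-01", "vendor": "examplevendor", "product": "plc_firmware", "version": "2.3.1"},
    {"asset": "PLC-02", "vendor": "examplevendor", "product": "plc_firmware", "version": "2.5.0"},
    {"asset": "HMI-01", "vendor": "examplevendor", "product": "hmi_runtime", "version": "7.0.2"},
    {"asset": "SW-01", "vendor": "othervendor", "product": "plc_firmware", "version": "2.3.1"},
]

# Constructed vulnerability definitions: a CPE 2.3 string plus an affected version range.
CVE_DEFINITIONS = [
    {"id": "CVE-0000-0001",  # placeholder id, not a real CVE
     "cpe": "cpe:2.3:o:examplevendor:plc_firmware:*:*:*:*:*:*:*:*",
     "start_including": "2.0.0", "end_excluding": "2.4.0"},
    {"id": "CVE-0000-0002",  # placeholder id, not a real CVE
     "cpe": "cpe:2.3:a:examplevendor:hmi_runtime:*:*:*:*:*:*:*:*",
     "start_including": "7.1.0", "end_excluding": "7.2.0"},
]


def parse_version(v):
    """Dotted numeric version into a comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_fields(cpe):
    """Split a CPE 2.3 formatted string into (part, vendor, product)."""
    parts = cpe.split(":")
    return parts[2], parts[3], parts[4]


def version_in_range(version, start_including, end_excluding):
    """True if version lies in [start_including, end_excluding); None bounds are open."""
    v = parse_version(version)
    if start_including and v < parse_version(start_including):
        return False
    if end_excluding and v >= parse_version(end_excluding):
        return False
    return True


def match_by_cpe(inventory, cves):
    """Precise matching: vendor, product and version range must all agree."""
    hits = []
    for asset in inventory:
        for cve in cves:
            _, vendor, product = cpe_fields(cve["cpe"])
            if (asset["vendor"], asset["product"]) != (vendor, product):
                continue
            if version_in_range(asset["version"], cve["start_including"], cve["end_excluding"]):
                hits.append((asset["asset"], cve["id"]))
    return hits


def match_by_product_name(inventory, cves):
    """Naive matching on product name only: every version and every vendor using
    that name lights up, which is where the false positives come from."""
    hits = []
    for asset in inventory:
        for cve in cves:
            _, _, product = cpe_fields(cve["cpe"])
            if asset["product"] == product:
                hits.append((asset["asset"], cve["id"]))
    return hits


if __name__ == "__main__":
    print("by CPE:", match_by_cpe(INVENTORY, CVE_DEFINITIONS))
    print("by name:", match_by_product_name(INVENTORY, CVE_DEFINITIONS))
```

With this inventory the CPE-based matcher reports a single finding (PLC-01 on firmware 2.3.1), while name matching reports four, three of them false positives: a patched firmware, a different vendor's product that happens to share the name, and an HMI version outside the affected range.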
OT asset management
Asset management is an interesting case because it has been around for decades in IT but has so far been underrepresented in OT. This is despite the fact that all OT security standards mandate a comprehensive asset inventory.
The vendors: Langner, and various automation vendors that offer proprietary solutions
The technology: OT asset management solutions focus on metadata (both about data at rest and data in motion) which is obtained by direct device query using legitimate protocols and enhanced with data provided by users (such as user-defined tags, file attachments etc.) and third parties (such as CVE definitions and product metadata contained in GSDML files). Network topology is discovered and visualized automatically, down to the physical layer, using SNMP queries of network gear. Network traffic is captured using NetFlow and similar services, which means that you can see data flow relationships including counterparts and protocols, but not the exact meaning or impact of any given packet.
The value proposition: Enhance the productivity of different OT stakeholders by establishing an OT system model that can be visualized, analyzed, searched, and shared. Similar to ICS configuration control, OT asset management does not focus only on cyber security use cases. Unlike ICS configuration control, OT asset management supports a broader range of use cases unrelated to security.
The prototypical users: Engineers, cyber security experts, administrators, plant planners, auditors. It should be noted that for the OT-BASE Asset Management Platform, use cases extend into IT.
The drawbacks: The classic problem for solutions in this category is that due to the active probing (which is used for asset discovery), some rather old or non-resilient devices may freeze. This can be fixed easily by configuration settings in the discovery engine, but you have to be aware that it may happen during commissioning. (For modern technology such as Ethernet/IP or Profinet the situation is different because controllers themselves actively probe components all the time.) As far as configuration integrity checking is concerned, an asset management solution will tell you THAT the configuration of a device was changed, but it will not necessarily tell you what those changes MEAN (what an ICS configuration control solution would tell you). In a similar way, while you can see THAT a given endpoint such as a PLC was accessed over the network by an unauthorized endpoint, you cannot see the exact content and MEANING of the interaction.
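The distinction the technology and drawbacks paragraphs draw between THAT and MEANING can be shown in code. This added example (not code from the article or from the OT-BASE product it mentions) keeps an asset model with two kinds of metadata: a fingerprint of each controller's configuration as retrieved by direct device query, and NetFlow-style flow records carrying only source, destination and protocol. From these it can report that a configuration changed and that a PLC was reached by an endpoint outside its allowed counterparts, but it cannot say what the change does or what the interaction contained. Device names, addresses, configuration blobs, the allowlist and the flow records are constructed; the `Flow` layout is an assumption loosely mirroring a flow exporter's fields.

```python
"""Change and access findings from asset-management metadata alone.

Added example. Device list, configuration blobs, allowlist and flow records
are constructed; the Flow record (src, dst, proto) is an assumption standing
in for the metadata a NetFlow-style collector exports.
"""
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto")

# Constructed configuration snapshots as retrieved by direct device query.
BASELINE_CONFIGS = {
    "PLC-01": b"OB1: CALL FC10\nFC10: L DB1.DBW0; T PQW256\nLIMIT_HIGH=800\n",
    "PLC-02": b"OB1: CALL FC20\nLIMIT_HIGH=650\n",
}
CURRENT_CONFIGS = {
    "PLC-01": b"OB1: CALL FC10\nFC10: L DB1.DBW0; T PQW256\nLIMIT_HIGH=950\n",  # a limit was edited
    "PLC-02": b"OB1: CALL FC20\nLIMIT_HIGH=650\n",
}

# Constructed allowlist from the asset model: which endpoints may talk to which PLC.
ALLOWED_COUNTERPARTS = {
    "PLC-01": {"10.0.1.10", "10.0.1.50"},  # SCADA server and engineering workstation
    "PLC-02": {"10.0.1.10"},               # SCADA server only
}
PLC_ADDRESSES = {"10.0.2.20": "PLC-01", "10.0.2.21": "PLC-02"}

# Constructed flow records: metadata only, no payload.
FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "modbus"),
    Flow("10.0.1.50", "10.0.2.20", "s7comm"),
    Flow("10.0.1.50", "10.0.2.21", "s7comm"),  # engineering station is not allowed on PLC-02
    Flow("10.0.1.77", "10.0.2.20", "http"),    # endpoint unknown to the asset model
]


def fingerprint(config):
    """SHA-256 over the raw configuration bytes; equal bytes, equal fingerprint."""
    return hashlib.sha256(config).hexdigest()


def changed_configs(baseline, current):
    """Report THAT a configuration changed by comparing fingerprints.
    Nothing here knows what the change means; interpreting the file is the
    job of an ICS configuration control solution."""
    changed = []
    for device, blob in current.items():
        old = baseline.get(device)
        if old is None or fingerprint(old) != fingerprint(blob):
            changed.append(device)
    return sorted(changed)


def unauthorized_access(flows, plc_addresses, allowed):
    """Report THAT a PLC was reached by an endpoint outside its allowlist.
    With flow metadata alone, the content of the interaction stays unknown."""
    findings = []
    for f in flows:
        plc = plc_addresses.get(f.dst)
        if plc is None:
            continue  # not a flow towards a modelled PLC
        if f.src not in allowed.get(plc, set()):
            findings.append((plc, f.src, f.proto))
    return findings


if __name__ == "__main__":
    print("changed:", changed_configs(BASELINE_CONFIGS, CURRENT_CONFIGS))
    print("unauthorized:", unauthorized_access(FLOWS, PLC_ADDRESSES, ALLOWED_COUNTERPARTS))
```

Both findings are genuine and useful to an auditor or administrator, and both stop exactly where the text says they stop: the engineer still has to open the PLC-01 configuration to learn that a limit moved from 800 to 950, and the flows to PLC-02 and from 10.0.1.77 would need packet content to tell a harmless read from a write.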
The market beyond 2019
In respect to the future development of the market, we have a couple of predictions that certainly also influence our own product strategy:
– Products that provide no measurable business value besides the claim to detect cyber attacks will become difficult to sell outside of regulated industries.
– Scale will become a bigger issue due to rising component density (a.k.a. Digital Transition, or IIoT). That will impact solutions which rely on network appliances and/or lack the capability of centralized processing. (Think unit cost.)
– IT and OT will converge at a higher pace, making OT-only solutions a tougher sell. Products that integrate well with enterprise SIEMs, IT asset management systems etc. will have an advantage. So will products which natively support both sides of the house.
– We will see innovation and diversity not just in respect to technology but also in respect to business models. Think about SaaS solutions. Think about creating opportunities for market forces which weren’t well addressed by existing product offerings, such as integrators and consultants.
To sum it up, it looks like it’s going to be an interesting ride — for customers, vendors, and venture capital alike.