The OT security market is expanding, which is certainly a good thing, since for many years asset owners were left with just a handful of vendors and products. Over the last two or three years, well over thirty viable products have hit the marketplace. The downside is that some confusion has resulted about how these products differ. In this article we'll untangle two major technical approaches that often get confused because of imprecise terminology.
ICS detection is not a product category
You may have heard about the product category "ICS detection" (or "OT detection") more than once, and most likely have an understanding of what it means. The problem is that "ICS detection" is often used with respect to two fundamentally different types of products.
In order to understand the difference, simply ask yourself: What does a given product actually detect? In the case of network anomaly detection (NAD) products, the answer is: anomalies in network traffic that might indicate a cyber attack, and traffic patterns that suggest vulnerable configurations, such as default credentials passing over the wire in cleartext.
In the case of asset management systems such as our OT-BASE software product, the answer is: OT-BASE discovers the identity and configuration of OT devices and networks. Asset management products usually don't rely on passive network scanning; they extract a whole lot of configuration detail from devices beyond their mere presence. Hence the term "detection" is a bit misplaced, and "discovery" is used more often.
…but there is an overlap between NAD and asset management products
It's true, though, that both approaches overlap with respect to the results shown. Passive scanning (NAD) products do deliver some device configuration details, and active probing (asset management) solutions can point out abnormal or potentially malicious network traffic. But while this is true on the surface, the differences in the details are profound.
Let's first look at the traffic anomaly detection in our OT-BASE product. OT-BASE does not constantly monitor network traffic in real time. What it does is collect and analyze NetFlow/sFlow data from your switches and routers. Think of NetFlow and sFlow as flow records without deep packet inspection: the network device tells you who talked to whom, over which protocol and port, and how many packets and bytes were exchanged, but it does not hand over payload.
OT-BASE allows you to match this data against policies. For example, once you have defined the legitimate data flows for a given PLC or network, OT-BASE can easily tell you about all the other traffic it has seen. While it won't tell you about any specific packet content, chances are that the fact alone that illegitimate stations have been accessing your PLC or other devices in a critical network is "good enough" for you to act.
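The policy matching described above, reduced to its essentials, as an added example (this is illustrative code, not OT-BASE's implementation): a per-asset allowlist of legitimate peers, protocols and ports, applied to flow records. The flow records, the PLC address 10.20.1.10, its peers and the record field names are all constructed for the example and do not follow any particular exporter's schema.

```python
"""Match flow records (NetFlow/sFlow style) against a per-asset allowlist.

Added example; not OT-BASE code. Records, addresses and policy are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # ignored for icmp
    packets: int


# Policy: for each protected asset, the (peer network, proto, dport) tuples that
# engineering declared legitimate. Everything else addressed to the asset is reported.
POLICY = {
    "10.20.1.10": [                       # constructed: PLC in a cell network
        ("10.20.1.20/32", "tcp", 502),    # HMI polling Modbus/TCP
        ("10.20.1.21/32", "tcp", 44818),  # historian, EtherNet/IP explicit messaging
        ("10.20.0.0/16", "icmp", 0),      # ping from anywhere in the plant network
    ],
}


def classify(flow, policy=POLICY):
    """Return None if the flow is within policy, else a human-readable reason."""
    if flow.dst not in policy:
        return None  # destination is not a protected asset in this policy
    for peer_net, proto, dport in policy[flow.dst]:
        if (ip_address(flow.src) in ip_network(peer_net)
                and flow.proto == proto
                and (proto == "icmp" or flow.dport == dport)):
            return None
    return f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} not in policy"


def audit(flows, policy=POLICY):
    """Aggregate violations per (src, dst, proto, dport) with a packet count,
    so a repeated poll from an unknown station shows up as one finding."""
    findings = {}
    for f in flows:
        if classify(f, policy) is not None:
            key = (f.src, f.dst, f.proto, f.dport)
            findings[key] = findings.get(key, 0) + f.packets
    return findings


# Constructed records, roughly what a flow collector would hand over.
SAMPLE_FLOWS = [
    Flow("10.20.1.20", "10.20.1.10", "tcp", 502, 1200),   # HMI, allowed
    Flow("10.20.1.21", "10.20.1.10", "tcp", 44818, 300),  # historian, allowed
    Flow("10.20.5.7", "10.20.1.10", "icmp", 0, 4),        # ping from plant net, allowed
    Flow("10.30.9.99", "10.20.1.10", "tcp", 502, 57),     # unknown station talking Modbus
    Flow("10.20.1.50", "10.20.1.10", "tcp", 102, 12),     # S7comm attempt from inside the cell
    Flow("10.20.1.50", "10.20.1.10", "tcp", 80, 9),       # web UI access from the same host
]

if __name__ == "__main__":
    for (src, dst, proto, dport), pkts in audit(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst} {proto}/{dport}: {pkts} packets outside policy")
```

Note that the policy keys on destination, so the same engineering station appears twice in the findings (once per port it tried), which is what you want when deciding whether it is a misconfigured tool or an intruder.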
In a similar way, NAD products can tell you about device identity and configuration. But they only go so far, since both have to be inferred when relying on passive scanning. As an example, when a sensor sees a device being accessed on TCP port 502 (Modbus) and matches the device's MAC address against a Schneider entry in the OUI database, it is fair to assume that this device is a Schneider PLC. Keep in mind that the OUI identifies the vendor of the network interface rather than the device, and that the sensor only sees the MAC address at all when it sits on the same layer 2 segment as the device.
If the NAD solution also intercepts a Modbus function code 43 call (MEI type 14, Read Device Identification), it may even use the reply, as extracted from the packet content, to be more specific about model and firmware version. But here's the irony: an active probing product such as OT-BASE would simply query the device directly using the same legitimate function call, rather than waiting for another endpoint to do so and picking up the information as it flies by. Either way the information only exists if the device implements this optional function; a device that doesn't answers with a Modbus exception, and the passive observer then learns nothing from it.
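The Read Device Identification exchange itself, as an added example (illustrative code, not OT-BASE's implementation): the request an active prober sends, and the parser that both a passive sensor and an active prober need for the reply. The sample reply, the vendor and product strings in it, and the exception reply from a device that does not implement function 43 are constructed. query_device() shows the active variant against a live endpoint and is not exercised here.

```python
"""Modbus/TCP Read Device Identification (function 43 / MEI type 14): build the
request, parse the reply. Added example, not OT-BASE code; sample frames are constructed."""
import socket
import struct

MBAP_LEN = 7                 # transaction id (2), protocol id (2), length (2), unit id (1)
FC_ENCAP_INTERFACE = 0x2B    # function code 43, Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E    # MEI type 14, Read Device Identification
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}


def build_request(transaction_id=1, unit_id=1, read_id_code=0x01, object_id=0x00):
    """Request frame; read_id_code 0x01 asks for the basic objects (vendor, product, revision)."""
    pdu = bytes([FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, read_id_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length = unit id + PDU
    return mbap + pdu


def encode_response(objects, transaction_id=1, unit_id=1, read_id_code=0x01, conformity=0x01):
    """Build a reply the way a device would; used here only to construct sample traffic."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects)
    pdu = bytes([FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, read_id_code, conformity,
                 0x00, 0x00, len(objects)]) + body   # more_follows=0, next_object=0, count
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a reply frame. Raises ValueError for Modbus exceptions and malformed data."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0 or length != len(frame) - (MBAP_LEN - 1):
        raise ValueError("bad MBAP header")
    pdu = frame[MBAP_LEN:]
    if pdu[0] == FC_ENCAP_INTERFACE | 0x80:            # exception response: fc with high bit set
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    if pdu[0] != FC_ENCAP_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification reply")
    conformity, more_follows, next_obj, count = pdu[3], pdu[4], pdu[5], pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:                           # never trust the length byte blindly
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(oid, f"object_0x{oid:02x}")] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"unit_id": unit_id, "conformity": conformity,
            "more_follows": more_follows == 0xFF, "next_object": next_obj, "objects": objects}


def identify(frame):
    """One-line fingerprint from a reply, or the error text if the device refused or garbled it."""
    try:
        objs = parse_response(frame)["objects"]
    except ValueError as exc:
        return f"error: {exc}"
    return (f"{objs.get('VendorName', '?')} {objs.get('ProductCode', '?')} "
            f"fw {objs.get('MajorMinorRevision', '?')}")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def query_device(host, port=502, unit_id=1, timeout=2.0):
    """Active variant: send the same request to a live device (not used by the samples below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(unit_id=unit_id))
        header = _recv_exact(sock, MBAP_LEN)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_response(header + _recv_exact(sock, length - 1))


# Constructed sample: what a sensor lifts off the wire, or what an active query gets back.
SAMPLE_REPLY = encode_response([(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"V2.3.1")])
# Constructed exception reply (0x2B | 0x80, code 0x01 = illegal function): device lacks function 43.
EXCEPTION_REPLY = bytes.fromhex("000100000003" "01" "ab01")

if __name__ == "__main__":
    print("request :", build_request().hex())
    print("device  :", identify(SAMPLE_REPLY))
    print("legacy  :", identify(EXCEPTION_REPLY))
```

The request is eleven bytes of standard, read-only Modbus; the parser is where the care goes, because the object length bytes come from the device and a truncated or oversized object must not be trusted whether the frame arrived by capture or by query.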
The bottom line is: whenever you hear concerns about how much safer passive scanning products are compared to active probing, keep in mind that when it comes to configuration details, NAD products are more or less exploiting data from active queries that were generated by other endpoints. Were those active queries unsafe? Probably not. What does upset fragile OT devices is malformed or high-rate probing, not a single well-formed standard function call.
Value propositions, target users and use cases differ even more
Now that we know how the technology and its results are different, let’s look at use cases and target users. Guess what, the differences become even bigger.
The prototypical user of a NAD product is an OT security analyst sitting in a security operations center (SOC), no matter whether that SOC is the responsibility of IT or OT. It's probably fair to say that the activities of this user are not totally different from those of an IT security person working a SIEM system, and one shouldn't be surprised if terms of the trade such as threat hunting, forensics, and incident management are common in the job description.
What a contrast to an OT asset management system such as our OT-BASE! The core value of such a system lies more in arriving at resilient and robust OT infrastructures, while providing value to other use cases in engineering, maintenance, plant planning, and audit. Think about lifecycle management, problem management, and FAT/SAT approval as examples of how asset management extends well beyond cyber security.
Single product or best of breed?
For some customers, this leads to the question of whether a single, unified product is preferable, or whether it is better to combine multiple products. From our experience with several hundred thousand devices under license, the answer is clear: best of breed, integrated. It is based on the fact that large asset owners already have an existing infrastructure of SIEM products, service management platforms, established workflows, and an IT dominance (which usually is both good and bad).
If you are in this crowd, you will most likely not be looking for an all-in-one solution, but for a product that integrates well with your existing infrastructure. That's what we deliver with OT-BASE. Even though we haven't seen it yet, one could easily imagine OT-BASE integrating well with a NAD product.