6 questions to ask before buying an ICS / OT security monitoring tool

Most factories and utilities run industrial control system (ICS) equipment that was never intended to be plugged into the internet, and whose original deployment may well date to the 1970s or 1980s. More modern systems run — you guessed it — Windows XP.

Insecure by design and intended for local access only, these control systems offer greater efficiencies but come bundled with potentially catastrophic risk. Non-targeted malware like NotPetya caused hundreds of millions of dollars in losses to manufacturing concerns around the world. Unless you plan to unplug your factory or utility from the internet and go back to the Stone Age, it’s time to ratchet up the security of your operational technology (OT) environments.

That might mean acquiring an ICS / OT monitoring tool. You have both commercial and open source options. In either case, here are some questions you need to ask before and during your evaluation process.

1. Does the ICS monitoring tool offer the functionality you need?

The top ICS monitoring vendors, Indegy, CyberX, Nozomi Networks and Claroty, all offer varying degrees of asset discovery, network monitoring capability and SOC integration. They focus less on any given vertical and more on the job of analyzing specialized, often ancient, protocols like modbus and identifying specialized types of devices, like programmable logic controllers (PLCs). Industrial control system network traffic looks very different than typical corporate IT network traffic, and monitoring machine-to-machine communication is sui generis.

All vendors offer asset discovery, for instance; you can’t defend what you don’t know you have. “Most organizations don’t know the answer to this question,” Phil Neray, vice president of marketing at CyberX, tells CSO. “They might know what devices were installed when the factory was first built 15 to 20 years ago. How has the environment changed over time? What devices do I have? How are they talking to each other?”

Continuous threat monitoring is also baseline functionality you can expect from a vendor. Identifying suspicious traffic, unauthorized devices connected to the OT network, and in general using machine learning to flag anomalous activity are must-haves. This is where an open API to enable integration with your SIEM matters — where are those alerts going, and who’s going to look at them? SOC integration is quickly becoming another must-have baseline functionality all these vendors offer or will soon.

One differentiator to consider when shopping for an ICS monitoring solution is how many false positives, or low-priority true positives, a vendor solution flags. Your SOC probably doesn’t have the resources to run every single incident to the ground, and in many cases may choose to ignore lower priority issues to ensure 24/7 uptime. A flood of alerts will consume staff resources and draw attention from more serious threats.

Unlike other ICS tool vendors, Dragos focuses instead on intrusion detection and the playbooks behind it. The company offers that research as a form of threat intel as a service.

“Our perspective is taking an intelligence-driven approach via threat hunting… [buyers receive] a subscription to codified experience that gets delivered on a regular basis,” Ben Miller, vice president of threat operations at Dragos, tells CSO.

Municipal utilities take note: One thing that differentiates Dragos from the competition is that it offers free/cheap community tools for under-resourced waterworks and power companies. Most of the other vendors focus on chasing big contracts from the Global 2000 — which Dragos does, too — but to help defend critical infrastructure Dragos also offers several alternatives that are probably not very profitable but do perform a public service.

2. Will the ICS tool vendor offer a free trial?

Whether Dragos or any other solution is right for your enterprise is, again, about hammering out those evaluation criteria and taking a few vendors out for a spin. Until then it’s impossible to say which vendor is the right fit for your factory or utility.

“What are [the buyers’] business imperatives? There is no ‘best tool’,” Robert Caldwell, senior manager, ICS and OT consulting at Mandiant, tells CSO. “Tools are rapidly evolving and are leapfrogging each other.”

Since every ICS deployment is different, there’s no cookie cutter solution, no one-size-fits-all answer to enterprise ICS monitoring needs. Therefore, any acquisition should involve a free trial install of a vendor’s solution in your environment. It’s the only way to tell if the solution you’re being sold is a good fit for you.

3. How well will the ICS tool play with your SIEM and SOC?

Security managers will also want their vendor’s solution to interoperate with their existing security information and event management (SIEM) system and have visibility across IT and OT from one dashboard. These are just some of the key questions manufacturing concerns and utilities ought to consider when evaluating their options.

4. Is an open-source ICS monitoring tool an option?

At this point you might ask yourself, why not just roll your own? A large enterprise could build out the same in-house capabilities as one of the commercial vendors using open-source options. There’s Security Onion, the ELK stack, Suricata and even some open-source Snort rules.

Caldwell, who consults for many enterprise buyers, counsels against this strategy. “We’ve seen companies really feel like they are going to go out and build out their own security practice,” he says. “It’s incredibly hard and expensive to do.”

With great effort and a deep bench of security talent working in-house, an enterprise could duplicate the effort of one of the ICS security vendors, however the severe security talent shortage means that acquiring and keeping that talent may be very difficult, especially when VC-funded startups are snapping up the best and paying them top dollar.

The open-source tools enable limited asset discovery and network monitoring, and naturally have open APIs that can be integrated into a SOC. However, development of cutting-edge features continues to lag behind commercial offerings.

5. What can I do before acquiring an ICS monitoring tool?

That doesn’t mean you should just hand the keys to a commercial vendor,  though. Passing the buck is not a successful security strategy, and there are plenty of security basics — call it due diligence or security hygiene — that enterprises can perform to secure their IT and OT systems, and ensure successful integration with an ICS monitoring system. “Implementation and configuration [of existing systems] can make a big difference to the security of these systems, not just these high-dollar tools,” Caldwell says.

Greater collaboration between IT security staff and ICS engineers can also yield dividends. Swapping roles for a few weeks or months can foster greater understanding across the IT/OT cultural divide.

6. Where will ICS monitoring tools be in the near future?

The last few years have seen a ton of VC funding pour into ICS / OT monitoring solutions, and a handful of companies have emerged as aggressive players in this critical, but niche, field. Many offer similar products and services, and some consolidation in the market may be inevitable — something to consider when evaluating a vendor and signing a contract. What happens if your vendor is acquired or goes out of business?

Cybersecurity solutions don’t have the longevity of a factory deployment that might be useful for 20 years and more.The ICS / OT monitoring space is a vital but small vertical, and the Global 2000 contains only, well, 2,000 companies. Once contracts are signed, and tools deployed across potentially hundreds of installations across the country or around the world, high rates of vendor churn seem unlikely.

That means most of these vendors face a choice — get acquired or broaden their scope beyond just ICS/OT into the broader cybersecurity market. “We’re going to see a couple different trends,” Caldwell says. “Some of these companies will have to be acquired or run out of venture capital funding. Some companies have the long-term view to be a little bit more of a security product, not just OT.”

That means any of these top vendors could go out of business in the next year. Buyers should demand vendors be transparent about their financial position before signing on the dotted line. Buyers could also find their vendor acquired by a competitor before the ink is dry. “I think because [these vendors] are so similar I don’t know they would consolidate for feature and function,” Caldwell says. “If there’s any consolidation it’s a strategic buy to take somebody out of the market.”