1 Management Summary
The KuppingerCole Market Compass provides an overview of a market segment and the main vendors in the segment. It covers the trends that are influencing that market segment, how it is subdivided, and the capabilities required in vendor solutions. It also provides information on how well these solutions meet client requirements.
This Market Compass covers solutions that allow organizations to manage, monitor and protect their Operational Technology infrastructure and/or IoT devices.
Managers of operational technology environments have not typically had the tools and resources they need to effectively detect and respond to cybersecurity events. This Market Compass investigates the current state of the Operational Technology (OT) and Industrial Control Systems (ICS) sectors and documents the ability of the main industry players to support a coordinated approach to detecting, responding to, and recovering from cybersecurity attacks and intrusions.
To do this, companies with OT environments require assistance in the following steps:
- Inventory of OT infrastructure assets
- Protection of OT environment
- Monitoring supervisory and control systems
- Detection of cybersecurity events
- Response to a cybersecurity compromise
Inventorying OT infrastructure means that the systems and devices must be discoverable. The predominant requirement is for controllers to respond to a query with details on the manufacturer, the operating system or firmware version, and the attached devices, preferably with terminal assignments. This allows managers to maintain an asset registry for governance and system planning. Such active querying must use the controller's native protocol, be rate-limited, and be agreed with the asset owner, because some legacy controllers fault or stop on unexpected or malformed requests. A less effective, but non-intrusive, approach is for OT security solutions to passively listen on the network and infer device details from the protocols in use and packet inspection.
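The active query described above, as an added example that is not part of the Market Compass or any vendor's product: a builder and parser for the Modbus/TCP "Read Device Identification" exchange (function code 43, MEI type 14), which is how a Modbus controller reports its vendor, product code and firmware revision. The function codes, MEI type and object ids are from the Modbus specification; the host addresses, the "Acme Controls" reply and the helper names are constructed for this example. The parser checks every length field against the bytes actually received, so a misbehaving device cannot make it read past the frame.

```python
import socket
import struct

# Object ids from the Modbus Device Identification set (FC 43, MEI type 14).
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}

def build_read_device_id_request(transaction_id=1, unit_id=1, read_code=1, object_id=0):
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the
    PDU 0x2B 0x0E <read code> <starting object>. Read code 1 asks for the basic
    set (vendor, product code, revision), which every conformant device supports."""
    pdu = struct.pack(">BBBB", 0x2B, 0x0E, read_code, object_id)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_read_device_id_response(frame):
    """Parse one Modbus/TCP frame carrying an FC 43/14 response into a dict.
    Raises ValueError for exception responses and for any length field that
    disagrees with the bytes present."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame length")
    pdu = frame[7:]
    if pdu[0] == 0x2B | 0x80:
        raise ValueError(f"device returned Modbus exception code {pdu[1]}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    _read_code, conformity, more_follows, next_object_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object length exceeds frame")  # never trust the device's length byte
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit_id": unit_id, "conformity_level": conformity,
            "more_follows": bool(more_follows), "next_object_id": next_object_id,
            "objects": objects}

def query_device(host, port=502, unit_id=1, timeout=2.0):
    """Send a single basic device-identification request and parse the reply.
    One request per controller with a short timeout: this is deliberately not a
    port scanner, because some legacy controllers fault on unexpected traffic."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id_request(unit_id=unit_id))
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_read_device_id_response(header + _recv_exact(sock, length - 1))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("controller closed the connection mid-frame")
        buf += chunk
    return buf

def constructed_response():
    """A constructed reply from a fictitious 'Acme Controls' PLC (not a real device)."""
    objs = b"".join(bytes([oid, len(val)]) + val for oid, val in
                    [(0x00, b"Acme Controls"), (0x01, b"PLC-1000"), (0x02, b"2.14")])
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03]) + objs
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu

if __name__ == "__main__":
    print(parse_read_device_id_response(constructed_response())["objects"])
```

`query_device` is the only function that touches the network; the rest runs offline on the constructed frame. In a real inventory job the result of each query is what populates the asset registry entry for that controller.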
Protecting OT devices requires taking steps to frustrate and prevent anyone wanting to compromise the equipment. Devices should not be deployed with generic usernames and passwords. The management interface should make it easy to rotate passwords and, where possible, defer password management to an IAM and Privileged Access Management (PAM) solution. Over-The-Air (OTA) updates should be protected by strong authentication of the update source and by verification of each firmware image's signature before it is applied. The use of edge computing that minimizes the need to log into OT infrastructure should be supported.
Monitoring the OT environment requires the ability to communicate with controllers to determine the state of the equipment and to receive alarms and notifications. PLCs should advise when 'run' mode is stopped, so that the stop can be confirmed as a planned outage rather than an unsanctioned firmware update that could be used to inject malware. Supervisory systems should, if possible, be integrated with the organization's Security Operations Center (SOC). Logs of events such as authentication failures, unusual traffic, and protocol errors should be collected, analyzed, and stored.
Detection requires the ability to analyze log data and determine whether an attack is likely to have occurred. Detection increasingly employs behavioral analysis. Since OT traffic is highly regular (the same hosts exchanging the same commands at the same intervals), anomalies that indicate a possible compromise are typically easy to detect with the appropriate tools, and detection software that baselines normal traffic significantly reduces false-positive alarms.
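The baseline-and-deviation approach described in the monitoring and detection paragraphs above, as an added example that is not part of the Market Compass or any vendor's product. It learns the set of (source, destination, Modbus function code) conversations seen during a period the operator vouches for as normal, then flags a previously unseen host, a first write from a host that only read before, a new read from a known pair, and a PLC leaving RUN outside a planned maintenance window. The Modbus function codes are real; the record format, host addresses, timestamps and maintenance window are constructed for this example.

```python
from datetime import datetime, timedelta

# Modbus/TCP public function codes that change controller state. A first-seen
# write is scored higher than a first-seen read. (Codes are from the Modbus spec;
# the record format and the host addresses below are constructed for this example.)
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

def learn_baseline(records):
    """Return the set of (src, dst, function code) conversations observed during
    a period the operator vouches for as normal. In a real deployment this would
    span at least one full production cycle so that rare but legitimate traffic
    (shift changes, batch starts) is included."""
    return {(r["src"], r["dst"], r["fc"]) for r in records if "fc" in r}

def detect(records, baseline, maintenance_windows=()):
    """Compare new records against the baseline and return a list of
    (severity, timestamp, message) alerts. Anything already in the baseline is
    silent, which is what keeps the false-positive rate low on regular OT traffic."""
    known_hosts = {s for s, _, _ in baseline} | {d for _, d, _ in baseline}
    alerts = []
    for r in records:
        ts = r["ts"]
        if r.get("event") == "mode_change":
            # A controller leaving RUN is legitimate only inside a planned window.
            in_window = any(start <= ts <= end for start, end in maintenance_windows)
            if r["state"] != "RUN" and not in_window:
                alerts.append(("high", ts, f"PLC {r['plc']} left RUN ({r['state']}) outside a maintenance window"))
            continue
        key = (r["src"], r["dst"], r["fc"])
        if key in baseline:
            continue
        if r["src"] not in known_hosts:
            alerts.append(("high", ts, f"unknown host {r['src']} sent Modbus fc {r['fc']} to {r['dst']}"))
        elif r["fc"] in MODBUS_WRITE_FCS:
            alerts.append(("high", ts, f"first write (fc {r['fc']}) from {r['src']} to {r['dst']}"))
        else:
            alerts.append(("medium", ts, f"new conversation {r['src']} -> {r['dst']} fc {r['fc']}"))
    return alerts

T0 = datetime(2023, 5, 1, 8, 0, 0)
def at(seconds):
    return T0 + timedelta(seconds=seconds)

# Constructed baseline: one HMI polling two PLCs with reads, plus one operator setpoint write.
BASELINE_RECORDS = (
    [{"ts": at(i * 5), "src": "10.10.1.5", "dst": "10.10.2.10", "fc": 3} for i in range(20)]
    + [{"ts": at(i * 5), "src": "10.10.1.5", "dst": "10.10.2.11", "fc": 3} for i in range(20)]
    + [{"ts": at(60), "src": "10.10.1.5", "dst": "10.10.2.10", "fc": 6}]
)
# Constructed detection-period records.
NEW_RECORDS = [
    {"ts": at(3600), "src": "10.10.1.5", "dst": "10.10.2.10", "fc": 3},   # routine poll: silent
    {"ts": at(3605), "src": "10.10.1.5", "dst": "10.10.2.11", "fc": 16},  # HMI never wrote to PLC .11 before
    {"ts": at(3610), "src": "10.10.3.77", "dst": "10.10.2.10", "fc": 1},  # host never seen on the segment
    {"ts": at(3620), "event": "mode_change", "plc": "10.10.2.11", "state": "STOP"},  # unplanned stop
    {"ts": at(3625), "src": "10.10.1.5", "dst": "10.10.2.10", "fc": 4},   # known pair, new read code
]
MAINTENANCE_WINDOWS = [(at(7200), at(10800))]

def run_example():
    baseline = learn_baseline(BASELINE_RECORDS)
    return detect(NEW_RECORDS, baseline, MAINTENANCE_WINDOWS)

if __name__ == "__main__":
    for sev, ts, msg in run_example():
        print(f"{ts:%H:%M:%S} {sev:6s} {msg}")
```

Run as written it produces four alerts (three high, one medium) and stays silent on the routine poll; a STOP that falls inside the maintenance window is also silent, which is the check the monitoring paragraph asks for.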
Response to a compromise must be quick and decisive. It should have been pre-planned as part of the organization's Disaster Recovery Plan (DRP) and include pre-authorization for containment action. Tools range from the generation of automated alarms for investigation, to suggested containment procedures and configuration rollback, and potentially to offensive action. Tools for isolating compromised devices, immutable log storage, malware removal, and restoration from backup will assist in the response activity. Logs should provide the data for forensic analysis to enable post-event review.
Digital transformation has exposed OT environments to new vulnerabilities. In some cases, OT systems have been inappropriately migrated to cloud platforms. In others, previously isolated OT environments have been integrated with IT without appropriate access controls on OT system accounts. Even sensitive air-gapped OT environments have an attack vector in the USB storage devices, however well secured, that are used to carry files across the gap for IT integration.
Another attack vector is remote access. Often OT/ICS hardware and software is maintained by the vendor or their authorized system integrator via remote network access. In prior generations of hardware, this meant specialized modems attached to some nodes on ICS networks. More recently, vendors use an "enclave" approach, putting OT and ICS devices on separate LANs or VLANs and installing dedicated VPNs and proxies (sometimes called jump boxes). Support personnel then VPN into the customer OT environment and traverse the network to reach specific nodes. This creates a number of potential security issues:
- VPN access may not require strong authentication
- VPN access may be based on group accounts without individual tracing and activity auditing
- Routes beyond the VPN may not be segmented, allowing greater access than needed
- OT networks may not be secured against APT reconnaissance and DDoS attacks
- Nodes on OT networks may not be protected by a consistent IAM system
- Nodes on OT networks may not deploy strong authentication or fine-grained authorization
Common security management concerns for OT ecosystems include:
- Access control: OT environments may not share consistent policy enforcement with the IT environment due to solution constraints.
- Asset visibility: tools that perform enterprise asset discovery and classification are not proficient at discovering and classifying devices in the OT environment. Some OT systems do run standard operating systems, but many devices speak only telemetry protocols; they may not support a software agent, or may not communicate frequently enough for a baseline profile to be developed.
- Cybersecurity skills gap: there is a chronic shortage of proficient OT/ICS operations staff. Many OT environments are managed by external resources, typically associated with the legacy equipment supplier.
Highlights:
- There is now unprecedented ability to discover systems, controllers, sensors, interfaces, actuators, and other components on the OT network, allowing organizations to properly protect their assets
- Administrative tools to monitor OT assets, and to control the user and service accounts accessing OT/ICS/IIoT equipment, are readily available
- Federated authentication and integration between enterprise IT and OT environments, providing secure Single Sign-On (SSO) for users and administrators, is available
- Support for standard communication protocols for interoperability with enterprise IT Service Management (ITSM) and SIEM solutions is available with pre-packaged connectors
- Notification of device operational status in real-time and detection tools to identify possible intrusion events are available
- Automated intelligence processing to identify 'likely' intrusion events is available using known attack vectors and vulnerabilities
- Administrative tools for controller/device isolation in the event of a compromise, and backup and restore facilities for controllers and other devices can assist in the detection and response task.