Avoiding 5 IDS-Only OT Security Pitfalls

16 Aug 2022

For industrial manufacturers to have truly ransomware-ready operations, they need full visibility of every digital asset in the OT–IT–IIoT network. Relying solely on an intrusion detection system (IDS) leaves gaps in OT security because an IDS provides only limited asset visibility.

Being mainly reactive, IDS solutions collect asset information through passive network monitoring and active querying. As a siloed security tool, they don’t give you a full 360° view with central, extended visibility of all OT and OT–IT–IIoT network resources. That makes it impossible for your teams to manage risk properly: they can’t fix what they can’t see.

According to TechTarget, “An IDS can be contrasted with an intrusion prevention system (IPS).” The latter “monitors network packets for potentially damaging network traffic, like an IDS, but has the primary goal of preventing threats once detected, as opposed to primarily detecting and recording threats.”

Moreover, IDS solutions generate a huge volume of unprioritized event alerts. Reducing low-priority and false alerts is essential if genuinely critical events are to be mitigated in a timely manner.

Too much noise is known to cause alert fatigue for SOC analysts and teams, many of whom decide to take a position somewhere else with a more holistic security approach. Given ongoing staffing shortages, hiring their replacements is both costly and time consuming—if you can even find available candidates.

“A much more serious IDS mistake is a false negative…when the IDS misses a threat and mistakes it for legitimate traffic,” says TechTarget. In [such] a scenario, “IT teams have no indication that an attack is taking place and often don't discover [it] until after the network has been affected in some way.

“False negatives are becoming a bigger issue for IDSes… since malware is evolving and becoming more sophisticated. It’s hard to detect a suspected intrusion because new malware [might] not display the previously detected patterns of suspicious behavior that IDSes are typically designed to detect. As a result, there is an increasing need for IDSes to detect new behavior and proactively identify novel threats and their evasion techniques as soon as possible.”

When OT-IT-IIoT security data and industrial data sources aren’t analyzed together, the result is a series of gaps in your risk-based situational awareness, because alerts arrive without business context or any indication of their impact on operations. So when it comes to developing and maintaining a robust security posture, CISOs, SOC analysts, and operational teams need to look further than IDS alone.

How can you effectively monitor and mitigate OT security risks if you have blind spots in your network? OTORIO’s RAM2 aggregates information from diverse operational and security systems to create a digital representation of your operational environment. It then uses digital twinning to apply a powerful, non-intrusive breach and attack simulation engine, enabling your teams to quickly understand your security posture and proactively address vulnerabilities and exposures—before they become breaches.

Download our free eBook to learn why false negatives and four other major IDS pitfalls continue to leave your systems vulnerable to attack. You’ll also learn how OTORIO’s RAM2 solution helps you close the gaps in your OT-IT-IIoT security.