Say you were in need of open-heart surgery, would you let a neurologist perform it?
Probably not - no matter how many brain surgeries a neurologist has performed or how skilled he or she is, they do not possess the necessary expertise to perform cardiac procedures.
The same rule applies to cybersecurity; there is simply no substitute to deep-domain expertise.
In the world of manufacturing, production floors are the heart of the business and require the highest level of sensitivity and therefore protecting ICS networks should be performed with the utmost competence.
The medical analogy is helpful to exemplify an increasing problem we are witnessing from various cyber-security vendors. Many of the security tools, methodologies, and services in the OT/ICS market today are “information-natives”; extended versions of IT solutions, altered to fit OT environments and often lacking critical components. Conversely, there are a few industrial security vendors that developed their entire offering to address the specific complexity of OT, also known as “industrial-native”.
There are several differences between types of security vendors that every security person in an industrial company should be aware of, especially if he or she is responsible for choosing vendors and suppliers.
Often, some of the most popular IT methods are unsuitable for OT environments. In the IT world, confidentiality is the highest security principle. However, in the OT world - safety and availability come first. This calls for the use of different security practices.
Example. In access controls, IT countermeasures such as stronger physical security to an entrance of a computer room will be implemented in case security controls like multi-factor authentication (MFA) cannot be applied at the OS level. This, in the OT environment, becomes a “best practice” since extending the login time to a system might have severe ramifications on the production process. Auto-login is, in fact, a common practice in the OT industry and must be addressed properly without endangering the process.
Aside from the products that must be OT-oriented, many industrial cybersecurity vendors offer services to complement their offerings. For obvious reasons services get the most out of the network when they are familiar with every aspect of it and should be tailored to the specific environment they operate on. Since OT environments are so different from IT environments, services performed on the network should have their own OT-dedicated approach, methodology, tools, and more.
Example. Penetration Testing teams need to operate in a completely different manner depending on whether they are operating on an IT or an OT network. Incident Response teams need to be familiar with OT components to know what breach indications will appear on which asset. IT services will not be as efficient in OT environments as they are in their natural habitat, and in many cases prove less valuable, or even damaging to the network.
There are millions of different assets and industrial systems, and firmware changes greatly across different vendors and even regions. It is quite a challenge for non-Industrial-native vendors will to know these systems and their attributes. This is where the familiarity comes into play. Being familiar with OT components can allow vendors to dynamic mechanisms to deploy their solutions on a network.
Example. Take asset management for instance. When “classic” discovery methods cannot be used, Industrial-native vendors focus their efforts on alternative data collection methods, e.g. through the use of operational historian. Since historian already performs data collection from the network, connecting to it and siphoning its data may prove as a suitable alternative to active scanning.
Region- or country-specific regulations and standards are a major cause of confusion for OT vendors and customers. Each OT utility needs to conduct its own risk-based assessment process to make sure it addresses the standards and complies with required regulations on the one hand but addresses its specific risks and critical production needs on the other
Example. Industrial standards come in many flavors; industry-wide standards like IEC 62443 and NIST CSF and industry-specific standards like NERC-CIP which addresses the electrical industry in North America and IMO standards and regulations which address the maritime industry.
Lastly and perhaps most importantly, considering the particularity of the industrial business. The resolution of security tasks requires resources. Assessing the digital risks’ impact on productivity enables efficient prioritization of security tasks which saves considerable resources. In other words, context-based processes allow teams to choose cost-efficient steps to mitigate risks, according to their impact on the production process.
Example. Security patching requires shutting down production, and In industrial businesses, the tolerance for downtime is extremely low because of its direct impact on productivity which carries major financial repercussions. Industrial cybersecurity vendors take into consideration the industrial business context and avoid patching whenever possible.
Legacy systems were not designed for today’s expanding connectivity and automation, making them ‘insecure by design’. Fluency in the OT network is imperative for effective industrial cyber-security.
Security solutions must be tailored to the delicate industrial environment. The lack of OT sensitivity in some IT solutions put the entire production-floor at risk. Industrial-native cybersecurity is one that efficiently deals with the complexity of the industrial environment.
Other than learning about the company's market focus (e.g. clients: enterprise or industrial), it is recommended to look into the following:
Has the vendor completed various testing of a real-life production environment in different sectors?
Information security follows the CIA model: Confidentiality, Integrity, Availability, while in engineering the RAMS model prevails: Reliability, Availability, Maintainability, Safety. Make sure safety is a top priority, for example, does the vendor use an OT lab for testing?
As stated, understanding of OT assets, products, and specific OT protocols in addition to cyber-security expertise is crucial. You speak OT, your vendor should, too.