Industrial control systems market map
This DefenderSphere provides an overview of the various industrial control system (ICS) and operational technology (OT) vendors to help you visualize where your systems may overlap and where they should be connected to get the most out of your ICS cybersecurity investments. For our second iteration of the DefenderSphere, we’ve made some important modifications based on how the industrial control systems market is progressing. Please note that the OT security market continues to rapidly evolve, and this is not an exhaustive list. For this current version, we considered recent acquisitions, new operational technology vendors in the space, and certain categories that are converging and evolving over time. We hope that this is a helpful starting place for those looking to understand how different OT security companies may serve their tech stack.
We’ll explain each section briefly below.
This is where it all starts. These are the operational technology solutions that make or integrate the most basic components that are assembled to form an entire industrial control system. Beyond ICS and programmable logic controllers (PLC), OT assets also include remote terminal units (RTU), supervisory control and data acquisition (SCADA), human machine interfaces (HMI) and other digital technologies that help drive operations. This is why they are at the center of the circle. These are the crown jewels you are protecting. The rest is meant to add additional protections or efficiencies. Not too much has changed in 2021 for this category, other than the removal of OSI and OSIsoft, which were acquired by Emerson and Aveva, respectively.
Many people might question why foundational technologies aren’t in the center, as they are very embedded in our OEM solutions. It’s because they are only part of the solution, and because the OEMs bring them in to solve a particular problem. Most OEMs don’t even fully disclose exactly what they pull in from this section, and the components will be obfuscated as “firmware” or white-labeled under the OEM’s name. This isn’t a judgement or even a bad thing; it just is what it is. As the industry has evolved to ask better questions, the OEMs are becoming more transparent. However, as the foundation is updated, the asset owners need to know what they are up against, so finding solutions that can peel back the layers to get at the foundational components is required to help manage this piece of the pie. Enhanced Software Bills of Materials (SBOMs) can be a useful tool to provide better data on the vendor components in this category.
Network infrastructure refers to the hardware and software systems that enable communication between devices, systems, and operators in industrial environments. This includes switches, routers, gateways, firewalls, network taps, data diodes, etc. It is also why it is its own category and not under Foundational Technology. Ownership is often a complex discussion between the OEM, VAR, integrator, and/or the customer. As we have some former asset owners and OEM members on our team, and often have to dance between these groups as we do Industrial Defender implementations, we are all too familiar with the complications that can happen here. This space is often complicated by the most basic question — “who’s responsible for it?”. The answer can range from anyone already mentioned, including the OEMs, to third-party service providers. To make matters even more complicated, it is often handled through a combination of responsibilities, where the system builder will furnish and manage the “weird stuff” that runs the industrial protocols, the customer will manage the edge switching infrastructure, and a third party will manage all the routers and firewalls. Getting a complete understanding of your risk profile in this situation is very hard, and really requires the ability to get all of this data into a single console to keep up with it, and for the asset owner to hold everyone accountable.
There are a wide variety of service providers out there that can offer multiple types of services, and we didn’t want to limit any of them to one category or another. These providers often play a critical role in the interplay between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again, the asset owner is always ultimately accountable for the risk at the end of the day. Finding ICS cybersecurity solutions that create transparency is critical to having meaningful conversations with these partners.
ICS asset management is all about assigning ownership to assets, maintaining them, and making asset data easily accessible. You’ll need asset management when your SOC (internal or third party) gets an alert they don’t understand or need to take action on. If you have a solid asset management program in place, your SOC analysts can quickly identify whom to contact and how to reach them. To run an effective asset management program, you first need visibility into your assets. There is not a complete control framework on earth that does not agree this is a must, and a very early must.
You simply can’t manage what you can’t see. Using a passive asset visibility tool is one method to do this. Active industrial control system endpoint monitoring is another method to do this. Neither one on its own is enough. One without the other is just half a solution. Visibility doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification methods is key.
We added a new sub-category for Configuration & Change Management. We are seeing more demand in the market for solutions like these as ICS security teams mature their cybersecurity programs and begin to understand the importance of tracking changes in an endpoint to detect potential cybersecurity or operational issues while they’re happening, rather than later when an asset starts exhibiting abnormal communication patterns over the network.
We’ve also updated the Vulnerability Detection sub-category, which is now Vulnerability and Risk Management. This includes vulnerability assessment, patch management, and risk-based prioritization. A good asset management solution can also help you manage your risk exposure from vulnerabilities. In the ICS world, it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that violates your hard-fought ISA-99 implementation by initiating layer 5 connections down into layer 2. Again, the goal here is to find partners that understand these complexities, have the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into the vulnerability data, as well as what patches are available.
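As an added illustration of the two points above (passive and active visibility each see only half the picture, and change tracking needs a per-endpoint baseline), the following example reconciles constructed passive network observations with a constructed active endpoint inventory and diffs an endpoint's software baseline between two snapshots. This is example code written for this page, not Industrial Defender's product or any vendor's API; all asset data in it is made up.

```python
"""Reconcile passive network observations with an active endpoint inventory,
then diff an endpoint's software/configuration baseline. All data is constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    vendor: str = "unknown"
    software: dict = field(default_factory=dict)  # package/firmware name -> version
    seen_passively: bool = False  # observed by a network tap
    seen_actively: bool = False   # enumerated by an endpoint agent or query


# Constructed passive observations: a tap sees only an address and a protocol.
PASSIVE = [("10.1.1.10", "modbus"), ("10.1.1.11", "dnp3"), ("10.1.1.50", "s7comm")]

# Constructed active inventory: vendor and installed software per endpoint.
ACTIVE = {
    "10.1.1.10": ("VendorA", {"firmware": "2.4.1", "runtime": "7.0"}),
    "10.1.1.20": ("VendorB", {"hmi-client": "5.2"}),
}


def reconcile(passive, active):
    """Merge both sources into one asset record per IP, tagging who saw it."""
    assets = {}
    for ip, _proto in passive:
        assets.setdefault(ip, Asset(ip)).seen_passively = True
    for ip, (vendor, software) in active.items():
        a = assets.setdefault(ip, Asset(ip))
        a.seen_actively, a.vendor, a.software = True, vendor, dict(software)
    return assets


def coverage_gaps(assets):
    """Devices only the tap saw (no software data) and devices only the agent saw
    (silent on the wire during the capture window). Neither list should be ignored."""
    only_passive = sorted(ip for ip, a in assets.items() if a.seen_passively and not a.seen_actively)
    only_active = sorted(ip for ip, a in assets.items() if a.seen_actively and not a.seen_passively)
    return only_passive, only_active


def baseline_diff(old, new):
    """Return {name: (old_version, new_version)} for every entry that changed,
    appeared, or disappeared between two snapshots of one endpoint."""
    return {n: (old.get(n), new.get(n)) for n in set(old) | set(new) if old.get(n) != new.get(n)}


if __name__ == "__main__":
    inv = reconcile(PASSIVE, ACTIVE)
    print("passive-only:", coverage_gaps(inv)[0], "active-only:", coverage_gaps(inv)[1])
    print(baseline_diff(inv["10.1.1.10"].software, {"firmware": "2.4.2", "runtime": "7.0", "debug-agent": "1.0"}))
```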
These are tools for monitoring, detection, response, and protection that align with security operations centers (SOCs). Sub-categories include Security Information and Event Management (SIEM), Threat Hunting, Security Orchestration, Automation and Response (SOAR), and Endpoint Protection. Changes to this category for 2021 include renaming Threat Intelligence to Threat Hunting and bringing in the Endpoint Protection technologies sub-category. The power of these industrial cybersecurity solutions is only unlocked when you’ve done the basics. Having intelligence without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much. It’s very difficult and costly to detect and respond to a threat when you have no data on what assets are affected or where it came from, so before going all in on threat intelligence tools in ICS environments, make sure you have foundational cybersecurity controls covered first.
This includes true access control solutions, such as Secure Remote Access software, Physical Access Control software, and IAM/PAM tools. Having these types of user access protections in place within an industrial control system environment is critical, especially with remote work looking like it’s here to stay.
IT Service Management was added as a sub-category; this includes tools such as ServiceNow, BMC, IBM and Broadcom. This category also covers Enterprise Reporting, which was moved over from IT. It is distinct from our Reporting & Standards category, since these solutions can deliver far more data for an organization than just regulatory or standards reporting.
Choosing a standard to measure your progress by is incredibly important when building an industrial cybersecurity program. The Compliance Reporting solutions in this category make it easy to benchmark your progress within a standard or framework so that when a regulator or customer shows up and demands to audit your program, you will be ready with the data to give them not just confidence, but proof you are doing the right things.
It’s impossible for any one vendor to fill all the spots in this space. It is our belief at Industrial Defender that starting at the core with an “eat your vegetables” approach and a strong platform that can be used locally and integrated across the enterprise is the right way to proceed. Trustworthy OT asset data is the bedrock of security and compliance. We believe local management mixed with a sound standard and centralized policy enforcement gives everyone the tools and responsibility to manage industrial cybersecurity together. Industrial Defender can help you build that base. While we offer complete coverage in the Asset Management and Standards & Reporting categories, we can also feed operational technology cybersecurity data to your other ICS vendors via our 200+ integrations to give your teams a comprehensive view of your assets, even in the most complicated deployment environments. When your SOC needs to contact plant personnel, Industrial Defender provides them with that data right there at their fingertips in the tool you’ve already invested in. On top of that, we have the workflow and reporting tools built right into our tool to help you define and manage a standards-based approach to cybersecurity. Our customers can attest that we have the best reporting capabilities in the industry.