Industrial control systems market map
This DefenderSphere provides an overview of the various industrial control system (ICS) vendors to help you visualize where your systems may overlap and where they should be connected to get the most out of your ICS cybersecurity investments. For our second iteration of the DefenderSphere, we’ve made some important modifications based on how the industrial control systems market is progressing. We considered recent acquisitions, new operational technology vendors in the space, and certain categories that are converging and evolving over time.
After some deliberation, we ended up with the breakdown seen in the graphic above. Some of the major changes to note in 2021 include:
What hasn’t changed in the 2021 ICS vendor landscape, however, is the complexity. At every point there can be different rules of engagement with each vendor. There are many critical components involved when trying to create and maintain secure industrial control systems. Figuring out where ICS vendors overlap, or where they need to be connected is always a challenge.
We’ll explain each section briefly below.
This is where it all starts. These are the operational technology solutions that make or integrate the most basic components that are assembled to form an entire industrial control system. This is why they are at the center of the circle. These are the crown jewels you are protecting. The rest is meant to add additional protections or efficiencies. Not too much has changed in 2021 for this category, other than the removal of OSI and OSIsoft, which were acquired by Emerson and Aveva, respectively.
Many people might question why foundational technologies aren’t in the center. It’s because they are only part of the solution, and because the OEMs bring them in to solve a particular problem. Most OEMs don’t even fully disclose exactly what they pull in from this section, and the components will be obfuscated as “firmware” or whiteboxed with the OEM’s name. This isn’t a judgement or even a bad thing; it just is what it is. As the industry has evolved to ask better questions, the OEMs are becoming more transparent. However, as the foundation is updated, the asset owners need to know what they are up against, so finding solutions that can peel back the layers to get at the foundational components is required to help manage this piece of the pie. Enhanced Software Bills of Material (SBOMs) can be a useful tool to provide better data on the vendor components in this category.
This is often a complex discussion between the OEM, VAR, integrator, and/or the customer. As we have some former asset owners and OEM members on our team, and often have to dance between these groups as we do Industrial Defender implementations, we are all too familiar with the complications that can happen here. It is also why it is its own category and not under Foundational Technology. This space is often complicated by the most basic question — “who’s responsible for it?”. This can range from anyone I’ve already mentioned to even third-party service providers. To make matters even more complicated, it is often handled through a combination of responsibilities, where the system builder will furnish and manage the “weird stuff” that runs the industrial protocols, the customer will manage the edge switching infrastructure, and a third party will manage all the routers and firewalls. Getting a complete understanding of your risk profile in this situation is very hard to manage, and really requires the ability to get all of this data into single console to keep up with them, and for the asset owner to hold everyone accountable.
For 2021, we’ve consolidated service providers into one main category, rather than sub-categorizing them by type. There are a wide variety of service providers out there that can offer multiple types of services, and we didn’t want to limit any of them to one category or another. These providers often play a critical role in the intermix between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again, the asset owner is always ultimately accountable for the risk at the end of the day. Finding ICS cybersecurity solutions that create transparency is critical in having meaningful conversations with these partners.
This new category for 2021 replaces the old Asset Visibility category, which has moved underneath Asset Management (we will explain why in the next section). We did this to introduce you to the next generation of industrial control system cybersecurity solutions, from supply chain cybersecurity to automated risk quantification tools to vertical-specific applications, there are a wide range of innovative emerging technologies out there, and we encourage you to check them out.
ICS asset management is all about assigning ownership to assets, maintaining them, and making asset data easily accessible. You’ll need asset management when your SOC (internal or third party) gets an alert they don’t understand or need to take action on. If you have a solid asset management program in place, your SOC analysts can easily identify who and how to contact the right people as quickly as possible. To run an effective asset management program, you first need visibility into your assets. There is not a complete control framework on earth that does not agree this is a must, and a very early must.
You simply can’t manage what you can’t see. Using a passive asset visibility tool is one method to do this. Active industrial control system endpoint monitoring is another method to do this. Neither one on its own is enough. One without the other is just half a solution. Visibility doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification methods is key.
This year, we added a new sub-category for Configuration & Change Management. We are seeing more demand in the market for solutions like these as ICS security teams mature their cybersecurity programs and begin to understand the importance of tracking changes in an endpoint to detect potential cybersecurity or operational issues while they’re happening, rather than later when an asset starts exhibiting abnormal communication patterns over the network.
We’ve also added a new sub-category for Vulnerability Detection. A good asset management solution can also help you manage your risk exposure from vulnerabilities. In the ICS world, it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that is violating your hard fought ISA-99 implementation and are initiating layer 5 connections down into layer 2. Again, the goal here is to find partners that understand these complexities, have the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into the vulnerability data, as well as what patches are available.
Some of the changes to this category for 2021 include changing Threat Intelligence to Threat Hunting and bringing in the Endpoint Protection technologies sub-category. The power of these industrial cybersecurity solutions is only unlocked when you’ve done the basics. Having intelligence without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much. It’s very difficult and costly to detect and respond to a threat when you have no data on what assets are affected or where it came from, so before going all in on threat intelligence tools in ICS environments, make sure you have foundational cybersecurity controls covered first.
This year, we’ve pared down this category to include only true access control solutions, such as Secure Remote Access software, Physical Access Control software, and IAM/PAM tools. Having these types of user access protections in place within an industrial control system environment is critical, especially with remote work looking like it’s here to stay.
This new category replaced the IT Service Management category for 2021. IT Service Management was added as a sub-category. This includes tools such as ServiceNow, BMC, IBM and Broadcom. The Enterprise Reporting category was also moved over from Reporting & Standards since these solutions can deliver so much more data for an organization than just regulatory or standards reporting.
For 2021, we did a bit of streamlining in this category, including removing Events and Research, combining Standards and Governance into one sub-category, and replacing Enterprise Reporting with Compliance Reporting. Choosing a standard to measure your progress by is incredibly important when building an industrial cybersecurity program. The Compliance Reporting solutions in this category make it easy to benchmark your progress within a standard or framework so that when a regulator or customer shows up and demands to audit your program, you will be ready with the data to give them not just confidence, but proof you are doing the right things.
It’s impossible for any one vendor to fulfill all the spots on this space. It is our belief at Industrial Defender that starting at the core with an “eat your vegetables” approach and a strong platform that can be used locally and integrated across the enterprise is the right way to proceed. We believe local management mixed with a sound standard and centralized policy enforcement gives everyone the tools and responsibility to manage industrial cybersecurity together.
Industrial Defender can help you build that base. While we offer complete coverage in the Asset Management and Standards & Reporting categories, we can also feed operational technology cybersecurity data to your other ICS vendors via our 200+ integrations to give your teams a comprehensive view of your assets, in the most complicated deployment environments. When your SOC needs to contact plant personnel, Industrial Defender provides them with that data right there at their fingertips in the tool you’ve already invested in. On top of that, we have the workflow and reporting tools built right into our tool to help you define and manage a standards-based approach to cybersecurity. Our customers can attest that we have the best reporting capabilities in the industry.
Have comments or questions about the DefenderSphere? Contact us.
Contact usLet our team help you understand your organization’s industrial control systems environment by putting together a customized DefenderSphere.
