Industrial control systems market map
The DefenderSphere: An Overview of the ICS Vendor Landscape
by Jeremy Morgan, Principal Solutions Engineer
This DefenderSphere provides an overview of the various industrial control system (ICS) vendors to help you visualize where your systems may overlap and where they should be connected to get the most out of your ICS cybersecurity investments. For our second iteration of the DefenderSphere, we’ve made some important modifications based on how the industrial control systems market is progressing. We considered recent acquisitions, new operational technology vendors in the space, and certain categories that are converging and evolving over time.
What ICS Vendor Categories Have Changed in 2021?
After some deliberation, we ended up with the breakdown seen in the graphic above. Some of the major changes to note in 2021 include:
- The Asset Visibility category is now the Emerging Technologies category, as many of the passive asset visibility solutions in that category are quickly becoming acquired and commoditized.
- The IT Service Management category is now the Enterprise Tools category to better reflect the wide range of administrative technologies used by enterprise teams.
- Endpoint Security & Access Control has become Access Control
What hasn’t changed in the 2021 ICS vendor landscape, however, is the complexity. At every point there can be different rules of engagement with each vendor. There are many critical components involved when trying to create and maintain secure industrial control systems. Figuring out where ICS vendors overlap, or where they need to be connected is always a challenge.
We’ll explain each section briefly below.
For 2021, we’ve consolidated service providers into one main category, rather than sub-categorizing them by type. There are a wide variety of service providers out there that can offer multiple types of services, and we didn’t want to limit any of them to one category or another. These providers often play a critical role in the intermix between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again, the asset owner is always ultimately accountable for the risk at the end of the day. Finding ICS cybersecurity solutions that create transparency is critical in having meaningful conversations with these partners.
This new category for 2021 replaces the old Asset Visibility category, which has moved underneath Asset Management (we will explain why in the next section). We did this to introduce you to the next generation of industrial control system cybersecurity solutions, from supply chain cybersecurity to automated risk quantification tools to vertical-specific applications, there are a wide range of innovative emerging technologies out there, and we encourage you to check them out.
ICS asset management is all about assigning ownership to assets, maintaining them, and making asset data easily accessible. You’ll need asset management when your SOC (internal or third party) gets an alert they don’t understand or need to take action on. If you have a solid asset management program in place, your SOC analysts can easily identify who and how to contact the right people as quickly as possible. To run an effective asset management program, you first need visibility into your assets. There is not a complete control framework on earth that does not agree this is a must, and a very early must.
You simply can’t manage what you can’t see. Using a passive asset visibility tool is one method to do this. Active industrial control system endpoint monitoring is another method to do this. Neither one on its own is enough. One without the other is just half a solution. Visibility doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification methods is key.
This year, we added a new sub-category for Configuration & Change Management. We are seeing more demand in the market for solutions like these as ICS security teams mature their cybersecurity programs and begin to understand the importance of tracking changes in an endpoint to detect potential cybersecurity or operational issues while they’re happening, rather than later when an asset starts exhibiting abnormal communication patterns over the network.
We’ve also added a new sub-category for Vulnerability Detection. A good asset management solution can also help you manage your risk exposure from vulnerabilities. In the ICS world, it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that is violating your hard fought ISA-99 implementation and are initiating layer 5 connections down into layer 2. Again, the goal here is to find partners that understand these complexities, have the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into the vulnerability data, as well as what patches are available.
Some of the changes to this category for 2021 include changing Threat Intelligence to Threat Hunting and bringing in the Endpoint Protection technologies sub-category. The power of these industrial cybersecurity solutions is only unlocked when you’ve done the basics. Having intelligence without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much. It’s very difficult and costly to detect and respond to a threat when you have no data on what assets are affected or where it came from, so before going all in on threat intelligence tools in ICS environments, make sure you have foundational cybersecurity controls covered first.
This year, we’ve pared down this category to include only true access control solutions, such as Secure Remote Access software, Physical Access Control software, and IAM/PAM tools. Having these types of user access protections in place within an industrial control system environment is critical, especially with remote work looking like it’s here to stay.
This new category replaced the IT Service Management category for 2021. IT Service Management was added as a sub-category. This includes tools such as ServiceNow, BMC, IBM and Broadcom. The Enterprise Reporting category was also moved over from Reporting & Standards since these solutions can deliver so much more data for an organization than just regulatory or standards reporting.
Reporting & Standards
For 2021, we did a bit of streamlining in this category, including removing Events and Research, combining Standards and Governance into one sub-category, and replacing Enterprise Reporting with Compliance Reporting. Choosing a standard to measure your progress by is incredibly important when building an industrial cybersecurity program. The Compliance Reporting solutions in this category make it easy to benchmark your progress within a standard or framework so that when a regulator or customer shows up and demands to audit your program, you will be ready with the data to give them not just confidence, but proof you are doing the right things.
How Critical Infrastructure Teams Can Use This ICS Vendor Information
It’s impossible for any one vendor to fulfill all the spots on this space. It is our belief at Industrial Defender that starting at the core with an “eat your vegetables” approach and a strong platform that can be used locally and integrated across the enterprise is the right way to proceed. We believe local management mixed with a sound standard and centralized policy enforcement gives everyone the tools and responsibility to manage industrial cybersecurity together.
Industrial Defender can help you build that base. While we offer complete coverage in the Asset Management and Standards & Reporting categories, we can also feed operational technology cybersecurity data to your other ICS vendors via our 200+ integrations to give your teams a comprehensive view of your assets, in the most complicated deployment environments. When your SOC needs to contact plant personnel, Industrial Defender provides them with that data right there at their fingertips in the tool you’ve already invested in. On top of that, we have the workflow and reporting tools built right into our tool to help you define and manage a standards-based approach to cybersecurity. Our customers can attest that we have the best reporting capabilities in the industry.
Have comments or questions about the DefenderSphere? Let us know here: https://www.industrialdefender.com/contact-us/