Industrial control systems market map
How and why did we create the DefenderSphere?
by Jeremy Morgan, Principal Solutions Engineer
The Industrial Defender team is built of long-time industrial control systems executives. Many of us have worked at utilities and have been asset owners. Earlier in 2020, when we sat down as a team to talk about our roadmap, we started by putting ourselves in our customers shoes. Having worked for many industrial companies between us, this was an exercise full of nostalgia for projects and integrations we had run over the last several years. Going through the ICS landscape, we realized how many vendors our customers have to work with for ICS cyber security. It is so complex, and at every point there can be different rules of engagement with each vendor. There are many critical components involved when trying to make control systems secure and compliant. Figuring out where they overlap, or where they need to be connected is always a challenge. For this reason, we are still very much in the early days for ICS Security.
After a few months of deliberation, we eventually ended up with the breakdown seen in the graphic above. I’ll explain each section briefly below.
These providers often play a critical role in the intermix between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again the asset owner is always ultimately accountable for the risk at the end of the day and finding solutions that create transparency is critical in having meaningful conversations with these partners.
The rest of the categories we are going to go through in order of the CIS Top 20 Critical Security Controls. We’ve long been supporters of this methodology to “get security done”.
Simply put, asset visibility is the beginning of any well run security program. There is not a complete control frame work on earth that does not agree this is a must, and a very early must. You simply can’t manage what you can’t see. Passive is not enough. Agents are not enough. Python scripts of ping sweeps are not enough. It also doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. One without the other is just half a solution. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification technology is key.
This is about being able to help identify known vulnerabilities. A good solution addresses vulnerabilities and not just patches. In the ICS world it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that is violating your hard fought ISA-99 implementation and are initiating layer 5 connections down into layer 2. This isn’t just a patch management discussion either, as often that’s a no-go. It’s about understanding your total risk picture and making sense of it in a straightforward way. Again, the goal here is to find a partner that understands these complexities, has the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into what’s really there and what’s available.
Some might argue there is no difference between asset visibility and asset management. But there is, and it’s about setting standards and monitoring against them. Asset Management means you can easily run reports to see your progress or lack of it. Asset Management also means assigning ownership, maintaining it, and making it easily accessible. You’ll need asset management when your SOC (internal or 3rd party) gets an alert they don’t understand or need to take action on so they can easily identify who and how to contact the right people as quickly as possible.
Some might argue that these are two different things, and they wouldn’t be incorrect. At this point, however, these controls need to be running in parallel. Again, this can be really complex to manage between all the different players in the ICS world. It’s also a place where traditional vendors struggle to support ICS in the long run. One example is still having to support Windows XP in today’s environments. Understanding true long-term support performance vs promises and breadth of coverage for both endpoints and account management systems is important. Also, when it comes to access management, breadth of integration support is very important.
It might seem weird that security hasn’t been mentioned until now, but it’s an order of operations thing. The power of these solutions is only unlocked when you’ve done the basics. Having intel without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much.
ITSM will see a lot of overlap from a vendor perspective. However, this is more about the other features of the IT Service Management than just Asset Management. It’s about the next phase of leveraging the Asset Management data and then tying into other systems from patching to change management to work tickets. Rightsizing and ecosystem integration are key values here. Why force yet another tool into your plants or risk a vendor issue when you can use a tool that’s already there, and then have it integrate up as needed.
These vendors can really help you take your program to the next level. They play an important if tangential role and will really help close any of the loose ends in your program.
It is impossible for any one vendor to fulfill all the spots on this space. It is our belief at Industrial Defender that starting at the core with an “eat your vegetables” approach and a strong platform that can be used locally and integrated across the enterprise is the right way to proceed.We believe local management mixed with a sound standard and centralized policy enforcement gives everyone the tools and responsibility to do security together.
Industrial Defender will be there with the most experienced team in the business to build that base. We have over 200 integrations to gain the most comprehensive view of your assets, in the most complicated deployment environments. This includes offshore bandwidth-limited scenarios to data diodes and even air-gapped networks.
On top of that we have the workflow and reporting tools built right into the tool to help you define and manage a standards-based approach to securing your environment. When the regulator or customer shows up and demands to audit your program, you will be ready with information and reports to give them not just confidence but proof you are doing the right things. These are reports built with the limited resources and training you are given in today’s market. You don’t need to be a Ph.D. in Data Analytics since what you need is already built, and when it’s not, it pretty straightforward to build it yourself. Our customers can attest that we have the best reporting in the industry.
When you are ready to take it to the next level, we are an open book to build the remaining connections. When your SOC needs to contact plant personnel, it can be right there at their fingertips in the tool you’ve already invested in. You’ll know it’s accurate because it’s updated by the team you are trying to contact. When you want to allow your operators to view hardware, account and security events in your SCADA management HMI, so they can more quickly determine the actual situation at hand, you can rest easy knowing they’ve got that information from one of the most trusted names.
Have comments or questions about the DefenderSphere? Let us know at email@example.com