The Industrial Defender team is built of long-time industrial control systems executives. Many of us have worked at utilities and have been asset owners. Earlier in 2020, when we sat down as a team to talk about our roadmap, we started by putting ourselves in our customers shoes. Having worked for many industrial companies between us, this was an exercise full of nostalgia for projects and integrations we had run over the last several years. Going through the ICS landscape, we realized how many vendors our customers have to work with for ICS cyber security. It is so complex, and at every point there can be different rules of engagement with each vendor. There are many critical components involved when trying to make control systems secure and compliant. Figuring out where they overlap, or where they need to be connected is always a challenge. For this reason, we are still very much in the early days for ICS Security.

After a few months of deliberation, we eventually ended up with the breakdown seen in the graphic above. I’ll explain each section briefly below.

OEMs

This is where it all starts. These are the solutions our customers are looking to buy to solve their needs. This collection makes or integrates the most basic components that are assembled to form the basics of “modern” control systems (“modern” meaning from the last 30 years). This is why they are at the center of the circle. These are the crown jewels you are protecting. The rest is meant to add additional protections in what we call the DefenderSphere.

Foundational Technologies

A lot of people might question why foundational technologies aren’t in the center. It’s because they are only part of the solution, and because the OEMs bring them in to solve a particular problem. Most OEMs don’t even fully disclose exactly what they pull in from this section and the components will be obfuscated as “firmware” or whiteboxed with the OEMs’ name. This isn’t a judgement or even a bad thing, it just is what it is. As the industry has evolved to ask better questions, the OEMs are becoming more transparent. However, as the foundation is updated, the asset owners need to know what they are up against, and so finding a solution that peels back the layers to get at the foundational components is required to help manage this piece of the pie.

Network Infrastructure

This is often a complex discussion between the OEM, VAR, integrator, and/or the customer. As we have some former asset owners and OEM members on our team, and often have to dance between these groups as we do Industrial Defender implementations, we are all too familiar with the complicated dance that can happen here. It is also why it is its own category and not under Foundational Technology. This space is often complicated by the most basic question — “who’s responsibility is it?”. This can range from anyone I’ve already mentioned or even 3^rd party service providers. To make matters even more complicated, it is often handled through a combination of responsibilities, where the system builder will furnish and manage the “weird stuff” that runs the industrial protocols, the customer will manage the edge switching infrastructure, and a 3^rd party will manage all the routers and firewalls. Getting a complete understanding of your risk profile in this situation is very hard to manage, and really requires the ability to get them all into single console to keep up with them, and for the asset owner to hold everyone accountable.

Services

These providers often play a critical role in the intermix between the previous three sections and those that follow. Asset owners often rely on them to fill in the blanks and guide them through these complex integrations. They can be valuable partners to help reduce complexity, but again the asset owner is always ultimately accountable for the risk at the end of the day and finding solutions that create transparency is critical in having meaningful conversations with these partners.

The rest of the categories we are going to go through in order of the CIS Top 20 Critical Security Controls. We’ve long been supporters of this methodology to “get security done”.

Asset Visibility

Simply put, asset visibility is the beginning of any well run security program. There is not a complete control frame work on earth that does not agree this is a must, and a very early must. You simply can’t manage what you can’t see. Passive is not enough. Agents are not enough. Python scripts of ping sweeps are not enough. It also doesn’t end with just an IP address or the hardware device itself. You need to understand the software on the device. One without the other is just half a solution. That is why when you are looking at solutions, finding one that has the most comprehensive asset identification technology is key.

Vulnerability Management

This is about being able to help identify known vulnerabilities. A good solution addresses vulnerabilities and not just patches. In the ICS world it also needs to do this passively and support technology that is much older than most commercial IT vendors are willing to support. It’s even harder when they bring a cloud requirement that is violating your hard fought ISA-99 implementation and are initiating layer 5 connections down into layer 2. This isn’t just a patch management discussion either, as often that’s a no-go. It’s about understanding your total risk picture and making sense of it in a straightforward way. Again, the goal here is to find a partner that understands these complexities, has the trust of the OEMs or the ability to gain it, and can give the asset owner transparency into what’s really there and what’s available.

Asset Management

Some might argue there is no difference between asset visibility and asset management. But there is, and it’s about setting standards and monitoring against them. Asset Management means you can easily run reports to see your progress or lack of it. Asset Management also means assigning ownership, maintaining it, and making it easily accessible. You’ll need asset management when your SOC (internal or 3^rd party) gets an alert they don’t understand or need to take action on so they can easily identify who and how to contact the right people as quickly as possible.

Endpoint Security & Access Control

Some might argue that these are two different things, and they wouldn’t be incorrect. At this point, however, these controls need to be running in parallel. Again, this can be really complex to manage between all the different players in the ICS world. It’s also a place where traditional vendors struggle to support ICS in the long run. One example is still having to support Windows XP in today’s environments. Understanding true long-term support performance vs promises and breadth of coverage for both endpoints and account management systems is important. Also, when it comes to access management, breadth of integration support is very important.

Security

It might seem weird that security hasn’t been mentioned until now, but it’s an order of operations thing. The power of these solutions is only unlocked when you’ve done the basics. Having intel without the ability to apply it makes little sense. If you can’t search your environment for the existence of the indicators, you haven’t really accomplished much.

IT Service Management

ITSM will see a lot of overlap from a vendor perspective. However, this is more about the other features of the IT Service Management than just Asset Management. It’s about the next phase of leveraging the Asset Management data and then tying into other systems from patching to change management to work tickets. Rightsizing and ecosystem integration are key values here. Why force yet another tool into your plants or risk a vendor issue when you can use a tool that’s already there, and then have it integrate up as needed.

Reporting, Standards, Research, Events

These vendors can really help you take your program to the next level. They play an important if tangential role and will really help close any of the loose ends in your program.

It is impossible for any one vendor to fulfill all the spots on this space. It is our belief at Industrial Defender that starting at the core with an “eat your vegetables” approach and a strong platform that can be used locally and integrated across the enterprise is the right way to proceed.

We believe local management mixed with a sound standard and centralized policy enforcement gives everyone the tools and responsibility to do security together.

Industrial Defender will be there with the most experienced team in the business to build that base. We have over 200 integrations to gain the most comprehensive view of your assets, in the most complicated deployment environments. This includes offshore bandwidth-limited scenarios to data diodes and even air-gapped networks.

On top of that we have the workflow and reporting tools built right into the tool to help you define and manage a standards-based approach to securing your environment. When the regulator or customer shows up and demands to audit your program, you will be ready with information and reports to give them not just confidence but proof you are doing the right things. These are reports built with the limited resources and training you are given in today’s market. You don’t need to be a Ph.D. in Data Analytics since what you need is already built, and when it’s not, it pretty straightforward to build it yourself. Our customers can attest that we have the best reporting in the industry.

When you are ready to take it to the next level, we are an open book to build the remaining connections. When your SOC needs to contact plant personnel, it can be right there at their fingertips in the tool you’ve already invested in. You’ll know it’s accurate because it’s updated by the team you are trying to contact. When you want to allow your operators to view hardware, account and security events in your SCADA management HMI, so they can more quickly determine the actual situation at hand, you can rest easy knowing they’ve got that information from one of the most trusted names.

Have comments or questions about the DefenderSphere? Let us know at info@industrialdefender.com