CyberCompare

Higher Security through OT Monitoring

Background

The term “operational technology” (OT) refers to technology used in production, automation, and operations. Most business processes depend on OT, so protecting these systems is important to ensure that production processes can continue without disruption.

One major challenge in doing so is the convergence of IT and OT. These areas have become increasingly entangled in recent years, and this trend is expected to continue. As a result, the connections between IT and OT security are growing, too: by 2025, 75 percent of all OT security solutions will be interoperable with their IT security counterparts (Gartner).

This situation confronts administrators with a host of challenges. Taking center stage is the threat of attacks: 80 percent of those responsible for OT at their companies have dealt with an infrastructure breach in just the last two years. And only 10 percent report that they have never experienced a breach. Correspondingly, requirements are increasing as government authorities impose more regulations and other stakeholders expect companies to obtain certifications (for example, under IEC 62443 standards).

Data leaks generate high costs as well. In 2020, an average data leak at an industrial company cost its victims EUR 3.4 billion. One reason that these costs add up is the amount of time that passes before such leaks are discovered – 220 days on average in 2020, plus another 82 days to fix the problem. Clearly, better production security means finding leaks earlier. And the key to finding leaks is detecting anomalies. It’s therefore no surprise that numerous OT monitoring solutions are available.

In our recent market study, we took a closer look at the providers of OT monitoring solutions. Our goal was to identify the most promising solutions from the range of options.

OT monitoring versus IT monitoring

Unlike IT monitoring, OT monitoring supports the special protocols used in automation technology (such as Modbus). In practice, many OT monitoring solutions can interpret standard IP protocols as well.

The Purdue reference model classifies companies' IT/OT assets into five increasingly abstract levels. OT consists of levels 0 to 3.5 and IT covers levels 3.5 to 5.

Because OT monitoring requires high investment, opinion is divided on whether just using it in the DMZ (for example, with a SIEM like Splunk) is enough. Others argue that detailed detection is only possible with special OT monitoring at the underlying levels – an approach that requires additional hardware.

In addition to OT monitoring itself, solutions also provide a host of additional functionalities such as asset management, backup capabilities, and threat intelligence. Our market study provides an overview of these additional functionalities.

Our best-practice approach to selecting a provider

Our approach to finding the optimal solution involves three steps: identifying potential providers, selecting a provider, and then identifying the best solution that this provider offers.

We started by getting a sense of the overall market for OT monitoring and specifying seven criteria for choosing the best solution. To do so, we read publications in the field, asked our network of experts, and talked with the providers themselves.

Based on our criteria, we narrowed down the pool of providers to ten for a closer look. To find the optimal solution, we analyzed concrete offers that we received in response to our standard catalog of questions.

We especially focused on three criteria: visibility, ease of implementation, and additional functionalities. When it comes to monitoring infrastructure, visibility is key. It was important to us to identify the providers whose solutions could identify and analyze as many machines and devices as possible. In some cases, solutions actively look for devices, while others simply track the existing traffic. We prioritized active detection because it can discover “silent” devices that may have been installed secretly.
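To make the difference between "tracking the existing traffic" and active detection concrete, here is an added example (not code from the original article or from any of the providers it surveys) of the passive approach: a small parser for the Modbus/TCP application header mentioned earlier, fed with a few hand-constructed frames, that builds an asset inventory from what it sees on the wire. The IP addresses, the expected-asset list and the frames themselves are constructed for the example; the only standard facts used are the Modbus/TCP port (502) and the MBAP header layout. The final check shows the limit of passive monitoring that the paragraph above describes: a device that never talks (here, the constructed `10.0.2.22`) simply does not appear.

```python
"""Passive Modbus/TCP asset discovery (added example, constructed sample data)."""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# MBAP header: transaction id (2 bytes), protocol id (2, always 0 for Modbus),
# length (2, number of bytes that follow), unit id (1). The PDU follows and
# starts with the function code (1 byte).
MBAP = struct.Struct(">HHHB")

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(payload):
    """Return {unit_id, function, exception} for a plausible Modbus/TCP frame, else None."""
    if len(payload) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(payload, 0)
    # length counts unit id + PDU, so the whole frame must be exactly 6 + length bytes
    if proto != 0 or length < 2 or len(payload) != 6 + length:
        return None
    fc = payload[7]
    return {"unit_id": unit, "function": fc & 0x7F, "exception": bool(fc & 0x80)}


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_payload).

    Heuristic (assumption of this example): traffic sent to port 502 is a request,
    so its sender is a client (HMI/SCADA) and its receiver a server (PLC/RTU);
    traffic sent from port 502 is a response. Frames that do not parse are ignored.
    """
    inv = defaultdict(lambda: {"role": set(), "unit_ids": set(),
                               "functions": set(), "writes": 0, "exceptions": 0})
    for src, sport, dst, dport, payload in frames:
        pdu = parse_modbus_tcp(payload)
        if pdu is None:
            continue
        if dport == MODBUS_TCP_PORT:
            inv[src]["role"].add("client")
            inv[src]["functions"].add(pdu["function"])
            if pdu["function"] in WRITE_FUNCTIONS:
                inv[src]["writes"] += 1          # who writes to the process matters most
            inv[dst]["role"].add("server")
            inv[dst]["unit_ids"].add(pdu["unit_id"])
        elif sport == MODBUS_TCP_PORT:
            inv[src]["role"].add("server")
            inv[src]["unit_ids"].add(pdu["unit_id"])
            if pdu["exception"]:
                inv[src]["exceptions"] += 1      # rejected requests are worth a look
    return dict(inv)


def silent_assets(inventory, expected_assets):
    """Assets on the expected list that passive monitoring never saw talk."""
    return sorted(set(expected_assets) - set(inventory))


# Constructed sample traffic: one HMI (10.0.1.10), two PLCs (10.0.2.20/.21),
# plus a non-Modbus probe from 10.0.1.99 that the parser must reject.
SAMPLE_FRAMES = [
    # HMI -> PLC1: Read Holding Registers, unit 1, start 0, count 10
    ("10.0.1.10", 50123, "10.0.2.20", 502, bytes.fromhex("00010000000601030000000a")),
    # PLC1 -> HMI: response, 20 data bytes (all zero here)
    ("10.0.2.20", 502, "10.0.1.10", 50123, bytes.fromhex("000100000017010314" + "00" * 20)),
    # HMI -> PLC2: Write Single Register, unit 2, address 0x0010, value 0x00ff
    ("10.0.1.10", 50124, "10.0.2.21", 502, bytes.fromhex("0002000000060206001000ff")),
    # PLC2 -> HMI: exception response (fc 0x86, illegal data address)
    ("10.0.2.21", 502, "10.0.1.10", 50124, bytes.fromhex("000200000003028602")),
    # Not Modbus at all: rejected because the protocol id field is non-zero
    ("10.0.1.99", 40000, "10.0.2.20", 502, b"GET / HTTP/1.1\r\n"),
]
# Constructed asset list, e.g. from an engineering database; .22 never sends a frame.
EXPECTED_ASSETS = ["10.0.1.10", "10.0.2.20", "10.0.2.21", "10.0.2.22"]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FRAMES)
    for ip, info in sorted(inventory.items()):
        funcs = ", ".join(FUNCTION_NAMES.get(f, str(f)) for f in sorted(info["functions"]))
        print(f"{ip}: roles={sorted(info['role'])} units={sorted(info['unit_ids'])} "
              f"functions=[{funcs}] writes={info['writes']} exceptions={info['exceptions']}")
    print("not seen passively (needs active detection or a site walk):",
          silent_assets(inventory, EXPECTED_ASSETS))
```

Running the script lists the HMI as a client that issued one write, the two PLCs as servers with their unit ids, and `10.0.2.22` as the asset that passive monitoring cannot account for; the HTTP probe is dropped by the parser rather than inventoried as a Modbus device.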

Since OT is closely integrated into business processes, another relevant criterion is simple, secure implementation. Production should continue without disruptions during both solution installation and operation. The solutions we analyzed all meet this requirement.

Conversely, we found large differences when we looked at additional functionalities, our third focus criterion. Many solutions offered asset management and threat intelligence capabilities, while features such as vulnerability scanning were less common.

Beyond our top three criteria, we also considered how well the solutions could be integrated into existing systems. The spectrum ranged from interfaces for standard solutions (like Splunk) to specially developed APIs. The differences in user friendliness were less pronounced – most have modern, intuitive user interfaces. The method for calculating the price can be an interesting point of distinction, since some providers base prices on the number of employees and others on the number of devices. Depending on how the company is structured, the resulting prices can be quite different.

In the last step, we applied these criteria to select three providers who offer solutions we consider especially attractive.

Summary

All companies with OT infrastructure face significant challenges. If they want to ensure that their business processes run reliably, they have to think about OT security – and OT monitoring is an important part of such efforts. The provider market is large and the question of which solution fits best always requires an individual answer.

For individual access to our comprehensive analysis, please share your contact information with us here. Alternatively, you can use our diagnostic tool for an initial assessment of your cyber risk profile.

Our upcoming virtual roundtable provides another opportunity to learn more. Join us on September 16 from 4 to 5:30 pm for a discussion of OT monitoring with Wolfgang Barthel and Dave Weinstein. We will also share more about how we conducted our market study and talk about our experiences with the providers we analyzed.

Sources:

IBM, Cost of a Data Breach Report: https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

Gartner: https://www.gartner.com/doc/reprints?id=1-254F1YLR&ct=210201&st