
Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual, organisation, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.

M. Yousuf Faisal

Hey Securing Things Community,

I have provided consulting/advisory services to asset owners on OT security solutions for visibility, spanning multiple continents (except for Africa), covering:

→ reviews / assessments, vendor evaluation / comparison, POCs, planning and deployment, and post-deployment advisory/review.

Here’s what I found out, and what this edition covers:

  • my observations from the field,

  • some input from other experts in the field, related resources, and a few interesting talks/presentations on the subject,

  • in addition, my most viewed posts, and

  • optionally, but highly recommended and useful: a podcast → a new non-security item. Well, actually it’s about securing your financial future, so still kinda securing things ;-). I have shared it within my close circle and am now sharing it with this great community here.

Securing Things Offering:

Having advised a few global manufacturing / critical infrastructure organisations on evaluating and selecting OT Anomaly Detection, OT IDS or OT Threat Detection solutions, I now offer:

Offer Valid for: Asset Owners / End Use Organisations Only!

A structured framework to make an informed decision for comparison and selection of an OT IDS/AD solution for your production environment.

But before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care or liked this, and to keep me motivated to publish more. Thanks!

Kung Hei Fat Choi to all those who observe the CNY celebration and holidays: it’s the year of the snake and the 1st day of time off with your friends and family. Wishing all a prosperous and healthy year ahead.

OT Security Solutions for Visibility

There are different types of OT security solutions on the market that provide, or promise to provide, full visibility of your OT environment and more. But not all solutions are equal, and not all have full end-to-end coverage.

Only a handful of niche vendors specific to OT security visibility are left out there; many of them have been acquired by OEMs or other big technology players.

Below is a list of OT visibility security solution providers, acquisitions and market insights, in no particular order:

  • Verve → acquired by → Rockwell Automation. Keeping the name so far.

  • SCADAfense → acquired by → Honeywell.

  • Indegy → acquired by → Tenable. Changed it to Tenable OT.

  • CyberX → acquired by → Microsoft. Changed it to Azure Defender for IoT.

  • Securitymatters SilentDefense → acquired by → Forescout. Changed it to

  • Sentryo → acquired by → Cisco → Changed it to Cyber Vision.

  • Mission Secure → acquired by → ServiceNow.

Besides these players and acquisitions, there’s a handful of other providers:

  • Dragos, Nozomi, Claroty and Armis remain, to name a few of the leading ones in this space (in no particular order); they have also secured some significant funding in the recent past.

  • OTBase is another interesting product, focused on asset management.

  • Darktrace, Industrial Defender, OPSWAT, TXOne and others have similar solutions.

  • We also have a few new niche players in the mix with some interesting offerings, like Exalens, Phosphorus, EmberOT and more.

  • A few other technology players, like PA, Fortinet etc., do offer visibility through a portfolio of their solution stack, but not as a single product.

Some of the above solutions only provide passive capabilities for network-level visibility and deep packet inspection; some also offer add-ons for active capabilities and endpoint visibility at an additional cost. Some are unique in the sense that they are endpoint / agent driven. Only a few have released capability for wireless etc.

While most of these offer vulnerability identification, vulnerability management is an add-on and is limited to only a few among the mix.

All of them now claim AI features (as a buzzword), but what is actually in use is some machine-learning detection capability, and the depth of that differs significantly between products.

Most of the top ones now seem to have arrived at almost similar functionality or features in the last year or so and compete against each other.

Some of these solutions have lost market share, changed product direction, or have an uncertain future ahead.

So choosing the right one is essential for your specific OT security objective, use case and environment needs.

I wrote an article on OT IDS evaluation/selection and implementation as part of the OT security dozen / program series. Check that out → here.

The same was published on the ISAGCA website and LinkedIn and continues to receive a number of views monthly.

(Note: I am not endorsing any of the vendors, products or services listed above, nor advising you to select any vendor here.)


Key Observations / Lessons Learned

There are many; here are a few of the common ones I’ve seen:

  • Incorrect understanding of, or expectations about, the type of solution selected and the outcome it delivers.

  • Expecting reduced risk on the assumption that the solution protects, which sparks executive debates on the solution’s ROI in risk reduction.

  • Not thinking about the operational cost of monitoring, running and managing an OT security solution.

  • Not factoring in or evaluating the vendor’s cybersecurity processes / practices at the procurement stage.

  • At the procurement or evaluation stage, most asset owners compare different products with a view, or focus, based on product features and/or UI/UX experience only, and do not evaluate vendor practices or direction. This is not a good idea, and may cause lots of headaches.

  • Not factoring in the technical debt (e.g. EOL assets) within their environment.

  • CISO organisations not spending time talking to OT or ops teams to understand and define the baseline, as it requires significant time and effort.

  • The solution generates too many alerts, which are simply ignored because of the sheer volume.

  • Having no defined SOPs, criteria, policy and governance (roles and responsibilities) established prior to implementation of such a solution, causing confusion and chaos post-implementation.

  • Lack of ownership to take action on the issues identified by the solution.

  • And many more.

Market Insights

According to Gartner, “by 2027, 75% of security teams will have on-boarded at least five tools to manage cyber-physical systems (CPS) security in operational, production or mission-critical environments, which is a major increase compared with one or two they might use today.”

According to the Grand View Research report, the APAC OT security market is ready to grow due to increased awareness of implementing security controls across industrial operations.

Per the report, the global OT security market, valued at USD 16.32 billion in 2022, is projected to grow at a CAGR of 18.2% from 2023 to 2030. This growth is fuelled by the digitisation of industrial control systems, increasing cyberattack vulnerabilities, and stringent government regulations driving demand for security solutions.

source: Grand View Research report

Traditionally, most such OT security visibility solutions started with an on-prem offering; however, most have started to move, or are moving, towards cloud capabilities for scale and high availability, and towards a SaaS-based subscription model.

source: Grand View Research report

Solutions Dashboard and KPIs

There are lots of great solutions, and great technical and functional metrics you can derive with the help of some of them. Some solutions have these out of the box; for others you might rely on queries being run to extract the information. The reliability and accuracy of these metrics have remained a bit of a concern for CISOs, but things have improved in the last year or so for several of them.

The dashboard arrangement may differ by persona type. It’s really not one size fits all, and different CISOs and organisations often have varying thought processes.

Below are my recommendations, from a past engagement, for arranging the dashboard for the security team:

  • 1st layer widgets = Total Assets | Assets by Risks/Criticality | Top Vulnerabilities | Top Threats/Events | Top Incidents | Top Risks

  • 2nd layer widgets = Baseline Deviations / Assets traversing defined boundaries | In/Out OT to IT/Internet traffic | Wireless etc.

  • 3rd layer widgets = Top Configuration issues | Authentication issues | Weak Passwords | EOL/EOS etc.

  • 4th layer widgets = Top changes (PLC config upload/downloads etc.) | Compliance Issues (if any)

  • 5th layer widgets = Top performance issues (traffic anomalies, bursts) | port-scan type activities can come here as well.
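As an added illustration (not code from the newsletter or from any vendor product), here is how the 1st- and 2nd-layer widget values above could be derived from an asset inventory, a zone-conversation baseline and flow records. The inventory, zones, baseline and flows are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed inventory (not from the newsletter): IP -> (zone, criticality).
ASSETS = {
    "10.10.1.5":  ("OT-L1", "high"),    # PLC
    "10.10.1.6":  ("OT-L1", "high"),    # PLC
    "10.10.2.10": ("OT-L2", "medium"),  # HMI
    "10.10.3.20": ("OT-L3", "medium"),  # historian
    "10.20.0.7":  ("IT", "low"),        # IT workstation
}
# Constructed baseline of allowed (source zone, destination zone) conversations.
BASELINE = {("OT-L2", "OT-L1"), ("OT-L3", "OT-L2"), ("IT", "OT-L3")}
# Address space the organisation owns; anything outside it is treated as Internet.
ENTERPRISE_NETS = [ip_network("10.0.0.0/8")]
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.2.10", "10.10.1.5", 502),     # HMI -> PLC, in baseline
    ("10.10.3.20", "10.10.2.10", 44818),  # historian -> HMI, in baseline
    ("10.20.0.7", "10.10.3.20", 443),     # IT -> historian, in baseline
    ("10.10.1.6", "10.20.0.7", 445),      # PLC -> IT: boundary deviation
    ("10.10.2.10", "203.0.113.9", 53),    # HMI -> constructed public address
]

def zone_of(ip):
    """Zone from the inventory; unknown internal hosts are UNKNOWN, others INTERNET."""
    if ip in ASSETS:
        return ASSETS[ip][0]
    addr = ip_address(ip)
    return "UNKNOWN" if any(addr in net for net in ENTERPRISE_NETS) else "INTERNET"

def assets_by_criticality():
    """1st-layer widget: asset count per criticality level."""
    return dict(Counter(crit for _, crit in ASSETS.values()))

def baseline_deviations(flows):
    """2nd-layer widget: flows whose zone pair is not in the baseline."""
    return [f for f in flows if (zone_of(f[0]), zone_of(f[1])) not in BASELINE]

def ot_egress(flows):
    """2nd-layer widget: OT-originated flows going to IT or the Internet."""
    return [f for f in flows
            if zone_of(f[0]).startswith("OT") and zone_of(f[1]) in ("IT", "INTERNET")]

def dashboard_layers(flows):
    """Assemble the widget values a dashboard query layer would return."""
    return {"total_assets": len(ASSETS),
            "assets_by_criticality": assets_by_criticality(),
            "baseline_deviations": baseline_deviations(flows),
            "ot_egress": ot_egress(flows)}
```

The same zone lookup drives both 2nd-layer widgets, so a flow can appear in both lists, which is exactly what a PLC talking to IT should do.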

The metrics of interest (or outcome-driven metrics) can be grouped into the following categories or types:

  • OT Network

  • OT Devices/Assets

  • OT Applications

  • OT Users / Identities

  • OT Data.

These categories are ones most executives will understand easily. Aim for anything that shows progress in readiness, outcome-driven actions/results, and their impact on consequences.

Traditional Metrics

IT and security teams have often focused on technical metrics that are meaningful to them but not to executives or the board, such as the number of security patches applied or alerts processed. These are daily activities, not the final outcome.

Examples may include:

Number of alerts, alert count reduction over time, time to action/close alerts, false-positive vs true-positive alerts, vulnerability count reduction over time, asset end-of-life and end-of-support (to prioritise capital expenditure), etc.

Outcome Driven Metrics (ODMs)

Outcome-Driven Metrics (ODMs) focus on tangible cybersecurity results, such as reduced successful attacks or faster incident response, offering a clearer view of an organization's security posture by emphasizing outcomes over processes.

According to Gartner → Outcome-driven metrics have a direct line of sight to the operational outcomes of investment and to the level of protection delivered in a business context.

According to Gartner → In a security context, outcomes are fundamentally a consequence of an investment that is made in the implementation and operation of a control. ODMs for security fall into two broad categories that can be measured in a business context: operational and benefit outcomes, where:

  • Operational outcomes reflect the proper operation of a control.

  • Benefit outcomes reflect occurrences of actual harm related to the specific value proposition of the control.

Example benefit: Your organization implements an ODM to reduce threat detection and response time from 12 to 4 hours through advanced technologies and refined protocols, showcasing the value of cybersecurity investments to the board.

Other examples may include ransomware readiness and number of days to patch.


Conclusion

  1. While planning, don’t forget to account for the budget / resource requirements (both internal and external) for post-implementation or operational efforts, e.g. monitoring and managing such a solution.

  2. Since every organisation has unique people, culture, technology and processes, a metric that works for one company may not be valuable or easy to validate for another.

  3. Outcome-Driven Metrics represent a fundamental shift in cybersecurity, emphasising actual results to strategically manage and measure performance. This approach enhances resilience and fosters better communication and support from business leaders. Showing a reduction in the average time to mitigate a threat from 12 hours down to 4 hours: that’s real progress.

  4. Begin your journey with ODMs by consulting with your security team about outcome-based metrics. Focusing on results ensures your cybersecurity efforts effectively protect your business.

I’d love to know what you have seen work for:

  • your industrial environment → if you are working as an asset owner.

  • your industrial customers → if you are a consultant / vendor / solutions provider.

Non-Security - Misc. Productivity, Finance & Life

At the start of each new year we see loads of future predictions of all sorts, and people setting yearly goals or resolutions, much of which will have started to fade away as we progress towards the end of the 1st month.

So here’s my ….. well .…. no, I am not going to make any predictions or set any resolutions here (well, at least not for this post ;-) can’t guarantee that in future).

Here’s an interesting podcast that I shared with my family and I hope you also find this useful.

My Recent Most Viewed Social Posts

In case you missed them, here are some of my recent most viewed social posts.

Securing Things Academy:

The IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.

Checkout a brief overview below:

Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a security awareness program; subscription-based service.

C - Securing Things Academy (STA) - Security training for IT & OT practitioners.

Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up - How are we doing?

I invite you as part of #SecuringThings community to share your feedback.


Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defences and create a safer and smarter digital society.

Let us know how we can improve this and what you’d like to see in future.

Thank you for your trust and continued support.

Do register, validate your email, and request a login link to submit the poll, to be able to enter for a chance to win a future course giveaway.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal (I advise and consult cyber and business leaders in their journey on Securing Things (IT, OT/ICS, IIoT, digital transformation, Industry 4.0 and AI), and share everything I learn in this newsletter and the upcoming Academy).

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
