The landscape of cyber security vendors and solutions is crowded. As the number of attacks climbs, so does the number of technologies available to help stop those attacks from affecting industrial control systems. Simply put, there are too many vendors with too many point solutions. As an operator in the power generation or oil & gas industries, it can be difficult to know which vendor to use and which solution is right for your operations.
First, it’s important to recognize that there is no silver bullet when it comes to cyber security. No single technology can mitigate all vulnerabilities. There is also a great difference between the IT and OT (operational technology) spaces. The documentation of these differences is vast, but a quick read on the subject can be found here.
When evaluating a cyber security vendor, there are several questions I recommend starting with to make sure the solution is the right fit for an industrial control system environment.
1. What product and process certifications has your organization achieved?
You may be aligning to NERC CIP, NEI 08-09, IEC 62443, ISO 27001/2, NIST 800 series, or an internal standard. An effective ICS vendor should be able to show alignment or certifications to these regulations and your internal specifications, showing that their solutions and processes for implementation have met rigorous best practice standards and testing.
2. How has your cyber security solution been designed to integrate with critical infrastructure devices, or more simply, an OT environment?
It’s one thing to supply a product that will help to improve your cyber security posture. But will the product itself pose any threat to your operations? Cyber security solutions should be purpose-built to protect process control networks, also known as OT environments. An example of a critical area in which OT experience matters is patch management. Patches should be fully validated and tested for your environment before they are deployed, so that no break in process or operations occurs. Having a partner who is knowledgeable about industrial controls as well as cyber security can go a long way toward not only elevating your cyber posture but also protecting your critical assets.
3. What efforts have been made to secure the supply chain to ensure the secure procurement of products, software and firmware?
An area of risk that needs to be addressed is the supply chain. This can range from who can access manufacturing areas, to how software, hardware and firmware identities and integrity are verified, to ensuring third-party sources are free of malicious code. Again, patch management is an area in which a secure supply chain process needs to be tested, validated and documented. Requiring tamper-evident packaging, digital signatures and cryptographic measures such as secure hash files can assure that contents are from the intended source, tamper-free and safe to install.
4. Is your company prepared to be a long-term strategic cyber security partner, providing continuous communication and proactive cyber security support?
I strongly believe CEOs, CISOs and Plant Managers need to approach ICS cyber security vendors as long-term strategic partners. You want to ensure your operations are not negatively impacted simply because of the very dynamic nature of the cyber security market, including disruption due to frequent product reintroduction and drops in service due to vendor acquisitions. Your partners should approach cyber security with an industrial mindset, concerned not only with protecting against the latest attacks but also with providing holistic solutions and support that endure for the lifecycle of a plant. Again, experience and expertise in OT security means your vendor is orientated toward safety, optimized production, zero downtime, and process integrity.