Blog

7 Questions Every Security and Risk Management Leader Should Ask When Choosing an OT Security Solution

Colby Proffitt | April 8, 2019

There’s no shortage of headline news about the latest cyberattacks, data breaches, threats or vulnerabilities. Although some industries may be targeted more often than others, every organization across every major industry—from utilities and manufacturing to oil and gas and the public sector—must take necessary security precautions and make cybersecurity a top priority and investment.

But, making the best investment with a potentially limited security budget can be a daunting task for security and risk management (SRM) leaders. Here are just a few reasons why the decision-making process is often difficult:

  1. No two organizations are identical—not only in terms of network infrastructure design, size and complexity, but also in the core business objectives and organizational mission. Even within the same industry, similar businesses may operate very differently and as a result, may have a fundamentally different mindset towards security. Just as budgets differ, so too may risk appetite.
  2. Threats evolve at a remarkable pace. As an example, we recently saw Norsk Hydro, one of the largest aluminum producers in the world, fall victim to the ransomware LockerGoga, illustrating the reality of the malware threat. It can be challenging to not only understand whether a product can defend against the latest threats but also how the solution enables that defense.
  3. In addition to evolving threats, the cyber terrain or landscape is also changing rapidly. Traditional IT networks and infrastructure are becoming increasingly intertwined and connected to Operational Technology (OT) networks and infrastructure. Consequently, devices typically limited to the IT environment—if unsecure—can put entire OT networks at risk. Each device expands the attack surface, giving bad actors more opportunities to access the network.
  4. The number of security vendors has exploded dramatically in recent years, with some estimates suggesting there are more than 1,200 vendors competing for a slice of the current global cybersecurity market value of more than $120 billion.

Overcoming these challenges in decision making is critical not only to the defense of individual organizations, but also to the defense of entire industries and our country as a whole. As we’ve seen time and again, cyber adversaries are quick to capitalize on singular weaknesses to gain a foothold elsewhere.

To help businesses and organizations simplify the decision-making process and also minimize the time to deployment—and ultimately a more secured network environment—we’ve assembled a list of seven key questions, based on key research from Gartner, that every SRM leader should ask before deciding which security product is the best one for their organization.

  1. Is the Solution Vendor-Agnostic?
    Too often, organizations identify what they think will be a security silver bullet, only to discover after purchase and implementation that the product is not compatible with other products or applications on their network. More than a poor investment, those organizations also suffer the headache of frustrated end users, wasted resources—and, their organization is ultimately no more secure than before the purchase was made. It is critical that products are vetted to ensure they are compatible and vendor agnostic.
  2. Does the Solution Provide Asset Discovery to Enable Operational Continuity and System Integrity?
    Asset discovery is absolutely critical for the best defense possible. Some organizations, even those with good asset inventory and asset management practices in place, still fail to account for every device that’s on their network. A good security solution will enable organizations to identify and inventory every connected device on their network in real time, regardless of device type.
  3. Does the Solution Detect and Alert on Known Common Vulnerabilities and Exposures (CVEs)?
    Whitelisting and generic anomaly detection are common ways of detecting vulnerabilities. Although important, the best detection approach should also include CVE discovery for faster detection. In today’s cyber terrain, early exposure can mean the difference between headline news and swift remediation and mitigation.
  4. Can the Solution Evolve from Mirror Mode to In-Line Security?
    Active prevention may be a desired, long-term goal when it comes to monitoring and detection, but many organizations lack either the security maturity or necessary resources to enable such features as part of initial deployment. However, as the organization matures, it’s important to have the option to switch from passive detection to active prevention. Ensuring this feature is available up front will also prevent the need for additional expenses down the road.
  5. Does Your Solution Provide IT Support in Addition to OT?
    This question is especially important to ask when seeking to protect an OT environment. Because OT attacks have historically started in the IT environment, then stealthily maneuvered into the OT environment, it’s important to detect OT-targeted attacks before they reach the intended target. In short, decision makers should ensure the product is effective in both IT and OT environments.
  6. Does Your Solution Support Secure IT/OT Alignment?
    Related to Question #5, IT-OT convergence is on the rise; yet, the supporting infrastructure and networks differ significantly and cannot be treated the same when it comes to cyber defense. In other words, the security best practices and technologies that work in an IT environment cannot always be expected to provide the same level of security in an OT environment. It’s critical, then, that decision makers evaluate a product not only on its ability to protect both environments, but also on its ability to integrate with other security solutions, protocols, software and hardware.
  7. Is the Solution Designed to Live in an OT Environment from a Hardware or Operating Environment Perspective?
    Many solutions are designed to function within the comfort of a temperature-regulated server room with a backup power supply or generator—the type of room often provided in IT environments. OT environments, on the other hand, do not always afford such luxuries, and as a result, can test the limits of many solutions. It’s important to account for the environmental conditions where the product will be used.

Choosing the security solution that’s best for your organization isn’t easy. Many would agree that it’s incredibly difficult, simply because when evaluating different vendors, the true value of one solution versus the other can be difficult to quantify. But, investing in the evaluation criteria and asking vendors the tough questions will not only help you find the right solution, but also help you arrive at that conclusion faster. If a vendor can’t answer any of these seven questions completely, or they have to get back to you with an answer, chances are, they’re not the vendor that will provide you with the most value.

To learn more about the 7 questions that SRM leaders should be asking OT security providers during technology selection, download the complete Gartner research paper.

Download the Report