There’s no argument that the operational technology (OT) security market is officially in transition. Acquisitions are accelerating, venture capital investment is slowing, and strategic partnerships are becoming critically important. OT systems themselves are also in a transitional state, as traditional, isolated legacy systems turn into fully IP-connected, cyber-physical systems. To stay relevant in the OT world, the cybersecurity market is evolving alongside them.
According to Gartner, by year-end 2023, organizations will need to adjust their OT security solutions, because 60% of today’s point solution OT security providers will have been rebranded, repositioned or bought, or will have disappeared. While this statistic may cause anxiety for OT security stakeholders out there, the good news is that there are things you can do now to help prepare yourself for the imminent changes in the OT security market.
Here are 4 tips to help future-proof your OT security strategy:
- Proactively Identify, Classify and Monitor OT Network Assets
The first step to managing cyber and operational risk for any OT system is to figure out what’s in it. Almost every security framework, including NIST CSF, NERC CIP and CIS Critical Security Controls, requires identifying and classifying hardware as a prerequisite. If you haven’t implemented some form of real-time OT asset inventory tracking, make it a priority for 2020.
OT systems are rapidly morphing into cyber-physical systems that are connected to vast corporate and operational networks via the internet. Not only does this open them up to new internet-based threats, but it also increases the potential for misconfiguration and malfunction of these assets. More moving parts plus more connections equals a higher risk of operational problems.
Proactively identifying, classifying and monitoring OT network assets can help you discover what risks they face in the present, and also plan how you will reduce future risks to them. Not only will you see cyberthreats like malware coming your way, but you’ll also be able to confirm whether assets in a cyber-physical system are performing as they should and take steps to remediate any issues before they cause downtime. Implementing an OT network monitoring technology is one of the fastest ways to create and monitor an accurate asset inventory. Look for a mature vendor with an extensive library of built-in checks for OT-specific cyber and operational threats developed from experience in the field.
- Align IT and OT Teams to Execute Integrated Cybersecurity Initiatives
We’ve all heard the term “IT-OT convergence”. We know it’s happening. So how can you move with the times and implement a strong cybersecurity program while also maintaining the top priority of availability for OT systems? There are many elements that must align, but the foundation of any integrated security project comes down to people. There are definitely certain areas where IT is the expert and certain areas where OT is the expert, but everyone needs to be playing for the same team.
Clearly defining roles and common goals, designating subject matter experts, and conducting cross-training are great ways to kick off an alignment initiative. Additionally, empowering teams with mature platform security solutions that have strong cross-functional capabilities can greatly streamline security activities and improve team cohesion. According to the 2019 SANS State of OT/ICS Cybersecurity Survey, 29% of companies stated they would be investing in more trainings for IT, OT, and hybrid IT-OT personnel. This is a positive development, but total IT-OT alignment is still far from the norm.
- Use Proof-of-Value (PoV) Requirements That Will Accurately Assess a Vendor’s Suitability for Your Business
This ties into the above recommendation on aligning IT and OT teams because when undertaking any security PoV, all relevant teams, including security, engineering and operations, should be consulted for input. Ensuring that solution requirements meet everyone’s needs is vital to the success of any OT security investment.
Elements to consider include how a vendor is collecting OT data (passive, active, blend), the strength of a vendor’s threat intelligence database (including CVEs, IoCs, operational problems, etc.), and how comprehensive their orchestration and integration capabilities are. Some additional food for thought on this topic can be found in the Gartner report, “7 Questions SRM Leaders Aren’t Asking OT Security Providers”.
Whatever PoV requirements you decide to include, the most important thing is to ensure that they accurately assess a vendor’s maturity and suitability for your business, as well as try to weed out companies that won’t be around in 2-3 years.
- Align with Emerging Market Dynamics by Reassessing Your OT Security Vendor Landscape
Acquisitions and partnerships in OT security products are accelerating, making the market landscape more volatile. As this market matures, narrow scope point solutions will be challenged by vendors offering organization-wide platforms that traverse IT, OT, IoT and the cloud. This year is an ideal time to take a good look at your current security suite and think about which tools are providing the most value and whether any of your current vendors are at risk of becoming obsolete or going out of business.
Ask vendors pointed questions like1:
- Where is your technology roadmap heading?
- Are you excelling in specific verticals? Why?
- What strategic partnerships are you pursuing?
- Are you actively investing in research that benefits the cybersecurity community?
- If a startup, what stage are you in? “Convince investors” mode, “Build capability” mode, or “Develop an exit strategy” mode?
The answers provided to these questions should give you a pretty clear idea of where a vendor is headed and if they will still be around in 2-3 years. If a vendor gives you answers that create doubts about their longevity, don’t hesitate to re-evaluate others. You might be pleasantly surprised to find that the maturity of the OT security market has greatly increased since you last evaluated solutions and discover products with features that add more value for you.
Since the future of the OT security market isn’t set in stone, it’s important to stay up to date on the latest trends and emerging technologies in the market. We’ll be doing just that at S4x20 in Miami. Connect with us during the Cabana sessions or attend our presentation, “Drinking the ICS Jolt Cola: Jumpstart Your NIST CSF Maturity” on January 23 at 2 PM EST. S4 attracts some of the best and brightest talent in the OT world, and we look forward to seeing you there!
1 Questions adapted from Gartner Market Guide for OT Security, 2019 https://www.forescout.com/gartner-market-guide-for-operational-technology-ot-cybersecurity