The cyber threat landscape for operational technology environments in critical infrastructure and industrial sectors such as manufacturing, energy & utilities, and water treatment has become significantly more hostile over the last decade. Legacy control systems that were built to be reliable and uptime-driven but not specifically secure, are now networked out into wider networks, expanding the attack surface in ways their original engineers never imagined. As plant operators react to this new reality the demand for OT security solutions that are purpose-built has grown even stronger and a short list of clear vendors has formed as the one stop shop options across the industry.
OT security meaning for plant operators, lies in the recognition that industrial environments demand a fundamentally different approach from standard Information Technology (IT) environments. The consequences of a successful cyberattack can extend beyond data loss or business disruption, resulting in physical damage, safety incidents, and the disruption of critical infrastructure services. Vendors that capture the most attention from plant security teams are those who have tailored their offerings to address these realities.
Contents
- 1 Fortinet
- 2 Claroty
- 3 Dragos
- 4 Nozomi Networks
- 5 Things to take into account as you select an OT security vendor
- 6 Frequently Asked Questions
Fortinet
With the platform approach, Fortinet leads in OT security by delivering secure networking, threat intelligence and zero trust across IT and OT environments. This includes ruggedized firewall appliances for extreme industrial environments, support for OT DMZ architecture and deep integration with SCADA and ICS protocols in their OT-specific security portfolio.
Platform-focused Security Architecture
What distinguishes Fortinet in the OT space is the breadth of its integrated portfolio. Instead of deploying a patchwork of point solutions from various vendors, one of the major pain points for plant security teams that manage limited resources is that Fortinet will help organizations consolidate visibility and policy enforcement across their networks under one management interface. This is especially useful in the industrial space where security staff are often responsible for both IT and OT security but not with the depth of specialist resources that larger organizations may be able to leverage.
Fortinet also releases its annual State of Operational Technology and Cybersecurity research, which has established itself as a leading source on OT threat trends. Its threat intelligence capabilities can help mitigate OT-specific attack patterns and enable the context-aware detection required by plant operators to identify normal industrial traffic from early indicators of compromise.
Claroty
Claroty has established their name on the ability to deliver deep visibility into OT, IoT, and Industrial IoT environments with a platform built to discover, monitor + protect assets across the entire breadth of industrial network environments. It is very much loved for its asset discovery capabilities, tackling one of the most basic problems in OT security that is knowing what exactly there is in your network before you secure it.
The data on OT security adoption in manufacturing shows that many facilities are only beginning to build formal security programs, often starting from a baseline of limited visibility into their own environments. Claroty’s platform targets this entry point, providing the asset inventory and network monitoring foundation that more advanced security capabilities depend on.
Additionally, Claroty offers integrations with enterprise security platforms that enable plant operators to easily share OT visibility data with IT security teams and centralized security operations centers. The ability to integrate with these tools is all the more critical as companies look to build integrated IT/OT security programs rather than completely isolated ones.
Dragos
Dragos was founded from the ground up to focus on cybersecurity in industrial environments and has built a unique brand around OT-specific threat intelligence. The bulk of its platform revolves around industrial protocols and environments, and its threat intelligence team operates one of the most comprehensive repositories of research on adversary groups targeting critical infrastructure.
It is this primary focus on threat intelligence that positions Dragos to stand out when you hear plant security teams talk. Unlike their IT counterparts, industrial threat actors working in OT have specific attack fundamentals such as targeting a limited number of control system vendors, leveraging widely used but insecure industrial protocols and timing their activities to coincide with periods where the operational impact would be maximized. Information about these specific adversaries is tracked by Dragos and their knowledge is embedded in the detection capabilities of its platform.
Dragos also runs OT-CERT, a critical infrastructure community service for operators in need of threat intelligence and resources but not able to fund commercial security platforms. It is as an indication of a wider commitment towards the OT security community and something that strikes a chord with plant operators, further establishing Dragos among those in industrial security as a trusted voice.
The ICS security evaluation questions that plant operators should be asking when assessing any OT security vendor include not just whether a platform provides detection capability, but whether the vendor understands the specific protocols, devices, and threat actors relevant to that organization’s industrial environment. This is an area where Dragos has invested deeply through its threat intelligence research.
Nozomi Networks
Nozomi Networks has established an umbrella platform that covers OT security monitoring and IoT visibility solutions, among others — excelling in complex, hybrid environments where industrial control systems converge with internet-connected devices. It is both passive in approach and active querying, where the environment allows, providing operators with holistic device visibility, which exceeds passive-only solutions.
Its platform, which supports a wide range of industrial protocols, also adopts Nozomi solutions across manufacturing, energy, transportation and utilities worldwide. Its Vantage platform was developed for the cloud and is designed for organizations seeking an OT-security-as-a-service delivery model while also providing the protocol-level visibility needed in industrial environments.
Nozomi also added some machine learning prowess with a tech for finding anomalies that can flag suspicious activity in very predictable traffic environments. In field environments (industrial networks) communication flow between assigned devices is based on patterns that change infrequently, so divergence from baseline behavior seen is commonly an early and reliable indicator of either a configuration error or security incident. The predictability of the defender’s response to different attack scenarios is exploited in-counted within Nozomi’s detection capabilities.
Things to take into account as you select an OT security vendor
For those plant operators evaluating these vendors, the decision on selection should rest on the characteristics of the industrial environment and not by a vendor feature list. Important factors such as whether the vendor has a history for operating with control system vendors and industrial protocols in the facility, how the platform integrates with existing IT security investments, if on-premises/deployment model or a cloud-based is best, may be mutually exclusive to operational constraints presented by the environment.
Organizations unable to tolerate any active scanning of their OT networks should specifically verify that a vendor’s monitoring methodology is wholly passive, as lightweight network queries can exhibit unintended behavior in older generations of industrial controller infrastructure. Firms with numerous distributed destinations should likewise consider whether centralized visibility capacity is appropriate and if the organizations could be dampening policy over numerous locales from a solitary opportunity.
Frequently Asked Questions
Why do plant operators need OT-specific security vendors rather than standard IT security tools?
OT environments run under constraints for which traditional IT security tools were never intended. Unlike the PC world, where you can reboot the box before executing a security scan, or protocols that authenticate and encrypt every packet such as SSH/HTTPS, legacy industrial protocols do not have these capabilities[4], nor are they typically maintained to satisfy availability as long as confidentiality is guaranteed. Given this tendency toward continuous operation, OT-specific vendors build their platforms with these constraints in mind, providing monitoring and protection that are not meant to interrupt the stable, continuous operation that industrial processes demand.
What is the most critical starting point for OT security in a plant environment?
We saw a common trend here as comprehensive asset discovery and inventory is consistently cited as the critical first step. Since many devices in industrial environments are not formally documented, plant operators cannot protect assets they cannot see. Visibility by place: Visibility into all devices on the OT network, legacy controllers, remote terminal units and IIoT sensors provides visibility to build on for it after security control.
While vetting an OT security vendor, how should plant operators assess the capabilities of its threat intelligence function?
The point is that if the threat intelligence you want to get involves industrial adversaries or certain protocols and devices found in industrial environments, its quality will depend on it being very OT-specific. Generic cyberthreat intelligence has little value in OT contexts. Operators can be asked whether the vendor tracks specific APT groups that target industrial sectors, if their intelligence is in detection rules and if they give context on adversary tactics relevant to those industries a facility works in.
View More
