Continuous operational technology (OT) network monitoring has become an essential part of every industrial/OT cybersecurity strategy. Users recognize the value of up-to-date asset inventories and rapid notification of anomalous system behavior. But product evaluations need to consider how a solution will also support future needs.
Three major developments are already changing the fundamental nature of OT cybersecurity:
- Deeper CISO involvement in OT security and convergence of IT/OT cybersecurity
- Broader use of corporate SOCs (Security Operations Centers), and external security service providers such as MSSPs (Managed Security Service Providers)
- Accelerating adoption of digital transformation programs
Let’s look at how each of these developments impacts the things that users should consider when selecting a continuous OT network monitoring solution.
1. CISO Involvement and IT/OT Cybersecurity Convergence Require Deeper OT Security Visibility
Reports of costly ransomware attacks and nation-state cyber activity have raised cybersecurity concerns among top managers of industrial companies. This is increasing CISO involvement in OT cybersecurity management and demands for more visibility into OT cyber risks and compliance support. This is also fueling efforts to converge IT and OT cybersecurity programs to ensure end-to-end governance of security across all business processes.
Continuous ICS network monitoring solutions already build asset inventories through passive network monitoring, but passive collection only sees devices that generate traffic, so it isn’t enough to satisfy emerging visibility requirements. CISOs want the same level of detail and coverage they get from IT network scanning tools.
To meet these demands, ICS network monitoring solutions need to include controlled, active scanning that can detect dormant devices and provide detailed asset information such as open ports and firmware or software versions. “Controlled” matters in OT: active queries must be scoped to known address ranges, paced conservatively, and withheld from devices known to react badly to unsolicited requests, so that scanning never disrupts the process. Ideally, the solution would also support the CISO’s and IT security team’s interest in detailed OT cyber risk assessments that include information on OT vulnerabilities and policy violations.
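The difference between a passively built inventory and one enriched by controlled polling is easiest to see in code. The following is an added example, not code from the original page or from any vendor's product: the conversation records, poll answers, address range and do-not-poll list are all constructed for illustration. It builds the inventory from observed conversations, then polls only in-scope addresses that are not on the exclusion list, and reports which assets passive monitoring alone would have missed.

```python
"""Passive asset inventory from observed conversations, then enrichment by a
controlled active poll. Added example with constructed data: the conversation
records, poll answers, address range and do-not-poll list are invented for
illustration and come from no real network or product."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    ip: str
    seen_passively: bool = False
    last_seen: Optional[int] = None          # epoch seconds of last observed traffic
    protocols: Set[str] = field(default_factory=set)
    open_ports: Set[int] = field(default_factory=set)
    firmware: Optional[str] = None           # only learnable by active polling here


# Constructed bidirectional conversations as seen on a mirror (SPAN) port:
# (timestamp, client, server, server_port, protocol identified by DPI)
CONVERSATIONS = [
    (1700000000, "10.1.1.10", "10.1.1.50", 502,   "modbus"),
    (1700000005, "10.1.1.10", "10.1.1.51", 502,   "modbus"),
    (1700000010, "10.1.1.20", "10.1.1.50", 44818, "enip"),
]

# Constructed answers to a controlled poll (e.g. a device-identification read).
# 10.1.1.52 answers the poll but never appears in CONVERSATIONS: a dormant device.
POLL_ANSWERS = {
    "10.1.1.50": {"ports": {502, 80}, "firmware": "2.1.4"},
    "10.1.1.52": {"ports": {502},     "firmware": "1.9.0"},
}

POLL_RANGE = [f"10.1.1.{h}" for h in range(50, 53)]   # hypothetical PLC subnet slice
DO_NOT_POLL = {"10.1.1.51"}   # hypothetical policy: fragile controller, passive only


def passive_inventory(conversations) -> Dict[str, Asset]:
    """Every address that talked is an asset; the server side reveals a listening port."""
    assets: Dict[str, Asset] = {}
    for ts, client, server, port, proto in conversations:
        for ip in (client, server):
            a = assets.setdefault(ip, Asset(ip))
            a.seen_passively = True
            a.last_seen = max(a.last_seen or 0, ts)
        assets[server].open_ports.add(port)
        assets[server].protocols.add(proto)
    return assets


def plan_poll(poll_range, do_not_poll) -> List[str]:
    """Controlled scanning: only in-scope addresses that are not on the exclusion list."""
    return [ip for ip in poll_range if ip not in do_not_poll]


def simulate_poll(ip: str):
    """Stand-in for the real request; returns the constructed answer or None."""
    return POLL_ANSWERS.get(ip)


def merge_poll(assets, targets, poll=simulate_poll) -> Dict[str, Asset]:
    for ip in targets:
        answer = poll(ip)
        if answer is None:
            continue                            # nothing answered at this address
        a = assets.setdefault(ip, Asset(ip))    # a new entry here is a dormant asset
        a.open_ports |= answer["ports"]
        a.firmware = answer["firmware"]
    return assets


def dormant_assets(assets) -> List[str]:
    """Assets known only from polling: passive monitoring alone would miss them."""
    return sorted(ip for ip, a in assets.items() if not a.seen_passively)


def build_inventory():
    assets = passive_inventory(CONVERSATIONS)
    targets = plan_poll(POLL_RANGE, DO_NOT_POLL)
    return merge_poll(assets, targets), targets


if __name__ == "__main__":
    inv, polled = build_inventory()
    print("polled:", polled)
    print("dormant:", dormant_assets(inv))
    for ip, a in sorted(inv.items()):
        kind = "passive" if a.seen_passively else "poll-only"
        print(ip, sorted(a.open_ports), a.firmware, kind)
```

Note what each half contributes: passive observation alone never learns the firmware version of any device and never sees 10.1.1.52 at all, while the exclusion list keeps 10.1.1.51 off the poll schedule, so its record stays exactly as passive monitoring built it.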
2. Corporate SOCs and Service Providers Need Integrated IT/OT Solutions
Cybersecurity program management is an ongoing challenge for industrial/OT security leaders. Overwhelmed staff lack the time and expertise to stay on top of security updates and system alerts. Limited budgets and a shortage of OT cybersecurity professionals are compelling OT security managers to tap into corporate SOCs and MSSPs for support.
“Future developments will require continuous OT network monitoring that includes active scanning, OT cyber risk visibility, integration with IT and SOC cybersecurity platforms, advanced alert filtering, scalable IoT device support and flexible network monitoring options.”
(Source: ARC View, “Users Need Enhanced OT Network Monitoring Capabilities to Support Future Requirements”)
3. Digital Transformation Makes OT Security Monitoring a Must
Industrial companies continuously strive to reduce costs and improve performance. So, it’s not surprising that many are launching digital transformation initiatives to gain more information about their operations. These programs include connecting OT systems to enterprise and cloud applications, and deploying new, potentially insecure IoT devices inside OT system perimeters.
These developments create new requirements for continuous OT network monitoring solutions. Wide deployment of new devices significantly increases the scale at which OT security monitoring must operate. New IoT devices also require deep packet inspection (DPI) that covers a wide range of operating systems and communication protocols not commonly found in traditional OT environments, on top of the industrial protocols the monitoring already has to decode.
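To make "deep packet inspection" concrete for one of the industrial protocols such a solution must already decode, here is an added example (not code from the page or from any vendor): a minimal Modbus/TCP parser that checks the MBAP header, extracts the function code, and raises an alert when a write request comes from any host other than a hypothetical authorized engineering workstation. The frames, addresses and authorized-host list are constructed for illustration.

```python
"""Minimal deep packet inspection for Modbus/TCP: parse the MBAP header and
function code, then flag write requests from any host that is not an
authorized engineering station. Added example; the frames, addresses and
authorized-host list are constructed for illustration."""
import struct
from typing import Dict, Optional

MBAP_SIZE = 7   # transaction id (2), protocol id (2), length (2), unit id (1)
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(payload: bytes) -> Dict:
    """Return the decoded MBAP fields and PDU, raising ValueError on malformed input."""
    if len(payload) < MBAP_SIZE + 1:
        raise ValueError("truncated: no function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:MBAP_SIZE])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first six bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = payload[7]
    pdu = payload[8:]
    frame = {"tid": tid, "unit": unit, "function": function,
             "exception": bool(function & 0x80), "data": pdu}
    if function == 6 and len(pdu) >= 4:   # decode Write Single Register in detail
        frame["address"], frame["value"] = struct.unpack(">HH", pdu[:4])
    return frame


def inspect(src_ip: str, payload: bytes, authorized_writers) -> Optional[str]:
    """Return an alert string for a write from an unauthorized host, else None."""
    frame = parse_modbus_tcp(payload)
    fc = frame["function"]
    if fc in WRITE_FUNCTIONS and src_ip not in authorized_writers:
        detail = ""
        if "address" in frame:
            detail = f" register {frame['address']} value {frame['value']}"
        return (f"unauthorized {FUNCTION_NAMES.get(fc, fc)} from {src_ip} "
                f"to unit {frame['unit']}{detail}")
    return None


# Constructed frames, written as hex for readability.
# Read Holding Registers, unit 1, start 0, quantity 10:
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
# Write Single Register, unit 1, register 0x0010, value 0x1234:
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234".replace(" ", ""))
AUTHORIZED_WRITERS = {"10.1.1.10"}   # hypothetical engineering workstation


def run_demo():
    """Same write frame from an authorized and an unauthorized source."""
    return [
        inspect("10.1.1.10", READ_HOLDING, AUTHORIZED_WRITERS),
        inspect("10.1.1.10", WRITE_SINGLE, AUTHORIZED_WRITERS),
        inspect("10.1.1.99", WRITE_SINGLE, AUTHORIZED_WRITERS),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The length check matters as much as the function-code logic: a monitoring engine that trusts the MBAP length field without comparing it to the bytes actually captured can be made to misparse the PDU, which is exactly the kind of edge case a DPI implementation must handle before it can be trusted to produce alerts.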
More complex architectures and new network appliances will require flexible monitoring options, including appliances for small networks, active collectors for networks lacking mirroring capabilities, virtual collectors, and containerized solutions that can be embedded in smart switches and edge gateways.
How Nozomi Networks Addresses the New Market Forces
I recently discussed these market forces, and their impact with Nozomi Networks CEO Edgard Capdevielle.
The company’s OT and IoT visibility and security platform consists of three key components: Guardian, Remote Collectors and the Central Management console.
- Guardian: This product performs the bulk of the network monitoring activities. It includes functionality for message parsing, DPI, asset discovery, threat detection, and anomaly detection. It also supports local users with network visualization, vulnerability assessment, risk monitoring, and security reporting.
- Remote Collectors: Guardian acquires network traffic through Remote Collectors that passively capture messages from control system networks. Nozomi Networks offers remote collectors in a variety of physical and virtual form factors, as well as an active scanning option, Smart Polling, which lets Guardian acquire additional asset information and cover assets in networks that lack managed switches (and therefore port mirroring).
- Central Management Console: The CMC aggregates data from multiple Guardian instances and enables centralized and remote cybersecurity management. According to Nozomi Networks, the Central Management Console can support thousands of sites and various deployment options. It can also be used as a multi-tenancy solution for shared or MSSP deployments and very large-scale enterprise deployments.
As I learned, Nozomi Networks’ continuous OT network monitoring platform supports all three of the trends mentioned above. Visibility and integration have always been key focus areas for the team’s development efforts. They have interfaces for a wide range of OT products, networking devices, SIEMs, popular IT security management tools, and access control products, as well as an open API for sharing data with external applications. Other recent solution enhancements give organizations a safe way to expand their security footprint to include OT and IoT assets without disrupting critical networks.
OT Cybersecurity Solutions Must Address New Business Needs
While many organizations already benefit from the improved asset inventories and anomaly detection provided by continuous OT network monitoring, adoption of the trends mentioned in this blog will be easier when visibility and security solutions include capabilities such as: active scanning, compliance support, integration with SOC and IT applications, advanced alert filtering, and IoT device support.
Furthermore, IT/OT convergence, third-party security support and digital transformation will impact every business that uses automation systems in some way. In a rapidly changing world, we encourage operators to evaluate how their security solution provider supports current and future needs.