ICS Security: No Time Like The Present

Acknowledging fully up front that network security is only one piece of a very large ICS security puzzle and that products/technology are not a cure-all, I still think it’s worthwhile to step back and appreciate the growth and evolution of product offerings, specific to ICS environments, that aim to address various challenges.

I spent from 2009 through most of 2017 at a distributor. When I started there, they carried a single industrial security appliance. I recall writing a blog post around 2015 covering the growth in that product category (up from that single product to 10+ across five vendors and counting). In the last five years, it has become clear that growth was just the beginning.

I’ve put together this living list — which is far from exhaustive in both category and category entries — of vendors/series/models across various ICS Security solutions. In each, I list simply by manufacturer alphabetical order since I don’t believe in any general good/better/best ranking.

Industrial Security Appliances / Firewalls

These are available in all kinds of flavors from traditional/routed to layer 2/transparent, with features ranges including traditional packet filtering, industrial protocol-specific deep packet inspection, learning modes to enable easier firewall rule creation, all variations of NAT and VPN, NGFW features ported from IT, and centralized management.

  • Bayshore Networks OTfuse

  • Belden/Hirschmann EAGLE One, 20, 30, 40, Tofino Xenon

  • Check Point 1200R, 1570R

  • Cisco ISA3000

  • Dynics ICS-Defender

  • Endian 4i Edge 112, 515, X

  • Fortinet FortiGate Rugged 60F, 70F

  • Moxa EDR-810, EDR-G902/3, EDR-G9010

  • Palo Alto Networks PA-220R

  • Phoenix Contact mGuard

  • Westermo Lynx/RedFox (L3 switches with Firewall functionality atpyical of other vendors L3 switches)

Data Diodes

For the longest time, I was only aware of one name in this space. Now not only is it clear there are more players but also new and wider applications of the technology. Previously reserved only for high-end, larger throughput applications in a rack-mount form factor, higher horsepower, and associated higher costs, you’ll find some on this list potentially able to reach more customers including targeting edge low throughput applications sitting directly on the DIN-rail.

  • Bayshore Networks NetWall

  • Hirschmann Rail Data Diode

  • Owl Cyber Defense Owl Perimeter Defense Solution, DiOTa

  • Waterfall Unidirectional Security Gateways

Secure Remote Access (SRA)

I’ve written a lot on this category already here, and this is just a sampling of the vendors whose solutions we’ve used or researched that helped fuel the questions in that post. These vendors make specific SRA solutions for ICS targeting different customer types (OEM vs. asset owner), vertical markets, and offering various deployment types from software-only to hardware appliances, entirely customer-owned to partially vendor-hosted, etc. Certainly no shortage of options here.

  • Bayshore Networks

  • ClarOTy

  • Cyolo

  • Dispel

  • eWON

  • Ixon (and Automation Direct white label)

  • Moxa (Remote Connect)

  • Phoenix Contact (mGuard Secure Cloud)

  • RedLion (RLConnect24)

  • Secomea

  • Siemens (Sinema Remote Connect)

  • Tosibox

  • Xage

  • Xona

Asset Inventory / Visibility / Anomaly Detection / Behavioral Analytics

I can never settle on what the heck to label this solution category, but it’s been a fun one to watch for the last few years. There are plenty of related topics for discussion here, but at a high level, these vendors were some of the first to perform a mix of passive and active network monitoring on horizontal/east-west traffic on ICS networks, allowing customers to collect asset inventory information, automatically correlate deployed firmware of said inventory against vulnerability databases, baseline system-specific “normal” network traffic (who is talking to who, via what protocol, and at what intervals/frequency) to enable alerting of anomalous traffic conditions, etc. Some of these vendors also have free/community solutions covering some portion of the aforementioned functionality.

  • Bayshore Networks

  • Cisco (acquired Sentryo)

  • Dragos

  • Forescout (acquired SecurityMatters)

  • Microsoft (acquired CyberX)

  • Nozomi Networks

  • Radiflow

  • SCADAFence

  • Tenable (acquired Indegy)

ICS security expert Pascal Ackerman in his fantastic book “Industrial Cybersecurity” comments, that due to their very nature of not changing often with more stagnant configurations and traffic patterns “The ICS is extremely defendable.” In this chapter on defense-in-depth he describes further how by “layering protective measures, gaps in the security of one layer can be closed by controls on another layer, creating a holistic security posture.”

ICS security expert Robert M. Lee stated in a 2019 training that ICS systems are “some of the most defensible systems on the planet.” He went on to say, “There are simply more steps an adversary has to take to reach the kind of effects we are worried about most in our environments. There are more opportunities to detect, prevent, and respond than any normal systems.” He further reminds, “They’re not necessarily defended systems” and you can’t sit idly by doing nothing and assume you won’t have problems. However, “With the right care and feeding and the right people on top of it you can move defensible to well-defended.”

So while again acknowledging that the above categories and solutions will only be a part of an overall security posture and certainly that caution should be exercised to avoid shiny object syndrome, I still believe there has never been a better time than the present to take one step forward. Appreciating that it’s easy to become overwhelmed by the seemingly daunting task of securing ICS, freezing into inaction is often the result. While some might see the myriad of choice as an obstacle or path to analysis paralysis, I see the glass half-full — an opportunity to select a category, add another layer of visibility or protection where you have nothing today, pushing your system closer toward well-defended. And if you’d like help in the selection process, we’re always here to help.

Previous
Previous

Nothing But NAT - Part 1

Next
Next

Remote Access for ICS - Part 2