ICS Security: No Time Like The Present
Acknowledging fully up front that network security is only one piece of a very large ICS security puzzle and that products/technology are not a cure-all, I still think it’s worthwhile to step back and appreciate the growth and evolution of product offerings, specific to ICS environments, that aim to address various challenges.
I spent from 2009 through most of 2017 at a distributor. When I started there, they carried a single industrial security appliance. I recall writing a blog post around 2015 covering the growth in that product category (up from that single product to 10+ across five vendors and counting). In the last five years, it has become clear that growth was just the beginning.
I’ve put together this living list — which is far from exhaustive in both category and category entries — of vendors/series/models across various ICS Security solutions. In each, I list simply by manufacturer alphabetical order since I don’t believe in any general good/better/best ranking.
Industrial Security Appliances / Firewalls
These are available in all kinds of flavors from traditional/routed to layer 2/transparent, with features ranges including traditional packet filtering, industrial protocol-specific deep packet inspection, learning modes to enable easier firewall rule creation, all variations of NAT and VPN, NGFW features ported from IT, and centralized management.
Bayshore Networks OTfuse
Belden/Hirschmann EAGLE One, 20, 30, 40, Tofino Xenon
Check Point 1200R, 1570R
Cisco ISA3000
Dynics ICS-Defender
Endian 4i Edge 112, 515, X
Fortinet FortiGate Rugged 60F, 70F
Moxa EDR-810, EDR-G902/3, EDR-G9010
Palo Alto Networks PA-220R
Phoenix Contact mGuard
Westermo Lynx/RedFox (L3 switches with Firewall functionality atpyical of other vendors L3 switches)
Data Diodes
For the longest time, I was only aware of one name in this space. Now not only is it clear there are more players but also new and wider applications of the technology. Previously reserved only for high-end, larger throughput applications in a rack-mount form factor, higher horsepower, and associated higher costs, you’ll find some on this list potentially able to reach more customers including targeting edge low throughput applications sitting directly on the DIN-rail.
Bayshore Networks NetWall
Hirschmann Rail Data Diode
Owl Cyber Defense Owl Perimeter Defense Solution, DiOTa
Waterfall Unidirectional Security Gateways
Secure Remote Access (SRA)
I’ve written a lot on this category already here, and this is just a sampling of the vendors whose solutions we’ve used or researched that helped fuel the questions in that post. These vendors make specific SRA solutions for ICS targeting different customer types (OEM vs. asset owner), vertical markets, and offering various deployment types from software-only to hardware appliances, entirely customer-owned to partially vendor-hosted, etc. Certainly no shortage of options here.
Bayshore Networks
ClarOTy
Cyolo
Dispel
eWON
Ixon (and Automation Direct white label)
Moxa (Remote Connect)
Phoenix Contact (mGuard Secure Cloud)
RedLion (RLConnect24)
Secomea
Siemens (Sinema Remote Connect)
Tosibox
Xage
Xona
Asset Inventory / Visibility / Anomaly Detection / Behavioral Analytics
I can never settle on what the heck to label this solution category, but it’s been a fun one to watch for the last few years. There are plenty of related topics for discussion here, but at a high level, these vendors were some of the first to perform a mix of passive and active network monitoring on horizontal/east-west traffic on ICS networks, allowing customers to collect asset inventory information, automatically correlate deployed firmware of said inventory against vulnerability databases, baseline system-specific “normal” network traffic (who is talking to who, via what protocol, and at what intervals/frequency) to enable alerting of anomalous traffic conditions, etc. Some of these vendors also have free/community solutions covering some portion of the aforementioned functionality.
Bayshore Networks
Cisco (acquired Sentryo)
Dragos
Forescout (acquired SecurityMatters)
Microsoft (acquired CyberX)
Nozomi Networks
Radiflow
SCADAFence
Tenable (acquired Indegy)
ICS security expert Pascal Ackerman in his fantastic book “Industrial Cybersecurity” comments, that due to their very nature of not changing often with more stagnant configurations and traffic patterns “The ICS is extremely defendable.” In this chapter on defense-in-depth he describes further how by “layering protective measures, gaps in the security of one layer can be closed by controls on another layer, creating a holistic security posture.”
ICS security expert Robert M. Lee stated in a 2019 training that ICS systems are “some of the most defensible systems on the planet.” He went on to say, “There are simply more steps an adversary has to take to reach the kind of effects we are worried about most in our environments. There are more opportunities to detect, prevent, and respond than any normal systems.” He further reminds, “They’re not necessarily defended systems” and you can’t sit idly by doing nothing and assume you won’t have problems. However, “With the right care and feeding and the right people on top of it you can move defensible to well-defended.”
So while again acknowledging that the above categories and solutions will only be a part of an overall security posture and certainly that caution should be exercised to avoid shiny object syndrome, I still believe there has never been a better time than the present to take one step forward. Appreciating that it’s easy to become overwhelmed by the seemingly daunting task of securing ICS, freezing into inaction is often the result. While some might see the myriad of choice as an obstacle or path to analysis paralysis, I see the glass half-full — an opportunity to select a category, add another layer of visibility or protection where you have nothing today, pushing your system closer toward well-defended. And if you’d like help in the selection process, we’re always here to help.