- By Felipe Sabino Costa
- May 25, 2021
- Moxa Technologies Inc
Consider these key questions to help ensure you choose a qualified solution provider. This article comes from the Ebook Automation 2021: OT/ICS Cybersecurity.
The past few years have seen an increased demand for cybersecurity in industrial applications. As a result of this, many decision makers for industrial applications are interacting with cybersecurity for the first time. While many companies hope to invest more in ramping up network security, it is essential to make informed decisions when selecting a suitable supplier or solution provider. Industrial cybersecurity is a complex topic that must include considerations about industrial operations. It is highly recommended that decision makers do not just look at the specifications shown on fact sheets or datasheets, but also consider key questions that can help ensure they choose a qualified solution provider.
This article will provide answers to these important questions and help to guide decision makers when selecting an industrial networking solution provider for cybersecurity.
1. What are the indicators that I am selecting a company with a mature industrial cybersecurity solution?
There are many important factors to consider depending on the industry and application. As the literature usually does not distinguish suppliers from users, the factors mentioned below can be used as a reference for both.
As a starting point, cybersecurity is not only a feature or product. In fact, it is a complex process that involves many different factors during different phases. It is fundamental to establish the pillars of “people,” “processes,” and “technologies” on both sides—supplier and customer—as they pass through the life cycle, including integration and maintenance of the cybersecurity solution.
Although measuring the maturity of a company can be difficult, there are some indicators that can be used to determine how mature the company is. These indicators are explored in more detail in later questions and include topics such as threat intelligence processes, speed of response to incidents, solutions based on solid and internationally recognized frameworks, whether the company receives vulnerability notifications from external parties, experience working on industrial applications, and services and support before and after purchase.
2. How do I measure the maturity of a cybersecurity solution provider?
It is quite difficult to define a maturity baseline for different companies that may have different frameworks and measurements. However, if we consider the ARC Cybersecurity Maturity Model, a mature company should have established a threat intelligence management process, including a full-time cybersecurity team to respond to any cyberthreats. In addition, it should be able to detect anomalies and breaches. Finally, it should also be able to anticipate potential threats instead of only responding to them, which is the most difficult to achieve. This maturity model considers some key aspects, which can be good indicators of the maturity of a cybersecurity solution provider.
In addition to the factors mentioned above, a company has a higher cybersecurity maturity level when it has implemented a solid threat intelligence process and the team effectively responds to any threats found and maps vulnerabilities. Companies that are able to anticipate threats can offer better solutions.
There are also some additional methodologies, such as the Detection Maturity Level Model (DML) and the Cyberthreat Intelligence Model (CTI), which measure the maturity of a company based on how it handles threats (although they fall outside the scope of this article). For a company to be considered mature with regard to its approach to cybersecurity, it should have established threat intelligence processes and have a dedicated team to quickly respond to any potential threats internally or externally.
3. Are there any independent methods to compare solutions?
Yes, inside specific industries there are some recognized frameworks, such as those from the National Institute of Standards and Technology (NIST) and IEC 62443, which give practical and impartial suggestions for product characteristics and general recommendations that businesses operating inside these industries should consider.
It is also important to consider the adoption of both vertical and horizontal standards. Horizontal standards tend to embrace a broader range of industrial applications, such as the ISA/IEC 62443 series of standards, and vertical standards often represent a smaller sector, such as NERC CIP for the power sector. Depending on the requirements of each individual sector, there may be additional vertical industry standards that can be used for reference and guidance.
Last, another important indicator to determine the maturity of a provider’s offering is if it follows proven frameworks. Using recognized frameworks provides an independent way to compare solutions.
4. How can I calculate the return on investment for a cybersecurity investment?
There is still an ongoing debate about how to measure a cybersecurity investment, usually termed return on investment (ROI) or return on security investment (ROSI). Although there is no single agreed-upon formula that can be easily shared, it is plausible to consider the correlation between cybersecurity investments and the benefits of enhanced safety, increased production stability, and other elements.
Because cybersecurity, put simply, is a combination of availability, confidentiality, and integrity (the CIA triad), it is possible to infer that investments in cybersecurity directly minimize potential threats to industrial control systems and, as a consequence, increase levels of production and enhance safety. In other words, cybersecurity is the balance between the financial cost you can afford and the risk you can accept.
5. Does the solution provider receive information regarding vulnerabilities from external parties?
Another important factor to consider when evaluating a potential offering is to verify if the solution provider has an open channel to receive information about potential vulnerabilities from external parties. Being receptive to this information is fundamental to developing a more mature solution as well as increasing the reliability of the solution being offered.
For industrial control systems, this capability is still relatively new, but this openness and willingness to improve is vital to ensure the company is able to provide reliable solutions. Those who have already embraced this approach are demonstrating that they are well on their way to offering a mature cybersecurity solution.
6. Does the solution provider have success stories for industrial applications that are similar to my own requirements?
The majority of the time, any given industrial application will have unique aspects. Therefore, it is important to understand if the supplier has already developed solutions for a relatively similar application. This minimizes, or at least anticipates, potential operational problems, because industrial solutions differ from enterprise solutions in many respects.
Whenever possible, decision makers should request a proof of concept (PoC) in order to make sure that what they are requesting can be delivered. It never hurts to emphasize, as recommended by important industrial frameworks such as NIST and ISA/IEC 62443, that any test should not be performed on a live system, but on an isolated external system first, to avoid disrupting live operations.
7. Does the solution provider have experience deploying solutions inside OT environments?
It is very important to determine whether the solution provider has enough knowledge of industrial environments to be able to support you. While it is true that enterprise and industrial cybersecurity solutions have a lot in common, it should not be forgotten that they are not identical. In order to obtain a tailored industrial solution, the specific requirements of each industrial application have to be considered.
For industrial environments, data must be passed from one device to another very quickly. For the majority of industrial applications, latency is detrimental to the system and is therefore not acceptable. In contrast to this, some latency is acceptable for the majority of enterprise applications.
The environment also has an important role. For products being developed for industrial environments, the hardware should be built to withstand wide temperature ranges, vibration, dust, and other environmental factors. In contrast to this, an enterprise product is not normally required to go through such a rigorous testing process.
Another important capability is whether the software can detect and filter industrial protocols such as PROFINET, EtherNet/IP, and Modbus/TCP, which are widely used in industrial applications.
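To make concrete what "detect and filter" means for one of the protocols named above, here is an added example (not code from the article or from Moxa) of a minimal Modbus/TCP inspection filter in Python. It parses and sanity-checks the MBAP header, then applies a deny-by-default allowlist of function codes so that only read requests reach the device while write requests are blocked and malformed frames are dropped. The allowlist policy (a monitoring-only zone) and the sample frames are assumptions constructed for this example.

```python
"""Added example: Modbus/TCP header validation and function-code filtering.

Not taken from the article or from any vendor product. The allowlist policy
and the sample frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_LENGTH_FIELD = 254  # unit id (1) + maximum PDU (253 bytes)

# Public Modbus function codes (from the Modbus application protocol spec)
READ_COILS = 0x01
READ_DISCRETE_INPUTS = 0x02
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10

# Assumed policy for this example: a monitoring-only zone where reads are
# allowed and every other function code (writes, diagnostics, vendor codes)
# is denied by default.
ALLOWED_FUNCTION_CODES = {
    READ_COILS,
    READ_DISCRETE_INPUTS,
    READ_HOLDING_REGISTERS,
    READ_INPUT_REGISTERS,
}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse a Modbus/TCP ADU; return None when the frame is malformed."""
    if len(payload) < MBAP_LEN + 1:
        return None  # need the full MBAP header plus a function code byte
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:
        return None  # protocol id is always 0 for Modbus
    # The length field counts unit id + PDU, so it must equal the bytes
    # that follow the first six header bytes; a mismatch means truncation
    # or padding and the frame is not trusted.
    if length != len(payload) - 6:
        return None
    if length > MAX_LENGTH_FIELD:
        return None
    return ModbusFrame(tid, pid, length, uid, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def filter_decision(payload: bytes) -> str:
    """Return 'allow', 'deny' (policy violation) or 'drop' (malformed)."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "drop"
    if frame.function_code in ALLOWED_FUNCTION_CODES:
        return "allow"
    return "deny"


# Constructed sample frames (hex shown as transaction/protocol/length/unit/PDU)
SAMPLE_READ = bytes.fromhex("0001 0000 0006 01 03 0000 000A")   # read 10 holding regs
SAMPLE_WRITE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")  # write single register
SAMPLE_TRUNCATED = bytes.fromhex("0003 0000 0006 01 03 0000")   # length says 6, 4 present
SAMPLE_BAD_PROTOCOL = bytes.fromhex("0004 0001 0006 01 03 0000 000A")  # protocol id 1


def run_samples() -> dict:
    """Apply the filter to every constructed sample and return the decisions."""
    return {
        "read": filter_decision(SAMPLE_READ),
        "write": filter_decision(SAMPLE_WRITE),
        "truncated": filter_decision(SAMPLE_TRUNCATED),
        "bad_protocol": filter_decision(SAMPLE_BAD_PROTOCOL),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:>12}: {verdict}")
```

A real industrial firewall does this inline on every TCP segment and typically also tracks request/response pairing and register ranges per unit id; the point of the sketch is that protocol awareness means parsing the application layer and enforcing a deny-by-default policy on it, not just matching TCP port 502.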
From all of the points that have been considered, it is apparent how complex it is to implement an industrial cybersecurity solution. Thus, it is essential that the companies providing cybersecurity solutions really understand this demanding sector.
8. Will the solution provider be committed to my business?
When selecting a solution provider, it is important to not just consider the equipment datasheets. It is important to understand whether the security solutions are connected to an overall cybersecurity strategy and how much the solution provider understands your needs.
During the past few years, there has been an increased demand and appreciation for pre- and post-sales services for the majority of cybersecurity customers.
Before you purchase the solution, ensure that your solution provider is aware of your framework and that it has a good understanding of where the proposed solution fits in. The company offering the solution should act like a consultant, and be able to give you good advice for your solution. A vendor who is serious about cybersecurity needs to understand each application and suggest a specific solution for each case. The “one solution fits all” model is definitely not recommended for industrial cybersecurity.
If your company does not have its own framework, a possible starting point is the Cybersecurity and Infrastructure Security Agency (CISA), which is based in the U.S. It uses solid industrial frameworks within its Cyber Security Evaluation Tool (CSET) and uses this as a foundation to evaluate industrial control systems, including frameworks such as NIST and ISA/IEC 62443. As each country may have its own regulatory agency, we suggest checking your country’s agency framework recommendations if you live outside the U.S.
Finally, after you have purchased the solution, you should list which services are available, such as warranty, troubleshooting, SLA, and others. From here, you can decide which services are more important and consider the total cost of ownership based on the needs of your company.
Two points to remember
In conclusion, it is worth remembering the following two points. The first is that there is an optimal point between the financial cost and level of protection required. Second, IT cybersecurity may not be suitable for an OT environment, so selecting an experienced industrial networking solution provider should be a requirement.