ICS Vendor Security Strategies

11 Jan 2010 | 2011

A recent ARC Advisory Group analysis of the ABB / Industrial Defender security partnership has me thinking about the different ICS vendor security strategies. I can think of at least four different strategies and will blog on them this week. Let’s start with the Emerson Ovation team’s approach.

Anyone doing DCS security assessments of US power plants has surely run into Emerson’s Ovation. Like most ICS there are security pro’s and con’s of the DCS, but what is interesting is Emerson’s “Let Us Do It All” approach to cyber security. Emerson calls this the Ovation Security Center and it includes:

  • Anti-Virus / Malware
  • Firewall / Perimeter Security Device
  • Host IDS/IPS
  • Security Incident & Event Management
  • Security Patch Management
  • Vulnerability Scanning

Sounds great, and many owner/operators are thrilled to hear of the Ovation Security Center offering even if the price is six figures. Let the DCS vendor take care of all of the cyber security technical controls and even better have all of this managed under a single management console. Depending on the documentation version or presentation there is also talk of backup/recovery management, network IDS/IPS management, and other capabilities

The flaw in this strategy is the difficulty in achieving and maintaining it. There is a significant risk to Emerson of underperforming and to owner/operators of investing significant $$$ and security responsibility in a model that has failed many times perform. There are many examples of security companies trying to be a one-stop shop buying up all different technical solutions, with the best example being the failed Network Associates / McAfee effort.

Is the Emerson Ovation team really going to be able to support all these OEMed security solutions? How many people would be required to do this properly? 15? 25? And remember all these customers are running power plants and have paid big money for the security solution so expectations are high. What happens when a vendor upgrades a product or even worse drops a product? It is one thing to get a solution up and running at a point in time with no installed base, but it is much harder to deal with lifecycle issues across a deployed base with five or more products cobbled together in a service offering.

It is hard enough to be a VAR of this many security products when you are also responsible for installation and support, but trying to put things under a common management platform is the holy grail and about as difficult to find/achieve. Large vendors such as Cisco with large installed bases to spread the costs over and large pools of security and software development have struggled mightily with this, or failed depending on how kind you want to be. The idea that any vendor with a small installed base, as compared to Cisco firewalls/IDS/VPN’s, is going to have a quality management console for all these products is hard to believe and even harder to support over time. And remember that Emerson is a DCS vendor, not a security vendor, so this is not what the company excels at or is built for.

We predict the “Let Us Do It All” strategy is likely to fail or lead to dissatisfaction over time. Ovation Security Center was delayed many times from the original planned introduction date, but this happens to many products. Once it is out the key factors to watch will be if more customers make the total solution better or worse and how Emerson deals with changes to the products included in the Ovation Security Center. If Emerson is able to pull this off over the medium to long haul it will be very impressive and worth that price tag.

[FD: Digital Bond has worked with the Emerson Ovation team on a Bandolier Security Audit File for Ovation.]

Industrial Defender to provide cyber security for ABB customers.

The IT security world is filled with partnership announcements like this that most often end up as little more than a marketing burst, and I have actually lived through a few of these in my Racal days. Occasionally one or both sides is really only interested in the publicity, but more often than not the partnership is entered with the best of intentions and just does not result in sales. It is very difficult for the company providing security products and services to get mindshare with the larger vendors sales and marketing teams. These teams have a full product line to sell, and they focus on what is easiest to sell and make their numbers. Security is a complex sale for relatively small money compared to the overall system, and so the sales team does whatever it can close the bigger sale rather than try to upsell. It is the financially smart thing for them to do.

This type of partnership really only works when security is the difference between making or losing a sale. So far in the ICS world, security rarely is this difference. It is slowly becoming more important so perhaps this will change. So let’s assume that security is a key sales factor, and the customers want a full set of security products and services. How will a partnership strategy like this work?

The ARC Advisory Group published their analysis of this partnership in December, and it is worth a read. They interviewed both parties and talk about what both sides see as the benefits. Mainly that ABB can focus on their core business and Industrial Defender has access to potential customers. These could be significant benefits and ABB lessens the large downside risk of the Emerson approach. However, I think it ignores two big potential downsides if this partnership is successful and actually involves many ABB customers using Industrial Defender suite of security products. These downsides relate to the sustainability product line itself which is a combination of Industrial Defender and OEM products:

  • Firewall – Fortigate
  • Host Intrusion Prevention – CoreTrace
  • Network IDS – Snort
  • Security Information and Event Management (SIEM) – Industrial Defender
  • Compliance Manager – Industrial Defender
  • Access Manager – Industrial Defender [Teltone Acquisition]
  • Device Interfaces – Industrial Defender
  • Dial-Up Gateway – Industrial Defender [Teltone Acquisition]

The first downside is ABB would become very dependent on a relatively small company if this partnership is successful. If they convince their customers that Industrial Defender is the security solution then they have to stand behind this company.

Industrial Defender’s security product business has been around for years, but for many of those years consulting carried the lagging product business. They do not publish numbers because they are a private company, but the total size of the ICS security market is tiny compared to the IT security market. Small security product vendors struggle with a single product, and Industrial Defender has developed a number of software intensive products that will need continued R&D to support and grow to remain a credible offering.

If ABB encourages and assists its customers in relying on these Industrial Defender made products then ABB will have to deal with the product lifecycle issues as if they were the vendor. If the partnership is successful then ABB cannot let Industrial Defender fail and may even need to acquire them if it is an issue. The worst thing for an ABB customer is if they are one of only a small number of ABB customers that select Industrial Defender. This may not be compelling enough for ABB to prevent a product or company from going away.

The second potential downside is: are the products going to be the best security solution for ABB customers? A small number are private labeled from other security vendors, such as the Fortigate firewall and CoreTrace HIDS. While the CoreTrace HIDS appears to be a fine choice so far, the Fortigate firewall would not likely be on most peoples’ firewall short list because of its small market share. Also, Industrial Defender has little influence on what these vendors chose to do with their products.

There also is the issue of how competitive the Industrial Defender developed security products are with the market leaders in the applicable product category. They will have more control system intelligence than some of their counterparts, but they also will have many man-year less of engineering time in them across the development lifecycle. The SIEM is a good example where Industrial Defender does not even appear in the competition against SIEM vendors except in the ICS space. The real question is: is the control system intelligence in Industrial Defender solutions worth more than the full featured, market leading competition. I can see occasions where the answer would be yes, but it will be an ongoing issue as the products evolve.

All that said, this is a major opportunity for Industrial Defender. If they can successfully launch their products with the ABB salesforce, provide the service and support, and make their products competitive against other point solutions, it could be a major new source of business. This is why these security company / big company partnerships continue to happen. The upside for the security vendor is significant.

The announcement is very careful to point out that ABB and their customers are not tied to Industrial Defender. They can select different security solutions. It does give ABB flexibility, but they will need to take a position with their customers and prospects. Does a sales team recommend and try to sell Industrial Defender security products or do they just have it as another possibility in a big catalog they can provide. It is a low risk approach by ABB until they put a lot of their clout behind it, and their customers into Industrial Defender products.

It will be interesting to see if other ICS vendors emulate the ABB partnership approach.

Defense in depth is an important security concept, but the end goal and last line of defense is the SCADA or DCS application or application component itself. This is what is delivered by the ICS vendor, who also happens to know the application better than anyone else and have control of the application. So what I want from an ICS vendor is security capabilities built in and integrated into their product.

Invensys took this approach last year when they integrated McAfee’s Host Intrusion Prevention System (HIPS) into the Invensys DCS. It has whitelists for applications that are allowed to run, which the vendor knows and can configure at installation. It has a host based firewall limiting incoming and outgoing traffic, again the vendor knows and can configure. And it also has signature and behavior based protection and alerts.

It would be difficult and a bit scary for an owner/operator to deploy HIDS/HIPS on a ICS workstation or server without a vendor’s blessing or support. Invensys has gone one step further than approving and providing information on HIPS; they actually deploy it with their system. I asked Ernie Rakaczky last year at S4 if he thought a customer could deploy HIPS without affecting operation, and he said it would be difficult. The Invensys team spent a lot of time looking at HIPS products and configuring and testing the one selected. This is what I want my vendor to focus their security efforts on, the application elements that they develop and know best.

As I side note this integrated HIPS also reduces the risk of the longer security patching cycle necessitated by ICS compatibility testing and phased deployments.

Another example of an ICS vendor integrating security software is Telvent’s OASyS DNA with integrated encryption from Apani. It is a product option that encrypts and authenticates information sent between the SCADA Server, Historian, HMI, EWS and other Telvent components in the SCADA control centers. Again this would have been risky to reliable operations for owner/operators to install on their own. Telvent’s engineers can integrate and deliver this because they know their system and can put it through rigorous testing in their lab.

Of course there are also requirements to provide information on what network communication is required so a customer selected firewall can be configured, security patch compatibility information so a customer selected patch management solution can be successful, information on key directories requiring backup, … With that information an owner/operator can put together their security solutions. It avoids the vendor spending cycles trying to sell and support all those disparate security technologies, and focus on that part of security that only what the vendor can do.