Most of the activity in the ICS security product market has been around passive solutions that create asset inventories and detect cyber incidents. It is a bit astounding, but the market and its solutions will look almost completely different in two to five years than they do today. The current products have value, will still be around, and will be much more widely deployed in the future, just packaged in very different products than today.
Here is what you can expect. Mark it down.
1. Passive monitoring will not be used to create and maintain an asset inventory
This may be hard to believe, since creating an asset inventory is a top reason why passive ICS security products are being piloted and purchased now. These purchases are driven by the fact that many asset owners have no asset inventory today. The allure is obvious. Plug the solution into a switch span port, and it will create and maintain an asset inventory for you.
Unfortunately, passive monitoring does not provide the comprehensive, detailed and accurate information that is required. Approaches like PAS’s dissection of the DCS project files and/or Langner’s active communication with the devices, combined with manual entry and adjustment, are what will produce the single source of truth asset inventory.
These passive solutions, if deployed, will communicate with the single source of truth asset inventory to report when something new or unknown is communicating on the OT network. It is unlikely they will be purchased primarily for this purpose, because the same information can be obtained from NetFlow and similar sources. Rather, if you have one of these solutions for detection, it is also detecting new cyber assets on the OT network and reporting them to the asset inventory for action.
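To make the division of labor concrete, here is an added example (mine, not code from the post or from any of the vendors named) of the reconciliation a passive sensor or a NetFlow collector would feed into an inventory of record. The inventory, the OT address range and the flow records are constructed; hosts that talk but are not in the inventory become review tickets with the context the inventory already has, and the function also reports inventoried assets that never appeared on the wire, which is the gap passive monitoring cannot close on its own.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed inventory of record: what the asset management system (the
# single source of truth) knows. Names and addresses are made up.
INVENTORY = {
    "10.20.1.10": {"name": "PLC-01", "role": "controller"},
    "10.20.1.11": {"name": "PLC-02", "role": "controller"},
    "10.20.1.12": {"name": "PLC-03", "role": "controller"},  # never talks in the sample
    "10.20.1.50": {"name": "HMI-A", "role": "hmi"},
    "10.20.1.60": {"name": "HIST-1", "role": "historian"},
}

# Address space the OT inventory is responsible for (assumed). Hosts outside it
# are out of scope (e.g. the IT side of a firewall), not "new OT assets".
OT_SCOPE = ip_network("10.20.1.0/24")

# Well-known ICS ports, used only to label what an unknown host was doing.
ICS_PORT_HINT = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm"}

# Constructed NetFlow-style records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    ("2019-06-10T08:00:01", "10.20.1.50", "10.20.1.10", 502),
    ("2019-06-10T08:00:02", "10.20.1.50", "10.20.1.11", 502),
    ("2019-06-10T08:00:05", "10.20.1.60", "10.20.1.10", 502),
    ("2019-06-10T08:01:00", "10.20.1.77", "10.20.1.10", 502),     # unknown host polling a PLC
    ("2019-06-10T08:01:30", "10.20.1.77", "10.20.1.11", 44818),   # same host, EtherNet/IP
    ("2019-06-10T08:02:00", "10.20.1.50", "10.20.1.88", 102),     # HMI talking to an unknown host
    ("2019-06-10T08:02:30", "10.20.1.50", "192.168.5.5", 443),    # out of scope, ignored
]


@dataclass
class Observation:
    ip: str
    first_seen: str
    peers: set = field(default_factory=set)
    protocols: set = field(default_factory=set)


def reconcile(inventory, flows, scope=OT_SCOPE):
    """Compare passively observed hosts with the inventory of record.

    Returns (unknown, silent): unknown maps each in-scope IP that is talking but
    not inventoried to what was seen of it; silent lists inventoried assets that
    never appeared in the flows. A device that does not talk is invisible to
    passive monitoring, so the silent list is why the inventory still needs
    another source (project files, active queries, manual entry)."""
    seen = {}
    for ts, src, dst, port in flows:
        proto = ICS_PORT_HINT.get(port, f"tcp/{port}")
        for ip, peer in ((src, dst), (dst, src)):
            if ip_address(ip) not in scope:
                continue
            obs = seen.setdefault(ip, Observation(ip=ip, first_seen=ts))
            obs.peers.add(peer)
            obs.protocols.add(proto)
    unknown = {ip: obs for ip, obs in seen.items() if ip not in inventory}
    silent = sorted(ip for ip in inventory if ip not in seen)
    return unknown, silent


def inventory_actions(unknown, inventory):
    """Turn unknown-host observations into review tickets for the asset
    management system, with the names of the known assets it talked to
    attached so the reviewer does not start from a bare IP address."""
    actions = []
    for ip, obs in sorted(unknown.items()):
        known_peers = [inventory[p]["name"] for p in sorted(obs.peers) if p in inventory]
        actions.append({
            "ip": ip,
            "first_seen": obs.first_seen,
            "protocols": sorted(obs.protocols),
            "talked_to": known_peers,
            "action": "review: add to inventory or remove from network",
        })
    return actions


if __name__ == "__main__":
    unknown, silent = reconcile(INVENTORY, FLOWS)
    for ticket in inventory_actions(unknown, INVENTORY):
        print(ticket)
    print("inventoried but never observed:", silent)
```

Run as-is it reports 10.20.1.77 and 10.20.1.88 as unknown hosts and PLC-03 as an inventoried asset the sensor never saw; the 192.168.5.5 peer is dropped as out of scope rather than becoming a bogus OT asset.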
Asset inventory will also be part of an asset management solution, not a detection solution. Which leads to:
2. Asset Management and Detection are separate solutions
Let’s start with the fact that very different people and teams are responsible for Asset Management and Detection. This alone would keep the two functions from being combined in a single product.
The current group of ICS security products comes from very talented packet junkies, who can quickly learn and dissect ICS protocol packets, and from threat intel types. This is very different from supporting a change control process that works for Operations and a configuration management database.
Asset Management will communicate with Detection solutions. Primarily, Asset Management will provide detailed asset information so the Detection solution and its analysts can do a better job of identifying incidents, understanding the associated risks, and determining what response actions to take.
The Detection solution will provide notification of new or changed assets (see Prediction 1). As both solutions mature, the Detection solution could also send remediation tickets to the Asset Management solution (see Prediction 6).
3. Passive Detection GUIs will be used for configuration only
Those great demos the ICS passive detection security vendors give on how an analyst can use their GUIs to detect and analyze incidents … not important. They will go away. An analyst doesn’t want to look at this screen. The analyst wants the one screen that all of the potential detection data feeds into.
We heard this first-hand from an asset owner on the S4x19 Sponsor Stage. CyberX had a client on stage telling the audience how great the solution was. (They really were big CyberX fans and had deployed the solution.) They then said (paraphrasing), “we really never look at the CyberX screen. Our analysts only look at QRadar, and we send all the CyberX alerts there.”
I’m sure many vendors, and some asset owners, are saying they love and need the GUI from the passive ICS Detection solutions. It is much like the passive asset inventory situation. If you have nothing today, this looks great. It is not what you will want as your detection capability matures.
4. Passive Detection collection and initial analysis will reside in switches
This is already happening. Nozomi in RuggedCom. Cisco buying Sentryo. Why deploy separate boxes when you can just use a container or another switch-provided computing platform?
5. Passive Detection solutions will face significant pricing pressure
If the GUI isn’t looked at by the analyst (Prediction 3) and the collection and initial analysis sit in the switch (Prediction 4), then it will not be possible to maintain a premium price. We have seen this before with IDS/IPS.
This is not all bad. First, the reduced price point will be easier to sell to asset owners: Mr. Asset Owner, for this small incremental price you can add ICS detection to your switch. And second, many of the solutions today are already so heavily discounted to win deals that the vendors have not become reliant on temporarily high prices. (Although it will hit the projections made to investors hard.)
6. Two-way contextual communication with the enterprise solution (asset management to asset management, detection to SIEM) will be key
Today the communication between the ICS solutions and enterprise solutions is almost all trivial. The ICS solution sends detection alert data or a simple server asset inventory with minimal context to the enterprise solution. A lot more context is needed for automated analysis and correlation, and two-way communication is needed.
For example, if the ICS detection solution is sending alerts to the SIEM, the SIEM will want to be able to say “send me more of that” or “send me less of that” to affect the collection, analysis and forwarding of data. There is a long wish list of what an analyst on the SIEM or on ServiceNow Asset Management would want to be able to ask for and do with the ICS solution.
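As an added illustration of what the two-way exchange in Predictions 2 and 6 looks like in practice (my example, not code from the post or from any vendor), the block below enriches a bare detection alert with asset-inventory context before it goes to the SIEM, and lets the SIEM tune the forwarder with “send me less of that” directives. The inventory, the alert rules, the expected-source table and the directive format are all assumed for the example; a suppression directive is deliberately not allowed to silence a high-priority event, since the analyst asked for less noise, not for unexpected writes to a controller to disappear.

```python
# Constructed inventory of record (the asset management system's view).
INVENTORY = {
    "10.20.1.10": {"name": "PLC-01", "role": "controller", "criticality": "high", "zone": "cell-1"},
    "10.20.1.50": {"name": "HMI-A", "role": "hmi", "criticality": "medium", "zone": "cell-1"},
    "10.20.1.70": {"name": "EWS-1", "role": "engineering", "criticality": "medium", "zone": "cell-1"},
}
UNKNOWN_ASSET = {"name": "unknown", "role": "unknown", "criticality": "unknown", "zone": "unknown"}

# Which source roles are expected to perform which operation (assumed policy).
# A write from a role not listed is what the analyst wants escalated, not summarized.
EXPECTED_SOURCES = {
    "modbus_write": {"hmi", "engineering"},
    "plc_program_download": {"engineering"},
}


def enrich(alert, inventory):
    """Attach inventory context to a raw alert and compute a priority the SIEM
    can correlate on, instead of forwarding two IP addresses and a rule name."""
    src = inventory.get(alert["src"], UNKNOWN_ASSET)
    dst = inventory.get(alert["dst"], UNKNOWN_ASSET)
    expected = src["role"] in EXPECTED_SOURCES.get(alert["rule"], set())
    if not expected and dst["criticality"] == "high":
        priority = "high"
    elif not expected or dst["criticality"] == "high":
        priority = "medium"
    else:
        priority = "low"
    return {**alert, "src_asset": src, "dst_asset": dst,
            "expected_source": expected, "priority": priority}


class OTForwarder:
    """Sits between the detection engine and the SIEM. The SIEM tunes it with
    directives rather than an analyst working in the detection product's GUI."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.policy = {}   # (rule, src_role or "*") -> "full" | "summary" | "suppress"
        self.sent = []     # what actually reached the SIEM

    def tune(self, directive):
        """Directive from the SIEM, e.g. {"rule": "modbus_write", "src_role": "hmi",
        "mode": "suppress"}; omit src_role to apply to every source role."""
        self.policy[(directive["rule"], directive.get("src_role", "*"))] = directive["mode"]

    def _mode(self, rule, src_role):
        return self.policy.get((rule, src_role), self.policy.get((rule, "*"), "full"))

    def forward(self, alert):
        """Return the message sent to the SIEM, or None if it was suppressed."""
        event = enrich(alert, self.inventory)
        mode = self._mode(event["rule"], event["src_asset"]["role"])
        if event["priority"] == "high":
            mode = "full"   # tuning never hides the events the policy says matter most
        if mode == "suppress":
            return None
        if mode == "summary":
            event = {"rule": event["rule"], "src": event["src_asset"]["name"],
                     "dst": event["dst_asset"]["name"], "priority": event["priority"],
                     "summary": True}
        self.sent.append(event)
        return event


# Constructed alerts as a passive detection engine might emit them.
ALERTS = [
    {"rule": "modbus_write", "src": "10.20.1.50", "dst": "10.20.1.10", "detail": "fc6 reg 40001"},
    {"rule": "modbus_write", "src": "10.20.1.77", "dst": "10.20.1.10", "detail": "fc6 reg 40001"},
    {"rule": "plc_program_download", "src": "10.20.1.70", "dst": "10.20.1.10", "detail": "block OB1"},
]


def run_exchange():
    """Replay the alerts before and after two SIEM tuning directives."""
    fw = OTForwarder(INVENTORY)
    fw.forward(ALERTS[0])                                    # routine HMI write, sent in full
    fw.tune({"rule": "modbus_write", "src_role": "hmi", "mode": "suppress"})
    fw.forward(ALERTS[0])                                    # now dropped
    fw.forward(ALERTS[1])                                    # unknown host writing to a PLC: still sent
    fw.tune({"rule": "plc_program_download", "mode": "summary"})
    fw.forward(ALERTS[2])                                    # sent as a compact summary
    return fw


if __name__ == "__main__":
    for msg in run_exchange().sent:
        print(msg)
```

Three messages reach the SIEM in the replay: the first HMI write in full, the unknown-host write at high priority even though writes from HMIs were suppressed in between, and the program download as a summary line.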
This item, along with the previous five, is a real challenge for the ICS security product vendors. What is selling today is not what is needed. How much sales, marketing and positioning, and R&D do you put on where the market is going if it takes away from the growth the company must show to investors and prospects? This is where it is much easier to be a market analyst than a vendor. Get this wrong either way and you could be out of business. To make it even harder, this prediction may not really impact the market for 4 to 5 years given the conservative nature of ICS.
7. Potential Pivots
Which means the ~25 companies almost all need to pivot to one of the following:
- an asset management solution (not easy given the assembled team in most of the product vendors)
- a detection component that resides in a switch and feeds a SIEM. Not really much of a pivot technically, but very different price point, partnerships, marketing and sales.
- an OT/ICS SIEM. If you believe some of the market will want to keep OT separate from IT, then you need to feed many other very useful detection feeds, such as firewall logs, endpoint protection logs, Active Directory logs, enterprise SIEM alerts, …, into your new OT SIEM solution. This puts the solution back up on the higher end of the price point since the analyst looks at this screen.
- Your pivot here … there are likely others, and I would welcome any suggestions in the comments.
- and one more, less certain, pivot in Prediction 8.
8. A Hybrid Product / Services Model comes to ICS/OT
I’ve struggled with the concept of Dragos being a product company despite Rob Lee very strongly telling me they are. It’s been my belief that the largest factor in their success is based on customers wanting access to that quite amazing team they have put together and that continues to grow. As much as I believe a company needs to decide if they are a product or services company, there is possibly a hybrid model happening and being selected by more vendors than Dragos.
The hybrid model is a combination of a detection engine on the asset owner’s site, relevant threat intel provided through the GUI of that detection engine (making the GUI worth looking at), and on-demand incident response services delivered through access to the data on the detection engine. In some cases this goes a step further, with the vendor doing the primary monitoring of the detection engine.
Is this a product or services company? It probably doesn’t matter, but I’d lean toward a services company. The services … our people and tech in the cloud can help you understand threat, detect incidents and respond to incidents … require you to deploy the product.
Many of the other vendors in the ICS detection category appear to have picked up on this as well. Claroty just announced their Continuous Threat Detection in the cloud. Indegy announced their Cirrus service this June. Many more have and will. Of course, announcing and successfully providing the level of expertise to analyze and assist in response are two very different things. Doing it well at scale is even harder. The battle to acquire and retain talent is still fierce, and Dragos is not the only company that has built an impressive team and could attempt this hybrid model.
So that is the future looking out 2 to 5 years. Next week I’ll update the market and market participants as they exist now. It’s been almost two years since I did an update. Some things have changed and others have proven to be what was asserted and predicted back then.