I’ve made three predictions to date in my analysis of the ICS detection market, and now I’m adding a fourth. The first three are:

  1. The ‘we only do passive, active is dangerous’ mantra will be replaced as asset owners realize adding legitimate ICS active requests provides more information and more accurate information. (Predicted: 2016, Status: Proven as most ICS detection solutions now have active and say it is important.)
  2. Detection and Asset Management will be two separate products/solutions, although they will pass information between each other. (Predicted: 2019, Status: TBD. Today, asset owners often have x money to buy a product, and they are still accepting the sales pitches that one product can do both. So one year in, the prediction has not come true.)
  3. ICS Detection Products Management consoles will go away except for configuration as asset owners insist these events be handled in their enterprise SOC solution. The detection engines will be in switches (Cisco buys Sentryo), and this will put big downward price pressure. (Predicted: 2019, Status: Not TBD. Market leaders Claroty, Dragos and Nozomi remain evidence against this prediction. Forescout acquiring SecurityMatters, Cisco acquiring Sentryo, and to a lesser extent Tenable acquiring Indegy are a hint that it could be true)

New Prediction: ICS Incident Response services, coordinated with ICS detection products, will be the key decision criteria for ICS focused detection products.

This fourth prediction builds on the previous three. Asset owners will be using their asset management system for asset inventory, not a detection product. For the vast majority of asset owners, their analysts will be looking at ICS alerts in their Enterprise solutions. (Asset owners with a large number (100+) of plants / ICS may develop an OT SOC and in house incident response). And the integration of the ICS detection engines into switches coupled with the decreased use of the ICS detection management application will drive prices significantly down, albeit at a greater volume. 

Question: Is there a place for anything more than a very small, almost semi-custom, ICS security player to be in the ICS detection market in three years? 

Answer: Yes … if this detection ‘product’ is used to provide incident response services.

For almost all but the largest asset owners it does not make sense to develop and maintain a highly skilled OT / ICS Incident Response capability for two reasons. One, if the asset owner’s OT security program is mature enough to consider this in-house capability, then OT cyber incidents should be rare. And two, while there is some overlap with IT incident response skillsets, you would need the team to be skilled in ICS protocols, PLC forensics, automation, safety systems and other areas. It is an ongoing expenditure of resources that make a lot more sense outsourcing.

Detection and incident response are intertwined. The value of detecting an attack is greatly reduced if the asset owner is not in a position to respond to the attack. We are increasingly finding the next thing asset owners who have been working on ICS security for years should be doing, from an effective risk reduction perspective, is getting a retainer with an ICS incident response company. Having that company come in periodically so they know the ICS, the data sources available in an incident, the people, and the potential high consequence events. ICS incident response help can be brought in after detection, but this is at a greater cost, and it is less effective and less timely.

What is driving this new prediction is the best company to do incident response must be highly skilled in the product(s) where the best information on the incident will be available. For example, if you have deployed a Claroty detection solution, you want the incident response team to be experts on using Claroty. You probably want them to be able to look at the Claroty data remotely to support OT or provide OT knowledgeable help to your Enterprise SOC. This is even more important today where SIEM / OT detection product integration is weak (just dumping ICS data into the SIEM) and in one-direction.

Most of the ICS detection product vendors are currently pushing ‘partners’ as the incident response service provider, with Dragos being the most notable exception with their incident response service being a main sales offering. This partner approach could work, in theory, but I’m not recommending it until I know the third party partner is dealing with a lot of incident response cases related to the ICS detection product so they have a deep, consistent and always improving skill set. The vendors through product development, proof-of-concepts, installs and support have this skill set today and are well positioned to be best in world in knowing how to use their own product.

Conclusion

The ICS detection product vendors that remain independent, not acquired by a company focused on the enterprise and looking to add OT, will be pushed by customer demand and a desire to see their solution price not erode to commodity pricing will:

  • Sell based on a combined detection product and incident response service, with the service actually being more important than the product.
  • Yes, the product will continue to detect events, alerts, cyber incidents and send this information to whatever is being used in the enterprise SOC.
  • It also will be available remotely, either full time or when support is requested, to provide immediate phone incident response support for Operations or the Enterprise SOC. (of course there is the possibility of offering detection services, threat intel services and others on top of this)
  • And importantly the independent ICS detection product vendor will provide on retainer ICS incident response services.

Services will drive the product sale.