Not the Whole Fruit Basket
Some thoughts on Dale Peterson’s “Insanely Crowded ICS Anomaly Detection Market” blog
If you follow Dale Peterson’s ICS Security blogs here on LinkedIn and on his Digital Bond website, you know that he has been writing a lot recently about the market for ICS Anomaly Detection software. Most recently he posted the blog entitled “Insanely Crowded ICS Anomaly Detection Market”. In it Dale commented on just how many companies say they are in this market and how difficult it is to sort out all the competing claims.
I love the point Dale is making. The number of companies chasing this market seems insane, especially considering that this is just one of many technological solutions the ICS world needs.
And in my personal experience, it is hard to really pin down what these products can and cannot do. Too often I hear something that sounds an awful lot like “we do everything and we do it better than everyone”. That is neither realistic nor helpful.
Love the list but...
Now to help, Dale has also created a table of the companies in this space. I really like the concept of the table. However I think it needs a bit of fine tuning to be useful. I’m concerned that Dale's not comparing apples to apples when he calls this a list of anomaly detection companies.
Certainly all the products on Dale's list will report some anomalies. Heck, firewalls offer syslog reporting of dropped packets, but Tofino was never promoted as an anomaly detection product.
The same applies to many of the companies on the list – reporting is a feature, not their main job. Bayshore seems more like perimeter protection with DPI. Radiflow makes DPI firewalls and VPNs. PAS and Verve Industrial are end-point management solutions, providing the device hygiene Tyler Williams is asking for in his comments.
When Dale uses the words “Anomaly Detection Market” I think he is actually referring to those companies that focus on collecting and analyzing network traffic flows (or process variables in the case of Aperio and ICS2). These companies use some sort of analytics engine to process the patterns and then report anomalies. They don’t drop packets if there is something suspicious. They don’t do emergency backups if ransomware is detected on the ICS network. They just analyze and report.
Sorting out priorities
This is certainly useful technology, but it is far from the whole ICS Security “fruit basket”. I think Dale and I both agree that it’s not even the most important fruit in the basket. As many people have commented on his blog, most companies running ICS have basic security issues that need to be addressed before we get excited about detecting strange packets on the ICS network.
Tyler mentioned ICS patching as an unsolved need, and that is a great example. Patching is still hard to do, especially once you include devices like PLCs and RTUs that are both mission critical and not Windows based. Reliable, verified backups are also a challenge. Managing whitelisting across a plant is still more art than science. Finding your assets by watching traffic flows is cool. Securing them is what matters.
Consider the past few weeks of WannaCry silliness. Detecting the worm in network flows wasn’t at the top of any prevention list that I saw. Instead patching, backups, segregation and staff training seemed to be most experts’ top priorities. These are priorities that I agree with. Fortunately some of the tools on Dale's list can really help with those tasks. People just need to know that they are available.
Please add a column or two...
To be clear, I completely agree with Dale's premise. And I’m not suggesting he remove any companies from his list. It’s not just because I’ll get murdered by the marketing managers if he does (no company wants to be removed from a list of suppliers, even if it is wrong). I think it is a great list of resources for ICS security practitioners. Just add a column or two to highlight what the product really does. For example, Network Traffic Analysis, End-Point Management, Network Segregation, etc., etc.
And maybe add “Active vs. Passive” as a column. A number of the vendors on the list make a big deal of the fact that they are 100% passive. That is a cool feature, but sometimes a tool just has to talk to the ICS device to get the job done. For example, passive backups are possible in theory, but will probably never be a reality.
So I hope Dale keeps the list. I just want him to point out the “oranges” and “avocados” and not call them “apples”. The industry needs a balanced diet, not just a single fruit.
Cyber Security Partner at Deloitte
It's almost as if security is something that needs to be considered as part of the architecture (in the true sense of the word, covering both technical and organisational) rather than something that can be bolted on as a bit of Capex. I have to agree with Tyler that hygiene is the most pressing issue in the space right now. But we didn't improve a child's personal hygiene by saying they smell and throwing a bucket of soapy water over them. You improve it by embedding good washing practices into their daily routine and by living in a house that has been built to include bathrooms in its fabric so it is easy to wash and clean oneself regularly. I find this whole idea that there are point solutions to be toxic to good security. Pretending that any one piece of technology is THE answer is never going to improve the situation globally. We are in danger of replicating the "design by Gartner MQ" problem that has plagued IT for years. Of course there are people that are innovators and finding new and better ways of solving problems, but they should be viewed as interesting science experiments until they can prove they can be integrated into a broader approach.
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Ahh, my friend and old sparring partner. I define the anomaly detection product category as: A solution that learns normal network, application/device, process and user behavior for an ICS and then identifies variances from this normal behavior that are likely a cyber attack. This excludes perimeter/gateway protection devices, IDS/IPS signatures, or threat intelligence. One other comment on the list ... it is a list of companies claiming to address the product category as defined above. Some have been at it for 3 years, others like the Bayshore that Eric mentions are just introducing solutions. Hopefully the panel I have in Vienna at S4xEurope with Claroty, Security Matters and Nozomi Networks will provide some steps forward on how an owner/operator should evaluate and select a product from this category (if their ICSsec program is mature enough to handle it).