How to Choose an NIS2-Compliant OT Security Vendor


In a recent survey conducted by ABI Research, three-quarters of industrial organizations reported that they had detected malicious activity within their OT network, and 24% were forced to shut down OT operations within the last year due to a successful attack.

If that’s not enough to have OT companies looking for new cybersecurity solutions, European Union companies have the added pressure of NIS2’s looming October deadline. Essential and Important entities are on the hunt for cybersecurity solutions that will meet their security needs while boosting their compliance.
 
OT security is complicated. Manufacturing plants and critical infrastructure facilities frequently maintain components so old that they haven’t been manufactured in decades, working alongside modern connected machinery. An effective OT security regimen must be able to secure the entire environment, legacy components as well as the latest connected devices.
 
The good news is that there are many OT cybersecurity solutions on the market, each delivering part of the overall solution. However, not all OT security tools are created equal. Some products deliver network visibility but lack threat-detection capabilities, while others are strong in threat detection but unwieldy and difficult to manage. In this article, we’ll look at the capabilities your OT cybersecurity platform should have to put you on the path to NIS2 compliance.


Start with full network visibility

OT cybersecurity begins with network visibility. After all, you can’t secure network connections, zones and devices that you aren’t aware of. Your OT security solution should include non-intrusive monitoring capabilities that allow it to automatically create a visual model of all devices, protocols and links. Active scanning, where acceptable, is a great supplement.
 
Your monitoring tool should automatically establish a baseline of normal behaviors. Anomalous behaviors should be detected as potential indicators of compromise (IOCs). For example, if one machine transmits a message to the network at 20-minute intervals, and the message is now being sent every 60 minutes, there is cause for investigation. The monitoring tool should keep up with the latest threat intelligence, so it can identify newly published vulnerabilities (CVEs) and recommend patches and workarounds to address them.
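The baselining described above, as an added example that is not code from the article or from any vendor product: a training window yields each device's normal reporting interval, and later traffic is flagged when the interval drifts past a tolerance or a source the baseline never saw appears. Device names, timestamps and the 50% tolerance are constructed assumptions.

```python
"""Behavioural baselining of periodic OT traffic.

Added example, not code from the article or from any vendor product: learn each
device's normal reporting interval from a quiet training window, then flag later
intervals that drift beyond a tolerance, plus traffic from any source the
training window never saw. Device names and timestamps are constructed data.
"""
from statistics import median

# Constructed training window: (timestamp_s, source_device, message_type).
# plc-07 reports every 20 min (1200 s); hmi-02 polls every 5 min (300 s).
TRAINING = [(t, "plc-07", "status") for t in range(0, 6000, 1200)] + \
           [(t, "hmi-02", "poll") for t in range(0, 1500, 300)]
# Constructed live window: plc-07 has slowed to every 60 min, hmi-02 is
# unchanged, and a device unseen in training starts issuing writes.
LIVE = [(8400, "plc-07", "status"), (12000, "plc-07", "status"),
        (1500, "hmi-02", "poll"), (1800, "hmi-02", "poll"),
        (2000, "eng-laptop", "write")]


def learn_baseline(events):
    """Return {(device, type): {"interval": median_gap_s, "last": last_ts}}."""
    stamps = {}
    for ts, dev, kind in sorted(events):
        stamps.setdefault((dev, kind), []).append(ts)
    baseline = {}
    for key, ts_list in stamps.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if gaps:  # a single observation gives no interval to learn from
            baseline[key] = {"interval": median(gaps), "last": ts_list[-1]}
    return baseline


def detect_anomalies(baseline, events, tolerance=0.5):
    """Return (device, type, reason, observed_s, expected_s) tuples for
    intervals off baseline by more than `tolerance` and for unknown sources.
    `baseline` is updated in place so later calls measure from the newest timestamp."""
    alerts = []
    for ts, dev, kind in sorted(events):
        entry = baseline.get((dev, kind))
        if entry is None:
            alerts.append((dev, kind, "unknown source", None, None))
            continue
        observed, expected = ts - entry["last"], entry["interval"]
        if abs(observed - expected) / expected > tolerance:
            alerts.append((dev, kind, "interval drift", observed, expected))
        entry["last"] = ts
    return alerts
```

With the constructed data, the two slowed plc-07 reports and the unseen engineering laptop raise alerts while hmi-02's unchanged polling stays quiet.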
 
Monitoring should feed into your alert management system or have one of its own. The most effective OT monitoring tool will not only send alerts on IOCs and potential cyber attacks, but will let you know about business policy violations, abnormal topology changes, new device connections and other changes to the network. Each alert should be prioritized automatically based on perceived severity.
 
Look for a solution that offers active scanning in addition to passive scanning. Active scanners are useful for discovering additional assets and collecting data from components that are silent on the network. They can also help detect vulnerabilities in firmware and other components.
 
These capabilities help boost operational resilience against cybersecurity risks and threats, helping to bolster operational security posture and compliance with directives, security requirements and frameworks, and industry best practices.


Add in OT risk management

Monitoring your OT network is a major function of a healthy OT security program. Another is risk management. Risk management tools help you proactively manage risk and build resilient operations. Look for a data-driven solution that conducts automated risk assessments through breach simulations to detect vulnerabilities in your network and to advise you on what to do about them.
 
This tool should help you measure the gaps between your existing security controls and compliance with NIS and/or other standards. Running frequent assessments makes it easy for security teams to stay on top of risk while measuring their progress over time.
 
Look for a risk management tool that not only offers recommendations for remediating vulnerabilities, but also takes budget into account. It’s easy for a simulator to find a vulnerability and produce a laundry list of recommended network changes. Leading tools, however, include cost information for each change and quantify the reduction in risk for full and partial fixes.
 
For example, if a simulation detects vulnerabilities that lower a manufacturing site’s risk score to 43, it should also offer multiple mitigation options to drop it even further. Replacing a machine, which might cost millions of dollars, could improve the risk score substantially, but installing a free patch would improve the risk score most of the way. Each option should include its associated costs, allowing stakeholders to make budget-based risk decisions.
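The budget-aware comparison sketched above, as an added example that is not code from the article or from any vendor product: each candidate fix carries a cost and the risk points it removes, options that cannot sensibly be combined (patching a controller versus replacing it) share an exclusivity group, and the planner picks the affordable set that lowers the score the most. All option names, costs and scores are constructed.

```python
"""Budget-aware selection of mitigations from an OT risk assessment.

Added example, not code from the article or from any vendor product: given a
site's current risk score and candidate fixes, each with a cost, the risk
points it removes, and an optional exclusivity group (you would not both patch
a controller and replace it), find the affordable set of fixes that lowers the
score the most. All names, costs and scores are constructed sample values.
"""
from itertools import combinations

# Constructed options: (name, cost_eur, risk_points_removed, exclusive_group).
OPTIONS = [
    ("patch PLC firmware", 0, 18, "plc"),
    ("replace legacy PLC", 2_000_000, 24, "plc"),
    ("segment HMI VLAN", 25_000, 9, None),
    ("disable unused remote service", 500, 6, None),
]


def efficiency(option):
    """Risk points removed per 1,000 EUR; free fixes rank above everything."""
    _, cost, gain, _ = option
    return float("inf") if cost == 0 else gain / (cost / 1000)


def rank_options(options):
    """Most cost-efficient first, so a free patch precedes a costly replacement."""
    return sorted(options, key=efficiency, reverse=True)


def best_plan(options, budget):
    """Exhaustive search over subsets (fine for the short lists an assessment
    produces): highest total risk removed within budget, then lowest cost,
    never picking two options from the same exclusive group."""
    best = ((), 0, 0)  # (chosen names, risk points removed, total cost)
    for r in range(1, len(options) + 1):
        for combo in combinations(options, r):
            groups = [g for *_, g in combo if g is not None]
            if len(groups) != len(set(groups)):
                continue
            cost = sum(o[1] for o in combo)
            gain = sum(o[2] for o in combo)
            if cost <= budget and (gain, -cost) > (best[1], -best[2]):
                best = (tuple(o[0] for o in combo), gain, cost)
    return best


def projected_score(current_score, plan):
    """Risk score after applying a plan returned by best_plan (floored at 0)."""
    return max(0, current_score - plan[1])
```

With a 30,000 EUR budget the planner takes the free patch plus the two cheap network changes; only a multi-million budget makes the replacement the better plan.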


Multi-site management

Organizations that operate multiple sites should look for solutions that include central monitoring and management for the entire OT estate. The convenience of these platforms is invaluable, providing visibility into OT networks regardless of their location.
 
Centralized platforms are cost-effective. Rather than having a separate security team monitoring the network at each site, a single security team at the SOC can oversee and manage the entire security regime. Alerts generated at any of the sites come to the central management location, where they can be investigated and remediated.
 
Centralized platforms also improve security effectiveness. Organizations can implement policies across their sites from a central point, ensuring consistency.


Finding a suitable OT vendor

OT security is critical to the continued operation of manufacturing plants, critical infrastructure and other OT environments. For an effective program, organizations should look for a solution that provides full visibility into their network and applies data-driven risk management tools automatically. Organizations with multiple sites should require a solution that provides central security monitoring and management.
 
While some organizations might prefer mixing and matching solutions from different vendors, this best-of-breed approach often leads to security gaps and interoperability problems. A security platform from a single vendor, as long as it meets all requirements, is typically the best approach.

About The Author


Ilan Barda is founder and CEO of Radiflow. Radiflow is on a mission to take the guesswork out of OT security. The company seeks to empower customers to prioritize their threats with risk management solutions.
