The Misrepresentation of ICS Cybersecurity: Interoperability, Intelligence, and Third-Party Dependence


2Q 2019 | IN-5479

Cybersecurity Meeting

NEWS


Research interviews with established vendors, startups, and new market entrants spanning the course of various digital security and Internet of Things (IoT) projects over the past few months have revealed that a surprising portion of vendors market their digital security products erroneously or even deceptively in some cases. A healthy dose of marketing and related advertising materials can, indeed, be misinterpreted at times, covertly make reference to non-existent Artificial Intelligence (AI) technologies, or subtly suggest that an organization’s security offerings are not only far superior to the competition’s, but also that the competition’s deployment strategies may actually prove harmful to a prospective client.

At first glance, this seemed an acceptable and standard marketing practice, one that is prevalent in virtually every technology market as vendors try to gain a better foothold in their respective target verticals. While this might be more tolerable in certain markets (e.g., consumer electronics, where branding and marketing in some cases play a much bigger role than hardware specifications), the same does not hold for certain high-risk verticals like industrial cybersecurity, as was recently discovered.

Interoperability and Intelligence

IMPACT


ABI Research recently discovered that the industrial cybersecurity market, and the Industrial Control Systems (ICS) market in particular, is rife with confusing, misleading, and highly contradictory technological practices, predictions, and inaccurate marketing materials. While there are many examples of these inconsistencies manifesting in ways that actually harm customers and implementers, there are two major areas where this phenomenon is more prevalent: interoperability and AI-based intelligence.

One-size-fits-all cybersecurity: For starters, certain cybersecurity products are often erroneously advertised as interoperable enough to work under multiple market verticals, from commercial and enterprise to industrial settings, or even in sub-markets within the latter (e.g., water, oil and gas, critical infrastructure, manufacturing, chemical, etc.). This includes everything from the most basic solutions, like antivirus systems and firewalls, all the way to Security Information and Event Management (SIEM) systems, or sophisticated machine learning, automation, and security orchestration products. Under no circumstances should any product that has been developed and tested in a corporate environment be applied to an industrial network with just a few minor alterations. The network architecture, data traffic, connected devices, users and user privileges, cyber-threats, access management, identity provisioning, and cryptographic requirements, among many other crucial variables, are dissimilar and in need of a vertical-specific (and, in some cases, even application-specific) solution. In some cases, potential implementers might be better off partnering with a third party offering professional services in order to help them filter out infrastructure, software, and application security providers.

Everything is AI-ready: There’s no better way to illustrate how prevalent the use of tech lingo like AI and machine learning is across multiple verticals than the fact that even household coffee machines have moved from being “smart” (a.k.a. internet connected with smartphone or web-plugin functionality) to being “powered by AI and machine learning” (e.g., the Mugsy startup). As expected, the ICS cybersecurity market is no different, although one would expect that marketing materials that reference AI would actually have some sort of intelligent semi-automation system behind them (as fully automating security alerts could prove detrimental for ICS). Rather, they often feature a typical glorification of dashboard analytics, and the only form of “intelligence” in some cases is a standard correlational analysis performed by certain Security Information and Event Management (SIEM) integrations when available. For some implementations, access to cloud-based threat intelligence is not available, and certain vendors require weeks or even months to train their products on a customer’s network in order to obtain a baseline and proceed with deep learning anomaly detection for cyber threats.

No Cutting Corners in ICS

RECOMMENDATIONS


This insight’s main objective is not only to outline the deceptive misuse of certain technological terms by some vendors, which unfortunately makes legitimate terms virtually indistinguishable from buzzwords. It is also aimed at providing valuable feedback for implementers so they can further probe and examine the solutions offered by their future partners in ICS cybersecurity. On top of verticals like manufacturing and processing, ICS is literally powering the world’s key industries, such as critical infrastructure, transportation, energy, oil, water, and nuclear power.

Implementers should note that there are many instances where additional costs might emerge down the line, raising the Total Cost of Ownership (TCO) significantly. Some security vendors also fail to note that they are not able to address certain key elements in their proposed solution, or only subtly suggest that another third party might be needed in some cases (incurring additional charges over time). This additional support from other parties can include anything from a particular type of middleware (like those, for example, used for industrial automation); multiprotocol support for different communication protocols; the use of Cloud Access Security Brokers (CASBs) to gather, filter, and manage certain data types; or the use of specific types of gateways, cloud platforms, SIEMs, Security Operations Centers (SOCs), and other dependencies.

What’s even worse is that in other cases these dependencies are not even mentioned or not mentioned until it is too late. It would be far better for a vendor to acknowledge a gap in its offerings and admit that other external technologies or partners might be required than to leave its customers in the dark with security holes in their infrastructure. ABI Research also recommends that implementers either have a holistic understanding of the type of security protocols they are attempting to implement into their operations, partner with organizations that offer professional consulting services, or at the very least spend some energy researching a specific area. A few key aspects vendors should keep in mind include the IT-OT convergence, optimizing industrial networks, interoperability services, and integrating IT security products in a meaningful way.
