Is IT/OT Convergence's Momentum Unstoppable?

My interview last week with Nozomi Networks CEO Edgard Capdevielle dug deep into the OT visibility and detection market today and, more importantly, where it is heading in the next 1-3 years. There was a lot of candor and many interesting comments from Edgard, and his thoughts on convergence have stuck in my mind.

Based on his past experience in storage, he actively sought out a segment undergoing convergence and stressed that convergence, once started, goes in only one direction.

Key excerpts from Edgard in this clip:

Convergence is an incredible force ... here we go IT/OT convergence ... All security markets eventually go to the CIO/CISO. Convergence is a one-way street ... OT makes it go at a different pace ... the path is the path that many other industries have walked before.

This led to the follow-up question: if convergence, once started, is a powerful force in one direction, then why wouldn’t most of the functionality of the OT visibility/detection management platforms be converged into their enterprise equivalents, such as Splunk or ServiceNow? Edgard, like Dragos’ CEO Rob Lee, doesn’t believe this will happen because OT is different, and they are betting on this with their time, sweat and equity.

I’ve conveniently taken both sides of this issue. In OT visibility / detection market predictions I wrote in Oct 2019:

Passive Detection GUIs will be used for configuration only. Those great demos the ICS passive detection security vendors provide on how an analyst can use their GUIs to detect and analyze incidents … not important. They will go away. An analyst doesn’t want to look at this screen. The analyst wants the screen that all of the potential detection data feeds into.

And then an article I wrote last month had me pointing out that what most are calling convergence is integration, and that IT/OT integration, not convergence, is what is currently happening.

This conversation with Edgard has made me wonder if that recent Integration v. Convergence article underestimated the power of convergence. I think it is still dead on that we should not conflate integration and convergence. Connecting and passing information and even commands between OT systems and IT systems is integration, while having a single system handle a function for both OT and IT is convergence.

Today, at best we can say there is increased integration. Data has been sent to the enterprise for decades, but more is being sent. This data is being stored and used in more systems for more purposes. Detection events and asset inventory from the OT visibility / detection solutions are being integrated with their enterprise equivalents.

It’s hard to think of convergence examples (beyond technology convergence, e.g. Windows, application whitelisting, managed switches, which is something else). Perhaps you could say OT perimeter firewalls are converged with enterprise firewalls or anti-virus updates and management are IT/OT converged into a single system.

OT visibility and detection are great solution categories to watch because they can be truly converged into a single system with minimal impact on the IT/OT separation or risk to OT. The argument Edgard, and I believe Rob Lee, make against this convergence is that OT requires special knowledge and skill to be of use. And this will be why the OT visibility / detection solutions will not be converged into the enterprise solution.

The conversation with Edgard makes me wonder again if I, along with most of the ICS/OT community, am underestimating the power of convergence. In an early draft of this article I wrote “we may end up with a world where the OT sensors in the OT visibility/detection solution will be all that remain”, as I also predicted in 2019. If convergence is this powerful a force, then why would we have an OT-specialized sensor? Looking at Cisco and other switch manufacturers, why wouldn’t they integrate the IT and OT sensor code into a single container in the networking device?

And to finish with a real blue sky thought: what if the OT-specialized business model is selling an OT-specific update feed to all the vendors offering these sensors? Looking back to the 2006-2009 timeframe, Digital Bond had the large network and IDS companies trying to buy a frequently updated ICS IDS signature feed from us. We passed on the opportunity, and it was unlikely to be a viable business model back then.

How much true OT convergence with the enterprise will there be? In five years, the market will have decided and shown us the answer.

Daniel Ehrenreich

Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker

3 years

Dale Peterson and @Edgar Capdevielle Indeed an interesting discussion with many opinions, but we must admit that the term "IT-OT Convergence" was never defined and never accepted by experts. In such an environment that term is creating severe cyber security risks, because non-experts might take a wrong action: a) Do we mean that the data from ICS and IT are converging in the SOC? b) Do we mean that IT and ICS networks are using similar networking components? c) Do we mean that IT and ICS teams must collaborate and help each other? d) Or do we mean that IT and ICS networks may converge into one zone? I do believe that we must adhere to system solutions which absolutely assure operating safety. If anyone is proposing a solution that does not comply with that requirement!! I would rather not consider that. Please note that one of the Microlearning modules of ISA 62443 will refer to that topic and make it clear to all.

Rob Dyson

Global OT / IoT Security Services Business Development Leader at IBM

3 years

Excellent topic Dale. What I'm seeing is confusion around this topic because many seem to confuse IT/OT convergence with integration. In fact, because of this I have started using a different way to describe these different environments as "Corporate Enterprise" vs "Industrial Operations". Corporate Enterprise IT technologies are not merging or converging with operational technologies. Both of these environments are going through their own digital transformations and we are seeing lots more integration and sharing of information. However, what is happening is that OT products are being designed with modern technology concepts and techniques similar to IT products. These OT products are still focused on the cyber physical function in an industrial environment. This is the market for the OT product companies. Now from a #cybersecurity perspective we all know that having the broadest and deepest visibility across both environments to monitor if controls are operating effectively or if new vulnerabilities have been introduced or exploited is the objective. This requires integration and orchestration of lots of logs from IT and OT products and is a process conducted in the SOC.

Jose M Seara

Founder & CEO at DeNexus, Inc.

3 years

Excellent interview. Congratulations Edgard Capdevielle and Dale Peterson. When it comes to overall cybersecurity risk understanding and management, we are not seeing the difference between OT and IT at the board or executive level. They merge at some point and are another enterprise-level risk that demands similar attention to any other type of risk, as recent unfortunate events such as Colonial have highlighted.

Ron Fabela

Industrial Security Champion

3 years

Can't fault an ICS SIEM vendor for having the position that you will always need a specialized ICS SIEM. It's the walled garden they are selling and there's some intrinsic value in being in that garden. Every integration, Splunk app, etc. created is just more writing on the wall. At some point, why have the middleman? Makes sense for early adopters in a maturing market but not for much longer. My own biased opinion of course =)
