Over the past few years, the demand for cybersecurity inside the industrial space has become increasingly prevalent. With that, many industrial decision-makers have interacted with this knowledge area for the first time. As a result, it is inevitable that several questions emerge about how to select the best suitable solutions and suppliers. The objective of this article is to give an impartial view about those common questions and help to guide good decision-making when selecting industrial networking solution providers for cybersecurity measures.
1. What are good indicators of maturity in an industrial cybersecurity company?
There are many important factors to consider depending on industry and application. As the literature usually does not distinguish suppliers from users, these factors may reference both.
As a starting point, cybersecurity is not just a feature or a product. It is a complex relationship among many different actors in different phases. It is fundamental to establish the pillars of “People,” “Processes,” and “Technologies”1 on both sides—supplier and customer—passing through the lifecycle, including integration and maintenance of the cybersecurity solution.2
Although it is quite difficult to measure a maturity of a company, it is possible to identify some good indicators on this matter. The answers to the next questions go into more detail about these indicators, such as a threat intelligence process, a response team (CSRT) to incidents, solutions based on solid and worldwide-recognized frameworks, receiving notifications of vulnerabilities from external parties, and experience on industrial applications, pre- and post-services. 3, 4, 5, 9,13, 14, 16
2. How do I measure maturity in the cybersecurity level of a provider?
It is a complex task to establish a maturity baseline for disparate companies that may use different frameworks and measures. According to the ARC Cybersecurity Maturity Model, a mature company should have one established threat intelligence management process, including a full-time cybersecurity team to respond to found threats, the ability to detect anomalies and breaches, and the most difficult, the ability to anticipate potential threats instead of only responding to them.3
The ARC Cybersecurity Maturity Model tries to define some key aspects that can, on the average, be good indicators of cybersecurity maturity. Based on this model, among other aspects, a company presents a higher maturity level in cybersecurity when it has implemented a solid threat intelligence process and (as an inherent subsequent logical item) how effectively the team responds to the found threats and mapped vulnerabilities.4
The closer a company gets to the anticipation of threats, the (theoretically) more mature it is. To reach this capability, previous steps and other axes (People and Process) need to set a corresponding maturity to support it. There are some additional methodologies to measure the maturity of a team on how they handles threats, such as the Detection Maturity Level Model (DML) and the Cyber Threat Intelligence Model (CTI),5 that are outside the scope of this paper. However, it is reasonable to state that, to consider a company as “mature” on the cybersecurity matter, it should have an established threat intelligence process and a team to quickly respond to the potential threats detected from internal or external organizations.
3. Is there any independent method to compare solutions?
Yes. In the industrial space, there are some recognized frameworks, such as NIST and ISA/IEC 62443, that give practical suggestions of what product characteristics and general industrial recommendations should be considered.6, 7
It is also important to point out the hybrid adoption of standards (vertical and horizontal). Horizontal standards embrace a broader range of industrial applications, such as ISA/IEC 62443, and vertical standards are more narrowed by sector, such as the NERC CIP for the electrical sector, for example.8 Based on the sector, there may be additional vertical standards that can be used as reference and guidance.
Lastly, if your solution provider follows solid frameworks as a foundation to develop their solutions, that is another important indicator of its cybersecurity maturity. The usage of recognized frameworks guarantees an independent method to compare solutions.9
4. How can I calculate the ROI of a cybersecurity investment?
There is still an open debate about how to measure a cybersecurity investment, usually called ROI (return on investment) or RoSI (return on security investment). Although there is not a single agreed formula that can be easily shared,10 it is plausible to consider a correlation between cybersecurity investments and safety, with production stability being one among many benefits.11 As cybersecurity, in a simple manner, is a combination of availability, confidentiality, and integrity (the CIA triangle),12 it is possible to infer that investments in cybersecurity directly minimize potential threats to industrial control systems and, as a consequence, increase production and safety levels. In other words, cybersecurity is always the balance between the cost you can afford and the risk you can accept.
5. Does the industrial cybersecurity solution provider receive vulnerability information from external parties?
Another important factor to consider when evaluating a potential solution is to verify whether the provider has an open channel to receive potential vulnerability information from external parties. Definitely, an open posture is fundamental to bringing about maturity and to increasing the reliability of a solution.
Although this capability is still new in the industrial control system space, this open posture and an open exchange environment are fundamental to establishing reliable solutions.13 Those who have already adopted this attitude present an important indicator of maturity on the cybersecurity management matter.
6. Does the solution provider have references of industrial applications running that are similar to what I need?
Because an industrial application typically has unique requirements, most of the time it is important to understand if the supplier has already developed a solution for a similar application. This minimizes, or at least anticipates, potential operational problems because industrial solutions differ from corporate solutions in many aspects.14
Although it is quite difficult to measure the industrial cybersecurity maturity of a company, some key indicators discussed on the previous questions may be helpful on this journey. Lastly, whenever possible, it is paramount to request proof of concepts (PoC) in order to make sure that what you are requesting can actually be delivered. It never hurts to emphasize, as recommended by important industrial frameworks such as NIST and ISA/IEC 62443, that any test should not be performed on a live system, but on an isolated external system first, to verify possible unpredictable behaviors.6, 13
7. Does the company have experience deploying solutions inside OT environments?
A complementary discussion is whether the company has the industrial knowledge needed to support you. It is undeniable that enterprise and industrial cybersecurity disciplines have a lot in common, but they are not 100% equal. An industrial application has specific requirements necessary to obtain a tailored industrial solution.14
One example is the importance of the time passed before data can be received. Unpredictability or latency is extremely harmful to the majority of industrial applications, which is not necessarily true for the majority of enterprise applications.
The environment also plays an important role, where temperature, vibration, and dust, among other challenges, should be considered differently in the development of hardware than for an enterprise application that does not usually go through this.15 Another important capability to determine is whether technology measures can filter and detect industrial protocols such as PROFINET, EtherNet/IP, and Modbus/TCP, among others, which are widely used in industrial applications.
Combining all the external factors with the already-complex equation of cybersecurity, it is complex to implement an industrial cybersecurity solution, what requires suppliers that really understand this demanding sector.
8. Will this solution provider be committed to my company?
When selecting a solution provider, it is important to go beyond the datasheets of the equipment. It is fundamental to understand whether the security solutions are connected to an overall cybersecurity strategy and how deeply the solution provider understands your needs. Make sure they have already “walked a mile in your shoes.”
Over the past few years, there has been an increase in demand and appreciation of post- and pre-sales services.16 On pre-sales, ensure that your solution provider is aware of your framework and that it understands where the proposed solution fits, modeling a consulting interaction. A serious vendor needs to understand each application and suggest a specific solution for each case; the “one solution fits all” model is not recommended because it is definitely not the case in the industrial sector.
If your company does not have its own framework, one possible start point of reference is the Cybersecurity and Infrastructure Security Agency (CISA) in the United States. It considers solid industrial frameworks on its Cyber Security Evaluation Tool (CSET) as a foundation to evaluate industrial control systems, including such frameworks as NIST and ISA/IEC 62443 among others.17
Each country may have its own regulatory agency. If you are outside the United States, check your country’s agency framework recommendations. Finally, you should establish which services are offered on post-sales, such as warranty, troubleshooting, and SLA, among others. Based on your company’s needs, validate which services are more important and the associated costs, considering the total cost of ownership (TCO).
Considering the importance of cybersecurity in today’s world, it is inevitable that business owners will eventually consider how to select a reliable industrial networking solution provider. We highly recommend going through the key questions above to check whether a company can not only provide solutions, but is also committed to its offerings—whether it’s the cybersecurity response team or the cybersecurity intelligence. Remember that cost and level of protection is always a balance. IT cybersecurity may not be fit for the OT environment, so selecting an experienced industrial networking solution provider is the rule of thumb.
Thanks first to God for giving me this opportunity. Thanks to my family, mother, brother, and my future wife Camila for always supporting me. Special thanks to my good friend, family member, and expert Mr. José Roberto Moscatelli and Mrs. Veronica Y.F. Yu for helping me review and for providing insights for this article. Thank you to the International Society of Automation (ISA) for providing different ways to improve my knowledge and networking; Moxa Inc., the company where I have been working for the past few years; and lastly, Joel Kelsen, another great friend and professional who has helped me do what I am passionate about.
1“IEC Cyber Security Brochure Overview.” International Electrotechnical Commission, 2018. https://www.iec.ch/cybersecurity/?ref=extfooter.
2“Call to Action: Mobilizing Community Discussion to Improve Information-Sharing About vulnerabilities in Industrial Control Systems and Critical Infrastructure.” Daniel Kapellmann, Rhyner Washburn, 2019.
3“Cybersecurity Maturity Model,” ARC, Advisory Group, 2019. https://www.arcweb.com/industry-concepts/cybersecurity-maturity-model.
4“A survey on technical threat intelligence in the age of sophisticated cyber attacks.” Wiem Tounsi, Helmi Rais, 2018.
5“Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence.” Vasileios Mavroeidis, Siri Bromander, 2017.
6NIST Special Publication 800-82 Revision 2.
7“IEC 62443-4-2:2019 Security for industrial automation and control systems -Part 4-2: Technical security requirements for IACS components.” International Electrotechnical Commission, 2019.
8“Systematic cybersecurity checking approach for critical infrastructures including IEC-61850 power substation conforming ISA/IEC-62443.” Felipe Sabino Costa, 2019.
9“Cybersecurity In Distribution Automation: Approach For Common Referential Leveraging Standardization”. Jean-Luc Batard, Mathieu Salles, Eric Suptitz, 2019.
10“Cyber KPI for Return on Security Investment.” Cyril Onwubiko, Austine Onwubiko, 2019.
11“Buenas prácticas para el diagnóstico de ciberseguridad en entornos industriales.” Centro de Ciberseguridad Industrial, 2014.
12“From information security to cyber security.” Rossouw von Solms, Johan van Niekerk, 2013.
13ANSI/ISA‑62443‑2‑4 (99.02.04), Security for industrial automation and control systems: Part 2-4, Installation and maintenance requirements for IACS suppliers.
14“SCADA System Cyber Security – A Comparison of Standards.” Teodor Sommestad, Göran N. Ericsson, Jakob Nordlander, 2010.
15“Introduction to Industrial Control Networks.” Brendan Galloway, Gerhard P. Hancke, 2012.
16“Critical success factors for supplier selection: an update.” Cheraghi, S. H.; Dadashzadeh M.; Subramanian M.; Demantra, 2004.
17Cybersecurity and Infrastructure Security Agency (CISA) CSET 9.2.0 Release Notes. 2019.