Simplifying the ICS Cyber Security Vendor Selection Process

We often hear that defining ICS cyber security needs and selecting a trusted partner can be challenging for industrial operators, so I sat down with ARC Advisory Group VP Research Larry O’Brien to see if he could help simplify the process.

I asked Larry what critical infrastructure organizations need to consider when selecting an ICS cyber security partner. Here are his thoughts on the topic:


Well Kim, given the complexity of the environment that manufacturing and other heavy process industries operate under, it’s not surprising that they find it tough to go through a cyber security vendor selection process. When things go wrong in areas like oil & gas, chemicals and refining, the impact could be extremely serious — from significant loss of life and environmental and community damage, to disruption of the hydrocarbon supply chain that drives a large portion of the global economy. So, the pressure to choose the right security vendor is high.

The ICS Landscape: Cyber Security in the Process Industries

Let’s consider for a minute the market forces coming into play here. Threat actors have shifted focus beyond ransomware and spear phishing to compromising manufacturing processes in the physical world. For example, recent malicious attacks like TRITON/TRISIS, the malware that interacted directly with a gas plant’s safety instrument system (SIS), zero in on the operational technology that helps run these facilities. This demonstrates how urgent it is for operators to put processes in place to ensure the safety of their plants.

The oil & gas supply chain is yet another target. It fuels a large portion of the global hydrocarbon economy – from upstream exploration and production to midstream and downstream processes that feed many other industries. Unfortunately, integration across this supply chain has not been great, so cyber security risks are high here too.

In fact, critical systems in need of protection span the entire breadth of operations – from sensors and actuators to supervisory control and operations management.

ICS Cyber Security Solution Considerations

In thinking about ICS cyber security vendor selection, the convergence of IT and OT is an important consideration. While we still have isolated realms of operating technology with proprietary control systems on the OT side, we’re beginning to see IT and purpose-built IoT solutions that are forcing the removal of traditional IT / OT barriers. For example, some commercial off-the-shelf IIoT products are finding their way into critical manufacturing processes on the OT side – components like Ethernet switches, routers and wireless access points, right down to the sensor level.

Process safety systems also typically contain undocumented devices and other operational systems that exist outside the DCSs and PLCs – things like fire & gas protection and turbine control systems. All of these factors create new challenges – so it’s important to choose a cyber security solution that supports increasing IT / OT integration and the vulnerability of related operational systems.

The Vendor Selection Process

To simplify the complexity of vendor selection, the ARC team follows a four-phase process that can be thought of as a continuous improvement cycle based on a long-term commitment with the chosen supplier.

It begins with the formation of a cross-functional team comprised of key executive, IT, OT, purchasing and other stakeholders. This team is responsible for determining the business, technical and functional requirements of the cyber security solution, of which there could be many. Based on weighted decision criteria, a vendor Request for Information (RFI) list is created, including questions the vendor is required to respond to.

Vendor selection criteria and questions could include topics such as:

  • Your own cyber security program maturity – is the foundation in place and what are you ready for?
  • Vendor viability – is the vendor well established (client base, funding, roadmap, etc.)?
  • Functionality: agent-based vs agentless, policy-based, behavior-based?
  • Technology/architecture: cloud-based, server-based, hardware, etc.
  • Breach detection and anomalous message detection capabilities
  • Asset discovery and management capabilities
  • Support features & capabilities
  • Integration with other cyber security products
  • Deployment speed and impact, time to value
  • Strategic partnerships (process automation, service providers, etc.)
Thanks Larry. I agree that what’s going on in the market is creating a real sense of urgency around cyber security.

And, we’ve seen that while there are varying levels of cyber security preparedness maturity among ICS asset owners, they’re all struggling with a similar situation. As you noted, IT and OT are converging as part of the modernization of our industrial and critical infrastructure. In this environment, resilience and uptime are essential to protecting against reputational damage and loss of revenue, and ensuring personal and environmental safety.

At Nozomi Networks, we believe that an industrial cyber security solution requirements list should include:

  • Gaining complete, real-time visibility into the OT network
  • The ability to rapidly detect vulnerabilities, threats and incidents
  • The minimization of troubleshooting and remediation efforts
  • The ability to successfully deploy within large, distributed environments
  • An agile vendor development and integration process that also offers rapid support for emerging protocols
  • The ability to centrally monitor and control a widely distributed network

We simplify the cyber security selection process for organizations by addressing all those issues under three areas of functionality: operational visibility, threat detection and global deployment.

To begin with, operational visibility involves the automated identification of assets and network attributes that allow you to improve situational awareness, risk management and system availability. Those are foundational in our mind – we always say that you can’t protect what you don’t know you have.

Secondly, asset owners should look at ICS cyber security through the lens of threat detection. We think detection should be managed in two ways – through what we call hybrid threat detection. It’s important to protect against known threats, plus anomalies at the process level. This allows operators to not only detect cyber risks that could impact resiliency, but also receive alerts when processes are operating outside their normal parameters. A critical state anomaly could indicate a maintenance problem with the device itself, as well as a cyber threat.
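The two-sided detection idea described above, as an added example that is not Nozomi Networks' code or part of the original post: one rule flags a known-bad pattern (a setpoint write from a host outside a constructed allowlist), the other flags readings outside a baseline learned from constructed normal telemetry. Host addresses, tag names, readings and thresholds are all assumptions made up for the example.

```python
# Added example (not Nozomi Networks code): a minimal hybrid detector that pairs
# a known-threat rule with a process-level baseline check. All data is constructed.
from statistics import mean, pstdev

# Constructed allowlist: only the engineering workstation may write setpoints.
ALLOWED_WRITERS = {"10.0.0.5"}

# Constructed normal readings captured during a quiet period: (tag, value).
NORMAL_READINGS = [("reactor_temp", v) for v in (150.0, 151.0, 149.5, 150.5, 150.0)]

# Constructed live traffic: (source host, operation, tag, value).
SAMPLE_MESSAGES = [
    ("10.0.0.5", "write", "reactor_temp", 150.4),   # normal operator write
    ("10.0.0.77", "write", "reactor_temp", 150.3),  # in-range write, wrong host
    ("10.0.0.5", "read", "reactor_temp", 175.0),    # trusted host, odd value
    ("10.0.0.77", "write", "reactor_temp", 400.0),  # wrong host AND odd value
]

def learn_baseline(readings, k=3.0):
    """Learn an expected [low, high] band per tag as mean +/- k standard deviations."""
    by_tag = {}
    for tag, value in readings:
        by_tag.setdefault(tag, []).append(value)
    return {tag: (mean(v) - k * pstdev(v), mean(v) + k * pstdev(v))
            for tag, v in by_tag.items()}

def detect(messages, baseline):
    """Return (category, tag, detail) alerts for the two kinds of rule."""
    alerts = []
    for src, op, tag, value in messages:
        # Known-threat rule: a setpoint write from a host not on the allowlist.
        if op == "write" and src not in ALLOWED_WRITERS:
            alerts.append(("known_threat", tag, f"write from unlisted host {src}"))
        # Process-level rule: value outside the learned band. Deliberately
        # ambiguous: a failing sensor or a tampered setpoint both land here,
        # so the alert is handed to both maintenance and security triage.
        low, high = baseline.get(tag, (float("-inf"), float("inf")))
        if not low <= value <= high:
            alerts.append(("process_anomaly", tag, f"{value} outside [{low:.1f}, {high:.1f}]"))
    return alerts

def run():
    """Learn from the constructed baseline, then screen the constructed traffic."""
    return detect(SAMPLE_MESSAGES, learn_baseline(NORMAL_READINGS))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```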

Thirdly, thinking about the complex nature of industrial deployment environments, operators require visibility across all their sub-networks and geographies.

Nozomi Networks’ advanced cyber security solution achieves this through the use of artificial intelligence and machine learning – leveraging techniques like deep packet inspection and particle analysis to provide the deep insight required. Integrations are another consideration – it’s important to make sure your cyber security solution can talk to other business process and IT systems, and share OT systems information in a meaningful way.