Industrial Control Systems: An Emerging Security Market for MSPs?
There has been growing concern over the security of industrial control systems, the embedded systems that help run power utilities, wastewater treatment plants and other facilities. Managed security services providers could find a role in this space as companies look to shore up weaknesses. Here’s some background.
The vulnerability of industrial control systems (ICS), also called supervisory control and data acquisition (SCADA) systems, has endured as an IT security topic for more than a decade. Lately, however, the discussions have moved beyond the theoretical-possibility stage. Late last year, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned of increasing activity involving the use of search tools to locate Internet-facing control systems.
“The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems,” the ICS-CERT alert stated. “In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack.”
The alert also noted that ICS-CERT has been helping control system owners analyze system and firewall data in cases where unauthorized access has been identified.
And, of course, the Stuxnet virus and Duqu trojan both target industrial control systems.
“Stuxnet and Duqu have made the theoretical concerns over ICS/SCADA become real,” said Brian Ahern, president and chief executive officer of Industrial Defender, a company that focuses on security and compliance management for automation systems. “The discussions of these threats and risks have shifted up into the C-Suite.”
Industrial Defender offers a mix of security products and services, including managed services.
Role for Managed Services
The rationale for managed security services in the control systems segment is the same one found in less specialized markets: companies may lack the time or personnel to operate an IT security shop.
Organizations running control systems “have limited expertise and resource bandwidth to deal with the complexities of security and compliance,” Ahern noted.
“Unfortunately, advances in security technology have not eliminated the need for expertise or resources to sustain security on an ICS.”
Managed security services providers with the ability to monitor, manage and protect control systems fill that cyber security gap, Ahern said. A security technology’s effectiveness is proportional to the effort put into monitoring and managing its information and configuration, he added.
In addition to keeping tabs on security systems, MSPs can also help customers with compliance duties. In the ICS field, the North American Electric Reliability Corp.’s Critical Infrastructure Protection (NERC CIP) standard is a key requirement. The standard may apply to smaller energy producers as well as large utilities.
“NERC CIP affects electric utilities that are responsible for the production and transmission of electricity regardless of their size,” Ahern said, noting that NERC CIP uses specific, risk-based criteria to determine who must meet its requirements.
At this point at least, MSPs don’t appear to be overcrowding the industrial control market.
There are a few managed services participants in addition to Industrial Defender. For example, IBM Security Services offers SCADA Security Solutions that include assessment, intrusion prevention systems, and managed security services. Dell/SecureWorks, meanwhile, provides NERC CIP compliance services.
Any room for more MSPs? As awareness grows, SCADA could emerge as an active market for managed security. But the breadth of the market will depend on how many smaller independent power producers and rural co-ops view security as a pressing issue and/or face NERC CIP compliance duties.
MSPs that get involved in this space will have a challenging security problem to unravel. Industrial Defender released a report that cites the growing complexity of control systems. The report, which Industrial Defender commissioned Pike Research to compile, noted that most automation environments have evolved over decades without a master plan, making them difficult to manage.