Radiflow CEO on more profitable managed security for the industrial sector


Ilan Barda, CEO, Radiflow, looks at the relatively untapped market of MSSPs, including technological constraints, required skills and how service providers can tap into this potential for more profitable and sustained growth.

The managed security services market is growing rapidly, with global revenues of US$18bn in 2018, a massive 15% surge from 2017. However, the number of providers is also rocketing and overall profitability is slowly dropping as rivals compete heavily on price. The core enterprise market is reaching saturation point and many MSSPs are adopting a reseller approach by rebranding third-party services that offer little value, leading to further margin erosion.

As an antidote to this decline, a number of progressive MSSPs are expanding into under-served areas that provide better returns due to specialisation. One such area is security for the industrial sector.

Critical infrastructure operators have been the victims of high-profile attacks, including Stuxnet in Iran, the Ukraine power shut-down and Triton in Aramco, which are just the visible tip of a larger problem. In recent years, attack tools and methods have become readily available and are now being used to target private industrial facilities for financial gain.

For critical national infrastructure operators, the main challenge is selecting and deploying the proper technology throughout their facilities. For mid-size private industrial facilities, another issue is having the competence to operate such technology. To address the needs of the latter group, several managed security solutions are entering the market with offerings that are designed specifically to help MSSPs protect industrial networks and facilities.

Rising threats and opportunities

In the last couple of years, several major incidents have highlighted the potential damage. Norsk Hydro, one of the world’s largest producers of light-weight metals, was a victim of a cyberattack in 2019 that forced it to halt some production and switch to manual operation, resulting in costs of US$52 million.

In 2018, TSMC, one of the largest manufacturers in Taiwan, was hit by a cyberattack that forced production to be halted in three plant locations, resulting in estimated losses of US$170 million; the attack was the largest information security incident in Taiwanese history.

However, industrial customers with operational technology (OT) networks still lag behind other sectors in terms of adoption of cybersecurity. This is in part due to the specialist nature of the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) platforms within this sector used to monitor and control a plant or equipment. The technology is present across a wide range of industries including manufacturing, water treatment, mining, oil refining, transportation and power distribution, among many others.

And the opportunity for the IT channel is also significant. According to IDC, managed security services will be the largest technology category in 2019. However, the number of MSSPs with experience of the industrial sector is still slim compared to the enterprise space. This gap between demand and availability offers a massive opportunity for progressive MSSPs keen to break into the market and win new customers across Europe. Furthermore, MSSPs that offer this unique value-add will have a competitive edge when addressing customers that want to outsource both IT and OT security.

SCADA systems used for industrial applications have lifespans measured in decades and were designed with closed networks in mind, with more consideration paid to physical protection than to cybersecurity. Every SCADA system also has a human-machine interface (HMI) that allows operators to issue commands, examine alerts and generate reports. Unlike information technology systems used in corporate environments, most SCADA networks rely on highly specialist and often vendor-specific proprietary protocols for flows of data and commands. This offers some level of protection, but networks have become more interconnected and cyberattackers are creating bespoke attacks that target these specialist systems, which traditional off-the-shelf anti-malware, Intrusion Detection Systems or Network Access Control (NAC) are struggling to stop. The situation is made more challenging by the infosec skills shortage, which is also more acute in the industrial sector.

Industrial MSSP

Several vendors are now offering tools to help MSSPs deliver services to the industrial sector. In most cases, these solutions will have three elements. The first part is a data collection and monitoring layer that feeds real-time information used for threat detection and remediation. This data is used by the second part, a security operations centre (SOC) that will maintain software systems and specialist operators with infosec and ICS/SCADA expertise to evaluate the flow of data, generate alerts and potentially respond to attacks. The third element is the ongoing service to proactively look for weaknesses within systems and to monitor threat intelligence feeds for new vulnerabilities and exploits that impact the specific customer assets.

Security tools vendors will normally provide the MSSP with monthly updates to its traffic signature and CVE databases. This ongoing update will allow an MSSP to detect newly emerged threats and issue emergency updates in the event of the discovery of a vulnerability or software change to a key SCADA technology supplier’s product. With the MSSP model, such updates are done centrally at the managed SOC and not at each customer site. This continual service-led approach to security is vital as the threat landscape is constantly evolving. Even stable production systems that may have been deployed for a decade or more can have new vulnerabilities uncovered that can be exploited by a skilled attacker.

Managing real-time risks

The MSSP model has several significant benefits for industrial customers including the ability to outsource IT security to an external expert that monitors multiple similar customers. However, the architecture also allows the end-customer to gain a simultaneous view of the current security state to provide assurance and accountability that security best practice is being implemented as expected.

The deep integration with SCADA systems for correlation to the operational processes ensures that security posture always matches the current environmental state and evolves in line with the needs of the client in real time. In the same way that many large enterprises have adopted this approach, MSSPs for the industrial sector reduce the cost and complexity of internal staffing and provide an expert team on hand for incident response.

However, one of the most critical issues for manufacturers that can’t stop production to apply large-scale patches is the ability to apply industry-specific threat analysis. These systems allow an organisation to better understand which risks are critical and need to be immediately patched – and in some cases, where potential threats are mitigated by other security controls. MSSPs, especially providers that have aggregated knowledge from hundreds, and potentially thousands, of discrete manufacturing sites, can help manufacturers to design a remediation plan that can be enacted without production downtime.

Although a relatively new concept, the MSSP model for the industrial sector offers undeniable potential. The combination of increased adoption of digital technologies along with the skills shortage makes for an ideal marketplace for sustained growth for the IT channel.
