As cyber threats evolve, organizations are increasingly requiring more robust cyber-physical systems (CPS) security solutions tailored to meet their unique needs. We feel that’s why Gartner has published a “Market Guide for CPS Protection Platforms”, outlining their recommendations for security and risk management (SRM) leaders when evaluating a CPS security provider. With emerging cybersecurity challenges that span beyond the capabilities of traditional security tools, Gartner understands that leaders must evaluate solutions with additional functionalities. Throughout this blog, we will break down the most important criteria Gartner outlines and how the right CPS protection platform can help on your journey to cyber and operational resilience.
Before we dive into the evaluation criteria, it is important to first understand what cyber-physical systems are. Gartner defines CPS as “engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). When secure, they enable safe, real-time, reliable, resilient and adaptable performance.” Essentially, cyber-physical systems encompass OT assets and systems along with a proliferation of connected devices — including IoT, IIoT, IoMT, and BMS. Key examples of CPS include patient monitoring in hospitals, intelligent buildings, smart electric grids, and autonomous vehicles. These smart networked systems interact with the physical world to support real-time, guaranteed performance in safety-critical applications. Although these devices help to sustain our lives, they also greatly increase cybersecurity risk and the attack surface. CPS protection platforms were built to ensure the safety and security of these critical devices, because the consequences of unintentional faults or malicious attacks could have a severe impact on human lives.
The CPS protection platforms market is defined by Gartner as “products and services that use knowledge of industrial protocols, operational/production network packets or traffic metadata, and physical process asset behavior to discover, categorize, map and protect CPS in production or mission-critical environments outside of enterprise IT environments.” CPS protection platforms in this category include the following attributes:
Per our understanding, some CPS protection platforms focus only on passive port mirroring and deep packet inspection. However, no single collection method is a silver bullet. That’s why Gartner has emphasized the importance of evaluating vendors with a variety of additional techniques, including native protocol active queries. Recognizing how crucial it is for customers to have 100% visibility into the assets that underpin their operations, Claroty offers five distinct collection methods — giving organizations the opportunity to mix and match methods to meet the needs of their unique environment. In-depth asset discovery is a key driver of overall success, and Gartner advises performing due diligence to find the right match.
A truly complete inventory of an industrial environment depends not only on finding all of its unknown components, but also on understanding the features and activities of those components. We believe that’s why Gartner has emphasized evaluating a platform’s ability to display asset attributes. Claroty, for example, supports 450+ proprietary protocols and offers five highly flexible collection methods, which allows us to build in-depth communication and behavioral profiles for all XIoT assets — including granular device details. Without these key details — including OS, serial number, embedded software, and more — threats and vulnerabilities cannot be accurately correlated.
The process of gaining full visibility into the industrial environment is often challenging due to a variety of factors, ranging from antiquated equipment that uses a multitude of often-proprietary communication protocols to complex and inherently insecure network configurations. We feel this is the reason Gartner treats the number of industrial communication protocols supported as such a large differentiator between solutions — because they understand that comprehensive visibility is achieved through the right balance of protocols and collection methods. At Claroty, our in-house researchers work tirelessly to ensure our portfolio is compatible with all protocols spanning all of your OT, BMS, IoT, and other XIoT assets. Claroty has long been the industry leader in protocol coverage, and our current tally is more than 450 and counting. Our multi-spectral approach helps to uncover parts of the network that are not suited to a single discovery method and results in unmatched visibility into CPS environments.
Many CPS protection platforms offer visualizations of linkages and data flows between all assets, which is crucial to strengthening your industrial network architecture. Without detailed network diagrams and data flows, there is no benchmark or baseline to compare against when identifying misconfigurations, traffic overloads, and other issues that may pose risks to reliability, availability, and safety. Claroty addresses this need by not only revealing your industrial network architecture, but also leveraging AI to segment your entire network into Virtual Zones, which are policy-defined groups of assets that communicate with one another under normal circumstances.
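The baseline idea above in working form: assets are assigned to zones, the zone-to-zone flows observed during a learning period become the baseline, and any later flow that crosses a zone boundary outside that baseline (or that involves an address the inventory never saw) is raised as a finding. This is an added example, not Claroty’s Virtual Zones implementation; the zone map, baseline and flow records are constructed.

```python
"""Flag traffic that leaves the learned zone baseline. Added example, not
Claroty's Virtual Zones implementation; zones, baseline and flows are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed asset-to-zone assignment (addresses are made up).
ZONES = {"10.1.1.10": "PLC-LineA", "10.1.1.11": "PLC-LineA",
         "10.1.2.20": "HMI-LineA", "10.1.3.30": "Engineering",
         "10.0.0.5": "Corporate-IT"}

# Constructed baseline: (src_zone, dst_zone, protocol) learned during a
# quiet period. Traffic that stays inside one zone is implicitly allowed.
BASELINE = {("HMI-LineA", "PLC-LineA", "modbus"),
            ("Engineering", "PLC-LineA", "s7comm")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    packets: int

def zone_of(ip: str) -> str:
    # An address with no zone is itself a finding: it was never inventoried.
    return ZONES.get(ip, "UNKNOWN")

def check_flows(flows):
    """Return (violations, per-zone-pair packet counts). A violation is a
    cross-zone flow, or a flow involving an unknown asset, not in BASELINE."""
    violations, counts = [], Counter()
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        counts[(s, d, f.proto)] += f.packets
        if s == d and s != "UNKNOWN":
            continue
        if (s, d, f.proto) not in BASELINE:
            violations.append((s, d, f.proto, f.src, f.dst))
    return violations, counts

# Constructed flow records, e.g. from a span port during one interval.
SAMPLE_FLOWS = [Flow("10.1.2.20", "10.1.1.10", "modbus", 1200),
                Flow("10.1.3.30", "10.1.1.11", "s7comm", 40),
                Flow("10.1.1.10", "10.1.1.11", "modbus", 10),
                Flow("10.0.0.5", "10.1.1.10", "modbus", 3),
                Flow("10.9.9.9", "10.1.1.11", "modbus", 5)]

def run_example():
    return check_flows(SAMPLE_FLOWS)
```

On the sample data the corporate-IT host reaching a PLC and the uninventoried 10.9.9.9 address are the two findings; the per-pair counts give the traffic-volume baseline that an overload check would compare against.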
The majority of CPS security solutions correlate the outputs from asset discovery with Common Vulnerabilities and Exposures (CVE) and third-party vulnerability repositories, prioritize known exploited vulnerabilities, flag insecure application usage and default passwords, provide remediation guidance including alternative compensating controls, and provide a ticketing mechanism to track actions. Gartner states, “more advanced solutions include: a mechanism to prevent IT scanners from touching CPS, provide a contextualized risk score based on asset criticality and likelihood of exploitability, and enhance findings and risk score with real world knowledge of their research teams”.
Claroty recognizes the need to safely uncover risk blind spots, and integrates with various third-party vulnerability tools that arm IT and industrial practitioners alike with enterprise-wide visibility into their risk posture without endangering operations. We also enrich XIoT assets with over 90 attributes, which are then correlated against our database of CVEs, misconfigurations, findings from our acclaimed Team82 researchers, and other flaws. We then optimize prioritization with custom risk scoring, which not only helps you understand the risk each vulnerability poses to your environment and prioritize your remediation efforts accordingly — it is also fully customizable and forecastable, enabling you to model and refine your risk scoring based on your needs.
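The two points made above and in the asset-attribute section, that correlation needs concrete attributes such as firmware version, and that prioritization should weigh asset criticality and known exploitation rather than base severity alone, as one added example. It is not Claroty’s database, attribute set or scoring formula: the vendors, models, advisory ids and weights are constructed placeholders.

```python
"""Correlate asset attributes against a vulnerability table and rank by
contextual risk. Added example; records and weights are constructed."""
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str        # "" when discovery could not read the version
    criticality: int     # 1 (low) .. 5 (safety-critical), set by the operator
@dataclass
class Advisory:
    vuln_id: str         # placeholder ids, not real CVE numbers
    vendor: str
    model: str
    fixed_in: str        # first firmware version that is not affected
    severity: float      # 0..10, like a CVSS base score
    known_exploited: bool

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def contextual_score(adv: Advisory, asset: Asset) -> float:
    # Base severity scaled by criticality and bumped when exploitation in the
    # wild is known, capped at 10. Weights are illustrative only.
    exploit = 1.5 if adv.known_exploited else 1.0
    return round(min(10.0, adv.severity * asset.criticality / 5 * exploit), 1)

def correlate(assets, advisories):
    """Return (findings ranked high to low, pairs that need more attributes)."""
    findings, unresolved = [], []
    for a in assets:
        for adv in advisories:
            if (a.vendor, a.model) != (adv.vendor, adv.model):
                continue
            if not a.firmware:   # vendor/model match but version unknown
                unresolved.append((a.name, adv.vuln_id))
            elif parse_version(a.firmware) < parse_version(adv.fixed_in):
                findings.append((contextual_score(adv, a), a.name, adv.vuln_id))
    findings.sort(reverse=True)
    return findings, unresolved
# Constructed inventory and advisories (vendor and model names are made up).
ASSETS = [Asset("PLC-LineA-1", "AcmePLC", "X100", "2.3.1", 5),
          Asset("HMI-LineA", "AcmeHMI", "H7", "1.0.4", 3),
          Asset("PLC-LineB-1", "AcmePLC", "X100", "", 4)]
ADVISORIES = [Advisory("VULN-0001", "AcmePLC", "X100", "2.4.0", 9.8, True),
              Advisory("VULN-0002", "AcmeHMI", "H7", "1.1.0", 7.5, False),
              Advisory("VULN-0003", "AcmePLC", "X100", "2.0.0", 6.5, False)]

def run_example():
    return correlate(ASSETS, ADVISORIES)
```

The PLC whose firmware version could not be read is reported separately rather than silently scored, which is the practical consequence of the attribute gap described earlier.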
Detecting all manner of threats that can impact industrial environments requires multiple approaches. According to Gartner, more sophisticated CPS solutions add threat-intelligence-related features and functionalities: “More advanced solutions include: ability to deliver raw telemetry for analytics deep dives, attack simulations maps, industry-specific threat intelligence curated by research teams; ability to ingest unique/customized threat intelligence feeds; USB port monitoring”. Claroty’s Continuous Threat Detection (CTD) is equipped with known signatures of indicators of compromise (IoCs), as well as proprietary threat signature research from Claroty's own Team82 research & development arm. CTD also performs operational event alerting by continuously monitoring critical change operations in the industrial environment to help ensure your process integrity and uptime. Incoming alerts are also mapped to the MITRE ATT&CK for ICS framework to add context to the event and assist in identifying known remediation measures.
Since most CPS use proprietary protocols and legacy systems, they are simply incompatible with traditional IT solutions — but that doesn’t mean those solutions have no place in OT. Rather than expanding your already-extensive tech stack, you should evaluate a CPS security solution that integrates with it. By extending your existing tools and workflows from IT to OT through a purpose-built OT security solution, you can uncover risk blind spots without endangering operations. This approach, which Claroty takes, helps organizations take control of their risk environment and creates further visibility across traditionally siloed teams.
Selecting a CPS protection platform for your unique needs requires evaluating the right criteria to ensure your mission-critical environments are protected against emerging cyber threats. As the CPS protection platform market continues to grow, additional functionalities are developing, making it more difficult to discern which CPS protection platforms align with your cybersecurity journey. By reviewing Gartner’s Market Guide for CPS Protection Platforms, SRM leaders can efficiently assess CPS security solutions, like Claroty, to help them maintain cyber and operational resilience.
Gartner, Market Guide for CPS Protection Platforms, 29 June 2023, Katell Thielemann, Wam Voster
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.