This GigaOm Research Reprint Expires May 30, 2024

GigaOm Radar for Operational Technology (OT) Security v1.02

1. Summary

The unification of operational technology (OT) and information technology (IT) brings a range of benefits to sophisticated technology systems in industries such as manufacturing, logistics, energy and utilities, automotive, healthcare, and agriculture. However, this convergence also poses a challenge, as it increases the complexity of the network with its large number of connected devices, sensors, measuring stations, robots, and plants that use mostly proprietary programs and protocols.

Such an environment is more difficult to secure and is vulnerable to cyberattacks, which can lead to the theft or manipulation of sensitive data. OT devices are seldom powered off, which amplifies risk, as any disruption in software, data, or communication channels can cause production shutdowns, leading to significant economic losses as well as damage to company reputation. Attacks on critical infrastructure like energy and water supply systems pose a threat to public safety. Fortunately, operational technology security solutions have emerged to provide protection for OT infrastructures.

Before diving into the focus of this report, let’s take a minute to review the differences between OT equipment and internet of things (IoT) equipment. Both involve connected physical devices that are embedded with electronics, software, sensors, and network connectivity, enabling them to exchange data. Today’s homes may include many IoT devices, such as doorbells, refrigerators, coffee machines, and other home appliances. In contrast, OT devices include industrial control systems, precision sensors, environmental controls responsible for human safety, and so forth. In a nutshell, IoT can be thought of as the consumer side of the house, while OT is its industrial or more robust counterpart. This report will focus on technologies and services that secure OT equipment.

Although IT and OT security have been around for nearly the same amount of time, IT security benefited from receiving the lion’s share of attention from organizations and vendors up until the early 2000s. For this reason, many IT security solutions were used as a basis for retrofitting into the OT arena. This was met with limited success, as the elements that define the OT environment make it significantly different from the IT arena.

OT security solutions should be selected and implemented as an additional and preferably transparent layer to mitigate the potential risks posed by cyberattacks. There are three main attack vectors to consider: the visibility of OT and IoT devices and assets on the internet, remote access for remote maintenance, and the privileges of users and devices. Effective security solutions need to address each of these areas to ensure adequate protection.

This GigaOm Radar report highlights key OT security vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report, “Key Criteria for Evaluating OT Security Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well OT security solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
  • Manufacturers: Some OT solution providers work with vendors of industrial equipment and manufacturing machinery. This makes it easier for users because the security of the equipment is monitored and guaranteed. However, it also limits the choices or increases the complexity if additional, separate solutions are installed. Still, this approach is ideal for smaller companies or less security-savvy users.
  • Managed or cloud service provider (MSP/CSP)/system integrator (SI): Some solutions mandate the involvement of service or integration partners. This requirement increases supply chain complexity and can easily lead to finger pointing. Nevertheless, for many users, being able to rely on existing expertise and knowledge is a good way to go. Especially in production plants, the focus is often more on safety than IT security.

In addition, we recognize three deployment models for solutions in this report:

  • Physical appliance (on-premises): This is the most traditional form, where the manufacturer supplies hardware pre-installed with its software.
  • Public cloud service (SaaS): These solutions are available only in the cloud and are often designed, deployed, and managed by the service provider. Sometimes availability is limited to one or a few specific providers. The advantage of this type of solution is the integration with other services offered by the cloud service provider (functions, for example) and its simplicity. However, it is often a disadvantage at the same time, since no other third-party services and providers are supported.
  • Software/virtual machine (VM): Here, we include VM images as well as cloud images and ready-to-deploy containers. In our opinion, virtualization and cloud computing will completely replace classic appliances in the short term. In the long term, it will even come down to pure SaaS or platform offerings.

Table 1. Vendor Positioning

                     Market Segment                                        Deployment Models
Vendor               SMB   Large Enterprises   Manufacturers   MSP/CSP/SI   Physical Appliance (On-Premises)   Public-Cloud Service (SaaS)   Software/VM
Acalvio
Armis
Claroty
Darktrace
Dragos
Microsoft
Nozomi
OTORIO
Palo Alto Networks
Rhebo
SCADAfence
Shield-IoT
Tenable

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report “Key Criteria for Evaluating OT Security Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Vendor               Deception    Rendezvous     Dynamic Network   AI Technologies        Protocol & Application
                     Technology   Capabilities   Segmentation      for Threat Detection   Decoding
Acalvio              3            2              0                 3                      2
Armis                0            3              2                 3                      2
Claroty              0            2              3                 2                      3
Darktrace            0            2              2                 3                      2
Dragos               0            2              2                 3                      3
Microsoft            0            3              2                 3                      2
Nozomi               0            2              1                 3                      3
OTORIO               0            2              0                 3                      2
Palo Alto Networks   1            2              3                 3                      3
Rhebo                0            2              0                 1                      2
SCADAfence           0            2              2                 3                      2
Shield-IoT           0            2              0                 3                      2
Tenable              1            2              2                 3                      3

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

Table 3. Evaluation Metrics Comparison

Vendor               Compliance   Performance   Scalability   User Experience
Acalvio              3            2             3             3
Armis                3            2             3             2
Claroty              0            2             3             3
Darktrace            1            2             3             3
Dragos               2            3             3             3
Microsoft            2            3             3             3
Nozomi               2            3             3             3
OTORIO               2            3             2             3
Palo Alto Networks   3            3             3             3
Rhebo                1            2             2             3
SCADAfence           1            2             3             3
Shield-IoT           2            3             3             2
Tenable              3            3             3             2

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for OT Security

As you can see in the Radar chart in Figure 1, this market is a mixture of household names in security along with some that are less familiar. Regardless, this is a space that has had to mature rapidly to meet the demands of the market.

The upper left Maturity/Feature Play quadrant holds Acalvio and Rhebo. Acalvio, an established name in the IT security space due to its deception technology, lands just inside the Leaders ring because of its ability to effectively identify risks and reduce the operational burden on security teams. Rhebo provides a simple, intuitive solution for this space but lacks a few key features that are becoming popular, such as integrated AI for threat detection.

In the upper right Maturity/Platform Play quadrant, Claroty and Darktrace fall solidly inside the Challenger ring. Claroty’s xDome platform integrates zero-trust network access (ZTNA) features with continuous threat detection. Darktrace leverages AI technologies in its robust solution, along with strong inventory features. The Leaders ring in this quadrant includes Dragos, Microsoft, Palo Alto Networks, and Tenable, each of which delivers OT security via a platform, though they all deliver a variety of capabilities that suit different use cases and industries.

The lower right Innovation/Platform Play quadrant houses several vendors. Armis is another highly scalable platform that is in the Leaders ring because of strong vulnerability management features, practical AI, and dynamic segmentation. Nozomi is a Leader and offers an easy-to-use UI, flexible licensing models, powerful asset inventory capabilities, and strong threat detection features. OTORIO is a Leader and combines many strong capabilities, like AI, digital twinning, IEC compliance, and ZTNA capabilities, for a powerful OT security solution. SCADAfence is a Challenger and brings a comprehensive, innovative approach to the space but is missing compliance certifications that others have. Shield-IoT is a Challenger and has a SaaS-powered, highly scalable, and performant solution.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Acalvio

Acalvio’s ShadowPlex Advanced Threat Defense (ATD) is a proactive defense solution that uses cyber deception to identify OT network intrusions. Leveraging Acalvio’s 26 patents—a fundamental architectural innovation—it streamlines the dynamic, intelligent, and scalable dissemination of deceptions throughout distributed OT networks and delivers high-scalability, low-risk, automated authenticity.

The key differentiator between ShadowPlex ATD and other OT security solutions is its focus on deception technologies, similar to honeypots but tuned for OT. Acalvio brings its depth of experience in the IT realm to OT environments. The deceptions are projected into OT environments from a central controller, which can be hosted on-premises or delivered as a SaaS offering.

The deception technologies lure attackers into taking action, which is then analyzed via the robust AI technologies that Acalvio has been using for years. These deception technologies can be dynamically updated (or respond in a dynamic way) based on attacker behaviors using the solution’s AI capabilities.

However, the solution does not support dynamic network segmentation. Protocol and application identification and decoding are on par with other OT security solutions and are quite capable.

The compliance level of the solution is outstanding, with Acalvio obtaining FedRAMP Ready status and landing on CISA’s CDM Approved Products List. The solution is also SOC 2 Type II compliant and adheres to NIST 800-171 standards.

Another standout feature for Acalvio is the user experience (UX). The admin UI is intuitive, enabling users to easily identify high priority events, perform analysis, run queries, and view historical information to aid root cause analysis and forensic investigations. And for customers who want to centralize their telemetry sources, the Acalvio solution integrates with many popular security operations tools like security information and event management (SIEM) or extended detection and response (XDR) solutions.

Because the heart of ATD is its projected deception technology, performance is quite good. With the projection method, local environmental issues (like heat, for example) have zero impact on the projections because the projections are hosted within ATD at a remote location. Scaling the solution is a straightforward affair, using a client-server architecture where sensors are deployed, which then report to a manager device. For large deployments, a “manager of manager” device can be deployed to streamline operations.

Strengths: Acalvio’s ATD solution takes a notable approach that leverages deception-based OT security at its core. It integrates AI technologies for threat detection, offers flexible deployment options, and has minimal impact on OT environments.

Challenges: The solution does not offer dynamic network segmentation.

Armis

Founded in 2015, Armis is one of the newer players in the industrial internet of things (IIoT) security market. Its OT security solution, the Asset Intelligence and Security Platform, provides a depth of visibility and insights into OT environments that are uncommon in this space. This is primarily a result of its approach to asset discovery, which starts with network-based forensic analysis, then adds information from sources like a customer’s configuration management database (CMDB) with threat intelligence. The result is a comprehensive view of OT assets and their correlated (known) vulnerabilities.

Armis is a SaaS platform that operates in the cloud. Its modern GUI showcases a clean and organized design, making information clear and easily accessible, though the visual language used in the menu may not be immediately intuitive for new users. The platform’s documentation and onboarding processes are exemplary, however, and received high marks on our UX evaluation metric.

Dynamic network segmentation is a hot button issue, with some customers wanting it and others seeing it as a wild agent of change within their sensitive OT environment. The Armis OT security solution offers deep visibility into the existing network segments where OT assets reside and where they communicate, and is able to provide automated network segmentation based on detected threats or anomalies. This is a feature that can be toggled on or off.

This solution doesn’t offer a deception-based component or feature set, though it does offer a fully managed platform whereby all maintenance activities are performed by Armis with the customer’s consent. Patching, upgrading, and troubleshooting are all performed via communications encrypted in transit and data encryption at rest.

AI, specifically machine learning (ML), is used throughout the platform. Armis uses ML to continuously join together often disparate pieces of data that seem unrelated but, when combined, are able to provide deep visibility into attacker TTPs. ML is also used to define a “known good” baseline for OT environments. Together, this baseline and the deep visibility into TTPs allows the Armis platform to detect anomalies at scale.

All data processing is completely independent and performed in the cloud, making this solution performant and scalable. Additionally, Armis is the only OT vendor with FedRAMP Moderate ATO, ISO 27001, ISO 28018 Best Practices, and SOC 2 Type II certifications.

A key differentiator for Armis is its excellent knowledge base, which contains critical information about the billions of devices under its monitoring umbrella, including both the device profile and the expected behaviors of that device. This solution is able to leverage that information to quickly identify unusual or abnormal conditions that legacy security tools (like an intrusion detection system, or IDS) would not be able to detect.

Armis has a strong focus on healthcare, manufacturing, and the public sector. From our point of view, the product complements existing OT security solutions. Interested parties should definitely take a look at the list of integrations and do a proof of concept (PoC).

Strengths: This solution provides robust vulnerability and threat detection capabilities, is highly scalable and performant, uses AI to amplify its impact, and is managed via its shared management model and friendly UX.

Challenges: This solution does not offer any deception-based capabilities for threat detection.

Claroty

Founded in 2015, Claroty’s list of investors includes well-known industry giants, such as BMW i Ventures, LG, Schneider Electric, Rockwell Automation, and Siemens.

Claroty’s xDome is a scalable and modular industrial cybersecurity platform powered by SaaS, which helps an organization meet its cybersecurity objectives as it evolves. Claroty’s Continuous Threat Detection (CTD) solution aids both IT and OT teams in addressing digital transformation challenges and the concerns of a unified IT and OT network environment. Its Secure Remote Access (SRA) solution is an optimal choice for customers seeking seamless, reliable, and highly secure industrial network access for their internal or third-party personnel.

The xDome platform, CTD, and SRA technologies comprise the solution reviewed here. Maintaining the solution is left to the customer to decide how to carry out, selecting to support it themselves or opting to leverage professional services for a variety of tasks from patching to report generation and even assistance with incident response activities.

Claroty xDome analyzes all device communication over the network to appraise its nature and mode. The standard communication patterns thus derived become the definition of what constitutes “normal” behavior on the network. Profiling device communication in this way allows xDome to generate recommended communication policies that are closely aligned with industry best practices and the network context. Policies can be monitored for a period to ensure their stability before they are customized to fit the specific needs of the organization. Once customized, the policies can be efficiently pushed to third-party tools, such as those for firewalls and network access control (NAC). In contrast, most of the competitors in this domain do not provide suggestions for communication policies or automatically generate relevant access control list (ACL) policies for enforcement.
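The baseline-then-policy workflow described above (and the "known good" baseline idea in the Armis entry), as an added example that is not Claroty's or Armis's code: it learns per-pair communication from constructed flow records with hypothetical addresses, renders the baseline as an ACL-style allow-list, and flags monitoring-window flows that fall outside it.

```python
"""Baseline-derived communication policies for an OT network.

Added illustration, not vendor code. Flow records below are constructed;
device addresses and protocol names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source device address
    dst: str     # destination device address
    proto: str   # application protocol as decoded from the traffic
    dport: int   # destination port


# Constructed learning window: an HMI polls two PLCs over Modbus/TCP and an
# engineering workstation talks to PLC-1 over S7comm.
LEARNING_FLOWS = [
    Flow("10.10.1.5", "10.10.2.11", "modbus", 502),
    Flow("10.10.1.5", "10.10.2.12", "modbus", 502),
    Flow("10.10.1.5", "10.10.2.11", "modbus", 502),
    Flow("10.10.1.20", "10.10.2.11", "s7comm", 102),
]

# Constructed monitoring window: known-good traffic plus two deviations,
# a previously unseen peer reaching PLC-2 and a new protocol from the HMI.
MONITOR_FLOWS = [
    Flow("10.10.1.5", "10.10.2.11", "modbus", 502),
    Flow("10.10.1.99", "10.10.2.12", "modbus", 502),
    Flow("10.10.1.5", "10.10.2.11", "s7comm", 102),
]


def learn_baseline(flows):
    """Map each (src, dst) pair to the set of (proto, dport) observed."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f.src, f.dst)].add((f.proto, f.dport))
    return dict(baseline)


def recommend_policy(baseline):
    """Render the baseline as an allow-list with a trailing default deny."""
    rules = []
    for (src, dst), services in sorted(baseline.items()):
        for proto, port in sorted(services):
            rules.append(f"permit {proto} {src} -> {dst} port {port}")
    rules.append("deny any -> any")
    return rules


def find_deviations(baseline, flows):
    """Return (flow, reason) for each flow outside the learned baseline."""
    deviations = []
    for f in flows:
        services = baseline.get((f.src, f.dst))
        if services is None:
            deviations.append((f, "unknown peer pair"))
        elif (f.proto, f.dport) not in services:
            deviations.append((f, "unknown service for this pair"))
    return deviations


if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for rule in recommend_policy(base):
        print(rule)
    for flow, reason in find_deviations(base, MONITOR_FLOWS):
        print(f"DEVIATION ({reason}): {flow}")
```

In practice the recommended rules would be monitored for a settling period before being customized and pushed to a firewall or NAC, as the paragraph above describes.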

With its own research team, Claroty continuously evaluates potential vulnerabilities and attack vectors, thus improving the quality of its own products and the security of its customers’ industrial assets. Deception technologies are not integrated into this solution, but xDome embraces a detection model that continuously monitors customer environments for early indicators of compromise (IoCs) of both known and unknown attacks.

Claroty is one of the few vendors in this report with mature ZTNA capabilities available within the platform (via SRA). With SRA, customers are able to securely broker access to OT environments, which are often air gapped because of the difficulties presented by vulnerable systems and protocols. Support for operational technology/industrial control systems (OT/ICS) protocol identification and decoding is good for the space, with support for over 450 protocols (and growing).

Strengths: Claroty offers a scalable, modular approach to OT security. The ZTNA delivered via the SRA module is a feature that’s difficult to find natively available within OT security platforms.

Challenges: This solution is missing deception capabilities for threat detection.

Darktrace

Founded in 2013, Darktrace is an established player headquartered in Cambridge, UK, and listed on the London Stock Exchange. Darktrace was one of the first providers to recognize the potential of AI and leverage it to enhance IT and network security, leading the company to then launch its OT focused Industrial Immune System in 2014.

The platform is founded on patented self-learning AI technology that employs mathematical models to acquire insights into the idiosyncratic behaviors of an organization’s OT environments. This, coupled with the deployment of Darktrace’s proprietary AI to identify anomalous activity and threats, resulted in its high scores for the AI for threat detection key criterion.

Darktrace’s AI uses behavioral analytics and deep learning mechanisms to detect deviations from self-learned patterns. Behavior can be automatically detected and classified by the ML algorithm. In this way, even the tiniest anomaly can be detected, which makes the platform extremely accurate. This is based on many years of implementation in a wide range of industries.

Darktrace takes a surgical approach to dynamic network segmentation. Instead of wholesale changing of network segments based on threat data, a single IP or OT device (or source) can be cut off from network traffic. However, Darktrace does not include deception technology.

The high quality of the platform’s analytics capabilities is the basis for its ability to respond autonomously to attacks or threats. Automation reduces complexity, which in turn improves usability and the UX. Enterprises can respond to threats earlier and faster, avoiding errors and increasing their resilience and security. Usability is better than in other products available on the market, which is reflected in its high score for this evaluation metric.

However, Darktrace doesn’t have its own firewall functions or access management capabilities. Consequently, the platform can be used only to supplement existing SSA or firewall solutions and not as a standalone system. The ability to integrate into existing IT services landscapes is very important. Darktrace has fewer integrations than others do, so its interoperability capabilities are limited, although it does integrate natively with Palo Alto Networks, Cisco, Fortinet, Juniper Networks, and Check Point.

Darktrace is among the first vendors to use graphs to visualize communication relationships, contributing to its high score for usability. Graphs can be used to detect and map network connections at a depth that no other technology currently offers.

Darktrace’s recent acquisition of Cybersprint adds global attack surface mapping capabilities to its platform, and together with its capability for internal attack path modeling, attack chains can be traced end-to-end. Darktrace does not use digital twinning technology.

Strengths: Darktrace is great in leveraging AI and ML techniques. The solution is robust and reliable, and its asset inventory capabilities are among the best in OT security solutions included here. The platform offers very good and reliable vulnerability management and excellent usability.

Challenges: Darktrace has no firewall functionality and depends on third-party providers. Evaluation and analysis don’t take place inline and, therefore, not in real time. Additionally, there’s no deception technology integrated into the product.

Dragos

Founded in 2016, Dragos is among the newer players in this space. Its founders are the same people who were largely responsible for designing the OT security cyber mission for the US government. The company is well funded and backed by the likes of BlackRock, Koch Disruptive Technologies, and Hewlett Packard Enterprise (HPE).

Dragos recognizes the value in building and enabling a strong community of defenders. Dragos’s offerings include the Dragos Platform, Dragos WorldView (a discrete OT-specific threat intelligence service), and native threat hunting and incident response capabilities. To this end, Dragos also offers what it calls the Neighborhood Keeper program, an opt-in collective defense solution for collecting aggregated, anonymized OT intelligence. It provides continuous situational awareness into threats, vulnerabilities, and attacks on OT systems and, combined with the largest in-house team of OT security threat researchers of any vendor in this Radar report, allows Dragos to offer an edge to any customer who seeks deep visibility and actionable intelligence for their OT environments.

Neighborhood Keeper forms a key part of the broader Dragos “collective defense” strategy and includes mechanisms for participating organizations to confidentially share and collaborate around anonymized intelligence. In the future, Dragos Platform customers enrolled in Neighborhood Keeper will also be able to use it as a mechanism for Knowledge Packs updates, which expand coverage of threat detections, asset characterizations, dashboards, and response playbooks.

This solution is known for its ability to reliably discover and visualize assets; track communication relationships in OT networks; detect threats based on tactics, techniques, and procedures (TTPs), including MITRE ATT&CK for ICS; and manage vulnerabilities. Continuous behavioral analysis detects threats at an early stage of the cyber kill chain. Insights from the company’s own threat intelligence team are used to continuously update IoCs and TTPs as well as to correct and resolve new vulnerabilities. Frameworks such as MITRE ATT&CK for ICS help rank and prioritize threats and vulnerabilities. The platform provides concrete guidance for action and curated playbooks to eliminate vulnerabilities or minimize the attack surface. Dragos offers alternative solutions if, for example, patches or updates are not possible or desired.

Dragos excels at effective implementation of AI technologies. When paired with its bespoke threat intelligence, this provides a comprehensive and consistent assessment of the risks within an OT environment. Its protocol and application decoding support is quite strong, with more than 130 supported protocols at the time of this writing.

The management interface is clean, and information is easy to acquire, but the UX could be better, as operating the system is not always intuitive. A split view makes it possible to work in two views in parallel.

This solution integrates with leading network security partners, like Cisco, Fortinet, and Palo Alto Networks, to enable its dynamic network segmentation capabilities. Through automated synchronization of asset groups and mapping to next-generation firewall (NGFW) policies, this feature delivers strong, effective security through network isolation.

The most notable feature of the Dragos platform is its playbooks. Users receive straightforward, explicit instructions, and the manufacturer offers alternative solutions as well. All playbooks are manually curated, incorporating Dragos’s frontline experience from service engagements. This is especially useful in OT environments since patches or configuration changes are not always possible or wanted. This functionality helps to increase security and reduce the burden on operations teams, and it also positively impacts usability and boosts ROI.

The range of integrations is quite impressive. Strategic partnerships like the one with Juniper Networks make the solution highly attractive. It should be noted, however, that Dragos requires port mirroring for traffic analysis in its platform. Users should check beforehand whether their network infrastructure can handle port mirroring or whether new switches and routers need to be purchased.

Strengths: Dragos excels in the areas of asset discovery and inventory, threat detection, and vulnerability management. Action instructions and playbooks are notable features. Despite needing some UX improvements, the split view is a very useful feature.

Challenges: Dragos doesn’t offer deception technologies, and the GUI is not always intuitive.

Microsoft Defender for IoT

Microsoft has one of the most comprehensive portfolios among the vendors in this report. Defender for IoT complements the vendor’s broad range of IT services solutions and is ideal for anyone who likes to have everything from a single source. Defender for IoT integrates perfectly into the company’s own portfolio, and with its growing portfolio of third-party integrations, other solutions can be integrated as well.

Microsoft Defender for IoT can be deployed on-premises or in the cloud. This makes it extremely scalable—and it receives a high score for this evaluation metric—as well as flexible, powerful, and highly performant. Users praise its ease of use. Microsoft also offers valuable resources for documentation and onboarding. Simple licensing models at moderate prices make the solution a contender for SMBs. With its global footprint and vast partner network, Microsoft Defender for IoT is a good fit for those without in-house IT expertise.

Assets and traffic are monitored in real time. The solution stands out in terms of its asset inventory but remains in the middle of the field in its recognition of industrial protocols and standards. More than 130 protocols from industrial vendors with a focus on IoT, as well as open standards such as IEC, ISO, and OPC, are supported.

Nevertheless, some important industrial automation communication protocols, among others, are missing, making it less suitable for brownfield environments. Additional protocols can be supported via the Horizon software development kit (SDK). However, using SDKs and programming interfaces requires high-level technical expertise. Furthermore, as is the case with other vendors in this report, deception technologies are leveraged during threat research and intelligence gathering but are not directly available within the solution for customers to enable, configure, or otherwise benefit from.

Microsoft provides all essential security components, including behavioral analysis, firewall, secure user and access management, microsegmentation, security orchestration, automation, and response (SOAR), and XDR. With its cloud-based AI and ML power, Microsoft provides fast and excellent analyses. OT-specific SOAR playbooks enable less experienced operators of IIoT infrastructure to automate remediation of OT threats.

Rendezvous capabilities are a measure of how the OT security system overcomes the challenges of an air-gapped environment when performing maintenance or receiving patches. Defender for IoT supports this capability by giving the customer the ability to select the forms of remote connection to the platform elements as well as by leveraging Azure for authentication to provide tighter controls.

Dynamic network segmentation is a powerful feature, and it’s one supported by Defender for IoT with its SIEM and SOAR integrations. This mechanism enables effective responses and segmentation of protected systems based on their real-world activities. An example of this is the malicious IP address detection by Defender for IoT, which triggers an integration with a SIEM solution to block the IP address from all connected devices.

Siloed information is the bane of a security team’s existence; it slows down operations and creates risk. To overcome this, special care has been taken with Defender for IoT’s UX. Users engage with the system through on-premises sensors, a local management console, or the Azure cloud portal, as well as via native integration with Microsoft security stack solutions such as Microsoft Defender 365 and Microsoft Sentinel (as well as Splunk, QRadar, and others), which facilitate bidirectional information synchronization. Real-time viewing of system events and telemetry data as well as rule and policy setup for alarms and notifications are among the options available for user interaction.

Strengths: This is a highly scalable and capable solution that blends integrations with other Microsoft products with its own capabilities. The result is a solution that is comprehensive in scope, intuitive, and effective for OT security.

Challenges: Without integrations into the Microsoft SIEM or SOAR, some capability is diminished, and deception technologies are not leveraged within the solution.

Nozomi Networks (Guardian/Vantage)

Nozomi Networks was founded in 2013 and is privately held, with its headquarters in San Francisco, California. It focuses on building automation, critical infrastructure (electric utilities, gas, and oil), government agencies, manufacturing, healthcare, and transportation and logistics. The company has become a strategic partner of major suppliers such as Tempered (a market leader in ZTNA for critical infrastructure) to add network visibility and threat detection capabilities, and OTORIO (a provider of SIEM and SOAR solutions for OT networks) to correlate asset data and events for an early detection of security incidents.

The platform includes a Central Management Console and two solutions: Vantage—for asset discovery, network visualization, vulnerability assessment, risk monitoring, and threat detection—and Guardian, which provides ICS visibility and security. Like other market competitors, the company operates its own lab with its own cyberthreat intelligence and asset intelligence services. Data is collected via smart polling and remote collectors. The solution consists of hardware and software and can be transparently inserted into existing networks at the switching layer (Layer 2). The costs for hardware and software are separate, which makes the solution more flexible for changing requirements.

The solution received a high score on the AI for threat detection key criterion because of its ML algorithms, which can continually learn and correlate data to better anticipate issues as well as to consolidate multiple alerts into a primary issue for more focused remediation efforts. This is similar to a Tier 2 analyst learning a customer’s environment, then applying that knowledge to better secure the systems. In an age of skills shortages and hiring challenges, this is a standout feature.

This solution doesn’t include any deception technologies or dynamic network segmentation features, although the latter is available through formal partnerships maintained by Nozomi. A relatively new addition is the Nozomi Arc sensor, which collects host-based data for deeper asset intelligence and enables monitoring of hosts found within OT environments.

The GUI is very well thought out and clean, and the UX is among the best for the solutions evaluated for this Radar. Maintenance of the solution follows industry-standard methodologies, which include either scheduled outbound calls from the Nozomi on-premises infrastructure back to the Nozomi cloud or out-of-band methods like USB drives.

The solution has been designed especially for OT and ICS landscapes. It provides excellent threat detection and response, vulnerability assessment, and risk management for OT and assets in IT environments, leading to users reporting fewer false positives than with other solutions they’ve assessed. The solution detects threats independently and integrates with all major legacy IoT monitoring and SIEM solutions. Integrated user and access management is not part of the functionality but is compensated for by integrations and strategic partnerships.

AI is at the heart of Nozomi Networks’ solution. The asset inventory is continuously updated based on the traffic. New network objects can be recognized in detail and processed automatically. The Nozomi Networks platform does a good job detecting and correctly assigning devices in the inventory.

Nozomi Networks offers the option to add threat intelligence as a service. This gives users regular updates with enriched data on the current threat landscape at any given time. In combination with the continuous behavioral analysis of network participants and flows, threats can be quickly detected and responded to. Behavioral analysis-based solutions also protect against zero-day attacks. The solution consists of hardware, software, and optional cloud-based SaaS components.

Strengths: The platform impresses with its clear GUI and user guidance. Nozomi Networks is among the few providers that use deep packet inspection (DPI), and its asset inventory is more complete and more accurate than those offered by other vendors.

Challenges: This solution doesn’t offer deception technologies or dynamic network segmentation natively.

OTORIO RAM2

Founded in 2017, OTORIO is one of the newer entrants to the market. The Israeli company focuses on OT/IT security for ICS. With its risk assessment monitoring and management solution (RAM2), customers get a SOAR solution and a patented digital OT/IT twin created with the information from various operational and security systems. Among other things, digital twins can be used for predictive analytics or to simulate cyberattacks and evaluate risks to business continuity.

In addition to RAM2, the focus in this report, OTORIO offers two other OT-focused solutions: spOT, a point-in-time risk assessment technology, and remOT, which provides zero-trust remote access for OT environments.

The solution uses a familiar manager-client architecture. The manager is deployed in a location that can be reached by the clients, which are called edge devices. The edge devices perform the data collection activities and send the data to the manager for analysis. Plug-ins, which are like integration modules, enable comprehensive data collection capabilities.

RAM2 can identify malicious patterns reliably by using proprietary plug-ins and engines for the collection and analysis of data, as well as by collecting data from security and industrial systems in the OT network. It raises alarms about suspicious activities and offers clear, concrete, and understandable instructions with actions and playbooks for different stakeholders to mitigate risk and protect against potential attacks. The platform integrates with external firewall solutions such as Fortinet’s FortiGate. By correlating information from FortiGate’s syslogs with data and events from multiple security and industrial systems, such as a DCS and historical data, it provides suggestions for configuration changes, updates, or segmentation improvements.

System maintenance is performed via an included tool that allows remotely updating the edge devices from the central manager. This follows industry standards, which keep OT systems separate from internet-connected network segments.

The OTORIO solution does not offer deception technologies. Nor is dynamic network segmentation available, but OTORIO notes that this is not an oversight—they have not observed market-driven requests for such capabilities.

This solution is compliant with IEC 62443-4-1, the IEC’s standard for a secure software development lifecycle (SDLC) for products used in industrial environments. OTORIO offers the solution either in VMs or in ruggedized physical equipment for deployment into harsh environments. The UI is flexible and open by design, which means that data can be visualized and consumed from within the operator portal or sent to other common security operations platforms like a SIEM solution.

Strengths: The OTORIO solution combines unique, patented digital twinning, AI technologies, and a robust UI to create a powerful OT security solution. IEC compliance assures best practices have been followed, and it integrates easily with the remOT remote access solution for simplifying access to an often difficult-to-reach environment.

Challenges: Deception technologies and dynamic network segmentation are missing from this solution.

Palo Alto Networks IoT Security

Founded in 2005, Palo Alto Networks is one of the more mature vendors reviewed in this report and is well known for inventing the NGFW, a firewall based on a single-pass parallel processing (SP3) architecture and decoders that detect applications and protocols more reliably than IP filters or traditional gateway firewalls. Moreover, compared to conventional sequence-of-functions approaches, the single-pass architecture delivers better performance and integrated security.

The Zero Trust OT Security solution is one such integrated security solution on the Palo Alto Networks NGFWs that delivers visibility, threat prevention, and policy enforcement for OT assets, remote operations, and 5G-connected assets and networks. Powered by ML, this solution rests on comprehensive OT-specific contextual security knowledge covering a breadth of OT assets that is difficult to rival. Additionally, while this space is dominated by network-centric security solutions, it must be noted that Palo Alto Networks offers other OT security solutions for OT industrial clouds and the burgeoning field of OT security operations centers (SOCs).

Palo Alto Networks has incorporated AI and deep learning capabilities into its network security platform to bolster its threat prevention capabilities. These new capabilities are particularly critical as they enhance the existing intrusion prevention system, which protects against known malware and command and control cyberattack traffic. This results in a high score for the AI for threat detection key criterion.

Dynamic network segmentation is a strength of the Zero Trust OT Security solution, which supports network segmentation for traditional local area network (LAN) OT devices and also for 5G devices, a unique feature among the vendors in this report. Protocol detection and decoding is another strength, with more than 1,000 OT/ICS protocols currently supported. This is powered by the Device-ID, User-ID, and App-ID classification system used within the Palo Alto Networks ecosystem.

The Palo Alto Networks solution is one of the few OT security solutions that offers native support for ZTNA within the solution. This can be achieved using Prisma Access for ZTNA together with Palo Alto Networks NGFWs or with their GlobalProtect technology, again with on-premises NGFWs.

The Zero Trust OT Security solution scored high on the user experience evaluation metric, with tidy, clear dashboards and an intuitive GUI. Users can see at a glance the level of risk posed by an OT/IoT/IT device or application. Documentation and onboarding of new users is excellent, which also helped the solution get a high score for this evaluation metric.

This solution is FIPS 140-2, FedRAMP, SOC2, and Common Criteria compliant, resulting in one of the most certified solutions in this market segment.

Finally, keep in mind that harsh OT environments may present a challenge depending on the requirements placed on the device because not all Palo Alto Networks NGFWs are offered in a ruggedized form factor.

The only key criterion this solution doesn’t execute on well is deception technologies. Deception technologies are not offered directly inside of the OT security solution, though they are available through integration with its Cortex XDR technology, which in turn integrates with popular deception technology vendors.

Palo Alto Networks’ OT security solution can be used as a standalone product or as a complement to existing IT services landscapes. In addition to physical appliances, VMs and Kubernetes containers are also offered. Panorama is the central management platform.

Overall, Palo Alto Networks offers an impressive range of security solutions for on-premises, edge, and cloud computing. All modules integrate well into the overall portfolio. Palo Alto Networks also enables OT SOC automation playbooks to integrate its XSOAR technology with the OT security platform.

Strengths: The Palo Alto Networks Zero Trust OT Security solution excels because of its comprehensive approach to coverage of assets, its strong AI capabilities, powerful dynamic network segmentation features, intuitive UI, and ease of integration with other technologies.

Challenges: This solution doesn’t offer deception technologies without additional licensing and may not be suitable for the harshest OT environments because of the lack of ruggedized NGFWs in all form factors.

Rhebo

The German company Rhebo was founded in 2014 and was among the first vendors to use behavioral analysis and allow lists to actively protect OT environments from unknown (zero-day) attacks. The company founders were experts in IT network security who understood the special requirements of operational technology and the processes and needs of the IT professionals who often manage OT security systems. The overall goal of the Rhebo solution is to provide a simple, high-confidence, low-false-positive security system for OT environments.

The Rhebo Industrial Protector includes protocol and application decoders that allow a signature to be created for any application or protocol, no matter how unique. Although the solution leverages deterministic threat detection methods, it does not integrate AI into its threat detection capabilities. And though deception technologies are appearing in the OT security space, the Rhebo solution does not integrate these technologies.

Maintenance is carried out through the Rhebo central management architecture. From the controller, updates are pushed down to remote sensors. The controller itself is updated out-of-band, either through SFTP or via a USB drive that’s connected physically to the controller by the customer.

Dynamic network segmentation is not included, though not because it was forgotten. Rhebo holds that since OT networks are heavily architected and all network traffic is inherently known, there is little practical use for this feature.

The protocol detection and decoding capabilities of the solution are quite good. As Rhebo indicates, identifying and decoding protocols are two separate capabilities, and few solutions identify and decode as many industrial protocols as Rhebo.

This solution employs ruggedized physical hardware when needed and is thus able to ensure consistent performance across different OT environments. With a hierarchical sensor and controller architecture, scaling the solution is a simple matter of deploying additional controllers as needed to support the sensors. Finally, the UX makes good on the original goal of creating a simplified experience for customers. Though there are only a few displays, all relevant information is presented in a concise and comprehensive manner.

Strengths: The Rhebo solution is a no-nonsense OT security solution aimed at delivering simplified security operations. Rhebo’s meticulous focus on the requirements of OT clients is highly commendable.

Challenges: The solution doesn’t offer deception technologies, AI for threat detection, or dynamic network segmentation.

SCADAfence

SCADAfence was founded in 2014 in New York and is another one of the more established providers of OT security. The OT veteran continuously develops its platform with strong coverage across several key criteria and evaluation metrics.

The SCADAfence Platform is a non-intrusive solution. It’s available as software, VM, or cloud service, and the company will also provide an appliance on request. The solution’s standout feature is its dynamic baseline technology, which uses ML techniques for fast behavioral analysis. This technology enables reliable discovery of assets, applications, and protocols, which is reflected in its high score on the AI for threat detection key criterion.

The optional SCADAfence Governance Portal gives users the ability to test their systems against regulatory or compliance frameworks. The resulting report can be used for audits or as the basis for a catalog of actions to improve the security level.

SCADAfence’s platform is highly scalable and covers a wide range of industry applications and protocols. Customer reviews praise the UI as intuitive. SCADAfence uses hardware acceleration for high-performance DPI in real time at wire speed. This innovation makes SCADAfence a powerful and efficient platform.

SCADAfence offers few integrations and doesn’t have its own active firewall capabilities. In particular, it lacks integrations with OT legacy systems and with deception technologies.

Dynamic network segmentation is achieved through automatic grouping and segmentation. Leveraging WYSIWYG rule creation capabilities, users are able to design detection rules to adjust networks on the fly to suit their unique business needs. This is a standout feature, not just for the OT security space but for security vendors in general.

Protocol and application decoding is quite good because of the DPI capabilities. This gives the solution the ability to read values within the packets, then create baselines to track these values and generate alerts when anomalous activity is detected. This is close to a “leave no stone unturned” approach for OT security.

Compliance is a weak spot, but the vendor is beginning to work through a number of common compliance frameworks and expects to achieve compliance in the near future.

System maintenance is achieved through scheduled outbound communication requests to the SCADAfence cloud. This is, of course, dependent on the customer’s network configuration.

Strengths: The SCADAfence platform offers a comprehensive set of capabilities to secure OT environments. It provides AI technologies and an intuitive interface and is easily customized to meet business needs.

Challenges: This solution does not offer deception technologies, and it currently doesn’t hold any compliance certifications.

Shield-IoT

Another of the newer entrants, Shield-IoT is an Israeli company that specializes in the security of IT/OT gateways and edge devices. It focuses on the energy sector (smart grids), logistics and transport, and private 5G networks.

The AI-powered software platform provides IoT/IIoT threat prevention and asset management solutions. It uses real-time AI/ML advanced analytics and rule-based and threat intelligence engines to detect the first signs of unknown threats, cyberattacks, and compromised assets. It focuses on devices that are deployed in the field, sometimes known as “out-of-perimeter devices” (such as smart meters and EV charging stations in smart grids, and CCTV cameras in cities), that are exposed to physical tampering and remote hacks and are in wide use across multiple public and private networks.

With its AI-based network security anomaly detection solution, deviations from normal behavior, industry standards, and recognized frameworks are detected. This approach protects the infrastructure against new and unknown attacks (zero days) as well as other sophisticated attack scenarios.

Shield-IoT’s solution is available as software-only or as a cloud-based service. Primary target customers are service providers, IoT operators, and integrators of complex networks. This solution is built using SaaS architecture, with an agentless approach. It leverages edge devices to capture relevant telemetry and perform an initial analysis, then offloads additional processing to the SaaS platform. This approach simplifies the deployment, making the solution easily scaled. However, it may not align with typical OT security directives that dictate on-premises equipment and data storage. Additionally, the solution doesn’t use dynamic network segmentation or deception technologies.

Shield-IoT has developed mathematical methods to efficiently evaluate large amounts of data, making the patented platform extremely attractive for landscapes with many devices. Shield-IoT uses “coresets” for this purpose, a method that works with data extracts instead of the total amount of information collected. This is another reason why the solution scales so well and remains performant without compromising reliability.

The platform is user friendly, with a clean and intuitive UI. While simplified interfaces can sometimes distract from a lack of capability, that’s not the case with Shield-IoT. Instead, the solution uses AI to deliver only key events through dashboards and reports.

The use of coreset-based AI is indeed a leap forward in analyzing large amounts of data. This technology saves valuable bandwidth in industrial networks, and importantly, it reduces storage space requirements and allows reliable data analysis even at less-performant endpoints at the edge.

Strengths: Shield-IoT is characterized by extremely good scalability and performance. Monitoring and analysis take place in real time with AI underpinning detection capabilities.

Challenges: This solution lacks deception technologies and dynamic network segmentation.

Tenable OT Security

Tenable OT Security, previously Tenable.OT, is a unified OT security solution designed to safeguard the modern and converged attack surface. It equips converged IT/OT security teams with a global view of their IT and OT environments, providing them and their leadership with the requisite visibility, security, and compliance for connected OT environments to manage, measure, and minimize cyber exposure and risk across the attack surface.

Tenable OT Security stands as a single product to cater to OT security use cases, but it also seamlessly integrates with multiple Tenable products, ensuring uniformity in the security operations experience for every stakeholder.

Tenable OT Security’s pricing is tiered, based on the total number of assets across a customer’s sites, and offers economies of scale as the number of assets increases, lowering the per-asset price. Note that customers with multiple sites can partition their license by allocating a specific number of assets per site through the self-service provisioning portal.

This solution can be deployed via a physical appliance, the most popular option, as well as a virtual appliance, and is oftentimes integrated with the included Tenable Security Center (on-premises license) and/or Tenable Vulnerability Management (SaaS) to achieve a consolidated view of IT and OT risks.

Tenable OT Security doesn’t itself include deception technologies; however, strategic partnerships enable the OT security solution to be deployed alongside deception products from other vendors. Rendezvous capabilities for software upgrades and system patches follow the standard for the OT security space, achieved either via internet connectivity with quarterly package updates or via air-gapped methods like a USB drive.

Tenable uses a proactive approach to exposure management by limiting the attacker’s ability to exploit vulnerabilities, preventing them from becoming active threats. Tenable OT Security addresses threat detection and uses its AI/ML capabilities to recalculate the priority of all security vulnerabilities, resulting in a vulnerability priority rating (VPR). Additionally, the system can dynamically create network segments or zones to report policy violations or changes to the network happening within or across zones.

Tenable OT Security developed and patented Active Query, a method of using vendor-native protocols to communicate with devices. Since OT/ICS devices may remain inactive for extended periods, passive solutions could overlook such devices. Tenable OT Security can evaluate controller data to extract any available information, including parameters, variables, logic changes, and changes of state (such as a program/run keyswitch or downloads).

Regarding compliance, the Tenable solution helps customers meet ISA-62443 requirements, a global security standard for Industrial Automation and Control Systems (IACS) that provides an extensive cybersecurity framework that covers risk assessment, security implementation, and maintenance. Additional frameworks and authorities include NIST, Center for Internet Security, United States Defense Information Systems Agency, Microsoft, and CISA’s CDM Program Approved Products List (APL).

Finally, the UX is simple and intuitive, what you’d expect if you’ve used other Tenable products. The OT security solution includes a local GUI that can be used in air-gapped environments, and the OT security solution’s data can be viewed in the included Tenable Security Center and/or Tenable Vulnerability Management SaaS product.

Strengths: Tenable’s OT Security solution is comprehensive, provides numerous mature integrations, supports complete OT/ICS protocol decoding, and leverages its unique VPR process to significantly reduce manual tasks while delivering higher quality alerts.

Challenges: The solution doesn’t directly integrate deception technologies.

6. Analyst’s Take

Industrial plants have long operated as closed systems. However, new technologies, optimized supply chains, and joint ventures have led to a high degree of interconnectedness and the opening up of these systems, leading inevitably to increasing security concerns. With the integration of IT and OT, the attack surface of industrial plants expanded massively. From a business perspective, it is not the cost of acquiring an OT security solution that should play the main role in decision-making but rather the cost of a production stoppage caused by a cyberattack. Technical managers in industrial plants, meanwhile, should familiarize themselves with the new threats and no longer focus solely on safety aspects.

When deciding on an OT security vendor and solution, a great starting point is determining the depth of features needed. As is the case with most security solutions, redundancy (often called defense in depth) can be an asset when architected into a system’s design.

Each organization will need to assess the extent of overlap between incumbent security solutions and new solutions; however, generally speaking, choosing a feature play in the OT security space is a great starting point for those who already have a significant OT security infrastructure.

On the other hand, for those who are looking to completely overhaul existing security solutions in their OT environments, looking more closely at the platform players (and, to a lesser extent, the maturity of the integrations and how they relate to the technology already deployed) will be a better starting point. From there, weighing a Mature vendor’s feature set against that of an Innovative vendor can be another useful guide. Mature vendors may be slower to roll out features but may also be less likely to introduce unintended software bugs.

7. Methodology

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Chris Ray

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023. "GigaOm Radar for Operational Technology (OT) Security" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.