Industrial/OT Threat Detection and Response - What Do Users Want?

By Sid Snitkin

ARC Report Abstract


Threat detection and response is the hottest area in the industrial/OT cybersecurity market today. Companies recognize the visibility and early detection benefits of passive network monitoring and want these capabilities.  But many still struggle to choose a solution or even select suppliers for proof-of-concept “bake-offs.” 

At the 2019 ARC Industry Forum in Orlando, Florida, we dedicated an entire workshop on these challenges.  To kick it off, ARC provided an overview of the industrial/OT threat detection and response market; how solutions vary in focus, scope, and capabilities; and the need for alignment with a company's cybersecurity management strategy.   Following ARC's presentation, a panel of end users offered their insights and recommendations on the prerequisites for successful use of this technology.  A lively panel discussion followed, raising additional perspectives and insights from attendees. 

Industrial/OT Threat Detection and Response Solutions

ARC’s Industrial/OT Cybersecurity Maturity Model (next page) clearly delineates the role of threat detection and response.  While the earlier steps can help companies protect facilities from conventional cyber-attacks, it has become clear that sophisticated attackers can overcome these defenses.  Rapid detection and response are essential to minimize the impact these attacks could have on safety and operational performance.                 

Threat Detection ARC%20Industrial-OT%20Cybersecurity%20Maturity%20Model.JPG

Companies at the “Detect” maturity level have technology that rapidly detects system abnormalities, cyber or otherwise.   Companies at the “Respond” level have the resources and supporting technology needed to rapidly identify and manage actual cyber-attacks.   While each step adds an additional layer of protection, both are required to address sophisticated cyber-attacks.  

While detection and response technologies serve different purposes, ARC recommends that users consider their interdependency in technology evaluations.  Anomaly detection offers many benefits, like asset discovery, but only has cybersecurity value if it helps defenders reduce the impact of a compromise. Alerts need to distinguish cyber-attacks from other anomalies and include the kinds of information defenders need to initiate a rapid response.  Good solutions also support defender efforts to identify attackers, understand the attack stage, and take the required actions.    Gaps in defender support functionality need to be identified and addressed during investment planning.          

The table on the next page summarizes ARC’s recommendations for key features that companies should consider as they develop detection and response technology requirements.   Identify those that are relevant for your situation and eliminate those that your OT and SOC environments already cover adequately.  The remaining items provide a basis for evaluating detection and response solutions.   Ideally, they are all addressed in a single solution as this will minimize integration issues and avoid potential gaps that might impact defender effectiveness.  

Supplier support should also be considered.  As with any technology, user and product support are important.  In the case of detection and response, companies should consider a supplier’s ability to provide incident response support.  The supplier’s knowledge of industrial/OT cybersecurity, the threat landscape, and its platforms can help reduce the duration and costs of a cyber incident.   

End User Concerns and Suggestions

Three end users participated as panelists in ARC’s OT Threat Detection and Response Workshop.  These were Michael Hoffman, Principal ICS Security Engineer at Shell; Jason Nations, Senior Manager, Enterprise Security at OGE Energy Corporation; and, Dan Rozinski, Technical Fellow, Manufacturing and Engineering at The Dow Chemical Company.   Following are some of their observations on industrial/OT threat detection and response and recommendations for companies considering investments in this technology. 


Michael Hoffman characterized visibility as the biggest cybersecurity challenge he faces.  Shell has a very mature cybersecurity program, but the organization wants more understanding of what is happening across its many different OT environments.  The company also values the many different benefits of anomaly detection.  These include automatic asset discovery, connectivity and data flow patterns, and detecting system malfunctions.  Shell has evaluated all major solutions and believes they all do an excellent job for specific use cases.   Companies should clearly understand all their use cases before selecting a specific supplier.

ARC Advisory Group clients can view the complete report at ARC Client Portal

If you would like to buy this report or obtain information about how to become a client please Contact Us

Keywords: OT, Cybersecurity, Anomaly Detection, Threat Management, ARC Advisory Group.



Engage with ARC Advisory Group