A couple of weeks ago I had the pleasure of being a guest on Dale Peterson’s “Unsolicited Response” video series, where we discussed Radiflow’s OT risk management solution (you can watch the full interview on the S4 Events channel).
Following the interview I received lots of feedback and questions, and I would like to elaborate on a few:
Use of digital twin vs. digital image for network-specific risk calculation
Calculating an OT-network’s exposure to risk, toward producing an overall network risk score, is based on multiple datasets used to simulate numerous breach and attack scenarios.
First, there’s the threat environment: who are the attackers threatening the SuC (System under Consideration) and which attack tactics they employ. This information is derived from open TI sources (e.g. MITRE ATT&CK) as well as from customers’ own TI sources.
The second dataset is the controls (threat mitigation measures) installed on the network, derived primarily from the customer’s reporting, as well as from iSID’s network learning capability.
Even accounting for the locale of the SuC and the industry it operates in, these two datasets are very general, as they don’t take into consideration the specific properties of the SUC.
As discussed in the interview, to circumvent this issue without affecting the operational network, CIARA uses an offline digital image of the network based on analysis of a representative amount of mirrored data traffic from across the network (making the process non-destructive and non-intrusive, as it has no effect on network operations.)
In the interview I further discussed with Dale the difference between Digital Images and Digital Twins. Digital twins simulate IIoT devices’ functionality, so they carry over each device’s logic and databases, while digital images contain device & network properties, without carrying over device functionality, since what devices do is to a large extent irrelevant to attack likelihood calculation, which is based on asset vulnerabilities and network architecture, not on how devices operate.
That said, as the OT security market’s needs mature there will be a need to incorporate more information in the simulation, for example the SBOM (which software applications installed on devices, and how they affect exposure to risk).
The pros and cons of an integrated iSID-CIARA solution vs. two standalone products
For its breach & attack simulations CIARA could, in effect, use a digital image generated by a non-Radiflow solution. Using third-parties’ digital images via CIARA’s many APIs is especially useful for customers who’ve already invested in another vendor’s IDS or have an up-to-date OT CMDB and now choose to add CIARA for risk assessment and management. This type of modular, mix-and-match approach is common in the IT domain, since its size and availability of tools and expertise support a more granular solution mix.
However, as I mentioned in the interview, considering the size and the nature of the OT security industry – much smaller and much less granular than the IT security industry – it makes a lot of sense to combine solutions from the same vendor. The tight integration between iSID (Radiflow IDS) and CIARA (Radiflow risk management) provides extensive continuous exchange of dynamic information between the two systems: the digital image generated in iSID already includes aspects such as zones and business processes that drive more granular risk assessment; updates of the digital image received from iSID trigger risk re-assessment in CIARA; changes in risk due to new TI feeds automatically update the severity of events in iSID; and more.
Furthermore, if you’re using the complete Radiflow suite we can provide flexibility in your deployment road-map while maintaining a cost-effective framework, alleviating the headaches of “should I move from the initial visibility exercise to risk assessment or compliance assessment, or proceed directly to continuous anomaly monitoring?”, or “should I enhance the anomaly detection SOC with continuous risk monitoring using TI feeds, so I can be pro-active in updating my SecOPs processes”, etc.
As we work closely with our customers in their OT security journey we witnessed quite a few times the value of such flexibility, which enables our customers to update and optimize their deployment plans according to their changing priorities.
Value of CIARA to Consultants vs. MSSPs
In the interview Dale commented that CIARA is a natural fit for consultants, as it enables them to enrich their OT risk assessment process. However we see CIARA as an attractive offering also to the leading MSSPs in the industry. This is becoming a major go-to-market path for us.
It should be noted that in many cases the MSSP is already handling the customer’s IT security, so our offering can be used as a “foot in the door” to get customers’ OT business. We found that MSSPs are excited by the prospect of leveraging their position as their customers’ trusted advisors, and offering them the initial OT risk assessment as part of planning the customer’s security road-map (based on that assessment). Furthermore, as MSSPs focus on selling continuous managed services, the use of CIARA enables them to extend their SOC services with continuous risk monitoring services. This, in turn, greatly increases their long-term revenue stream while solidifying their customers’ commitment, through proving value.
I was very glad to witness the success of this approach throughout the past year as we built strong relationships with leading global MSSPs and together landed OT security contracts with tier-1 customers.
When it comes to consultants in the OT cyber-security space, especially the larger players, you need to look for what the value of CIARA is to them. Consultants by and large get paid for finite projects, so for them the value of CIARA is in the initial or ad-hoc risk assessment – i.e. enhancing their manual risk assessment with data-driven breach simulation results as a starting point for an OT network hardening plan – not ongoing assessment. So obviously Radiflow continuously monitors the MOs of both MSSPs and consultants and enhances the CIARA feature-set accordingly. To date it seems like CIARA’s appeal extends to both.
Final Thoughts & Looking Ahead
I’ve greatly enjoyed the discussion with Dale and the follow-up questions and comments from his viewers, which also show the traction that OT risk management has gained. If you’ve been following the buzz in the OT security industry over the past few months, and as apparent in the interview, data-driven OT risk management solutions have become a must-have or will-have among CISOs and OT security professionals, and have been well-received and appreciated by our users and partners.
As mentioned in the interview, we believe that countering the increased sophistication of attackers and the constant introduction of new threats requires continuous assessment of ICS network risk. This, in turn, requires industrial organizations to set up a mechanism for continuous streaming of digestable OT feeds from all business units, to provide SuC-specific actionable insights. In addition, there’s a need for better community sharing of cyber-incident and attacker information (that is currently often not disclosed in full) to help detect new attack trends.
Based on this year deployments and the feedback we’ve received we’ve already devised extensive plans for the CIARA road-map. Stay tuned!
If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.