The ROI in threat intelligence solutions vs enforcing industrial security "101" in ICS/OT

Work meeting discussion

In ICS/OT, investing in cybersecurity technology has become increasingly important. However, many security leaders are left wondering:
Are threat intelligence solutions worth the associated costs, complexity, and potential distractions they introduce? Is adhering to the “Industrial Security Standards and Best Practices” concepts and improving existing compensating controls sufficient?

Understanding the Cost-Benefit Equation

As organizations implement more advanced digital defenses, questions often emerge regarding the return on investment (ROI) for these technologies. Threat intelligence solutions are appreciated for their capacity to provide timely insights into potential cyber threats; however, they also pose significant challenges. These solutions often generate a high volume of alerts, which can overwhelm teams and complicate decision-making processes. This persistent noise raises an important question: “Am I benefiting from these insights, or are they simply adding unnecessary overhead?”

In addition, ICS/OT environments are typically designed to be isolated from external networks, employing an “air gap” strategy for protection, which is huge factor that serve as a compensating control for many attack vectors. In these scenarios, some argue that existing compensating controls, such as network segmentation, strict access control policies, and endpoint protection are sufficient for maintaining security. This raises the question: “Does investing in threat intelligence yield tangible benefits in such contexts?”

The Case for Proactive Defense and Cyber Resilience

Despite ongoing challenges, the threat landscape for ICS/OT has evolved considerably. Professional attackers have advanced beyond conventional methods, targeting loopholes in connected systems and deploying advanced persistent threats against critical infrastructure. Even resources that appear to be isolated can be compromised by attackers through insider threats, supply chain weaknesses, or physical access.

Reactive response technology is simply not built to increase your defenses; THEY DON’T READ SECURITY CONTROLS.

Proactive defensive measures are essential for enhancing cybersecurity. Instead of waiting for a breach to occur, allowing businesses to anticipate and prevent attacks. By providing insights into global threat activity, organizations can proactively adjust their security protocols, address vulnerabilities, and safeguard against emerging threats. This approach is particularly critical in the ICS/OT environment, where the stakes are exceptionally high, and disruptions can lead to significant negative consequences.

Balancing Technology and Investment

How can organizations invest in cybersecurity technology while avoiding the problems of irrelevant data? The objective is to strategically implement the right technology. Threat intelligence solutions must be developed to meet the specific requirements of ICS/OT environments. By seamlessly integrating these technologies with existing security frameworks, organizations can enhance their defenses while minimizing complexities and costs.

Conclusion: Right Technology, Right Investment

Investing in threat intelligence for ICS/OT environments does not replace essential security controls; rather, it enhances them. Organizations can increase their cyber resilience beyond basic measures by selecting the right technology and strategically leveraging intelligence. When considering cyber maturity levels, reactive technology should be implemented at a later stage of an organization’s roadmap, while defense technology can effectively address needs during the early to mid-stages.

Download Resources

Case Study - Team Backlog

— Trigger

  • Organization is in a firefighting mode.
  • Spending money is creating additional requirements, and open new attack vectors.

— Challenge

  • 23 facilities globally.
  • Inconsistency in results between regions.
  • Different solutions deployed on each site to mitigate the same threats.
  • New management has no visibility or historical data to rely on in decision making.

Novaigu Platform

  • Identify the organization risk profile.
  • Discover and assess assets to establish a cybersecurity baseline.
  • Implement a cyber security maturity roadmap.
  • Implement mitigations based on criticality to improve resilience.
  • Reassess on regular basis to measure maturity and budgeting requirement.

Case Study - Regulatory Compliance

— Trigger

  • Change in Regulatory and Compliance requirements.
  • Implement a cyber security program and assess their maturity on annual bases.
  • Three facilities in the US and Canada.

— Challenge

  • Large quantity of assets (170 network devices, 340 systems, 1000s of network connected field devices per site).
  • Reliance on the IT team to manage their assets.
  • Five specialized resources and six months to complete the task.

Novaigu Platform

  • Identify ICS/OT assets and define ownership, responsibility and accountability, and segregate OT and IT assets.
  • Reduce efforts, logistics and time required to one week per site.
  • Execute a vulnerability Assessment to evaluate weaknesses in security controls (per frameworks and standards) and provide a detailed and prioritized roadmap for the cybersecurity program.
  • No disruption to operators during the activities.
  • Reduce average cost from 340K to 120K a year.

Case Study - Expansions & Upgrades

— Trigger

  • Additional production units.
  • System upgrades and migrations.

— Challenge

  • Lack of staff and skills.
  • New systems interface with the existing environment.
  • Added complexity to inventory and managed assets.
  • Site has no visibility, and the new systems are adding risks.

Novaigu Platform

  • Immediately discover the new connected assets.
  • Scan security configurations on each asset and harden it.
  • Classify and organize assets based on use, functionality and criticality.
  • Execute a vulnerability Assessment to evaluate weaknesses in security controls, user access, patch, AV … etc.
  • Report on gaps and prioritize remediations based on compliances, security lifecycles and maturity levels.
  • The remediations (hardware, software, labor) can upon negotiations contracted to Novaigu professional services for implementation.