CIARA: Better Risk Management in an Evolving OT-Security Landscape

By Ilan Barda, CEO, Radiflow

October 28, 2021

OT cybersecurity luminary and self-described “ICS Security Catalyst” Dale Peterson recently interviewed Radiflow CEO Ilan Barda as part of his S4-affiliated “Response Unsolicited” series.

In the interview the two discussed the current state of the evolving OT cyber-security industry, as well as Radiflow’s solutions for industrial operations and how they fit into the new paradigms for protecting ICS networks.

You can watch the full interview on the S4 Events channel. Here are three takeaways from the interview:

Use of digital image vs. digital twin for network-specific risk calculation

Calculating an OT network’s exposure to risk, toward producing an overall network risk score, is based on multiple datasets used to simulate numerous breach and attack scenarios.

First, there’s the threat environment: which attackers threaten the SuC (system under consideration) and which attack tactics they employ. This information is derived from open threat-intelligence (TI) sources (e.g. MITRE ATT&CK) as well as from customers’ own TI sources.

The second dataset is the controls (threat mitigation measures) installed on the network, derived primarily from the customer’s reporting, as well as from iSID’s network learning capability.

Even accounting for the locale of the SuC and the industry it operates in, these two datasets are very general: they don’t take into consideration the specific properties of the SuC, such as device properties and vulnerabilities, protocols, devices’ business-process and zone affiliations, and the potential inter-zone and inter-business-process attack vectors. You need to simulate how the specific SuC network reacts to breach and attack attempts.

Now, breach and attack scenarios could be simulated on the live SuC network; this, however, is widely considered dangerous to the network, since the simulation itself can make changes to the network.

To circumvent this problem, CIARA uses an offline digital image of the network, generated by iSID from analysis of a representative amount of mirrored data traffic from across the network. This makes the process non-destructive and non-intrusive, as it has no effect on network operations.

It’s important to differentiate between digital images and digital twins. Digital twins simulate IIoT devices’ functionality, so they carry over each device’s logic and databases. Digital images contain device and network properties without carrying over device functionality, since what devices do is practically irrelevant to attack-likelihood calculation, which is based on asset inventory and network architecture, not on how devices operate.

Digital images are therefore smaller – 20% or so of the size of a digital twin – and this actually enables more efficient breach and attack simulation (OT-BAS), and subsequently a more accurate risk calculation.

That said, the inputs required for any assessment depend on what you’re assessing, and as market needs mature and evolve there will be a need to incorporate more information in the simulation, for example some of the software applications installed on devices and how they affect exposure to risk (e.g. through lateral movement inside the device).
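As an added illustration (not Radiflow’s code and not CIARA’s actual algorithm), the following toy Python model combines the three datasets described above: a constructed digital image reduced to zones and the conduits between them (with the protocols observed crossing each), a threat-environment set of protocols the relevant adversaries abuse, and a controls map of residual likelihood per mitigated conduit. All data structures, names and weights are assumptions; the model enumerates inter-zone attack paths offline and scores risk as the most likely path’s likelihood times the target zone’s impact.

```python
from collections import deque

# Constructed digital image (hypothetical format, not iSID's): network properties only,
# reduced to inter-zone conduits and the protocols seen crossing them; no device logic.
DIGITAL_IMAGE = {
    "conduits": [
        ("it", "engineering", {"smb", "rdp"}),
        ("engineering", "control", {"rdp"}),
        ("control", "process", {"modbus"}),
        ("it", "control", {"rdp"}),
    ],
}
# Threat environment: protocols the relevant adversaries are known to abuse (constructed).
THREAT_ENV = {"rdp", "modbus"}
# Controls: residual likelihood factor a mitigated conduit leaves (1.0 = unmitigated).
CONTROLS = {("it", "engineering"): 0.4, ("engineering", "control"): 0.7}
# Business impact of an attacker reaching each zone (constructed weights).
IMPACT = {"process": 1.0, "control": 0.6, "engineering": 0.3, "it": 0.1}

def hop_factor(src, dst, protos, threat_env, controls):
    """0 if no abused protocol crosses the conduit, else the residual control factor."""
    if not protos & threat_env:
        return 0.0
    return controls.get((src, dst), 1.0)

def attack_paths(image, threat_env, controls, entry, target):
    """Enumerate simple inter-zone paths from entry to target with their likelihood."""
    adj = {}
    for src, dst, protos in image["conduits"]:
        adj.setdefault(src, []).append((dst, hop_factor(src, dst, protos, threat_env, controls)))
    results, queue = [], deque([([entry], 1.0)])
    while queue:
        path, lik = queue.popleft()
        for nxt, f in adj.get(path[-1], []):
            if f == 0.0 or nxt in path:  # blocked conduit, or a cycle
                continue
            if nxt == target:
                results.append((path + [nxt], lik * f))
            else:
                queue.append((path + [nxt], lik * f))
    return results

def zone_risk(image, threat_env, controls, impact, entry, target):
    """Risk score = most likely path's likelihood x target impact; returns (score, path)."""
    paths = attack_paths(image, threat_env, controls, entry, target)
    if not paths:
        return 0.0, []
    path, lik = max(paths, key=lambda p: p[1])
    return round(lik * impact[target], 3), path
```

Re-running the scoring with an added control on a conduit shows how the dominant attack vector shifts, which is the kind of what-if comparison an offline image allows without touching the live network.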

Pros and cons of an integrated iSID-CIARA solution vs. two standalone products

For its breach and attack simulations CIARA could, in effect, use a digital image generated by a non-Radiflow solution, and CIARA is on the path to allowing this. We have received requests for integration with other companies’ solutions. Using third-party digital images via CIARA’s many APIs is especially useful for customers who’ve already invested in another vendor’s OT-security solutions and now choose to add CIARA for risk assessment and management. This type of modular, mix-and-match approach is common in the IT domain, since its size and the availability of tools and expertise support a more granular solution mix.

However, considering the size and the nature of the OT security industry – much smaller and much less granular than the IT security industry – it makes a lot of sense to combine solutions from the same vendor and system integrator. OT risk assessment is very much human-expertise and customer-interview based; by using an IDS and a risk management solution from the same vendor you maintain the same relationship with the vendor and the system integrator and carry over the knowledge they already have about the network, about its specific industry and threat environment, and about the customer’s needs (which may not always be simply reducing overall risk, but rather, say, improving compliance).

Value of CIARA to Consultants vs. MSSPs

One of the ways Radiflow is able to compete with its much more deep-pocketed competitors, in addition to leading the way with new technologies and approaches to securing OT such as focusing on risk management, is working with global channels and MSSPs, and indeed in the past year or so we have been diligently enlisting MSSPs. It should be noted that in many cases the MSSP is already handling the customer’s IT security, so our offering can be used as a “foot in the door” to win the customer’s OT business.

We found that MSSPs are excited by the prospect of offering their customers risk management and ongoing risk-management services. Being their customers’ trusted advisors, they are able to get their users on board, either as part of the planning and implementation stage or later on down the road as an add-on to their existing offerings, making it a win-win for both parties. In the end, MSSPs don’t sell products, they sell a service; as such they are looking for a long-term stream of income, so by offering risk management they’re able to greatly increase their long-term revenue stream while solidifying their customers’ commitment through proven value.

When it comes to consultants in the OT cyber-security space, especially the larger players, you need to look at what the value of CIARA is to them. Consultants by and large get paid for finite projects, so for them the value of CIARA is in initial or ad-hoc risk assessment, i.e. providing a snapshot of the customer’s risk posture as a starting point for an OT network hardening plan, not ongoing assessment. So obviously Radiflow needs to understand the modi operandi of both MSSPs and consultants and adjust both the product and the message accordingly, and to date it seems that CIARA’s appeal extends to both.

If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.