January 3, 2024
September 26, 2024

Comprehensive OT Zero Trust Protection: A Market Comparison

Last week, I discussed the NIST CSF and gave an overview of the desired outcomes for an OT Zero Trust Protection solution. One of the challenges in the OT Cyber Protection/Resilience Market is the confusion about what solutions each company offers. Most solutions do not fit neatly into the NIST CSF, crossing boundaries and solving pieces of the puzzle but not wholly solving a particular problem.

In discussions with prospects, we always get asked “Who else offers a solution like yours?” Most vendors want to answer “There is no one that offers a solution comparable to ours!”, but in BlastWave’s case, that actually is our position in the market today (always subject to change of course). We’ll talk about why more later ;-).

A more straightforward question is, “Who do you compete with in accounts?” Now, that is an easy question to answer.

The first and largest competitors are the legacy IT vendors (Cisco, Palo Alto, Fortinet, and Juniper) selling firewalls and IT VPN solutions. OT administrators repurposed them to protect OT networks since they were already in their network, but these solutions have failed to protect OT networks. Since they are also used to protect the IT network, any vulnerabilities give hackers a free pass to move into the OT network laterally. The failure of existing IT solutions to protect OT networks has led to the creation of new OT Zero Trust Protection solutions.

The next class of competitive threats is from Virtual Air Gap solutions that are scaled-up versions of data diodes, one of the first attempts to allow OT devices to connect to the internet safely. These solutions are site-to-site VPN solutions that encrypt traffic between enclaves and do not allow users to access a segment unless they come from another secure segment. The biggest weakness of these solutions is that they require a separate Secure Remote Access solution, so they are not a complete solution for a customer. They also do not typically protect within secure OT enclaves for east-west traffic (i.e., between devices), so no insider threat protection is provided.

The next class of competitors is Privileged Access Management (PAM) solutions that deliver cloud-based proxy SSL VPNs to access OT networks. They also often depend on cloud architectures, which increase costs for these competitors, add significant latency, and open up new attack and denial-of-service vulnerabilities. They are also intrusive to the customer, as they either proxy the protocols used in OT or simply offer remote desktop solutions, introducing latency and adding performance challenges for remote sites. They also do not typically protect within secure OT enclaves for east-west traffic (i.e., between devices), so no insider threat protection is provided.

The final category is Comprehensive Protection. This category combines network protection (Network Cloaking), Secure Remote Access (SRA), and software-defined Microsegmentation. These solutions are the natural replacement for the legacy firewall and VPN solutions designed for OT networks. Comprehensive solutions meet all of the Cybersecurity Framework requirements and the desired outcomes for OT. These solutions also block the remote classes of risk identified by the MITRE ATT&CK framework, drastically altering the Return on Mitigation equation for OT networks and delivering the highest ROI by stopping most attacks before they can begin.

This last category is what BlastWave offers. If we compare the solutions and how they meet the desired outcome of OT Zero Trust Protection, a summary of the capabilities is below:

If you are interested in reading the details of OT Zero Trust protection requirements, please download our whitepaper and/or register for our webinar on Zero Trust Protection for OT today!
