As Claroty expands its “Claroty Technology Alliances Program” (CTAP), we have noticed a shift in the OT landscape in the context of network policy enforcement, segmentation, and network-centric controls to reduce XIoT risk. A couple of years ago Zero Trust and micro segmentation were unheard of in the OT world. Operating in converged networks, such as in healthcare-delivery organizations (HDOs), Claroty came to a conclusion that the most effective way to mitigate XIoT risk was not to rely solely on a patching strategy or a detection-only approach, but rather to combine these with a network-centric protection approach such as group-based segmentation or ACL-based enforcement. While these techniques have proved effective in healthcare and other converged environments, they are not as relevant in OT environments due to the obsolete network equipment commonly found in these settings. For example, the inability to enforce ACLs at scale and to tag devices on the switch level are two challenges OT networks face with effective network policy enforcement. These legacy challenges and the absence of NAC or equivalent orchestration technology, such as East-West firewalls that enforce authorization policies for the industrial internet of things (IIoT), have led to an industry-wide trend of detection-only technologies, such as Claroty’s CTD, to address the cybersecurity risks in IIoT and OT.
As digital transformation continues to drive IT/OT convergence and an era of remote work persists, new and existing companies are coming forward with solutions that bridge the gap between OT Operations and OT network security. Throughout the past 18-24 months, we were thrilled to observe a new wave of vertical-specific technology vendors that are tackling the complex problem of network policy enforcement. Especially in mission-critical environments, like industrial OT networks, with all their unique complexities and constraints. These new tech vendors are joining the efforts of traditional network security vendors, and Claroty’s strategic partners, including Cisco and Fortinet, to enforce network-centric controls within those mission critical environments. Their efforts present a viable path to mitigate XIoT risk with protection/prevention bolstering the detection-only approach.
This approach was synergistic with the introduction of Claroty xDome, changing the CPS security narrative from detection-only to a combined approach of detection and protection (prevention). xDome’s Network Security Management (NSM) module enables contextual Zero Trust controls to protect cyber physical systems (CPS). xDome NSM provides accurate XIoT policy recommendations, encompassing Claroty’s deep domain expertise, OEM relationships, a broad installed base, and dedicated research around the manufacturer-intended behavior of XIoT assets. With xDome NSM, organizations have a tangible way to compare observed device behavior to a clean “intended” policy, examine deviations, tailor the policy to their specific configuration / environment, simulate the policy effect to demonstrate network impact before and after implementation, and leverage Claroty’s seamless integrations with our Strategic and CTAP partners to actually deploy and enforce those policies throughout the OT environment without impacting operations.
As a method of network segmentation, xDome’s network protection capabilities lay the foundation for the Zero Trust practices that are core to improving an organization’s cybersecurity posture. Many of our partners utilize xDome to enrich their asset information by pulling asset, risk, and vulnerability data from the platform to enable contextualized policy enforcement. Some of our newly onboarded network security CTAP partners who keep innovating in the field of OT network policy enforcement include:
Arista Networks (https://www.arista.com) - CloudVision AGNI leverages device context from Medigate by Claroty. This greatly simplifies the identification and onboarding process of IoMT assets and application of segmentation policies to mitigate their risk.
Elisity (https://www.elisity.com) - The integration of Elisity with Claroty's industrial and healthcare solutions is geared towards enriching XIoT device identity for streamlined policy enforcement.
Mission Secure (https://www.missionsecure.com) - The integrated Claroty and Mission Secure solution enables organizations to gain not only complete visibility into their OT networks, but also the ability to enforce granular, context-aware cybersecurity policies.
Open Cloud Factory (https://opencloudfactory.com) - Open Cloud Factory leverages Medigate’s deep situational awareness to enrich its organizational-wide inventory covering IT, IoMT, and OT. This combination enables precision-based IoMT and IIoT enforcement profiles. Leveraging this increased precision and additional XIoT context allows for optimal preventative and responsive network security controls from OCF’s centralized enforcement point.
Opscura (https://www.opscura.io) - Leveraging the Opscura - Claroty integration minimizes network change management and network process workflows for a faster deployment. Additionally, Claroty enriches Obscura's device modeling so that it can have more accurate visibility into the network where it is deployed.
Effectively segmenting industrial and other mission critical networks can be a tedious, error-prone process. Understanding this challenge, Claroty enables our CTAP partner ecosystem to successfully protect the mission critical environments we are deployed at with all the network protection capabilities xDome and our partners have to offer. The CTAP program allows network security companies to easily integrate with Claroty’s products and join together with our Strategic Alliances — including Cisco, Fortinet, and Crowdstrike to provide better-together solutions to our customers. With more NSM focused integrations to come, we look forward to expanding our partnerships and ensuring the cyber and operational resilience of critical operations.
To find out more about the CTAP program and to sign up as a CTAP partner, visit: /partners/technology-alliances/ctap
