The Future of the ICS Security Market Revealed
Cue the music for the big reveal (Duhn Duhn Duhnnnnn)!!! As we approach the end of 2018, you will undoubtedly begin to see lots of articles and posts on the year in review, predictions for what the future brings, and more. So… I’ve decided to enter the fray and provide an update on the state of the state within industrial cyber security and what’s happening there. So here goes…
Roughly sixteen months after my first public predictions of what I expected to happen in the Industrial Control System Security (OT/ICS/SCADA) market, the time has come to review those predictions, compare and contrast them with the views of others who also watch this market, and then explain where I believe ICS security is headed. As I make my way through, I’ll be referencing several articles, written mostly by myself and by Dale Peterson of S4 and Digital Bond fame. You will find a list of those articles, all of which are loosely referenced or used contextually in the writing of this one, at the bottom of this article. Speaking of S4, I’ll be attending S4 this January… if any of you are planning to attend, reach out and let’s connect.
For now, let’s get back to the predictions! Back in August 2017, I pointed out that the market had too many players. At the time, Dale Peterson and I estimated roughly 20-25 vendors, and I predicted significant market consolidation. Today, as I type this article, the market has largely spoken: from what I can tell, only a handful of vendors of consequence remain (even fewer if you further sub-divide the market by applicable use case). Please note that in saying that, I mean no disrespect to any of the other companies or colleagues who are out there and have been hard at it for quite some time… trust me, I know what that feels like, as I’ve been right there in your shoes.
Vendors and pundits alike are fond of pointing to funding by VCs and PE firms as the critical determinant of who will be left standing in the end. But as I’ve previously noted, simply tracking who is getting funded by whom is not a solid gauge of who is winning in this market… funding only means something when a company has a solid product, service or solution that customers see significant value in and are willing to vote for in the form of dollars! Only when and if that’s the case can funding be applied to scale and accelerate market adoption. Otherwise, the investors are simply throwing more money at bad investments to prop them up and essentially “buy time”. I would submit that the market has evolved beyond that point: if a company is not winning deals and customers, its days are numbered. There is simply no better test for predicting winners and losers. In the words of one of my favorite Siemens colleagues, “either you handle the business, or the business will handle you”.
Since making those predictions, a few things have happened –
- Time – given the benefit of time, it’s easier to sort through all the hyperbole and get a real sense of who is winning and who’s not. Investors and boards are only willing to stick their necks out so far!
- M&A – time obviously plays a big role here too, but the realities and dynamics of the market come into play, forcing some out of the game altogether while snapping up others via acquisition.
- Market Drivers Revealed – perhaps I shouldn’t even say “revealed” so much as “reaffirmed”. I have a feeling that several of the folks reading this article already know this, but it has occurred to me that while several pundits and others seem to be focused solely on the ICS detection market, there’s a whole world out there focused on a few other areas of much greater importance and impact to their business. More on that in a moment…
Now, with all that as the backdrop… and with the added knowledge I shared in my last article re: standards, compliance, and frameworks, I’d like to finally share my thoughts on what matters most to companies (read: what’s of most value and impact), who in the market is meeting that challenge, and who will likely be left standing when the dust settles.
What Matters Most to Companies (Read: What’s of Most Value & Impact)
Coming back to the topic of frameworks, I’ve previously noted that many companies like to talk in terms of the NIST Cyber Security Framework, as do I. I have found it to be a great way to compartmentalize the issues to be addressed. Remember that the NIST Cyber Security Framework breaks the problem into five Functions: Identify, Protect, Detect, Respond, and Recover.
When it comes to cybersecurity programs, there is a clear chain of activities associated with those five Functions, starting with Identify and then heading left to right to Protect, and so on. If you map things out that way, you will note that Detect is not at the beginning. Curious… Why then is there so much focus and attention on ICS detection, e.g. anomaly detection? Well, I have my theories for why this is, and without a doubt it has become one of the most highly competitive areas of the market, as well as one of the biggest areas of focus. I don’t want to come off as stating that Detect, and ICS detection in particular, is not important… I really don’t. But what I will say is that it is not the use case of top importance to customers, nor should it be.
So, what is of most importance (you may ask)? Simple. It may sound silly, but sadly it’s true… most companies are just trying to figure out what they HAVE in the first place. I think we can all agree that if you don’t know what you have, it’s basically impossible to secure it. So, what do I mean when I say they need to know what they have? This is just another way of saying that companies need a way to understand what assets they have, both from an operational and a cyber perspective. In OT/ICS/SCADA parlance, this means everything at or below the de-militarized zone (DMZ), i.e. Level 3.5 and below in the ISA-99/IEC 62443 reference model. On the IT side of that DMZ, everything speaks TCP/IP of one form or another, and it is relatively simple to download an asset inventory tool off the internet, feed in a range of IP addresses and VOILA! Back comes a list of assets with IP addresses and all sorts of information about those devices, how they are connected, etc.
If you attempt to use that same approach in the OT/ICS/SCADA environment, one of two things will happen –
- Nothing happens – this is the least of your worries, but the gist is that the tool is ill-equipped, so instead of seeing your asset list you see nothing. Why? Because many (if not most) OT/ICS/SCADA systems are heavily proprietary: they speak industrial or vendor-specific application protocols rather than the services an IT discovery tool expects to find (SNMP, WMI, SSH and the like), and some of them, such as serial fieldbus devices, don’t speak IP at all. Consequently, a standard IT tool won’t have a clue how to interact with them and get the information needed.
- Bad things happen – I really hope this doesn’t happen to you, but the other alternative is that the IT tool causes control equipment to freeze, reset, reboot, or crash, potentially leading to loss of visibility, loss of control, or loss of measurement. Why does this happen? Simple… IT tools use active techniques in a relatively blind way. They reach out and ping and prod devices without knowing what they are really talking to, and without any idea whether that technique is acceptable for the device on the other end. OT/ICS/SCADA equipment is generally built for one purpose and one purpose alone: to operate at maximum efficiency and effectiveness, taking simple measurements from sensors, reporting to graphical user interfaces, or adjusting control operations based on a simple set of parameters. It is not built to handle obtrusive scanning and the like.
So, there’s your dilemma. People need to know what they have, but –
- They cannot use their favorite IT tool to gather this information.
- They don’t want to pay for an asset management module from every OEM vendor within their environment (e.g. Siemens, Rockwell, Emerson, Honeywell, etc.).
To make things even more interesting for utilities in North America, or anyone globally who aligns to NERC CIP, they are actually mandated by regulation to know what assets they have and to monitor changes to their asset base, such as configuration changes.
I like to talk about this dilemma, to some extent, by collapsing all the information on this topic into a single use case, which I think you will find to be a foundational issue to be solved. We simply call this “OT Asset Management”. Without OT Asset Management, asset owners have no idea what they have, how vulnerable it is or is not, or anything else of great consequence.
But… once you understand what you have, you can begin to layer on additional use cases or solution sets that provide a much clearer picture of the OT/ICS/SCADA environment. Said differently, this is what begins to give you visibility and awareness of your environment.
In my opinion, the best vendors and solutions out there not only speak in terms of simple asset inventories (i.e. a listing of what you have), but more importantly delve into the assets in a much larger way, legitimately helping optimize the operation of those assets by improving engineering productivity or improving actual asset operations by some measure. (What is the relationship between cybersecurity and productivity?) They not only track configuration changes, but can also align those changes with the management-of-change mechanisms and with corporate change and/or audit policies (I see a change was made, but were the proper individuals or groups notified and aware prior to the change?). Systems must provide asset information on the entire system, not just the assets that are talking on the network. And given that not all traffic is TCP/IP network traffic, the system must have visibility down to Level 0, to the serial devices. And finally, for companies in the Energy/Utilities space, there simply must be the ability to automate tracking and reporting aligned with NERC CIP.
In short, the best systems are not OT/ICS/SCADA cyber security for cybersecurity’s sake, but rather are squarely centered on asset management for operations, while still providing measurable security benefits as well (some would even say as a side effect). Why am I saying this? Because asset owners care about safety and operations at the end of the day, not cybersecurity for security’s sake. By approaching it this way, asset owners achieve a positive ROI much faster.
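As an added illustration of what the passive alternative to "ping and prod" looks like in practice (this is my example code, not code from the original post or from any vendor mentioned in it), the Python below builds an inventory purely from frames observed on a SPAN port or TAP, never sending anything towards a device, and then diffs a stored baseline against a later snapshot to surface new assets, new peers, and writes from stations that are not on the approved engineering-workstation list. It assumes Modbus/TCP on port 502 as the protocol in play; the IP addresses, the frames and the approved-writer list are constructed for illustration. Two details are worth noting: a slave answering for several unit IDs is almost certainly a Modbus/TCP-to-serial gateway, which is the only way the serial devices behind it ever show up in a capture, and a frame on port 502 that fails the MBAP protocol-id/length check is simply ignored rather than probed.

```python
"""Passive OT asset inventory with baseline change tracking.

Added example, not the original post's or any vendor's code. Assumes Modbus/TCP
(port 502) and frames taken from a SPAN/TAP; all addresses and frames below are
constructed for illustration.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Function codes that change device state; reads are 1-4.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_mbap(payload):
    """Return (unit_id, function_code) from a Modbus/TCP ADU, or None if the
    bytes are not a well-formed Modbus/TCP frame (wrong protocol id or length)."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # The MBAP length field counts the unit id plus the PDU (everything after byte 6).
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def modbus_frame(tid, unit, fc, data=b""):
    """Build a Modbus/TCP ADU; used only to construct the sample traffic below."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def new_asset():
    return {"roles": set(), "units": set(), "functions": set(), "peers": set()}


def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Purely observational: no packet is ever sent towards a device."""
    inv = defaultdict(new_asset)
    for src, sport, dst, dport, payload in frames:
        if dport == MODBUS_PORT:        # request: the source is the master (client)
            master, slave = src, dst
        elif sport == MODBUS_PORT:      # response: the source is the slave (server)
            master, slave = dst, src
        else:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:              # something else on port 502: ignore, never probe
            continue
        unit, fc = parsed
        fc &= 0x7F                      # exception responses set the high bit
        inv[master]["roles"].add("modbus-master")
        inv[master]["functions"].add(fc)
        inv[master]["peers"].add(slave)
        inv[slave]["roles"].add("modbus-slave")
        inv[slave]["units"].add(unit)
        inv[slave]["functions"].add(fc)
        inv[slave]["peers"].add(master)
    return inv


def snapshot(inv):
    """Deterministic, JSON-friendly form of the inventory: what you store as the baseline."""
    return {ip: {k: sorted(v) for k, v in a.items()} for ip, a in sorted(inv.items())}


def serial_gateways(inv):
    """A slave answering for several unit ids is most likely a Modbus/TCP-to-serial
    gateway; each unit id behind it is a serial device with no IP address of its own."""
    return {ip: sorted(a["units"]) for ip, a in inv.items() if len(a["units"]) > 1}


def diff_inventory(baseline, current):
    """New assets, missing assets, and attributes that grew since the baseline."""
    findings = []
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            findings.append(("new-asset", ip, None))
        elif ip not in current:
            findings.append(("missing-asset", ip, None))
        else:
            for key, values in current[ip].items():
                added = sorted(set(values) - set(baseline[ip][key]))
                if added:
                    findings.append(("changed", ip, f"{key}+{added}"))
    return findings


def unexpected_writes(inv, approved_writers):
    """Management-of-change check: masters that issued write function codes
    but are not on the approved engineering-station list (constructed here)."""
    return sorted(ip for ip, a in inv.items()
                  if "modbus-master" in a["roles"]
                  and a["functions"] & WRITE_FUNCTIONS
                  and ip not in approved_writers)


# Constructed sample traffic (not a real capture).
HMI, EWS, PLC, GW = "10.1.1.10", "10.1.1.99", "10.1.2.20", "10.1.2.30"
BASELINE_FRAMES = [
    (HMI, 50001, PLC, 502, modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),     # read 10 holding regs
    (PLC, 502, HMI, 50001, modbus_frame(1, 1, 3, b"\x14" + b"\x00" * 20)),  # response
    (HMI, 50002, GW, 502, modbus_frame(2, 1, 4, b"\x00\x00\x00\x02")),      # unit 1 behind gateway
    (HMI, 50003, GW, 502, modbus_frame(3, 2, 4, b"\x00\x00\x00\x02")),      # unit 2 behind gateway
    (GW, 502, HMI, 50003, modbus_frame(3, 2, 0x84, b"\x02")),               # exception response
    (HMI, 50004, PLC, 502, b"GET / HTTP/1.1\r\n"),                          # not Modbus: ignored
]
CURRENT_FRAMES = BASELINE_FRAMES + [
    # A new engineering laptop writes one holding register on the PLC.
    (EWS, 40001, PLC, 502, modbus_frame(9, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),
]

if __name__ == "__main__":
    baseline = snapshot(build_inventory(BASELINE_FRAMES))
    current = build_inventory(CURRENT_FRAMES)
    print("serial devices behind gateways:", serial_gateways(current))
    for finding in diff_inventory(baseline, snapshot(current)):
        print("change:", finding)
    print("writes outside MoC:", unexpected_writes(current, approved_writers={HMI}))
```

Run as a script, it reports the gateway fronting units 1 and 2, the new laptop as a new asset, the PLC's new peer and its first observed write function code, and the laptop as a writer that nobody approved. In a real deployment the frames come from a capture library, the baseline is persisted, and each diff is reviewed against management-of-change records; note that the diff can only ever be as complete as what crosses the monitored link, which is exactly the "not just the assets that are talking on the network" limitation noted above.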
Who Is Meeting This Challenge?
Knowing almost all of the dominant market participants extremely well, there is only one vendor that meets the criteria in their entirety from where I sit. It’s because of that fact that Siemens selected PAS Global as its strategic partner of choice when it comes to the OT Asset Management use case. Some of you may know or have met Eddie (Habibi), Tamara (Anderson) and the rest of the team… PAS has been in business for more than 25 years now, and they have the experience and the customers to show for it. In addition to forming a strategic partnership with Siemens, PAS also received significant funding to accelerate market adoption, to the tune of $40M in May 2017. Together, Siemens and PAS are addressing this foundational use case for customers across the spectrum and across the globe.
There are other market participants who can provide bits and pieces of the criteria above. But the fatal flaw for most (if not all) of them is that their primary orientation is security, rather than operations (plus security). PAS provides an orientation that works for both operational engineers (plant engineers, control specialists, etc.) and cyber-focused practitioners. That may sound like a subtle difference, but it is a huge one.
Other vendors in the market that touch on the elements cited above include –
- Claroty (asset inventory, tracking configuration changes for what can be seen on the network)
- Nozomi Networks (asset inventory, tracking configuration changes for what can be seen on the network)
- Dragos (asset inventory, perhaps more)
- Security Matters (now Forescout; asset inventory, tracking configuration changes for what can be seen on the network)
These are the other dominant vendors that also perform aspects of OT Asset Management, and clearly the market has spoken at this point in terms of consolidation. It has been noted that these vendors (with the exception of Security Matters) have 4-5X the number of customers of any other vendor. As such, these dominant vendors, along with two other powerhouses I will detail in the next couple of weeks (Tenable and Darktrace), seem to have all the measurable traction in the market. I should probably note here that the only reason I didn’t already add Tenable or Darktrace to the list above has more to do with style than anything else: neither I nor Tenable or Darktrace themselves see them as focused on the OT Asset Management use case.
This leads to the next two topics I plan to write about, which are (in my humble opinion, as well as that of many in the market) the two next most important use cases – Vulnerability Management and Detection. Assuming you have the foundational use case of OT Asset Management addressed, the next thing you are going to need is a clear picture of what vulnerabilities exist and, of those, which are the highest priority. And from there, we will branch into detection…
Just one last point before I wrap up. It should be noted that for the foreseeable future there will be a need for devices such as data diodes/unidirectional gateways, boundary and next-generation firewalls, patch management, whitelisting, and other protection mechanisms. All of these are admittedly part of the larger industrial cyber security market and largely help with the Protect portion of the NIST Cyber Security Framework. As a result, vendors such as McAfee, Symantec, Cisco (firewalls), Waterfall, Owl CyberSecurity, Palo Alto Networks, and a number of additional companies have not been cited here, nor do I plan to cover them overtly. Please don’t mistake my not covering them now or in the future as a statement that I don’t believe in them or see a need. Rather, just as my previous article noted, they are stupid simple security… in other words, you don’t have to think about it… you just do it!
I hope you all find this article to be of assistance to your endeavors as you are implementing your industrial cybersecurity program, and that you’ll join me for the ones to follow…
Background & Loosely Referenced Articles
The original post can be accessed here.
This article was written by Matt Morris, an Industrial IoT and cybersecurity entrepreneur, executive and author. Matt is currently Managing Director & Regional Head for the Siemens Industrial Cyber & Digital Security Group, where he leads all aspects of the business, from P&L ownership to business development, sales and delivery, and advising on strategic investments and acquisitions with Siemens’ investment arm, next47.