The ICS Cyber Security Detection market has 20+ vendors chasing this niche with most focused on passive network monitoring to create an asset inventory and identify cyber incidents. I’ve written on this developing market, interviewed participants on stage and in my podcast, and hosted an ICS Detection Challenge at S4x18 (and another planned for S4x19).
Our asset owner clients are getting bombarded by sales efforts from these companies and asking me what they should do. If their ICS security program is at the right stage of maturity, and they are willing to commit the manpower these solutions require, we are encouraging them to try one of the market leaders out.
Here are four predictions for the ICS detection market. The first three are straightforward, and the fourth is new, less obvious and the most interesting.
1) Most Will Fail
This is an obvious prediction because cybersecurity markets don’t have 20+ profitable competitors, and the ICS security market is much smaller than the general IT cybersecurity market.
The large number of entrants is largely due to the media buzz around critical infrastructure hacking and the free flow of venture and angel funding. Many VC’s want to have a play in this area, and the amount invested is a very small bet for most of the funds. (See my interview on this with two VC’s on the S4x18 stage). The funding is likely to accelerate the shake out as investors will want to get out of the non-winners with as much as they can salvage.
2) Passive-Only Is A Phase That Will End Soon
The competitors are almost all promoting passive-only solutions today because it is an immediate answer to the asset owner objection that adding security will cause an outage. That said, the information available using an active component that uses legitimate control system commands to gather data is so valuable to detection and asset inventory that the passive only solutions will be left behind. Most of the competitors know this and have active solutions in development, or already existing as stealth products, for when they feel the asset owners are ready.
(Personal Note: when we released the first ICS IDS signatures, funded by the USG, back in 2006 we were told repeatedly that passive IDS would crash the ICS. Really!?! It’s a slow moving community, but eventually we learn.)
3) Encrypted ICS Protocols Will Kill Passive Monitoring Over Time
Given the aforementioned speed of the ICS security community, this is not short term issue, but it is worth considering in vendor product strategy. Modbus and EtherNet/IP are being wrapped in TLS. OPC UA has encryption. Other protocols are starting down this path. I know Adam Crain has put forth an alternative that is technically compelling, but it seems like the wrap it in TLS will win the day. The highly security conscious asset owners are both the most likely to deploy encrypted ICS protocols and the most likely to invest in an ICS detection solution.
4) Even The Winners Won’t Be Around In 5 Years
(they are all interim steps and small parts of the detection solution)
No need for all of the participants and VC’s to panic. The winners, and there will be winners, will be acquired and some money will be made (see Tofino/Belden, RuggedCom/Siemens, Industrial Defender/Lockheed, Wurldtech/GE).
There are technical, trend and market end game reasons for this last prediction.
Technical
This product category is only a small part of an ICS and Organization’s cyber detection solution.
Despite the funding and market buzz, passive and active network monitoring are only a small piece of an effective detection solution. Even if you buy the argument that OT is better served with it’s own detection solution / OT SOC (listen to the S4x18 Scali / Lee debate on this), you would want a full featured OT SIEM. You would want to ingest firewall logs, application whitelisting events, Windows, Linux and ICS application security events, switch logs and eventually PLC/controller events (the bleeding edge is seeing examples of this such as GE Mark VIe lock and unlock controller security events). I’d argue that many of these are actually better indicators of cyber incidents than the passive anomaly detection monitoring. Monitoring ICS firewall logs for blocked egress attempts is a great example.
The products as they currently exist are not close to the end state for ICS detection. There are IDS/IPS products in the IT world, and this could be a sustainable small product niche. Given the size of the OT space as compared to the IT space, the operative word is small. It’s more likely the passive only monitoring solutions would either be purchased and absorbed into IT IDS/IPS products or into an ICS vendor solution in the same way the ICS firewalls were purchased. (More on the ICS vendor acquisition strategy coming)
Trends
OT is being absorbed into IT (albeit with special teams just like ERP)
The CIO / CISO / COO / IT are becoming responsible for ICS security and large parts of OT. The battle is over from a market perspective, the realization and results are just lagging. Without getting into whether this is good or bad, it was largely due to those in charge of OT ignoring (and often hiding) and not making progress on the ICS cyber-related risk for so long.
I know some readers are saying, hell no! Not in my company! And there will be hold outs who maintain a completely separate OT and OTsec organization for years. This is not comforting for ICS detection solutions, because these holdouts will be small and diminishing as the move to being absorbed into OT gains steam.
The middle is disappearing
The Internet and technology is destroying the middle. This includes people, companies and solutions that are between the source and the end customer. As noted in the previous section, this product category is not the end solution that customers want. It is in the middle. There could be specialized sensors on the ICS that send alerts, events and information to the ultimate detection solution, but these types of sensors don’t get the price points that a monitoring / detection application would receive.
Side Note: I’m fascinated what this means for one of my favorite and most impressive ICS companies OSIsoft. This is a separate article.
Managed Services and The Cloud!
Over time more and more of IT and IT services are being outsourced to managed services and moved to the cloud. With IT becoming responsible for OT, the result is a large amount of the ICS detection responsibility will be passed to 3rd party managed services and cloud services. Detection is a great candidate to be one of the first OT services to be outsourced because it does not affect operations. It is simply analyzing exported data.
Market End Game
It is possible that a small boutique ICS detection company can exist and be profitable (the ICSsec world has many examples of this including Digital Bond). The VC and angels investing in this sector have little interest in a company remaining and throwing off a few 100K or even a 1-5M of profit and doing good work.
The winners in this space will be acquired for their technology and market presence. The losers in this space might be acquired for their technology or just fade away. I should note that most of the ICSsec acquisitions over the last decade have been fire sales and bailouts, and the founders in the losing vendors will walk away primarily with experience.
Here are the acquirers in the order that is likely to lead to the most profitable exit for the ICS detection competitor.
1) Large ICS Vendors (Siemens, Emerson, Schneider, …)
Back in 2011 I wrote skeptically about Emerson’s Ovation Security Center as it was a bunch of commercial products cobbled together with no shared management, little or no value add and a high price tag. It points to the power of the asset owner / vendor relationship that Ovation Security Center has sold well and improved asset owner security, even though I doubt it is good business for Emerson.
I’m remain skeptical of the business case for a security product sale by the ICS vendors, although GE with their Mark VIe and others have followed Emerson. Now the ICS vendors are wisely looking at security as another cloud service, along with predictive maintenance, efficiency services and eventually remote operation and administration, they will offer with a recurring revenue stream. Deploying a cloud based security monitoring and detection solution as part of the install and commissioning is a great solution. Heck, they can even give away the first year service as some of the predictive maintenance teams have been doing for years.
The ICS vendors also have an advantage over the other options below in that they are trusted to deploy sensors and collectors on the ICS. They provided and often deployed the other cyber assets on the ICS.
So the large vendors will likely buy up the best in breed technical solution for their systems and protocols when the market gets a little squishy. The reputation and installed base matters little to the ICS vendor, and there will be some bargains from those going under or stuck with impatient investors. There is also the musical chairs game. Once a vendor buys an ICS detection company they are no longer an eager buyer.
Competitors in this market place might want to survey the market, find a large vendor that is not well supported by the other competitors, and be the best in that ICS line. This could help with sales to asset owners and provide an exit strategy. This strategy would be to focus R&D on deep support for a narrower business sector and ICS vendors as opposed to shallow support for a wide range of ICS.
2) Managed Services Provider
ICS and OT can be the tail that wags the dog in some large companies. It is a small percentage of cyber assets in very large companies; it has received a small percentage of IT and executive focus and corresponding resources; but it directly supports the core reason many of these companies exist (power generation and delivery, manufacturing, mining, petrochem, …).
An ability to detect cyber attacks and cyber incidents in this critical area will increasingly become a selection criteria for very large managed services contracts. A single contract with a Fortune 100 company could be reason enough to acquire one of the market leaders in the ICS detection sector.
3) IDS/IPS Solution
As noted earlier, IDS/IPS is only part of a detection solution. It has proved to be a viable product category and it would be relatively simple to add ICS anomaly detection technology to their sensors and management systems. The rationale for this acquisition could also be to gain a foothold in a sector, ICS product line or country.
Note that many of the firewalls / perimeter security devices have this deep packet inspection capability. A company like Palo Alto could acquire one of the competitors to expand and deepen their ICS App Id’s.
4) Pivot
The detection mission that allowed the competitors to raise the early money will be abandoned or superseded by another mission for some. Threat intelligence, asset inventory and audit, vulnerability management, change management, operational situational awareness and overall OT security program management are benefits being touted by many of the competitors.
5) SIEM Product
A SIEM product vendor has the same rationale as a managed services provider to acquire and integrate this technology. The difficulty with this acquisition is the selling and deployment of sensors. If they are not selling and deploying sensors today, it is unlikely they would do this for the smaller OT space.
The long shot option is one or two of the current competitors grows quickly in sales and completeness of ICS detection solution, spurns acquisition offers with the support of their investors, and either proves Rob Lee right that an OT SOC is the right solution or develops/acquires the IT part of an enterprise solution.
As the ICS vendors buy up solutions, there may be a spot remaining for an independent, vendor neutral offering. And perhaps some private equity firm would buy out the early investors to allow the company to be an independent and growing concern.
We will be testing the passive detection capabilities of this product category again in the ICS Detection Challenge at S4x19, January 15-17 in Miami South Beach. While this is not the end state of an ICS detection solution, it is where the sector is now, and it can be a powerful detection tool if deployed properly and used with the right resources. The Challenge tries to identify what the product category can and can’t do at this time and identify what are the best solutions available.