Part 2: Acquirers, Enterprise Vendors and Tier 3
See Part 1: COVID 19 Impact, Tier 2 and Tier 1 Analysis, and Valuation
First the updated chart and then the analysis below. You will see big changes in Tiers 2 & 3.
Funding data comes from Crunchbase.
Acquirers and Enterprise Vendors
When an ICS detection company is acquired by a vendor that is trying to sell to all parts of the company the OT side of the solution suffers and hopefully the overall value to the customer’s company increases. This is not a knock on the acquiring company, it is a realization that the purpose of the acquisition is not to maintain this small, in comparison, OT security island. The company was acquired to provide a more complete solution for large companies where ICS is a critical function.
With three significant acquisitions, and a fourth potential acquisition, we can start to see and forecast strategies.
Cisco Acquires Sentryo
I was waiting for one of the ICS detection competitors to try the bold move of jumping to where the market is going in three years, with the immediate hit to revenue. That is, where the detection sensor is a low cost collector, initial analysis, and forwarder of data to a SIEM/SOAR solution … AND removing the value and utility of the management system / GUI from a screen used for detection. The GUI would be only for system configuration (see Prediction 3). The price would go down dramatically and priority would be placed on two-way integration with asset management and SIEM/SOAR solutions.
The market may have missed this opportunity as Cisco is essentially doing this with the Sentryo sensors being embedded into Cisco’s industrial network equipment. Cisco will still be selling the management solution, but based on Cisco’s history of security acquisitions it would not be surprising for this to fade. The price will fall into line of a percentage of the underlying equipment cost for security.
Cisco’s industrial network equipment competitors are potential acquirers of the remaining ICS Detection vendors, such as the predicted Siemens acquisition of Claroty.
Forescout Acquires SecurityMatters
This was the first major acquisition in the ICS Detection space. SecurityMatters was faced with a decision between another round of funding or acquisition, and chose acquisition. While SecurityMatters insisted and still insists that the OT only SilentDefense product will remain a key offering, I remain skeptical because I wouldn’t recommend this if I were in Forescout.
Extending the Forescout eye products into OT with the integration of Silent Defense is the win. Existing Forescout customers with ICS would be the easiest sale, especially if it is a CISO decision. Existing SilentDefense customers who do not have a solution on the Enterprise can be pitched the Forescout solution. And new prospects can be told about the benefits of an integrated IT/OT solution.
If an asset owner is considering Forescout, it is an easy decision to put Forescout on the short list for OT security options. Both for what exists today and in the future. If Forescout is not being considered for the enterprise, then this would likely be true for OT as well. This does not mean that Forescout will abandon the SilentDefense installed base, as a former Tier 1 competitor it is too valuable. Growth of the base will decline, unless … rumors.
Note: COVID-19 has thrown a wrench into Forescout’s private equity deal.
Microsoft ‘Acquires’ CyberX
This has been rumored as happening since late February, and yet there is still nothing on the record from either company. This is all about adding ICS intelligence to Azure, if it happens.
Tenable Acquires Indegy
I wrote about this acquisition when it was announced and recorded a podcast with Marty Edwards, who recently joined Tenable. Of the four, this acquisition has the most similarity between what each company did in their own realm, especially since Indegy was the leader in active, sending packets, collection of information.
Much like the Forescout case we should see the sales and marketing focus on the overall Tenable solutions. Tenable.ot, powered by Indegy, will become additional features of tenable.sc and tenable.io.
Other Enterprise Vendors
Darktrace and Kaspersky are being moved into the Enterprise Vendor category. Kaspersky is by far the more active and successful of the two. We previously had Kaspersky in Tier 2. While my visibility is limited, they are likely dominating sales to the Russian team from a cyber nationalism perspective. Kaspersky’s ICS talent and ICS-CERT is impressive, and their product strategy makes sense. Much like Tenable, it is an enterprise security vendor extending their expertise, products and services into OT.
Tier 3
With acquisitions basically wiping out Tier 2, there is an opportunity for Tier 3 vendors to move up. To be the companies that will be the next acquisition targets for those that want technology at a lower price rather than pay more for a Tier 1 brand and installed base.
However you will see that Tier 3 has shrunk dramatically. SCADAfence has the best chance of the dwindling Tier 3 vendors to move into Tier 2 and be acquired. Aperio’s technical approach is different and places them as a potential acquisition candidate for an ICS cloud-based analytics company, or even OSIsoft.
- Fortiphyd Logic – Georgia Tech spinoff late to the game unlikely to make progress on the passive network side. More interesting for the Level 1 endpoint protection.
- GE – Their OpShield product has the best support for the GE Mark VIe and Bently Nevada products. The real potential win for GE is recurring services monitoring OpShield for their customers, and eventual integration with Digital Ghost. Not a player in non-GE environments.
- Honeywell – There hasn’t been much visible progress on ICS Shield since it was acquired with NextNine. Honeywell customers that do what Honeywell says are the likely market for this product, or, more likely, the Honeywell managed services.
- Rhebo – Remains a small player out of Germany. May have some customers or even a strong presence in German speaking markets (admittedly a blind spot for me). Expect them to stay in Tier 3 or give up on this product.
- SCADAfence – Based on demos (have not seen them in a pilot) the product is sufficient to move up. Market presence has them still in Tier 3, although Tier 2 vacuum may suck them up a tier. Pre-COVID they likely faced having another funding round or getting acquired in 2020, similar to the SecurityMatters and Sentryo decisions.
Process Variable Anomaly Detection
I’m a believer in the potential of process variable anomaly detection, especially when it is leveraging a digital twin similar to GE’s Digital Ghost. The idea of deploying a second monitoring network at Level 0/1 is unlikely to be widely accepted, and is why Mission Secure and Sigasec’s product strategy limits their growth potential.
- Aperio Systems – Uses data from historians as input to their machine learning algorithms. This is the future – but how far in the future? Next round of funding would indicate potential. They also are the most likely candidate to be acquired of the three in this niche.
- Mission Secure – They offer, but are not a serious competitor, in the passive monitoring of ICS Ethernet networks. There MSi Sentinel is monitoring Level 0/1 to identify process variable anomalies. Last raised money, $8M, in October 2018.
- Sigasec – There offering monitors Level 0/1 similar the MSi Sentinel. Next round of funding will be an indicator they have potential to be more than Tier 3.
Out
Some companies drop off the Tier 3 list.
- Bayshore Networks – really never belonged in this category. They do have a broad line of ICS protection products.
- Cyberbit – pivoted from OT security to “cyber ranges” for training and awareness.
- Darktrace – Moved to enterprise category. Has performed poorly in ICS focused RFP’s. Perhaps should be removed entirely, but will leave on for now.
- IronNet – Similar to Darktrace focused on enterprise. Made some noise that they were pursuing OT. Has not happened so dropping from the list.
- Videc – Still on their website, but no new releases announced, content or other activity seen on their IRMA product.