Since I began seriously covering the ICS Detection Space in 2016, the products were quite similar. They passively listened on switch span ports and taps to:
- create an asset inventory (and provide vulnerability management but not asset management)
- detect attacks using a combination of signatures, anomaly detection and behavioral analysis
The vendors were mostly startups with a few exception, such as GE and Kaspersky. It was a simple matter of analyzing similar offerings across product, sales and marketing, headcount, finances and installed base. And after that they could be put in tiers. This has changed.
The product of the last five years still exists, and it remains a competitive space. However, it has been split by narrower solution areas, new or more highly promoted managed services, and go to market / channel strategies. I have yet to find a simple way to create a diagram to show the market, so I’ll break it down by categories.
“Traditional” Products From Dedicated To ICS Detection Companies
If I was still doing tiers, Nozomi and Dragos would be Tier 1. They are the two best positioned companies to remain private or IPO for the next three years. That said, my expectation is one or both will be acquired in that timeframe.
Dragos wins the majority of the business in geographical areas they are active in when the decision maker is responsible for the SOC, directly or up the organizational chain. The $110M of recent funding will likely only enhance their marketing and talent acquisition leadership, see Part 1. With CISOs increasingly getting overall responsibility for OT, this is a great position to be in.
Nozomi’s path is less clear. The introduction of their own managed service and new partnerships with Yokogawa and Honeywell to use the Nozomi product in their managed services may indicate a strategy to focus on winning the platform for managed services approach. More likely it is just one of a multi-pronged effort to get their product into the market. More will be known after the next funding round or if they choose acquisition rather than more investors.
Claroty has slipped to the second tier, but is still above all others, so they would be alone in this second tier. All other independents would be in the third tier, and will be a niche player or bought out as discussed in Part 1.
Solution Areas
Vulnerability Management
All of the participants in the traditional ICS detection market tout their vulnerability management. What we have seen is this is also now a product category by itself in a converged IT/OT. The person in OT might want to buy a single product that does detection, asset inventory, vulnerability management and more with their one chunk of money. If a company has invested in a vulnerability management solution, and the CISO has a say in the decision, many would want the IT vulnerability management solution to cover OT as well.
The best example of this solution area is Tenable after their acquisition of Indegy. I asked Marty Edwards, VP of OT at Tenable, how he would describe Tenable’s offering. He said Tenable is the “ground truth for the state of the asset”. This included knowing all of the vulnerabilities related to missing security patches as well as configuration vulnerabilities. Note that this is not attack detection. Also important, Tenable is not in the asset management business, and are focusing more on integrations with those that do asset management such as ServiceNow.
Tripwire, who is not in the detection space, competes in the vulnerability management space and has both OT and IT experience and products. They are not a pure vulnerability management play as they do asset management and protection products as well.
Rapid7 is a big player in vulnerability management and offers a SIEM. This makes them a potential acquirer if they believe that asset owners will want a unified vulnerability management solution. The same is true of Qualys and other companies with vulnerability management solutions.
Edge and Cloud Services
Microsoft’s purchase of Tier 2 vendor CyberX was all about accelerating their IoT edge and Azure cloud services, as evidenced by this Microsoft article. The ICS protocol technology and the development team were the prize. Microsoft wants to get the IoT data, in the broadest definition of IoT, into the cloud so they can use it to offer digital twin services, predictive maintenance services, and other services.
They may offer security services in the cloud, but they won’t be deploying CyberX sensors off of ICS switches. And why would they? It will be a lot easier to get the information from the Cisco switch with the ICS detection module and stay out of that market.
Does this mean that Amazon, or Google or IBM, may be a potential acquirer of a traditional ICS detection vendor? Perhaps, but I think it is just as likely that Amazon could choose to pick a subset of the protocols that are most likely to result in data sent to the cloud (80/20 rule) and do it themselves.
Network Devices
Cisco bought Sentryo to integrate the detection capability into their network equipment. From Cisco’s site:
“No need for dedicated appliances and out-of-band networks. Cisco Cyber Vision is embedded into Cisco’s industrial network equipment. You will appreciate the unique simplicity and the lower costs when looking for deploying OT security at scale.”
What if rather than deploy another appliance you could replace your ancient switch with a new switch and the integrated detection engine at the same or lower price? You can. The detection engine as a VM or container in the network device is the future. This is why I predicted earlier in the year the prices of the detection appliances is going down. Which may be a shock to some of the traditional ICS detection vendors who have been slashing prices, temporarily they thought, to win deals.
Could other network device manufacturers be potential acquirers of the detection vendors? The ones with large sets of industrial network devices would be the most likely candidates.
Here’s an idea. It would be a very risky, bet the company, gangster move … what if an ICS detection vendor moved strictly to providing low cost VM/container detection sensors for network devices that sent the data to SIEMs and asset management solutions? It might be the move if you know you can’t win the competition as it exists, and you have enough money left to last two years.
Larger Companies With A Security Portfolio
This category includes companies that have added on to their IT security portfolio by buying or building an OT capability. If the asset owner uses this product for IT, it is worth a serious look for OT. And vice versa. The best thing about this category is the OT detection product is much less likely to disappear or change markedly by acquisition.
Kaspersky is the best example of this category. They have complimented a broad endpoint focused IT security line with an endpoint focused OT security line. The challenge for Kaspersky, beyond the Russian company selling to US and Europe issue, is that the ICS vendors still hold sway over what endpoint security products are approved to be deployed on their system.
Forescout, with their purchase of SecurityMatters two years ago, is another example. Unlike CyberX, it appears that the SecurityMatters product is being used as entree to sell other Forescout security products and cloud services into existing SecurityMatters/eyeInspect customers.
Of course, Tenable would also be in this category.
ICS Vendor Managed Services
ICS vendors like Honeywell, Schneider Electric, Siemens, Yokogawa and many others are offering ICS detection and other security services. Some have also announced they are reselling detection products. ICS vendors selling detection products are unlikely to be much of a factor in the market. The additional revenue from the detection product is a tiny percentage of the system and not worth the trouble for the sales and deployment team.
Managed services are recurring revenue, and they are counted in a different bucket. Vendors have been announcing these offerings for about three years now. Lately, it seems to be more serious both in what is being offered and the marketing of the services. This will at a minimum test to see if the asset owners want this from their ICS vendor.
There are conflicts of interest with the ICS vendor having to report that their own product or team is deficient. And there are issues with many asset owners that are not a single vendor shop. If I have Emerson, Rockwell and Siemens deployed, whose managed service to I sign up for?
The main factor going for this offering is that often asset owners trust their ICS vendor and even more often they rely on them. In these cases the ICS vendor is who they ask if there is an issue or concern. When the Emerson Ovation team came out with a highly priced combination of OEMed security products and called it Security Center, I doubted that electric and water sector customers would buy this from Emerson. I was wrong. The Emerson seal of approval and making it slightly easier to maintain commanded a much higher price than the combined products.
These ICS vendors are another potential acquirer of the traditional ICS detection vendors. This could be to jumpstart and drive down the cost of the managed service, or it could be a competitive move, or both. When Shell asked all of their vendors to use Nextnine so they could use the same product across their sites. The vendors went along and integrated it. And then Honeywell bought Nextnine causing difficulty for their competitors.
Prediction: The ICS vendors will have some success measured by their ICS security managed service market share when the market is small. As it grows larger their market share will decrease. Their best hope for recurring revenue services are around digital twin related services.