I made a number of predictions in 2020, some overlapping, in both my coverage of the detection market and as a feature of the monthly ICS security month in review episodes of the Unsolicited Response podcast. The predictions help with my analysis and hopefully catalyze some conversions in the community. And every once in a while they are accurate.
ICS Security Month In Review Predictions
May’s Prediction: The rumored Microsoft acquisition for CyberX will not close for near the $165M that has been leaked, maybe for $50M less, closer to $100M if it happens.
Microsoft did acquire CyberX, and a single source in Israel gave the $165M price tag prior to and after the sale. Given the price of the SecurityMatters, Sentryo and Indegy acquisitions, and the fact that Microsoft did not see value from the installed base, I remain skeptical of that number.
June’s Prediction: Cyber asset and zone risk metrics will be a primary competitive factor in the ICS Detection and Asset Management markets over the next 1 to 3 years.
Accuracy: Looking good based on the fact that many, if not most, of the products are rolling this out in 2020 and highlighting it in their marketing.
July’s Prediction: The US .gov market will get some real ICS security talent due to a Covid-related softening of the ICSsec job market.
The dysfunction late in the Trump administration resulted in missing the window when there was real talent available, and the ICS security job market started rebounding in the fall. Even worse, the post election chaos and normal change in administration issues has resulted in less talent in US .gov.
There was no month in review podcast in August.
September’s prediction: Siemens will buy Claroty, or some other ICS detection company in the next year to jumpstart a recurring revenue security services business.
Accuracy: Pending with no indication of whether it is likely to be true.
The slippage that Claroty is having compared to top tier vendors Dragos and Nozomi makes Claroty a more likely acquisition candidate. Particularly in light of their need to either be acquired or have another funding round in 2021.
October’s prediction: We will not see widespread ransomware in hospitals over the next six months due mostly to human nature and fear of retribution.
Accuracy: Looking good for now, but still pending until April 2021.
November’s prediction: Chris Krebs will be offered his old job back as Director of CISA, and Bryan Owen chimed in on “why not Cyber Czar”.
The Solarwinds supply chain attack that occurred after this prediction make it less likely as a widespread government compromise happened while Chris was in charge. In addition, this would be viewed as a partisan move, and the Biden administration has been positioning the President-elect as a healer.
December’s prediction is not out yet.
Detection Market Predictions
From My ICSJWG Presentation In May (broader market predictions)
Market Split Prediction: Asset Management and Detection will be separate solutions.
Accuracy: So far, wrong, with most asset owners having one pile of money to buy one product.
I still believe this will be correct. The Tenable focus on vulnerability and configuration management is step in this direction.
Incident Response Prediction: Incident Response retainers will be major revenue source for many ICS detection vendors.
Accuracy: Partial at best to date. My SWAG is this is already true at Dragos.
Reduced Value & Price Prediction: This combines two predictions 1. Detection GUI’s / management app will be used for sensor configuration only, with a corresponding value / price collapse. And 2. Sensor appliances will be replaced by ‘embedded in switch’ leading to price decrease.
Accuracy: Partial at best to date.
The best indicators that this could be true are Cisco integrating the sensor tech into their industrial networking line and the continued statements by asset owners that they want to view the data on their enterprise tools.
May Market Analysis
Earlier Claroty Acquisition Prediction: Claroty will be acquired by Siemens or Schneider Electric in 2020.
I extended the timeframe and doubled down on this prediction later in the year.
Dragos Prediction: Dragos will have another funding round this summer, and then in 2021 be acquired by Crowdstrike.
Accuracy: Partial and too early to know.
The funding round occurred in December rather than in the summer for a reason I do not know. The $110M raised forestalls the need to be acquired in 2021, but I’ll let the Crowdstrike prediction ride.
Next Battleground For ICS Detection Products Prediction: Automated risk metrics and IEC 62443 compliance metrics will be where the ICS detection vendors, and asset management vendors will compete.
When this was predicted it actually was more a statement of where the pitches and new product features were focused on. So more of an early recognition of reality than a prediction.
November Market Analysis
Rundle Prediction: Some of the detection vendors will focus on selling a recurring revenue bundle that includes both their product and security services. The detection monitoring and incident response services being the key to unlocking the detection and forensics value of the product that is beyond most actual and potential customers.
Accuracy: Pending, but Nozomi’s Vantage offering and Drago’s valuation in the recent funding round make me optimistic this will be correct.
SIEM / Asset Management Integrations: Meaningful, seriously helpful integrations with Splunk, QRadar, ServiceNow and other enterprise software will occur only when those enterprise vendors add the OT data model and other OT capabilities into their systems … and they will. Until then integration will be primarily a data dump from the OT product to the Enterprise product.
Potential Acquirers: Vulnerability management companies (Rapid7), the big cloud providers (AWS), network device manufacturers (Fortinet), and ICS vendors for their managed service (Rockwell, Schneider Electric, Siemens) are likely acquirers of the ICS detection companies that are not break out stars (Dragos, Nozomi) and are not content with being niche players.