See previous analysis on my ICS Detection Market page.

We Have A Winner

The ICS Detection Market is the clear ICS security market winner of 2021 to date. Even before the Colonial Pipeline incident it was clear that well funded and relentless marketing by vendors in this segment has achieved dominant mindshare. Visibility and detection are rated as the top priorities in government, industry groups and influencers.  

This was not an overnight occurrence. The widespread promotion of these solutions dwarfed other messaging in 2017 – 2020. The reason it is now safe to declare it the winner, at least in the US, is the Biden administration is parroting this segment’s message. As evidence, three of the four bullets in the US Dept of Energy’s 100-day electric sector security sprint promote buying a product or service in this segment, see below.

  • “Encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;
  • Includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks; 
  • Reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks; and 
  • Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.” 

This mindshare win compels an asset owner CISO to have a visibility and detection solution deployment plan for their career’s sake, regardless if it’s appropriate at this time. The effective and near omnipresent messaging will reach the CEO and Board, and they will demand to know what the company is doing for OT incident detection.

A potential speed bump is if the US Government extends its efforts to offer detection as a service as part of the information sharing exercise. Although the performance of the US government would almost certainly be far worse than private industry, it would provide cover for asset owners that need to say they are doing something and don’t want to spend resources on this. These would be reluctant paying customers anyway, so the market impact is likely delay due to confusion, more then lost customers. 

A new competitor for mindshare are the Supply Chain / SBOM vendors, and I’ll start coverage of this market this summer. Detection still has at least a 2-3 year window as the dominant solution in terms of spend, as creating SBOMs is one of the easier parts of the solution. Most asset owners can’t leverage the basic asset inventory the OT detection solutions create, let alone the expansion SBOM level detail would provide. It’s likely the detection solutions will try to extend their asset inventory and vulnerability management claims and import SBOMs. Perhaps even trying to subsume this segment into their visibility claims. Worth watching.

Finally, I can’t help myself from noting that we still, more than 20 years later, are awaiting the US Government saying that asset owners should deploy ICS that include basic authentication… that insecure by design must be addressed.

Show Me The Money!

My December analysis (Part 1 and Part 2) contended that both Claroty and Nozomi were overdue for a funding round, The upcoming marketing/sales push from Dragos after their $110M round only added to the need for these companies to either raise money, get acquired, or pursue a smaller niche strategy. Six months later no funding has been announced, although there are many murmurs.

The delay, for whatever cause, looks like a win for Claroty and Nozomi. The Colonial incident and Biden administration efforts can be pointed to as compelling evidence that the market is about to grow quickly and a higher valuation is in order. Any further delay however would be worrying, as Dragos has likely started to deploy a large chunk, let’s guess $30M, for 2021 marketing and sales.

There hasn’t been much change in the big three companies in the space. Dragos (elite team and threat intel) and Nozomi (enabling large asset owners and MSSPs to manage large deployments) positions have remained constant. Nozomi continued the push of their Vantage SaaS offering. Directionally this makes sense for Nozomi, but the current offering and publicly discussed vision is still immature. Claroty’s next move is still a mystery to me and a number of others in the industry who ask “what is Claroty doing?” or “what happened to Claroty?”.

The rest of the market competitors continue on, limited and falling behind more based on their marketing, sales and services rather than their products. In fact, they often can provide high quality reference accounts that love their solution. The problem is the effort required to win and service that customer as compared to available resources is limiting.

The only noteworthy venture round in the last six months was SCADAfence raising $12M, with one of the strategic investors being Rapid7.

December’s Part 2 update went into detail on potential acquirers, and this is still applicable. The only addition is FireEye, and perhaps they should have always been explicitly mentioned on a potential acquirers list. They have OEMed or used Nozomi, Claroty, Tripwire and others in the past. FireEye’s discovery of the SolarWinds incident, being brought in by Colonial Pipeline to help with the ransomware incident, and the previously discussed detection push makes this an ideal time for FireEye to have an OT detection offering.

Send In The Clouds

One area I’m trying to get smarter on for better analysis is what the enterprise software and cloud solutions are doing that could leverage, lower the value of, or directly compete with the OT detection market. Microsoft’s Azure and Amazon’s AWS now offer OT/IoT anomaly detection that could eventually be competitive. Splunk released Version 2 of their OT Add-On. And ServiceNow just announced a new manufacturing module. Stay tuned for more on this.


The biggest change in the last six months is an increase in the drivers of market demand. Little change occurred on the competitive front which benefits the leaders and makes more than niche success more difficult for all others.