My interview last week with Nozomi Networks CEO Edgard Capdevielle dug deep into the OT visibility and detection market as it stands today and, more importantly, where it is heading in the next 1-3 years. There was a lot of candor and many interesting comments from Edgard, and his thoughts on convergence have stuck in my mind.
Based on his past experience in storage, he actively sought out a segment undergoing convergence and stressed that convergence, once started, goes in only one direction.
Key excerpts from Edgard in this clip:
Convergence is an incredible force … here we go IT/OT convergence … All security markets eventually go to the CIO/CISO. Convergence is a one-way street … OT makes it go at a different pace … the path is the path that many other industries have walked before.
This led to the follow-up question: if convergence, once started, is a powerful force in one direction, why wouldn't most of the functionality of the OT visibility/detection management platforms be converged into their enterprise equivalents, such as Splunk or ServiceNow? Edgard, like Dragos' CEO Rob Lee, doesn't believe this will happen because OT is different, and they are betting on this with their time, sweat and equity.
I’ve conveniently taken both sides of this issue. In OT visibility / detection market predictions I wrote in Oct 2019:
Passive Detection GUIs will be used for configuration only. Those great demos the ICS passive detection security vendors provide on how an analyst can use their GUIs to detect and analyze incidents … not important. They will go away. An analyst doesn't want to look at this screen. The analyst wants the screen that all of the potential detection data feeds into.
And then in an article I wrote last month I pointed out that what most are calling convergence is actually integration, and that IT/OT integration, not convergence, is what is currently happening.
This conversation with Edgard has made me wonder if that recent Integration v. Convergence article underestimated the power of convergence. I think it is still dead on that we should not conflate integration and convergence. Connecting OT systems to IT systems and passing information, and even commands, between them is integration; having a single system handle a function for both OT and IT is convergence.
Today, at best we can say there is increased integration. Data has been sent to the enterprise for decades, but more is being sent. This data is being stored and used in more systems for more purposes. Detection events and asset inventory from the OT visibility / detection solutions are being integrated with their enterprise equivalents.
It's hard to think of convergence examples (beyond technology convergence, where OT adopts the same technology IT uses, e.g. Windows, application whitelisting, managed switches, which is something else). Perhaps you could say OT perimeter firewalls are converged with enterprise firewalls, or that anti-virus updates and management are IT/OT converged into a single system.
OT visibility and detection are great solution categories to watch because they can be truly converged into a single system with minimal impact on the IT/OT separation or risk to OT. The argument Edgard, and I believe Rob Lee, make against this convergence is that OT data requires special knowledge and skill to be of use, and that this is why the OT visibility/detection solutions will not be converged into the enterprise solution.
The conversation with Edgard makes me wonder again if I, along with most of the ICS/OT community, am underestimating the power of convergence. In an early draft of this article I wrote "we may end up with a world where the OT sensors in the OT visibility/detection solution will be all that remain", as I also predicted in 2019. But if convergence is this powerful a force, then why would we have an OT specialized sensor at all? Looking at Cisco and other switch manufacturers, why wouldn't they integrate the IT and OT sensor code into a single container in the networking device?
And to finish with a real blue sky thought, what if the OT specialized business model is selling an OT specific update feed to all the vendors offering these sensors? Looking back to the 2006-2009 timeframe, Digital Bond had the large network and IDS companies trying to buy a frequently updated ICS IDS signature feed from us. We passed on the opportunity, and it was unlikely to have been a viable business model back then.
How much true OT convergence with the enterprise will there be? In five years, the market will have decided and shown us the answer.