The first OT Security product segment to have a company, actually multiple companies, valued over $1B is OT Detection. The next OT security product segment that is seeing multiple early stage investments and has the same look of fast market cap growth in the next 1-3 years is the software/firmware analysis space. The main feature driving this segment’s growth is the SBOM and vulnerability management component.

What do these two product segments have in common? It’s not that these are the most pressing product needs from an OT cyber risk reduction and management perspective. For example, neither addresses the insecure-by-design / lack-of-authentication problem found in most ICS protocols and Level 1 devices today.

So what do these two product segments have in common? They both can be deployed and used without making any changes to the ICS or the physical system being monitored and controlled. Detection got its foothold by being passive, only listening to the network. Even listen-only deployments met serious pushback in the early years, as Operations was skeptical that the cable into a switch SPAN port was not putting traffic on the network.

SW/FW analysis is an offline process that does not even take place on the ICS. The input comes from the vendor, or from an asset owner providing a vendor package. The output from the analysis is some sort of human- or machine-readable file. These files can drive changes to an active ICS, primarily patching and secondarily configuration changes, but only if the changes are approved by the team doing cyber maintenance on the ICS.

While they are not the most pressing absences from ICS security programs, almost all would agree they are worthwhile and necessary additions, at some point, to the ICS security program. They also are in line with what IT is already doing (detection) and beginning to focus on (SW/FW analysis). This makes them easier wins for programs trying to show OT security progress without impacting operations. Think of the questions:

  • Do you have an asset inventory?
  • Do you have an SBOM?
  • Do you know what vulnerabilities exist and have not been patched?
  • Are you monitoring your OT environment for cyber attacks?

It would be natural to want to answer yes to these questions, and you can without changing one thing in your ICS.

OT is about as far away from DevOps as any technology area gets. The still prevalent attitude is don’t touch it if it is working unless absolutely necessary, and even then typically wait until there is a planned outage. The ideas of changing your PLCs / controllers to require user and data authentication, adding role-based access control, or running endpoint detection and response on new logic/programs are typically non-starters for Operations. This would require changes to the Level 1 device and typically to anything that communicates with it. These changes may introduce problems.

There is also the challenge of add-on boxes versus the integrated solution. Tofino was the first industrial firewall/gateway with ICS DPI. Tofino and its competitors have been deployed and continue to sell, but the investors have voted with their wallets that this is a small space. Tofino founder Eric Byres and I discussed over ten years ago that this capability would only be widely deployed when it was integrated in the PLC / controller and at a minimal cost as a percentage of the PLC. All but the most security-conscious asset owners are loath to put another box in the communications line, with its life cycle costs and additional potential failures.

It bears watching how the security features now available in the Rockwell Automation Logix line (CIP Security) and Schneider Electric PLCs (Modbus Security) are used. Forget legacy, brownfield sites. What percentage of new projects are using these security features? This will tell us a lot about the true appetite to secure OT.

Going back to the main point of this article … if your company is looking to sell a security product or service to a large portion of the OT market, it would be best if it required no changes to the ICS and had no impact on the ICS or physical process.