Over the last four years there has been a steady series of announcements from the largest ICS vendors (Emerson, Honeywell, Schneider Electric, Siemens, Yokogawa, etc.) offering OT security services and security products. The marketing and sales of these solutions tend to get lost amongst the large vendors’ high-revenue offerings and the more focused messaging from OT security companies.
The impact and market share for these solutions through the ICS vendor channel are still up in the air. It’s easy to make a case both for why this will be successful and for why it will not.
Why This Makes Sense
- The large ICS vendors have a trusted and locked-in relationship with their asset owner customers (it is expensive and painful to switch ICS vendors). I could stop here. This is the key reason it might work.
- The ICS vendors can bless or block all but the passive solutions. They have been doing this for two decades, although more and more asset owners are ignoring the “it will void the warranty” contention.
- The ICS vendors know more about their offering and are best positioned to tailor security solutions for their offering.
- The ICS vendors already have contractual vehicles in place making it easier to add another product or service to an order.
Why This Doesn’t Make Sense
- The security product and services business model is different from the ICS vendors’ business model.
- The revenue and profit from the OT security offerings, while growing, are tiny compared to the overall company revenue and profit. If security screws up one large deal a year, it is a net negative to the ICS vendor’s P&L. Which leads to …
- Conflict between the security team and ICS product team. If the security team is doing its job it is pointing out the shortcomings and related risk of their parent company’s offering. It is pointing out mistakes the project team is making. If the security team believes the Acceptance Test should fail because of security issues, what happens?
- A mix of systems at a site and at multiple sites means the ICS vendors’ security offerings will need to be applied to other ICS vendors’ solutions. Or the asset owner needs to get similar security offerings from multiple companies.
The best approaches for ICS vendors succeeding with security are:
- Including security products with the procurement package. This has been happening for years with firewalls and anti-virus. It is much less common for OT detection, industrial firewalls and other add-on projects.
- Services that can be viewed as an extension of the maintenance contract. Companies pay now for predictive maintenance services. They could pay for other cyber maintenance, network monitoring and detection services if they are positioned correctly. It’s easier for an ICS vendor to sell this as a service rather than a product.
The last two decades provide more reasons to be skeptical than hopeful that ICS vendors will garner substantial OT security market share. We have seen many cases where large companies jump into OT cybersecurity only to retreat or capitulate when the economy turns. We are seeing this in 2023 with some of the large consulting firms. For a small niche to succeed in a large company, it needs either consistent cheerleading from changing executives or a larger-than-average profit that doesn’t need care and feeding.