The only OT security product market to date is OT Detection solutions (with a slice of asset inventory). It is led by Armis, Claroty, Dragos and Nozomi. There are another 5 credible vendors and 5 or more niche players.
There has been a relatively large amount of venture funding in this product market. Sales are increasing, yet they are still a tiny percentage of the total available market. Most importantly, it has mindshare amongst early adopter asset owner company executives. You better have an answer on what you are doing to detect attacks in OT.
What is the next OT security product market? Three possibilities.
OT Secure Remote Access
There are companies focused on this product segment, such as Cyolo, Xage, Xona, and Zscaler. There are offerings from vendors who you don’t think of as OT Secure Remote Access vendors, such as Claroty, Fortinet, and OPSWAT.
The list of companies with an offering in this space is large because it is an almost universal asset owner need. There are probably even more competitors than your search will identify, because some vendors confuse the issue by categorizing their secure remote access product as a zero trust solution.
OT secure remote access product offerings got a jolt from Covid as formerly forbidden remote access became a necessity. Having additional OT intelligence and features is more important if you are going to allow everyday control and administration over this remote connection.
The real questions for the OT secure remote access product market are:
1) is it large enough?
2) are the OT specific features valuable enough to differentiate this market from the generic IT remote access product market?
3) will these OT capabilities be integrated into general purpose secure remote access solutions?
My analysis at this point is yes, yes, and yes.
Even if my analysis is correct, this potential OT security product market has some time and space to run before consolidation and acquisition.
SBOM
Two years ago I would have marked this as the next OT security market with a mix of a product and SBOM/vulnerability clearinghouse service. (Here is my past SBOM market coverage) Progress has been slow the last two years, and there are more signs of it being overwhelmed with complexity and problems rather than initiatives that will cause it to bloom into a market.
The challenge for OT/IIoT focused SBOM vendors such as aDolus, Finite State, Fortress, NetRise and others is how to stay in business until the market is ready. Getting too aggressive and running through funding may lead to a forced exit. Be too passive and you lose the opportunity to build brand and establish the market.
Asset owners, albeit with some exceptions, haven’t been interested in OT/IIoT SBOMs. This isn’t surprising given the large number of unpatched vulnerabilities in OT they are dealing with, and often failing at, before they even consider the non-visible components and libraries that an SBOM would reveal. There may be another Log4j that will pique interest, but this will more likely lead to questioning vendors rather than a desire to collect and manage SBOMs.
I’d double down on my earlier predictions that asset owners won’t want to collect and manage SBOMs. The expenditure required for the risk reduction achieved, even with great new solutions, is too large. If this market happens it will be vendors creating and maintaining SBOMs, perhaps with help from a vendor in this market, and a marketplace providing SBOM information when queried by asset owners.
The best hope for this product market is likely the right regulation from the US, EU and other governments.
OT Cyber Risk Management
This is too big to tackle in detail here.
Asset owners want to know what OT cyber risk metrics they should track, how they are doing over time, how they compare to their peers, and what they should do to reduce cyber risk.
The real question is whether this will be a separate product market or will be subsumed by the OT detection product market, SIEM / SOAR, or Vulnerability Management. There are some small players who have a standalone OT Cyber Risk Management solution. Each has its own proprietary methodology, and many are getting more traction selling the compliance monitoring feature.
I’ll try to dig into the OT Cyber Risk Management product market later this summer.