Last week ICS manufacturer Rockwell Automation bought OT security company Verve Industrial Protection for an undisclosed (non-material) price. On Tuesday I wrote on this from the Verve and OT security company’s point of view. Today’s article covers the acquisition from the Rockwell Automation and ICS manufacturer’s point of view.
ICS Vendor Commentary
It’s hard to find a major ICS vendor who is not trying to sell OT security products, consulting services, and managed services. Honeywell, Emerson, SEL, Siemens …
Why?
The cybersecurity revenue in the next five years, even with optimistic estimates, will be a footnote in the financial results. Rockwell Automation’s annual revenue is between $6B and $8B. Emerson’s annual revenue is $20B.
Is it the allure of the cybersecurity market? The outsized coverage it gets in media, automation conferences, and the financial community? This is more likely. I can imagine an ICS vendor board member or senior executive asking “what are we doing about cybersecurity?” The team needs an answer for this, especially if their peers have a cybersecurity offering and practice.
The answers fall into two categories, one that makes sense and one that doesn’t, although both are being accepted by ICS vendor executives.
Supporting and Increasing Core Offerings (this makes sense)
A potential asset owner customer often asks the ICS vendor if their system is secure. The asset owners are more capable of analyzing the answers than they were five years ago. Integrated security products, and the services to deploy and maintain these integrated solutions, can help make the sale and keep the customer happy.
There’s been a history of ICS vendors including anti-virus and other EDR on their computers; including firewalls and other network security architecture elements as part of the project plan and deliverable; and including secure backup and secure logging as part of the solution. The ICS vendor is in a great position to identify, test, select, deploy and maintain these security solutions. It also reduces the possibility of conflicts if the asset owner tries to layer their preferred security solution.
Not having a credible answer to the “is your system secure” question could affect the sale, although security is rarely the determining factor, and is more likely to affect the deployment and acceptance schedule.
In short, cybersecurity products, consulting services and managed services make sense for the ICS vendor if they can be proven to contribute to the sale and customer satisfaction of the ICS vendor’s core offerings.
Non-Core Security Products and Services (this doesn’t make sense)
Yes, a vendor can make some money selling cybersecurity, in theory (a tiny fraction of the company’s revenue and profits). In most cases it is easier to get this revenue and profit by improving a core offering rather than having some separate cybersecurity offering that will always be separate from the core offering.
The best examples of this are the OT detection products and services that are passively monitoring OT network traffic and increasingly doing informed scanning (Armis, Claroty, Dragos, Nozomi). Will having this complex and manpower-intensive offering affect the ICS vendor’s sales of core offerings? I think not. Others disagree.
I’ve had the following discussion with multiple ICS vendors offering security services:
Question: What if there is a security issue with your company’s product or, even more serious, an issue with the way your company designed and deployed the project?
Answer: We are an independent entity within our company. We would tell the asset owner the truth. Give our honest assessment of the situation and how they should respond even if it will hurt our company.
Commentary: This answer is either not true or a bad strategy for the ICS vendor. You are going to let some small division with minimal financial contribution sabotage relationships with major customers? The way a vulnerability is characterized, and the recommendation, can vary greatly based on the security professional making this decision. I wouldn’t expect the ICS vendor unit to lie, but I would expect their analysis and recommendation to be colored by how it will affect the company.
Question: Our OT environment includes products and systems from your competitors. Can you offer these services on their products?
Answer: Yes. We are an independent entity within our company. We provide these services for all vendors.
Commentary: This is true. The question is how good are they? If there is an incident with Vendor B’s system, how likely are they to work with Competitor Vendor A’s security service? If there is a security analysis, will they say those other companies are doing it right and our company’s offering is substandard? Again, they could do this in theory, and it would be a foolish corporate strategy.
The trend line is clear that the ICS vendors want to offer it all: security products, security consulting services and managed security services. It’s yet to be seen whether this is what asset owners want, especially the lucrative large asset owners with many sites and many different vendor systems.
If ICS vendors are successful, I’m skeptical that they will be happy they made this decision. My prediction is you will see at least three spin-offs or closings of their “independent” cybersecurity offerings in the next three years.
Rockwell Automation Commentary
Rockwell Automation buys Verve last week. This week they announce they will resell, deploy and provide services for the Dragos solution. And they already have the same arrangement with Claroty. And probably others.
I reached out to Rockwell Automation for more information on THE question: Why Buy Verve?
No comment, which is usual during this period of a non-material acquisition. I would keep my cards close to the vest as well.
I talked with a former Rockwell Automation employee and asked them why Rockwell Automation would want Verve. They had no idea as the company already has an offering in every category of product or service on the Verve site.
It’s hard to see why they would want Verve’s IP or products or installed base. When Microsoft bought CyberX or Tenable bought Indegy it was a quick way for those vendors to bring in OT-specific protocol code and the talent that understood OT. Rockwell Automation already has more and likely better expertise on anything OT and ICS security than Verve.
Was it a way to give a jolt to the consulting and managed services team at a good price?
Was it a reaction to Honeywell buying SCADAfence or, even more directly competitive, the announcements that Siemens has been making? … we need to do something?
Rockwell Automation, after some 2010 – 2013 fits and starts, has been on the leading edge of integrating security into their solutions. I’d also include the Ovation team, SEL and OSIsoft (pre-AVEVA) on this list, and surely I’m forgetting a couple of others. I’d expect the Verve acquisition won’t lead to a significant change in Rockwell Automation’s cybersecurity offerings or success.