Frenos is hot. They won the Datatribe Challenge, and then raised $3.88M in a seed round led by Datatribe. They got Rob Lee on their Advisory Board. And the founders have hired some well-known talent in the space such as Tony Turner and Vivek Ponnada. There hasn’t been an early startup with this type of buzz since pre-Covid days.

It was time for me to dig in and learn more. I had a chance last week to get a personal 1-hour briefing and demo from the founders and others at Frenos.

What Is It?

It’s an OT assessment product that imports data from other products, feeds, or files, and outputs an OT cyber risk assessment. They create a “digital twin”, which is limited today to what communication is allowed (from firewall and some other segmentation device rules) and asset inventory (from visibility/detection vendors or files). The future could see the introduction of additional data sources to enrich their digital twin, more on this later.

They also bring in threat intel and vulnerability feeds. They use AI, of course, to autonomously complete an OT security and risk assessment that includes the findings and recommendations. As the input changes the assessment is updated, hence the use of continuous assessment in their marketing.

What’s The Value Proposition? How Is It Different?

OT security and risk assessments by consulting teams are expensive and time consuming. I know. It was my company’s main consulting offering from 2000 – 2015. If there are a handful of plants / systems it’s feasible, but it doesn’t scale if you have 20, 50 or 100 sites.

I would guide asset owners to select three different types of sites, different in size, system, process, etc.; limit the consulting assessments to those three; and apply those lessons learned and actions to the balance of the sites. This was effective, and I’d still recommend this. The context a skilled consultant will learn at those three sites from the process, culture, and business isn’t captured (yet) in any automated tool. My impression is the prioritized list of risk reduction actions will differ greatly from the OT security professional consultant and the Frenos tool, or other tools.

Still, this isn’t a fully satisfying approach. Some of the 90%+ not assessed are going to have unique issues, and there is no effective way of tracking changes in security posture over time. No way of generating automated security metrics. Frenos addresses these deficiencies, at some level of effectiveness.

Cynical Note: Whether a continuous and autonomous OT assessment solution is effective or not, there are many companies that will want to say to executives, boards, insurance, regulators and others that they have an ongoing OT cyber risk assessment on all sites. The Frenos solution meets this need today.

Is It A Sustainable Category?

This is the most interesting question.

For the Frenos product as it exists today, the answer is no.

It would be easy for the visibility and detection products to pivot and add the existing capability. They already have the asset inventory, since they are the primary source of this information for Frenos. The visibility and detection products already have a high percentage of the actual communication flows. Adding the possible data flows from firewall ruleset import is easier. It’s smart to do, and I’ve been asking the leaders if they have this for at least eight years. They don’t. Points to Frenos for doing it, but the Armis, Claroty, Dragos, Nozomi … can and will add this if it has even a minor impact on sales.

I could also see Tenable, if they weren’t backing away from OT, adding this capability into their solution.

For the Frenos product of the future, the answer is maybe. If they bring in more and more difficult-to-process data sources, it will be harder and more expensive for the others to add.

Endpoint protection is an obvious choice, and there are a number of solutions that would need to be imported and processed. Microsegmentation, edge devices (OT, IIoT and cloud), remote access, one-way devices, OT application security and others could be added to enrich the digital twin and improve the assessment.

Consulting services are not the challenge to this being a sustainable product segment given the price and scaling issues in consulting. The challenge is there are so many adjacent product categories that could subsume this category including:

OT Visibility (Asset Inventory and Detection): This is the main and most complex source of input to the Frenos Platform. And they have the existing communication data, which some would contend are more valuable than possible communication data. They could easily and credibly add continuous assessment to their marketing. Right now they are partners. They could be direct competitors. One could be an acquirer.

Vulnerability Scanning / Exposure Management: Tenable, Rapid7 and others could add this capability. This is less likely given the on again / off again interest in OT. If IT isn’t driving them to this, it is unlikely to happen.

Risk Management Platforms: Axio, SecurityGate and others already make the same value proposition as Frenos. They approach it in a different way. Competitor or acquirer?

One Stop Shop: Fortinet and OPSWAT are the two main vendors in this category with Fortinet being the most integrated offering. If the category grows in sales they certainly will develop a continuous assessment solution that pulls data from their other OT security products. This would impact a pure play company like Frenos less than some of the other categories because the competition would be limited to asset owners who have committed to be a Fortinet or xxx shop.

The answer to whether this is a sustainable category can be captured in the figures below. If we put all the product categories on the page (Figure 1), continuous OT assessment is placed in the center because an edge of the capabilities and value proposition overlaps with the other 4 categories.

Figure 1

The answer is based on whether Figure 2 or Figure 3 is true. In Figure 2, continuous OT assessment is an assessment hub from these and other product categories. This would lead to it being a sustainable category.

Figure 2

Figure 3 is the case where one or more of the other product categories develops the continuous OT assessment capability. Frenos and other pure plays would be surrounded and continuous OT assessment becomes a feature rather than a product category. Frenos gets acquired for a lesser amount, still not a bad outcome.

Figure 3

One last thought or possibility is that Frenos, and their future pure play competitors, take the OSIsoft PI strategy. Most ICS vendors in the ’90s, ’00s, and ’10s had their own historian. Yet PI was everywhere because asset owners had ICS products from multiple vendors and didn’t want multiple historians. The ICS vendors didn’t like including PI, but the historian wasn’t a major part of the sale and OSIsoft didn’t expand to other products to threaten the vendors’ larger revenue.

OSIsoft focused on developing connectors to almost every ICS product and making the best historian. As more OT security products get deployed, especially in asset owners with many sites and systems, this is another possible future.
