Everything in our world is connected to a network. That’s not news to consumers or observers of the emergence of IoT; however, today’s ubiquitous connectivity now also applies to all things industrial. Everything from the operational systems that run power plants and factories to elements of public infrastructure like traffic lights and rail switching is run through industrial entities that have not been under the same obligations of security.
Life, Liberty and the Pursuit of Cyber Defense
While we’ve spent the past two decades working to protect business networks, we’ve long neglected securing these industrial networks and operational technologies (OT) that run our modern society. As a result, we find ourselves in a highly precarious situation.
Unlike attacks on business networks, which at worst lead to financial and reputational destruction, attacks on industrial systems can result in widespread loss of life.
What More Criminal Activity Means
With an expected market size of approximately USD 24 billion by the end of 2023 and a CAGR of more than 10 percent, the OT security industry has enormous potential. However, most critical infrastructure operators operate under regulated rates of return, which results in slow technology investment cycles.
The fact that many OT systems are a combination of independent subsystems (e.g., legacy and modern, proprietary and open protocols, wired and wireless) also contributes to OT security hurdles.
The other very real and reasonable dynamic at play here involves the actors and motivations behind most of the known attacks against operational and industrial systems to date.
Dating back to Stuxnet, it has broadly been concluded that nation-states have been more active than criminal enterprises. When a nation-state conducts attacks — especially against critical infrastructure — many expect their governments to provide the defense. However, the unfortunate reality is that cyber attacks fall within a gray area.
Regardless of the attacker or motivation, establishing what constitutes an act of war is challenged by immature policy frameworks and difficulties in attribution.
New regulations governing critical infrastructure will be slow to evolve and almost always backward-looking. What we really need to efficiently catalyze spending on OT security solutions (which will ultimately support improved products and overall better defense) is more profit-motivated attackers.
Effective Industrial Cybersecurity Requires Incorporating Free Market Dynamics
Most of us reasonably rely on our governments to keep us safe from attacks, either foreign or domestic. However, when it comes to cybersecurity, salvation lies in the dynamics of the free market.
We saw this play out in the business domain a couple of decades back. Initially, attackers broke into business networks primarily for the challenge, or to disrupt or vandalize specific organizations. These semi-simple break-ins resulted in some negative headlines, but for the most part these breaches were ignored. Only later did making money emerge as the prime motivator, as seen by the eventual inundation of spam emails, bank account compromises and IP theft.
Thanks to profit motivation, the number of business network attacks began to skyrocket, which was quickly accompanied by a drastic increase in corporate cybersecurity spending.
This lesson can, and should, be applied to OT security. Consider this: Unregulated industries that are aggressively profit maximizing (e.g., manufacturers, energy producers, or mining and refining companies) view any instance of downtime as a direct threat to profits — and even scarier is IP theft.
If a more explicit connection to financial impact in influential industries like these can be established, OT hackers will be even more motivated to profit off of their attacks.
In turn, an increase in OT attack volume would lead to a flywheel of sorts, in which more attacks would lead to higher spending on defense, which would lead to new and improved technologies that could be consumed by and help protect both critical industrial networks and consumer-facing IoT.
Bridging the Startup / Customer Divide
The good news is that there are some really impressive startups out there that have built technology to defend against the potentially disastrous effects of a significant OT breach. Claroty, one of our portfolio companies, is one of them. There is also an unprecedented amount of capital going into these startups.
The missing link is getting these technologies into the hands of those who need them most. A company called Next47 is trying to occupy this space by creating opportunities for promising startups to be introduced to the large, industrial companies that make up the Siemens ecosystem.
Bridging the divide between startup innovation and corporate institutions yields benefits for both parties. Closing the gap opens up new and expanded revenue streams for the startup while giving the corporate institutions a competitive advantage.
The advantage for all infrastructure will be OT security, and the benefits extend well beyond that to protecting us all from the potential of a devastating attack on our infrastructure.