Why the Free Market is our Last Best Hope for Industrial Cybersecurity
by T.J. Rylander, Partner at Next47
On March 27, we had the pleasure of participating in the Washington Post’s first Technology Live event in San Francisco. In a series of conversations led by Washington Post reporters, technology executives and leaders such as Vijaya Gadde, Alex Stamos and Xavier Becerra discussed data privacy concerns and how the relationship between technology and public policy stands to evolve.
Also during the event, Next47 partner T.J. Rylander interviewed veteran CEO and cybersecurity expert Dave DeWalt on the current state of global cybersecurity. Read on to learn what we at Next47 believe is the missing component to advancing critical cybersecurity infrastructure once and for all, and how investors, startups and established enterprises can help us get there.
Everything in our world is connected to a network. That’s not news to consumers or observers of the emergence of IoT, however today’s ubiquitous connectivity now also applies to all things industrial: everything from the operational systems that run power plants and factories to elements of public infrastructure like traffic lights and rail switching.
While we’ve spent the past two decades working to protect business networks, we’ve long neglected securing these industrial networks and operational technologies (OT) that run our modern society. As a result, we find ourselves in a highly precarious situation. Because unlike attacks on business networks, which at worst lead to financial and/or reputational destruction, attacks on industrial networks can in worst-case scenarios result in widespread loss of life.
With an expected market size of approximately 24 USD billion by the end of 2023 and a CAGR of more than 10 percent, the OT security industry has enormous potential. However most critical infrastructure operators operate under regulated rates of return, which results in slow technology investment cycles. The fact that many OT systems are a combination of heterogeneous subsystems (e.g. legacy and modern, proprietary and open protocols, wired and wireless) also contributes to OT security hurdles.
The other very real and reasonable dynamic at play here involves the actors and motivations behind most of the known attacks against operational and industrial systems to date. Dating back to Stuxnet, it has broadly been concluded that nation states have been more active than criminal enterprises. And when a nation state conducts attacks — especially against critical infrastructure — many expect their governments to provide the defense. However, the unfortunate reality is that cyber attacks fall within a gray area. Regardless of the attacker or motivation, establishing what constitutes an act of war is challenged by immature policy frameworks and difficulties in attribution. And new regulations governing critical infrastructure will be slow to evolve and almost always backward-looking.
Effective Industrial Cybersecurity Requires Incorporating Free Market Dynamics
Most of us reasonably rely on our governments to keep us safe from attacks, either foreign or domestic. However, when it comes to cybersecurity, salvation lies in the dynamics of the free market.
We saw this play out in the business domain a couple of decades back. Initially, attackers broke into business networks primarily for the challenge, or to disrupt or vandalize specific organizations. This resulted in some negative headlines but, for the most part, these breaches were largely ignored. Only later did making money emerge as the prime motivator, as seen by the eventual inundation of spam emails, bank account compromises and IP theft. Thanks to profit motivation, the number of business network attacks began to skyrocket, which was quickly accompanied by a drastic increase in corporate cybersecurity spending.
This lesson can, and should, be applied to OT security. Consider this: Unregulated industries that are aggressively profit maximizing (e.g. manufacturers, oil and gas producers, or mining and refining companies) understand that any instance of downtime has a direct impact on profits, and just as scary is IP theft. As a clearer connection to monetary impact in influential industries like these is established, investment in defensive technologies will accelerate. And this increased spend would catalyze a flywheel of sorts, where the resulting new-and-improved technologies would then transition from not only being accessible to profit-motivated, industrial buyers, but also to critical industrial networks and consumer-facing IoT.
Bridging the Startup / Customer Divide
The good news is that there are some really impressive startups out there that have built technology to defend against the potentially disastrous effects of a big OT breach. Claroty, one of our portfolio companies, is one of them. There is also an unprecedented amount of capital going into these startups.
The missing link is getting these technologies in the hands of those who need them most. That’s an area that we, at Next47, are trying to occupy by creating opportunities for promising startups to be introduced to the large, industrial companies that make up the Siemens ecosystem. Bridging the divide between startup innovation and corporate institutions yields benefits for both parties: it opens up new and expanded revenue streams for the startup, while giving the corporate institution a competitive advantage. In the case of OT security, the benefits extend way beyond that, to potentially protecting us all from a devastating attack on our infrastructure.