Investment Recommendation: Claroty
Today, Claroty came out of stealth, announcing a $32 Million venture financing led by Bessemer. That’s a lot for an early stage startup, but this is an important company for our nation and our planet. To explain why, I thought I’d share this excerpt from our internal investment memo.
EXCERPT from APRIL 2016:
The Need for Industrial Security
The physical infrastructure of modern civilization runs on machinery: traffic lights, railroad switches, nuclear reactors, water treatment, electricity distribution, dams, ship engines, draw bridges, oil rigs, hospitals, gas pipelines, and factories depend upon mechanical elements such as pressure valves, turbines, motors, and pumps. These actuators (like the ones in the original Bessemer steel smelting process) were once manually configured, but today these machines are controlled by software running on directly-attached, single-purpose computers known as Programmable Logic Controllers (PLC). PLCs, in turn, are connected in aggregate to computers running Human Management Interfaces (HMI) through closed, vendor-proprietary Supervisory Control & Data Acquisition (SCADA) protocols like DNP3 and Profibus. Industrial manufacturers provide the machines, the PLCs, and the HMIs, and so Operations Technology (OT) teams typically need to use a mix of controllers and interfaces. This is collectively known as an ICS.
During the PC revolution, many of these ICS components migrated to cheap, standard PCs, and their SCADA connections migrated to LAN switches and routers that leveraged the connectivity benefits of those PCs’ standard Ethernet ports. The security implications were relatively minor until the Internet came along; but now, if any computer in the building is connected to the Internet, all the machines are potentially exposed. ICS security had once depended upon an air-gap between IT and OT networks, and where absolutely necessary devices like one-way diodes were used to send data out of the OT network to the outside world. However, trends like remote management, cloud, IoT, and the adoption of open standards are eroding the network segmentation and creating new attack vectors.
The threat of ICS attacks differs greatly from threats plaguing other computer networks. First, there is little valuable data to steal from a PLC (with the theoretical exception of pharmaceuticals), and yet the consequences of an attack are potentially catastrophic; the worst doomsday scenarios of cyber warfare arise from compromised machinery such as gas relays, dams, reactors, and water treatment facilities that can kill millions of people when they malfunction. To get a taste of the kind of damage we’re talking about, watch this video from 2007, where members of the Idaho National Laboratory hacked some of its own machinery.
Second, the fear of unexpected downtime also makes OT teams less willing to experiment with new hardware and software updates. These factors create an environment of older computers running older software that is never patched despite the accumulation of known vulnerabilities.
Finally, OT teams will not run encryption or conventional cybersecurity software on their computers, lest the security processes interfere with the precise and fragile timing of their network; they would rather be infected than incur downtime. And evidence of infections is mounting:
• The Stuxnet worm, allegedly developed jointly by NSA and the Israeli Army’s intelligence arm (Unit 8200), crippled the Iranian nuclear program by destroying their centrifuges;
• Iran crippled the operations of the most valuable company on Earth, Saudi Aramco;
• According to BVP-funded iSIGHT Partners, the Russia-based Sandstone Team developed the Blackworm malware that shut down power for 700K Ukrainians;
• For two years, an Iranian group controlled malware inside a dam in Rye, New York (near BVP’s Larchmont office).
The malware behind these attacks likely lay dormant for some time, and there is no comprehensive way to know how much more already lurks in critical ICS just waiting to be activated. According to the ICS-CERT, we discover more and more infections every year in US infrastructure. So, at a time when nation-states, terrorists, and criminal organizations are scrambling for an advantage in cyberspace, society’s most critical infrastructure remains exposed and undefended.
Although our investment in cyber foundry Team8 is gaining market value, we originally invested for more strategic reasons. Following our roadmap principle of “following the attackers,” we have long known that ICS would develop into a significant target, and hoped Team8 would provide us the best opportunity to invest in this market. They did just this with Claroty (fka Team 82), which is the second spin-out. Claroty is one of two dozen companies addressing cyber attacks on ICS. While Claroty is a newer entrant in this relatively nascent space, we believe deep the experience of its team makes it the likely winner.
Recall that retired Israeli General Nadav Zafrir had founded Team8 to focus the world’s best nation-state cyber warriors on the biggest challenges of cyber security. Zafrir recently commanded Unit 8200, considered Israel’s equivalent to the US National Security Agency (NSA). But unlike the NSA, which employs career-minded employees, Unit 8200 draws and trains the smartest draftees from the Israeli population, who, like everyone else, typically resign their military commission after three years. Naturally, several of them founded cybersecurity companies like Check Point, Palo Alto Networks, and NICE. So now Zafrir, along with the Unit’s former Head of Cyber (Israel Grimberg) former Chief Technology Officer (Assaf Mischari), and distinguished officer Liran Grinberg, recruit and commercially train the top 1% of those graduates, re-purposing them in cybersecurity startups.
A principal skill set attributed to Unit 8200 is blind protocol analysis. If, for example, you wished to hack a Siemens centrifuge, you’d need to deconstruct the packets sent back and forth between the HMI and the PLC, or between the PLC and the actuator. Most protocols were cobbled together decades ago and were rarely well documented, and in some cases the vendors themselves treat them as holy writ. Unit 8200 is reputedly the best in the world at quickly and accurately understanding and parsing them down to the individual bit level. Team8 recruited the best, most experienced ICS thought leaders in Unit 8200, led by their team leader Benny Porat (CS PhD), to staff Claroty.
When Team8 starts a new company, it marries a technical team with an entrepreneurial founder. In the case of Claroty, Team8 recruited Amir Zilberstein, who founded the successful Waterfall Security and Gita Technologies. Waterfall develops ICS security products (unrelated to Claroty’s product); Gita’s technology remains undisclosed. Team8 also recruited Galina Antova, the former head of Siemens’ Industrial Security Services division, to run business development. Antova is a super impressive executive — highly connected, brilliant, and fast-moving. [See Appendix: Due Diligence for summaries of the team reference calls.] Next step is to recruit a CMO — we hope to get Patrick McBride, who was a star at iSight.
With meaningful Operations Technology (OT) experience on the team, Claroty is taking a different approach to the market than its competitors who generally come from cybersecurity backgrounds. Rather than lead with the cybersecurity benefits of their product, Claroty has developed an OT visibility platform that first and foremost surfaces operational issues. By deconstructing the proprietary vendor protocols, Claroty has delivered the first heterogeneous HMI with analytics that span an ICS network. Seeing as how most OT teams today care more about downtime than infection, we believe this approach will enjoy a far better reception in the near-term.