The Industrial Control Systems (ICS) Cyber Security Conference in Atlanta is a wrap. I’m sitting in the food court in the Hartsfield–Jackson Atlanta Airport attempting to distill four incredible days of content and discussions (while enduring the wafting pungent aroma of fast food) into a blog post for you. Firstly, let me start off by thanking Mike Lennon and his team for one of the most put-together events that I have attended in while. A solid cross-section of people in the industrial cybersecurity field gathered in Atlanta to share stories from the trenches, swap stories and celebrate some of the successes. The overall atmosphere of the conference was one of reflection, which is what it should be, given where industrial cybersecurity is at the moment, as an industry.
Let us be honest, the Industrial cybersecurity market is still in its infancy. From the many conversations and sessions I attended, one major theme came to the fore; people desperately want to understand where we are as a market and what the future holds in store for this market. In many cases the question was prompted by the recent declaration on the future of ICS security products by Dale Peterson. Everybody in the industry wants to know if their product is simply destined to become someone else’s feature.
Here are my views on the current state of the industrial cybersecurity (product) market and its possible future. Your inputs and comments are always welcome; do leave them under the article for everyone to read.
In my mind, the Industrial Cyber Security (Product) space is still nascent. As a market, vendors have had success, but only with what Geoffrey More refers to as the “innovators and early adopters”. In his book “Crossing the Chasm” Moore demonstrated there are cracks in the “adoption curve”, between each phase of the cycle, representing a disassociation between any two groups; that is, “the difficulty any group will have in accepting a new product if it is presented the same way as it was to the group to its immediate left.” The largest crack, so large it can be considered a chasm, is between the Early Adopters and the Early Majority.
As I indicated, vendors have had success, with the early adopters. They are the rare breed of visionaries — “who have the insight to match an emerging technology to a strategic opportunity– driven by a ‘dream’. The core dream is a business goal, not a technology goal, and it involves taking a quantum leap forward in how business is conducted in their industry or by their customers. These customers are willing to take the journey with their vendors.
The compelling events
Lucky for us, we do have some compelling events that can propel early adopters. Macro-level events that will impact the entire market (Think: the next Stuxnet), Messo-level events that may impact an industry (Think: Norsk LockerGoga) or Micro-level (A new CEO/Board member who is very concerned with risk and industrial Cybersecurity or a new high profile CISO or “Local event” – where the company was breached/infiltrated/hacked/ransomware/ etc. While these compelling events may expand the early adopters, the real challenge is to cross the Industrial Cybersecurity chasm.
Looking across the Chasm
Many of the industrial cybersecurity products currently available will ultimately fail to deliver on their promises. The basics are missing and so is the future value of current solutions. Scalability challenges exist. Industrial cybersecurity vendors promises are fragile at best – good enough for early adopters, but not enough for the early majority pragmatists. The early Majority “care about the company they are buying from, the quality of the product they are buying, the infrastructure of supporting products and system interfaces, and the reliability of the service they are going to get”. Pragmatists won’t buy from vendors until they are established. The catch being vendors can’t establish themselves without the pragmatists buying from them.
The current offerings are delivering a feature set focused on passive (yes – some active) discovery, inventory, baselining and anomaly detection. This feature/function set have become table stakes for the existing opportunities. Vendors in total have conceivably engaged with perhaps around 5 percent of the TAM and closed considerably less. That means that there are still some early adopters out there, but we haven’t crossed the chasm. According to Moore, “As opportunities from the early market of visionaries become increasingly saturated and with the mainstream market of pragmatists nowhere near the comfort level, they need in order to buy, there is simply an insufficient marketplace”
Traversing the Void
So how do we cross the chasm? Two things are clear now.
- Get the basics right! Industrial cybersecurity vendors needs to get the basics right and close the cruel gap between the “marketing and deployment”. “Working well in a PoC” will not get you across the divide. Mark Brosseau from Epcor made some pertinent comments in his Adventures in IT/OT convergence, under the section title of Things I wish I’d Known. Mark, like many early adopters has had a somewhat bumpy ride and felt “OT advanced cyber tools aren’t always fully implemented”. In his experience, operation and function didn’t always line up with vendor information. Early adopters are persistent and willing to do the hard yards with their vendors; however, the early majority is NOT.
- Creating future Value. This refers to not only to product scope and maturity, but more importantly creating value beyond your own product/feature set. The real value is true understanding of customer needs. Beware of the “funky feature trap” – your graphical user interface (GUI) no matter how fancy it is, will not get you across the chasm.
Industrial cybersecurity vendors need to elevate their thinking and their discussions; utilize the enthusiasm of their early adopters. Focus on risk management – not zones and conduits, and that funky GUI. Empower industrial companies recognize, manage and protect what will impact their business. Help them identify their “crown jewels” and not just the devices but the business impact!!
Play nicely with others upstream and across the aisle. Be part of a value-chain that starts even under Layer 0, with the supply chain and winds its way up into the boardroom. We are not alone, hence don’t assume you need to, or even should attempt to do this alone. OT vendors, IT vendors, MSSPs and the entire ecosystem need to work in harmony, integrating their offerings into a cohesive security framework.
It is not just product but combining technical capabilities with standards-based process (automated where possible).
Similarly, It is not all about perimeter and endpoint security, there are diverse areas such as threat intel, SOAR, social engineering, and employee (and supply chain) awareness trainings which should all be brought into the fold.
It is a good bet that we will continue to see feverish partnership and M&A activity to facilitate this outcome. The vendors that execute this vision will succeed in crossing the divide.
Keep in mind that many (most) high tech ventures fail trying to make it across this chasm.