New US OT Cybersecurity Coalition Indication of Maturing Market

In April 2022, five high-profile Operational Technology (OT) security vendors—Claroty, Forescout, Honeywell, Nozomi Networks and Tenable—announced they would form a coalition to work with the US government and industry in order to advocate for “vendor-neutral, interoperable, standards-based cybersecurity solutions”. Dubbed the OT Cyber Coalition, it will be represented by Monument Advocacy, a bipartisan lobbying firm that will help the Coalition to lobby the US federal government and shape public policy on matters of OT cybersecurity. The Coalition aims not only to provide industry expertise and feedback on public policy proposals, but also to advocate for funding for federal OT cybersecurity.

Cybersecurity for industrial information and control systems has been a slow growth market since inception, especially when compared to the market for IT security. While the risks and vulnerabilities of industrial systems have been obvious for more than a decade (certainly from 2007 post-Stuxnet), the vendor ecosystem has developed at a painfully slow pace. High technology fragmentation within industrial systems have been the primary issue, meaning it has continued to subsist by sustaining perilous beliefs like security-through-obscurity and unbreachable air gaps. These are however increasingly difficult to justify as disruptive Industry 4.0 technologies permeate both legacy and greenfield operations. Industry advances in the adoption of Internet of Things (IoT), automation, Artificial Intelligence (AI) and Machine Learning (ML), edge compute, and smart connected processes has amplified the risks to a degree that they are now starkly visible to even the most unskilled script kiddie. While a niche vendor ecosystem focused on OT cybersecurity has been slowly but surely emerging, driven by the Fear, Uncertainty, and Doubt (FUD), it is not primed to grow significantly in the coming years. This lack of growth is aided by the fact that OT cybersecurity vendors are also increasingly marketing the ‘added-value’ of their solutions (i.e., how to monetize cybersecurity) and not just the FUD narrative.

Around 2017-2018, industrial cybersecurity was at a nadir and traction from vendors was difficult, despite the explosion of the IoT (including in industrial) ecosystem. While all understood the importance of securing industrial systems, not many were willing to invest more than strictly required by law. Today, the market is set for fast expansion, ignited by a number of different fires.

• The pandemic was an initial catalyst, driving Original Equipment Manufacturers (OEMs) in utilities and manufacturing to really focus on digital transformation, making that transition to cybersecurity easier.
• Second, the Biden Administration in the US is starting to fill the cybersecurity vacuum left by the outgoing president with a number of new programs and policies, not least being the May 2021 Executive Order on Improving the Nation’s Cybersecurity. This in turn has driven various industrial security alliances and consortiums to snap out of hibernation and start advocating again for industrial cybersecurity. A set government-led agenda also means targeted organizations can justify putting budget aside to comply with new requirements.
• Third, organized cybercrime groups are wreaking havoc with sophisticated and destructive ransomware attacks on industrial operators that are difficult to hide; their loud and public displays of attack (and shaming) can no longer be swept under the corporate carpet (Colonial Pipeline being one in many in that scenario).
• Fourth, but not least, is the current armed conflict between Russia and Ukraine, where the might of Russia as a nation with advanced cyber-skills, and its increasing global alienation, is instilling well-placed fears about its potential attacks against critical infrastructure (not just against Ukraine, but its allies) and consequently prompting spending in cybersecurity.

All of these are fermenting to kick the industrial cybersecurity market into high gear. Lobbies such as the OT Cyber Coalition are a natural next step in a maturing market, where industry stakeholders want to ensure the technologies and processes they have invested in remain not only relevant, but also help to accelerate market demand by steering government along the right course (i.e., their course) in standards recommendations and regulation development. Certainly the principles touted by the Coalition are straightforward and make sense in a market that has been traditionally fragmented and highly proprietary. Vendor-neutrality and interoperability are laudable concepts. Standards are certainly important to enable mass-market adoption. This is the salient point as the lobbyist will want to ensure it is their standards that will ultimately prevail. Partnering with competitors may seem antithetical to their goal as a company, but it is also a good way to concert efforts and ensure the most relevant and useful standard is pushed through that can enable both interoperability and vendor-neutrality. It’s easier to capture markets from a competitor if the solution is easily interchangeable. Of course, there is always the danger that concertation could eventually lead to collusion down the road, but that is a matter for the future.

The OT Cyber Coalition is one of many industry groups to have sprung up in the last decade and joins the ranks of others such as the OT Cyber Security Alliance, the Industry IoT Consortium, and the Resilient Infrastructure + Secure Energy Consortium, among many others.

For stakeholders such as industrial OEMs building control systems and operators running industrial facilities, these various efforts will help to create a more homogeneous security framework for best practices, standards, and applicable regulation across the board. Today, the industry is at the crux of various standardization efforts to promote vendor-developed technologies, and what will prevail will be spearheaded by companies with a significant market presence. Lobbying efforts may help to some extent, although they will remain nationally focused. While this works well in a large country like the US, with well-developed policy and sectoral regulation in the space, such efforts are less likely to work at an EU-wide level. Lobbying the EU Commission is possible, but they are less willing to bend an ear to industry advocates (especially if they come from across the Atlantic). Instead, stakeholders should focus more on standards development organizations like IETF, IEC, and ISO.

For operators, it will be easier to choose the right solution, as they will look towards guidance from their national authorities. OEMs, on the other hand, will need to take into account their client base and where those devices eventually end up. What is clear is that industrial cybersecurity is on its way to becoming a mature ecosystem, driven by an increasingly crowded ecosystem (230+ vendors) and with a clearer-than-ever roadmap for mass-market adoption.