An Insider’s 11 Take-Aways from Companies Winning Industrial (IIoT) Cybersecurity
On November 15, 2017 by Sally
As you read through blogs and articles about cybersecurity and the Industrial Internet of Things (IIoT), it’s easy to get so focused on the complexities (and there are many), that you lose sight of the big picture. There is huge opportunity in this space—untapped by the existing IT cybersecurity players.
To state it in the simplest terms, when protecting free consumer accounts like Gmail or Facebook accounts, the motivation for investing in security is driven by certain objectives—protecting customer trust, avoiding an unpleasant hit to the company’s reputation, etc. These are, of course, real and important concerns. But when an industrial company is trying to protect a $10 million turbine, the economics of investing in security become very different—and much more straightforward. There’s a reason why much of current security investment is directed towards the industrial space: it’s an enormously promising market—and one where new innovations can have an enormous impact.
GE Ventures, the venture capital subsidiary of General Electric, is one of the organizations that recognizes the large opportunities (and even greater responsibility) to lower costs and eliminate unplanned downtime for their customers. They have been working closely with industrial companies for decades. The company has also built longstanding trust relationships with customers and helps them take advantage of the industrial Internet while protecting them from its inherent risks. They are rising to that challenge—their own Predix architecture, a platform that helps to optimize industrial business processes, has an extensive security-in-depth strategy.
In addition to the security-in-depth strategy on their platform, GE Ventures is always on the lookout for startups that are advancing the industrial cybersecurity art. According to them, there are some very talented ones out there. Of course, IIoT is not an easy market to break into for startups. Industrial networks differ from enterprise IT in ways that make them a terrible place for moonlighting—having a great product roadmap in traditional IT is not a birthright to succeed in industrial cybersecurity. But there are some commonalities among the most successful and promising startups in this space. Here are a few from GE Ventures’ perspective:
1.) They know their stuff.
There are lots of things that GE looks at when evaluating a startup: A team with the right specialties. Differentiated technology. But the most important factor separating companies treading water from those already swimming laps is that they are staffed top-to-bottom by people who “get” industrial applications.
The most successful startups have a kind of institutional knowledge of industrial control systems (ICS)—often gleaned from working in industrial in their previous careers. They’ve learned important lessons (sometimes the hard way): They know the market. They understand its constraints. They understand through experience the attack surface and exposure. And they always, always keep their eye on the ball: the business continuity of the customer.
2.) They take the IIoT Hippocratic Oath: First, do no harm.
No matter what they’re working on, successful IIoT startups never lose sight of their customers’ primary objective: this machine cannot fail. Whatever work they’re doing to secure a system, they know that it absolutely cannot slow down or knock out industrial assets. They create a security layer that’s at least as agile, if not more so, than the devices and systems it’s protecting.
3.) They don’t make things harder for the customer.
Successful IIoT startups know that their target customer has been doing things a certain way for years. They know not to make assumptions that these customers have the same in-house capabilities and institutional knowledge that a non-industrial enterprise would—or, when it comes to software, that they even speak the same language. And they don’t assume that the customer will be willing to fill in gaps that are lost in translation. The most promising IIoT startups are ready to deliver IT solutions to industrial, and they’re not afraid to make it clear that that’s where their expertise lies. But they come out of the gate speaking OT.
4.) They make security integrated.
Successful IIoT startups know that treating security as an additional feature or up-sell will never fly. Their customers expect security to be baked into the product and fully integrated into existing industrial processes.
5.) They don’t try to eat the whole cake at once.
Enterprise IT security and IIoT cybersecurity are two totally different animals. You can’t just port something from one world into the other. Yet, there are lessons to be learned from the evolution of enterprise security. Among the biggest that successful IIoT startups adhere to: they don’t try to solve the security problem in one fell swoop.
In the enterprise world, we started with one big problem (protecting digital assets and data), and ultimately broke it down into a whole lot of smaller problems: perimeter security, identity/authentication, data loss prevention, compliance, etc. Smart IIoT startups apply the same thinking to IIoT cybersecurity. They’re not looking to “solve” industrial cybersecurity. They’re attacking smaller, discrete problems and developing useful solutions.
6.) They start with the assumption that they will be targeted.
Even the biggest and best digital companies in the world find malicious or unexplained code in their environments—sometimes threats that have been lying dormant for years. Smart IIoT startups expect that their solutions will be subject to the same types of malicious and/or intelligence-gathering threats. That doesn’t mean they don’t spend a huge amount of time and effort trying to prevent breaches. But they spend just as much time and effort making sure that, if someone does get in, they can isolate that breach and prevent it from infiltrating the rest of the system. And they recognize that the ICS attack surface extends beyond industrial devices and networks themselves, to all parts of the organization and supply chain.
7.) They’re ready to scale.
Successful IIoT startups never forget that for industrial customers, no downtime is acceptable. They know that it’s not enough to have great tech—they have to be ready to engage that technology on a scale of thousands of deployments, sometimes in multiple countries—sometimes overnight.
8.) They know that security starts well before connecting a single industrial device.
Successful IIoT startups recognize that some of the most dangerous vulnerabilities aren’t just flaws in their code, but weaknesses in their supply chain. They know that any OEM that incorporates subassemblies made by others can potentially introduce tampered firmware into their system by accident. And they’ve learned the lesson from vendors who had excellent technology but saw deals evaporate because the customer realized they were using an untrusted vendor for one component of the supply chain. Solid IIoT startups take steps to secure their products during every step from building to shipping, when they can be most vulnerable to mistakes or malicious actors.
One of the more interesting areas now being explored: public ledgers. A growing number of companies are looking at blockchain public ledger technologies to help authenticate assets and provide an audit trail with end-to-end chain of custody. (Industry groups are getting involved too—the Trusted IoT Alliance recently announced a new initiative to promote standard ledgers to authenticate IoT devices.) It’s still very early days, but work like this could prove incredibly valuable for ICS, where many categories of non-IT assets (engines, parts, sub-parts) are connecting back to the IT backbone.
9.) They don’t get distracted by buzzwords.
The startup space, or at least the media covering it, tends to be overly sensitive to the hype cycle. Whatever the latest hot concept may be (currently, AI and machine learning), companies rush to make sure they can claim to check those boxes. Successful IIoT startups don’t spend their time worrying about the latest flavor of the month. They’re laser-focused on delivering concrete answers to specific industrial problems.
10.) They understand the need to secure data at rest and in motion.
Industrial customers need solutions not just to secure data at the edge—where more data than ever before is being collected and processed—but also to secure data in motion as it travels to the cloud.
Data in motion poses a particularly cumbersome challenge for industrial systems. Some companies in this space are developing solutions to simplify passthrough of encrypted data, eliminating the need to decrypt data at any point in transit, and its associated risks.
11.) They understand the job is never done.
Good cybersecurity startups recognize that they’ll never be “finished” with their solution, and they don’t get too comfortable with their current design. They understand that real-world cybersecurity means ongoing, indefinite iteration.
This isn’t a comprehensive list. But if you’re charting the course of companies developing interesting new solutions in IIoT cybersecurity, it’s a good place to start.
Authors: Michael Dolbec & Abhishek Shukla, Managing Directors of GE Ventures