Cybersecurity investors increase focus on critical infrastructure protection

There is a growing interest among investors to back cybersecurity startups that focus on protecting critical infrastructure — power grids, water utilities, transport networks, communications systems. In the past several months alone, multiple companies focused on this area — including i2G Systems, Mimic, and RunSafe Security — have raised money from corporate backers.

It is part of a growing recognition that protecting physical assets from cyberattack is as important as protecting digital ones

A big wakeup call came in early 2021, when the hacker group Darkside carried out the largest cyberattack on oil infrastructure in US history, hitting the Colonial Pipeline – which carries petrol and jet fuel from Texas across the southeastern US – with a ransomware attack, effectively forcing the pipeline shut until it paid up.

“I don’t want to say that was the one event that set it off, but it brought a lot of visibility to the sector. All of a sudden, people were asking the question – if this can happen to this pipeline, then what’s preventing it from happening in other places?” says Pradeep Tagare, head of investments at National Grid Partners, the CVC unit of energy network operator National Grid.

Over the past decade, there have been – to name just a few – cyberattacks on water systems in Israel, energy systems in Ukraine, light railway systems in San Francisco, a dam in New York, and a petrochemical plant in Saudi Arabia.

It has become plainly clear, if it wasn’t already, that critical infrastructure is vulnerable to malevolent actors, and companies with solutions that can prevent cyberattacks are in high demand. The need is becoming even greater as new kinds of infrastructure — from EV charging stations to solar farms and grid-scale batteries — comes online.  

Investors getting on board

For a long time, the protection of important infrastructure assets, in the context of investment, had been mostly focused on products that protect the IT – the data and the digital systems – that underly the assets, rather than the operational technology (OT) that ensures the systems are running smoothly as they should be. Now, industries are more savvy – it’s not just non-state actors trying to make money or foreign intelligence services looking for information. They are trying to shut down critical systems, having major implications for national security.

“Until a few years ago, most of the cybersecurity attention was focused on IT – internet networks. Then, a few years ago, people started realising the importance of OT – operational technology – security,” says Tagare.

“Broadly speaking, I think the energy industry is now fully aware and fully active in this space, so I would say the space has really matured over the last few years,” says Tagare.

Many energy and industrial CVCs have startups in their portfolios that provide operational technology protection – National Grid Partners, Shell Ventures, Siemens Energy Ventures, Chevron Technology Ventures are just a few units that have such investments. Last September, for example, BMW i Ventures and Lockheed Martin Ventures teamed up to invest in RunSafe Security, which creates software to protect critical infrastructure from cyber attacks.

“ What we found on the platform side – take an aircraft or something similar – is that there was a mis-held belief that the only point of exploitation was going to be via a traditional communications mechanism – ethernet, your in-flight WiFi, or other things that are constantly in motion. What bad actors are great at proving is you can get creative and find alternative ways to get into enabling systems that you’re maybe not thinking about,” says Brian Schettler, head of AE Ventures – formerly AEI Horizon X – the spin-out from aerospace and defence company Boeing, which has in its portfolio operational technology security-focused startups such as Shift5 and Galvanick.

“You had firewalls and other things to make sure nothing was going to come in over in-flight WiFi, but what if somebody could get access to a control system that took the inputs from the cockpit and translated that to the flaps?”

The move from IT to more operational technology has been less of a shift than an expansion, according to Tagare. The companies that were focused primarily on IT have not abandoned it in favour of operational technology, but the scope has grown steadily since the early 2020s. 

While incumbent cybersecurity companies are moving into the operational technology sector, as well as “OT-native” cybersecurity firms popping up, classic cybersecurity is still the big moneymaker.

“The IT market, if you just look at it from a total available market size perspective, compared to the OT market, is still significantly larger,” he says.

Interestingly, though, many of the large cybersecurity incumbents have yet to make inroads on the operational technology side of the ledger. The IT side still provides far more revenue.

Investors are increasingly on the lookout for startups that offer comprehensive solutions, protecting both the IT and the physical assets. The end-to-end protection, the reduced complexity and the lack of interoperability issues they offer make them attractive.

At a premium are proactive solutions, rather than just reactive ones – prevention is better than rectification. Things that feature an element of predictive analytics, AI threat modelling, autonomous threat-hunting platforms, are sought after. Today, startups need products that are agile and adaptable to evolving threats, relatively easy to integrate into legacy systems, and technically robust.

An additional benefit of having operational technology monitoring systems is that it provides a wealth of information on a platform’s maintenance needs, giving it a dual-use element that investors value at a premium. Hackers might not come along that often but being able to know when things will fail will always be necessary and valuable.

“That is almost a more lucrative business to be in. There is an explicit ROI on that particular value proposition of keeping aeroplanes in the air longer because I have awareness of maintenance events and can be much more predictive,” says Schettler.

Without operational technology security, asset owners have still been known to try and protect themselves by de-technologising, but the financial implications of doing that can be big.

“The phenomenon we saw in a lot of factories was that people were just turning off the digital systems of their machines because they didn’t want to expose themselves to that risk of an intrusion. In doing that, you lose all of the benefits of these being interconnected and digital systems to get more performance, productivity, quality, safety out of it,” says Schettler.

More infra, more threats

Many of the openings for bad actors can be found in legacy systems. These new vulnerabilities in legacy systems are partly a byproduct of their modernisation and digitisation – as decades-old facilities and infrastructure assets became more technologically advanced, their increased productivity brought with it new ways of being exploited.

“A lot of these systems weren’t necessarily as vulnerable, simply because they were so old and outdated. You could go in there with a hammer and break something, but it wasn’t necessarily going to be a digital exploit,” says Schettler

As new kinds of infrastructure come online – EV charging networks, grid scale and residential solar, onshore and offshore wind, battery storage – the tech to protect them is having to adapt.

In the case of EV charging networks, the challenge is amplified by the fact that they will necessarily be open networks, where anyone can access them to use and make payments. More access points means higher vulnerability relative to assets such as interconnectors, which are more closed systems.

“I think the next wave is to make sure that all of these assets get protected as well,” says Tagare.

“If you have a fleet of EVs and you have charging infrastructure, how do you make sure that those assets are protected? As you get driverless cars, how do you make sure those assets get protected? These distributed assets that are coming onto the grid are an interesting area where companies are starting to now look at solutions to protect them.”