Energy corporates are increasing investment in cybersecurity startups with particular focus on zero-trust solutions and post-quantum security.
The energy sector is becoming an increasingly attractive target for cybercriminals and even state-sponsored cyberattacks. Oil company Halliburton was one of the most recent to be hit by an attack, while a ransomeware cyberattack in 2021, which resulted in the six-day closure of US oil company Colonial Pipeline, underscored the vulnerability of critical energy infrastructure.
Investment by energy companies in cybersecurity startups is rising in response. Taking stakes in the next crop of cybersecurity technologies is seen as a way for energy companies to stay ahead of potential malefactors.
“VC is a strategic tool that Chevron employs to stay at the forefront of innovation, ensuring robust protection of our critical IT and [operational] infrastructure against the constantly evolving threat landscape,” says Christopher Lukas, chief information security officer of oil major Chevron.
Although the dollar amount invested in cybersecurity startups is lower than in the boom year of 2021, it is already, in the first eight months of 2024, more than twice what was invested all of the previous year.
Safeguarding operating infrastructure
One of cybersecurity areas of particular interest to energy companies is protecting operational technology systems, the vast networks of physical assets from oil wells, rigs and refineries to power grids and gas pipelines. Put simply, if we were to think of IT cybersecurity as protecting software, then operational technology cybersecurity would be all about protecting hardware.
Andre Turenne, Vice President of Investments at National Grid Partners (NGP) – the venturing arm of utility National Grid, says operational security was a key factor when deciding to invest in cybersecurity startup Dragos.
Dragos specialises in protecting industrial control systems and operational technology environments from cyber threats.
“When evaluating technologies and startups, we get a lot of help from our business units. Protecting operational technology environments is more than just standard threat detection and monitoring of your networks.
“For operational environments, we felt Dragos had both the best monitoring solution and the best incident remediation methodology,” explains Turenne.
Stuart Coleman, a venture executive at Chevron Technology Ventures, echoes a similar sentiment about the critical nature of asset discovery and monitoring: “One of the important cybersecurity elements for a large-scale energy company like Chevron is asset discovery and monitoring. In other words, if a device, a laptop or USB drive, gets plugged in, somewhere in our systems, do we know what this device is and do we know that it is actually safe?”
This focus on operational security has led Chevron Technology Ventures to invest in companies like Mission Secure, which identifies and prevents cyber threats at lower entry points within a large corporate IT infrastructure, spanning across pumps, compressors, and centrifuges.
Another notable investment by Chevron in this area was Claroty, an Israeli and New York-based operational technology cybersecurity company, which has developed an industry-centric platform to secure critical infrastructure and cyber-physical systems.
“We have seen successful cybersecurity companies emerging from the medical space that are looking to expand into the energy sector.”
Kemal Anbarcı, Chevron Technology Ventures
Interestingly, energy corporates are looking at cybersecurity innovations with a track record in other industries. Kemal Anbarcı, managing venture executive at Chevron Technology Ventures, points out: “We have seen successful cybersecurity companies emerging from the medical space that are looking to expand into the energy sector. There are some very crucial similarities in the sense that both sectors are critical. A lot of monitoring tools that have been applied to healthcare IT and medtech have applications in industrial settings as well.”
Zero-trust cybersecurity solutions
The other major area within cybersecurity of interest to energy VC investors is zero-trust architecture.
Zero-trust cybersecurity solutions assume that no user, device or system, inside or outside a network, is inherently trustworthy. Such solutions are all about verifying every access request, irrespective of origin, before allowing it to interact with the network.
NGP’s successful exit from Aporeto, which was acquired by Palo Alto Networks in 2019, exemplifies the potential in this area. “We held the company for about a year. They were early on zero-trust tech and focused on distributed workflows and how to protect containers in the cloud. They were so early, in fact, that none of the big players had a solution for it yet, so one of them – Palo Alto Networks – chose to buy Aporeto. Our timing was right,” recounts Turenne.
Another example of a zero-trust solution is Xage Security, backed by Chevron Technology Ventures. The company provides a zero-trust model for complex environments without requiring an equipment overhaul. This approach can be particularly valuable to energy companies with diverse and geographically dispersed assets.
Post-quantum security
The potential of quantum computing to break current encryption standards is also spurring interest in post-quantum security solutions among energy CVCs.
James McKell, a venture executive at Chevron Technology Ventures who connects CTV with Chevron’s chief cybersecurity office, stresses the importance of preparing for the quantum future.
“Investments in post-quantum security are important, as usable quantum computers are coming. It will take time to prepare and upgrade our current inventory of applications running on existing cyber standards,” says McKell.
Anbarcı, who leads much Chevron Technology Ventures’ investing, notes: “Computing power is growing and quantum computing will be here soon, probably sooner than most people think.”
CTV’s investment in a UK-based company dubbed PQShield, developing quantum-resistant cryptographic solutions to protect data against future quantum computer-based threats, reflects this forward-thinking approach. “We believe PQShield owns a lot of IP attached to algorithms that will replace the standard RSA encryptions widely used today,” notes McKell.
Anbarcı says that wanting to get ahead of the curve on quantum computing is pushing Chevron Technology Ventures to come out of its typical investment comfort zone. “We typically seek to invest in cybersecurity businesses with proven track records and an established customer base. These tend to be mid to late-stage deals, although we have definitely invested in early-stage deals in the post-quantum security space as well,” he says.
Other CVC investors are still a little wary about quantum investments, however. This is especially true if the CVC is driven by both strategic and financial considerations: “I have looked at it [quantum computing cybersecurity] quite a bit, and it is still early in the market…Getting in too early could sometimes significantly hurt your financial returns. Timing matters. You want to be early but not too early, and quantum computing cybersecurity might be still too early,” says Turenne of NGP.
Looking ahead
The cybersecurity startup market has shown resilience even in the face of broader market volatility. “Earlier-stage companies weren’t affected in the past couple of years as much as later-stage companies, whose valuations generally went down much more,” says Turenne.
“Overall, the sector has held up reasonably well. In my view, acquisition prices for companies that have early traction with a unique solution are still healthy,” he says.
Later-stage cybersecurity companies have also generated some exits for energy investors. RiskIQ, a cybersecurity that NGP invested in, for example, was bought by Microsoft in 2021 for $500m. “RiskIQ was a later stage company that focused on threat detection and vulnerability management outside the firewall. They had built a very large database on cyber threats and had tier-1 customers. I think that is what got Microsoft so interested in them,” says Turenne.
Energy investors are optimistic about the outlook for cybersecurity investments. Anbarcı of CTV predicted increased activity from CVC peers in this domain, also stating: “Maybe we, at Chevron Technology Ventures, are somewhat ahead of most of them since we have been investing for far longer than most. We have also built an internal track record and credibility that help us invest in areas before it was fashionable to do so.”
Regulatory changes have the potential to boost investment in the sector. Stricter regulations have come in over the past 12-18 months in the US and Europe regarding the software bill of materials, requiring companies with critical infrastructure to report all open-source and third-party components in their code. This has increased demand for cybersecurity companies like Finite State, which helps companies monitor third-party code and connections.
