The how and why of raising OT security capital

Last year was huge for the cybersecurity market, fueled by rising incidents of cyberattacks, particularly ransomware that disrupted services and held companies hostage.

The numbers are striking: Investments in the space more than doubled from the year before to $29.3 billion, according to a recent report by investment bank Momentum Cyber. Two recent funding rounds, in November and February, even exceeded $1 billion. A record 286 M&A deals, worth $77.5 billion, were made, and 14 deals of those were over $1 billion each. This year is off to a promising start with Google’s $5.4 billion acquisition of Mandiant in March.

The market is responding to the evolving threat landscape. As new types of attacks arise, security vendors respond with new tools in what has become a cat-and-mouse game. This dynamic has driven the market for decades, but things are heating up now that the stakes are higher with hits on critical infrastructure and the U.S. supporting Ukraine in the Russian invasion.

One security area that has been seeing particular interest of late is operational technology.

Many attacks last year targeted companies that provide basic necessities of life, and consumers felt the pain. In February 2021, someone gained unauthorized access to the water treatment system in Oldsmar, Florida, and tried unsuccessfully to add more lye to the water supply.

And last May, drivers on the East Coast panicked when they couldn’t get gasoline after a ransomware attack disrupted Colonial Pipeline’s distribution network. That month, a ransomware attack on Brazilian meat supplier JBS resulted in beef shortages in South America, North America and Australia. JBS ended up paying $11 million in ransom.

The transportation industry has also been hit hard in recent years, seeing a 186% increase in weekly attacks from 2020 to 2021, and a 900% increase in maritime attacks since 2017. Recent incidents include attacks on the New York Metropolitan Transportation Authority and the CSX Class I freight railroad.

Critical infrastructure attacks and regulation

All these attacks on critical sectors have led to a slew of federal action plans and regulations affecting the water sector, pipeline operators and other critical industries.

In one example, the Department of Homeland Security’s Transportation Systems Sector-Specific Plan cites a number of elevated risks, including cyber and aging equipment, in guiding industry efforts to strengthen infrastructure security and resilience.

As Russian attacks on Ukraine have intensified, the U.S. government is increasingly concerned about Russia launching cyberattacks on American businesses, especially critical infrastructure. On March 15, President Joe Biden signed into law the Cyber Incident Reporting Act, which requires critical infrastructure providers to report cyberattacks to the Cybersecurity and Infrastructure Security Agency within 72 hours and ransomware payments within 24 hours.

Then, on March 21, the president reiterated earlier warnings, citing “evolving intelligence that the Russian government is exploring options for potential cyberattacks.”

Then the U.S. Department of Justice unsealed indictments on March 24, charging four Russians who worked for the Russian government with hacking operational technology (OT) of companies in the energy sector around the world over six years.

Legacy equipment in a modern world

For decades, cybercriminals focused on stealing information they could monetize, but now that OT environments are increasingly connected to the Internet, bad actors are trying to shut down infrastructure and conduct cyber-physical attacks like in Oldsmar.

The advent of ransomware and targeted attacks on critical infrastructure have changed the game and are putting operational technology security in the spotlight. At the end of the day, OT security is a national security issue.

OT, which enables critical infrastructure and systems to operate continuously and reliably, used to be siloed off from the IT network and the internet, but that has changed. Now, control networks and components are embedded in everything from airplanes and trains to military vehicles and electric grids.

OT was developed before modern standards for cybersecurity were, so the attack surface has grown, but it often remains unsecured. Applying standard IT security solutions doesn’t work, because OT systems need to stay up and running and can’t just be taken offline for patching.

The OT security market is ripe for growth after years of underinvestment. Gartner predicts that by 2025, there will be harmful and potentially fatal attacks on OT environments and that 30% of critical infrastructure organizations will experience a security breach that will disrupt operations or a mission-critical cyber-physical system. Research and Markets predicts that the global OT cybersecurity market will be worth more than $18 billion by 2023.

3 tips for raising capital

At Insight Partners, we’ve been following the OT space for a number of years, and the critical mass in customer demand was clear last year.

Here are three things that we look for when sourcing investments in the OT space:

Don’t just detect attacks, stop them

It’s not enough just to be able to detect cyberattacks. Security that accurately identifies truly malicious activity and stops it based on the signals they’re seeing — before the damage is done — will do well in the current market.

Become a must-have

Solutions that are indispensable to customers’ operations are more likely to see demand and will have higher retention rates. A security solution that can help mitigate or stop an attack on a critical infrastructure provider without disruption to operations is highly valued because of the financial costs and potential for harm to people from critical services outages.

Frame the story well

Every startup is going to have its own story and tell it in its own unique way. Some questions we tend to focus on when evaluating businesses include:

• What is the value proposition to the customer?
• Why is the founding team uniquely capable of solving this problem?
• What is the magnitude of the problem (i.e., how big is the market)?
• What are the sources of sustainable competitive advantage?

These are fairly straightforward and “simple” questions, yes, but the answers will form the foundation of any VC’s investment thesis.

It’s a good time for OT security providers to seek funding. The combination of increasing OT cyberattacks and the emergence of government regulations is fueling a funding frenzy.

In security, the stakes are high and the intellectual property is particularly treasured. Bleeding-edge cybersecurity solutions aren’t easy to copy, which gives innovators a head start in the market and the potential for sustained competitive advantage. It’s one of the many reasons we’ve invested so heavily in cybersecurity over the years.