Industrial Cybersecurity: The Battleground in Our Backyard
A Matter of National Security and Investment Opportunity
We break from our AI series today to highlight a more under-the-radar growth opportunity: industrial cybersecurity. Not only is industrial cybersecurity a $50b+ global market opportunity, it’s also essential to our national security, and the need for it will only be accelerated by the adoption of AI.
Luckily, we have leaders like Josh Steinman, CEO of Galvanick, building companies to protect critical infrastructure. Here we ask Josh to explain the basics of industrial cybersecurity and offer some more details on the market.
The Deload explores my curiosities and experiments across AI, finance, and philosophy. If you haven’t subscribed, join nearly 1,500 readers:
Disclaimer. The Deload is a collection of my personal thoughts and ideas. My views here do not constitute investment advice. Content on the site is for educational purposes. The site does not represent the views of Deepwater Asset Management. I may reference companies in which Deepwater has an investment. See Deepwater’s full disclosures here.
The Battleground in Our Backyard
Software has eaten the world.
In the years since Marc Andreessen made his famous prediction about software, the world has been consumed. Just as the consumption of the world by software had massive implications, so too does the aftermath. Now the physical and the digital are inextricably intertwined. That creates new opportunities in automation and efficiency, but it also creates new attack vectors for bad actors.
Our toasters, scales, shower heads, and even coffee makers are all connected to the internet. It may seem extreme to worry about the connectivity of benign devices (it’s not), but that’s only a microcosm of the broader issue. The scarier reality is that equipment in modern factories, refineries, pipelines, and other critical infrastructure connects to the internet just like our toasters. And those are some serious attack vectors.
Rewind back to 2021’s Colonial Pipeline attack. Hackers infiltrated Colonial’s billing system, forcing the company to halt pumping of fuel. The halt created gasoline shortages in much of the southeast. I was living in North Carolina at the time, and we waited in a 1970s style fuel line for an hour to get $20 worth of gas.
Experiencing a gas shortage from an industrial hack was crazy. Something like it is bound to happen again. Maybe even something worse.
The hyperconnected physical world demands more robust security solutions to combat bad actors who try to attack our infrastructure. Industrial cybersecurity is destined to become the fastest growing part of cybersecurity. Our national security and quality of life depend on it.
In this piece, I interview Josh Steinman, CEO of Galvanick. He’s building an industry-first extended detection & response (XDR) platform to replace the current disparate and insufficient piecemeal approach to industrial cybersecurity. Galvanick recently announced $10 million in seed funding from MaC Venture Capital, Founders Fund, Village Global, Countdown Capital, and others including Deepwater Asset Management (my firm).
Industrial Cybersecurity 101 with Josh Steinman
Doug Clinton: What does an industrial cybersecurity attack look like? Explain like I’m five.
Josh Steinman: An industrial cyber-attack is when bad guys use computers to cause problems at places like power plants, factories, or water treatment facilities.
Here's an example: imagine a power plant that uses computers to control how much electricity it produces. Now, picture a bad guy who wants to cause problems. This bad guy uses his own computer to send false instructions to the power plant's computers.
So, instead of the computers telling the power plant to produce the right amount of electricity, the bad guy's false instructions could tell the power plant to produce too much or too little. This can cause blackouts, equipment damage, or other serious issues.
DC: How exactly do companies manage this today? Is it physical monitoring? Piecemeal cyber solutions? Who in corporate is responsible for it?
JS: Before Galvanick's XDR platform, industrial cybersecurity largely depended on a mix of various measures, including both physical and digital protections, managed by a combination of IT and operational technology (OT) teams.
Physical Monitoring and Access Controls: This involves restricting and monitoring physical access to critical areas where servers and other important hardware are located. It can also include ensuring network devices are secured and can't easily be tampered with.
Firewalls and Intrusion Detection Systems (IDS): These are digital protections that monitor network traffic. Firewalls allow or block network traffic based on predefined security rules. Intrusion Detection Systems monitor networks for suspicious activity and potential cyber threats. However, these tools are typically designed for traditional IT systems, and they may not always perfectly suit the unique requirements and protocols of industrial systems.
Antivirus Software: Antivirus software can help detect and block malicious software that could harm the system.
Regular Updates and Patch Management: Keeping all software and hardware updated with the latest patches can help protect against known vulnerabilities that attackers could exploit.
Security Information and Event Management (SIEM) Systems: SIEM systems collect and analyze security data from across a company's network to identify potential threats.
Employee Training: Employees can be trained to recognize phishing attempts and other potentially dangerous user behaviors.
As for responsibility, traditionally it's been split between IT and OT teams, if the company has them. IT teams typically manage the digital protections and OT teams manage the physical access controls.
However, the increasing integration of IT and OT systems (the so-called "convergence" of IT/OT) has blurred these lines. Therefore, a unified, comprehensive approach is often needed to ensure proper industrial cybersecurity. It's becoming more common to have dedicated cybersecurity teams that understand both IT and OT, or even specialized roles like a Chief Information Security Officer (CISO) who oversees cybersecurity across the entire organization.
DC: Have things like Colonial or other major attacks changed the discussion in the industry at all?
JS: Yes, major cyber-attacks like the one on Colonial Pipeline have significantly altered discussions in the industry. Here's how:
Increased Awareness and Urgency: Such incidents have raised the public's awareness about the vulnerability of critical infrastructure and the potential impacts of successful attacks. This increased attention has led to a sense of urgency in enhancing industrial cybersecurity measures, as both public and private sectors recognize the critical need to protect these vital systems.
Regulatory Changes: High-profile attacks often lead to changes in regulation and policy. For example, in the United States, following the Colonial Pipeline attack, the Transportation Security Administration (TSA) issued new cybersecurity regulations for pipeline operators. This includes reporting cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and having a cybersecurity coordinator available 24/7.
Increase in Investments: The heightened awareness of industrial cybersecurity risks has led to increased investments in cybersecurity solutions. This includes not only private sector investment but also governmental funding aimed at bolstering the cybersecurity of national infrastructure.
Shift in Strategy: These incidents underscored the need for a more proactive, rather than reactive, approach to cybersecurity. This has led to a shift towards strategies like zero-trust architecture, and the adoption of more advanced technologies like Industrial Extended Detection and Response (XDR) platforms.
Focus on IT/OT Convergence: The Colonial Pipeline attack and similar incidents highlighted the need for better integration between IT and OT security. The convergence of these once separate domains has become a major talking point in discussions about industrial cybersecurity.
Emphasis on Incident Response: Having a well-planned and practiced incident response plan has been recognized as essential. Companies are focusing more on their ability to quickly and effectively respond to incidents to minimize downtime and damage.
DC: Which industries are furthest along in preparing for this? Which are furthest behind?
JS: In terms of securing their industrial (operational technology, or OT) environments against cyber threats, different industries have progressed at varying rates.
Industries that are generally ahead include:
Energy and Utilities: Given the critical nature of their operations, and the potentially catastrophic consequences of successful cyber attacks, these industries have typically placed a high priority on securing their industrial systems. This has led to substantial investments in OT-specific cybersecurity measures.
Chemical and Pharmaceutical Manufacturing: These industries deal with sensitive and potentially hazardous materials, and hence, have prioritized securing their industrial systems against potential cyber threats.
Defense: As a highly sensitive sector, defense organizations have long been at the forefront of cybersecurity. They have invested heavily in the protection of their industrial systems due to the potential national security implications of any breach.
Industries that are generally behind include:
Water and Wastewater Treatment: These sectors have been slower to adopt comprehensive OT cybersecurity measures, often due to budget constraints or a lack of awareness about the potential consequences of cyber attacks.
Food and Beverage Manufacturing: This industry has seen slower adoption of advanced OT cybersecurity measures. However, the potential for disruptions that could impact food supply chains is gradually leading to increased attention towards cybersecurity.
Transportation and Logistics: Despite the critical nature of their operations, many companies in these sectors are behind in terms of implementing robust cybersecurity measures for their industrial systems.
DC: Give us a final word on why it’s time to get excited about industrial cybersecurity.
JS: Attacks on infrastructure have led to a significant reevaluation and intensification of cybersecurity practices within industrial sectors. They've highlighted the critical importance of safeguarding industrial systems and have driven innovation and investment in new security technologies and approaches.
With the advent of Industrial XDR platforms like the one offered by Galvanick, companies can more effectively integrate and automate these varied security measures, enhancing their overall cybersecurity posture. The XDR platform streamlines the process of detecting and responding to threats in real-time, across both IT and OT systems, thereby significantly reducing the risk of successful cyber-attacks.
DC: That’s why we’re excited. We’re glad you’re building Galvanick and honored to be investors. There’s no one better to do it.
A $50 Billion Market Opportunity
Deepwater estimates that the US TAM for industrial cybersecurity (ex-defense) is around $23 billion. Including international markets, the industrial cybersecurity TAM is more than double the US estimate, potentially close to $50 billion. There may be additional upside to our estimate depending on certain factors like facility-size spend and government regulation.
Our base estimate of a $23 billion US TAM assumes that 0.7% of the total GDP generated by manufacturing, transportation and warehousing, energy, and water infrastructure (est. ~$3.4 trillion) is spent on cybersecurity. That level of investment would put industrials slightly above levels spent by the financial services industry at 0.2-0.9% (0.5% on average) according to Deloitte. The investment in cybersecurity by industrials is even greater when considered through the lens of profitability vs revenue. The financial services sector has net margins generally 2-3x that of the broader industrial space — mid-20s for financial services vs high-single digits for industrials.
The manufacturing sector is the largest contributor to GDP in our four main industrial cybersecurity sectors. It’s also the most fragmented with over 290,000 manufacturing facilities in the US, most having fewer than 100 employees. There are almost 25,000 manufacturing facilities with over 100 employees and 850 with over 1,000 employees. Another way to consider the manufacturing sector is production per facility. Deepwater estimates that there are several thousand high-dollar-output facilities in the US that generate over $1 million in product per day.
Medium-to-large-sized and high-dollar-output facilities have the greatest direct financial incentive to invest in strong cybersecurity. They face the double impact from a cyber-attack of lost revenue from operational disruption as well as lost customer business. IBM estimates that data breaches cost the average business $1.5 million in lost business. A three-day shutdown could cost a medium-sized manufacturer an average of $750k+ in revenue and a large or high-output manufacturer more than $3 million.
These potential impacts suggest that the average medium-to-large-sized manufacturers should be willing to spend toward a million per year securing facilities from lost business and revenue, which may indicate upside to our TAM estimate.
Another factor that could drive TAM greater than our estimate is regulation. Energy, water, and many manufacturing facilities provide services critical to the functioning of our country. It’s reasonable to expect governments to consider mandating a base level of cybersecurity for critical operations, and it should be for integrated solutions that give sufficient protection. Outside of regulation, it’s also possible we see industry groups adopt certain standards for cybersecurity.
While spending to protect facilities may seem like an obvious investment, industrial operators face an acute challenge between spending adequately on cybersecurity to protect facilities from attack vs protecting often thin profit margins.
Intelligent deployment of industrial cybersecurity will be a near-to-medium term advantage for facilities that invest early. An industrial cybersecurity strategy signals to a manufacturer’s customers and employees that they care about threats to production safety and national security. Over time, customers will come to expect industrials to present a clear cyber strategy as part of doing business. A comprehensive industrial cybersecurity strategy will go from a nice to have to need to have, and that will cause a rush of change in this $50 billion dollar industry.