“ICS cybersecurity? What’s that? Is it worth doing? Can it be done? No it cannot, I heard…Even if you did the market isn’t large enough to support it long term”
Dragos, Inc. announced today its C-Series financing which is the largest investment ever into an industrial control system (ICS) / operational technology (OT) cybersecurity company. The investment is $110M for a total raised of more than $158M over the four years the company has been around. As the co-founder and CEO it fills me with great pride because of the team Dragos has assembled and our amazing customers who have truly partnered with us on our collective journey. Seeing them leverage our technology, services, and intelligence to make their companies more secure and further their maturity is something amazing to behold. Most citizens never understand or gain insight into how hard their infrastructure companies work to provide safe and reliable services and goods; I can tell you first hand this community works amazingly hard. There’s a lot of unknown passionate professionals running proof of concepts, implementing projects, advocating internal to their org, getting trained, working long hours, etc. all to allow companies like Dragos to exist to serve this community. Thank you.
I’ve written before on what it’s like to raise venture capital, you can view that blog here. In this post I want to walk through some of the challenges I’ve faced for Dragos from an investment perspective and the path along the way explicitly to help explain what I think this investment means for the broader OT/ICS cybersecurity market and community. I’ll speak a lot about our journey so far but the point isn’t about Dragos’ financing but instead the amazing realization that OT cybersecurity is worth doing, a large enough market to do it in, and that it can be done.
I will say without any intent to hype it up that I do believe this is a watershed moment and I hope to share that perspective with you.
I started Dragos a little over four years ago with my co-founders Jon Lavender and Justin Cavinee who had worked with me at the National Security Agency on our mission of identifying and responding to threats to ICS worldwide. We started the company not out of the desire to create a company or technology. To be candid we all abhorred the idea of becoming a software vendor after a career of being practitioners and community members in this space. But we did so out of a stark realization that the industry was changing and the threats were becoming more numerous and aggressive. What we were seeing as “answers” were a copy/pasting of IT security best practices into the ICS networks with little regard for the unique mission and threats those systems faced. I had authored the SANS ICS515 class on ICS incident response and network monitoring to help educate and train the workforce but realized that the only way to scale human knowledge fast enough in the face of what we were seeing was to also ensure those practitioners had ICS specific cybersecurity technology as well. We needed to do this in a company that would refuse to get acquired and be a long term player to put a dent in the problem. It’s my view though that to make the best technology you need the best people and you need to be hyper informed on the changing risk landscape if you’re going to counter it. So we built Dragos focused on our visibility, monitoring, and response technology but also with a professional services team of ICS cybersecurity experts to do everything from threat hunting and pentesting to incident response and architecture reviews while being trusted advisors to our customers. To inform everything we did and to help educate our community we built an intelligence team to identify and track threats specifically focused on ICS. To date we track 14 state adversaries explicitly doing so. I say all that in context of this fund raising to say – most investors hated our approach.
We got off the ground with a Seed investment from DataTribe. The only reason they invested was they had a background in the intelligence community and military and understand that we were mission focused. I’m sure they didn’t know much about what we wanted to do but they knew the problem was important and we were the team that would stop at nothing to satisfy the mission. When I went to raise the Series A round of $10M to finance our operations I met with and pitched well over 100 investors. Many of them sought us out to learn more about ICS/OT cybersecurity. The broader OT security market which encompasses ICS and the industrial internet of things (IIoT) (not to be confused with IoT, Alexa and a Gas Turbine have little in common) was very interesting to investors but none of them seemed to believe it was worth focus. I received pushback from the investors that fell into three distinct camps; these camps were challenges I heard from plenty of non-investors as well that I had encountered over the years:
- Companies have tried to do ICS security before and failed. It’s not doable. People don’t care past regulation or fear. These companies won’t change. OT specific cybersecurity will never be successful.
- The market is too small. If you’re interested in getting quickly acquired we’ll invest but if you’re interested in going the distance, we’re not along for the ride. The OT market is so niche.
- IT and OT are converging. There won’t be an OT network in the years to come. IT? OT? It’s all just T. Enterprise cybersecurity will be rolled into the plants there’s no need for OT specific cybersecurity. OT specific security isn’t worth doing.
Finding people that didn’t agree with the three points above in the broader market was hard. In reality, very few of the practitioners in our small ICS security community believed such things. I think many people in our community have wondered if it’ll take some giant cyber attack on ICS to get people to take it seriously, but my view was “we’ve had all the attacks we need.” Every industry has representative attacks and stories. That wasn’t the issue or need and no one should hope for it. The reality was there wasn’t a large investable market which means for the business there was no obvious need to address this risk. I viewed building a technology company and staying around long term as necessary to getting these companies resources for workforce development, training, etc. as much as anything else.
On the three points here’s where I disagree in order:
- Just because a few companies have failed on this path doesn’t mean that it won’t be successful. But more importantly the efforts I’ve seen failed before were largely re-skinned IT security efforts with some ICS marketing. It was obvious they were going to fail. This community does care about its infrastructure but we are a community of people who understand what does and doesn’t work. Our infrastructure members will invest beyond regulation and fear but not in things they don’t believe will work. Also undeniably over the last decade there has been a larger and more proactive community advocating cross company cross vendor cross conference etc. on what does and doesn’t work.
- The OT market is huge. It’s hard to put a real number on it; some orgs claim 20-30B, but however you size it, it’s huge. Most people associate it with electric utilities and oil and gas. But manufacturing, rail, water, mining, transportation, etc. should come to mind. And the physical systems in the data center. And building automation systems. And airports. And and and. It’s actually harder to find companies that don’t have OT than those that do. These businesses aren’t in the business of selling emails. They produce goods, interact with the physical world, and provide services all powered by OT. The major risk is in the OT and when executives are aware of that and have an answer to address it they will in a way a majority of investors I’ve met have misunderstood.
- IT and OT convergence happened a decade ago. I’m near tired of hearing how it’s “coming.” We have had Windows in ICS/SCADA/DCS/OT/etc. networks for more than a decade. The convergence is actually the digital transformation of these organizations coming at the same time of ICS specific adversaries. But no matter what the underlining operating system is that’s not the point. The point of OT cybersecurity is that the mission is different. The threats are different. The risks are different. The culture to get the job done is different. The challenges are different to succeed. Therefore the way you secure it will be different. I’m not saying all IT security is useless in the plants. There’s plenty we can learn from and adopt. What I’m saying is the unique and most critical part of these businesses deserves a specific focus that understands and accounts for the people, culture, process, technology, mission, risks, threats, etc. of that side of the business. To not accept that is naïve.
When I went to investors saying we wanted to focus exclusively on OT cybersecurity and we wanted to partner with our customers not just in providing technology but also having smart people and actual insights to provide it didn’t go so well with most of them. You cannot describe all the VCs in one broad stroke just like you cannot describe any group; and I’ve met and really enjoyed getting to know plenty of VCs, but to say the vast majority didn’t understand this market is an understatement.
Not only were the pushbacks from above tangible but also “and you want to hire experts to do professional services? Won’t that lower the margins on the software sales? I don’t think that’s a good idea.” But even extremely mature companies are relatively immature in their OT cybersecurity journey and need a partner not just a technology. That’s also how we get better. So it was non-negotiable. Our team’s people are and were our secret weapon. For all the words like innovation and disruption that get flaunted in Silicon Valley it was interesting how many investors we scared away by simply being different than what they had seen before. The reason we were successful in our A round was largely due to Energy Impact Partners and AllegisCyber. AllegisCyber is a VC built by former operators (ran companies before) which helped them see what we were doing beyond a spreadsheet. Energy Impact Partners though deserved the lion’s share of the credit as they are a VC built by the electric companies. Southern Company, National Grid, Xcel, Oklahoma Gas and Electric, etc. and those companies knew first hand how important OT was and the necessity of a full solution.
By the time the B round came about, a $37M investment, a lot of the naysayers of OT cybersecurity in the context that it couldn’t be done fell to the side. We were flooded with investors who wanted to invest. But, most of them were talking about and thinking about acquisitions. My view was and is that the OT cybersecurity market is so large that it can not only support one company IPO’ing or being of that size but multiple. This was not a widely shared view to say the least. Most of the 70+ investors calling who were interested in us because of the importance of ICS quickly had the wind taken out of their sails and the conversations would noticeably shift when I mentioned our vision was to be a long term company and not to build to be an acquisition target. To them it was clear now that OT cybersecurity could be done. They agreed it should be done. They did not believe it was a large market. Luckily, this time around we had Canaan which is a well respected Silicon Valley VC to add that type of credibility to our name in those circles but believed in the mission and in the market size. They saw what many at the time didn’t and I think that a big reason for that is how involved they had been with pharmaceutical companies and others realizing that maybe there was something to this OT market. Vision is an easy word to say and hard in practice. (Hear their perspective in this blog here.) We were fortunate to also be joined by a direct strategic investment from National Grid, Emerson, and Schweitzer Engineering Labs. Obviously those three understood OT and have continued to be great partners.
To claim that the C round is some sort of finish line is obviously silly. It’s really just the starting point. But to have a record setting $110M investment isn’t about Dragos. It’s about our OT cybersecurity community and the broader market. It’s a massive signal to everyone that not only is OT cybersecurity important (most everyone gets that), and is doable (people starting to realize that), but that the market is large enough to make it a worthy investment (new to most). This time, instead of taking calls from all the interested investors, we focused on letting the industry tell the story. The only thing more powerful to me than a large investment is having the asset owners and operators themselves tell their story. Thus, for the C-round we had the venture arms of National Grid and Koch Industries lead the round with investments from Saudi Aramco and HPE as well. One of the largest electric and natural gas companies in the world, with the largest manufacturer in the world, with the largest oil and gas company in the world, with one of the largest manufacturers in the supply chain in the world. That’s a powerful story. That’s a signal to everyone including the investors that the OT cybersecurity market is large, worthy of investment, and will be around for a long time. These are industry leaders saying not only do we believe in the technology we’re seeing but this market and category is important to our businesses at a strategic level. That’s a powerful signal to the other companies in their space and broader. That’s the new piece here. That’s the story. That’s what I think serves as a watershed moment. The community itself standing up and saying “we’ll get this done ourselves, it’s of strategic value.”
There are plenty of savvy investors and VCs that I’ve had the privilege to get to know. But across the broad swath of them the conversations have changed as they learned about our C round. And it’s not just investors. I’ve run into the naysayers every month and sometimes every week of my entire career. It gets tiring. And don’t even get me started on “you’re technical? Are you sure you can be the CEO? Shouldn’t you bring in someone else?” discussions. That’s a less polite blog I’ll write some time. But I know many of you in our community run into the same conversations about our ICS community. To all of you I will tell you now that I can say with great confidence the folks telling you that it “can’t be done” “shouldn’t be done” or “cannot be done long term” are on the wrong side of the argument. We have a lot of work to be done. But this is a community milestone.
It’s not a Dragos only story. The work by so many firms, so many passionate professionals, students, practitioners, leaders, government agencies, and even competitors have been a part of getting here. And here we stand on a larger platform than ever before, as an OT/ICS cybersecurity community, to tell our story.
If you’re in our community we at Dragos hope this provides some ammo for you to propel your ICS security journey forward. If you’re not in the ICS security community and you want to join, we hope this is a good signal to you that you can have a wonderful career here and its worth your time. Your local power company, water utility, oil and gas, manufacturing, rail, data center, mining, etc. companies are hiring. Go check them out. Their mission is worth investing in.