“We had to go out and talk to experts and just have the conversations and then be brutally honest about what those people were telling us about the problem. In many cases, we didn’t even tell them what we were thinking about doing. We would call them up and say, “How are you securing your industrial control systems today?” and just listen.” – Joshua Steinman

“We really learned to go in, us. Instead of imposing what we thought the problem would be for other asset owners, really let them tell us what their problems were. So that was probably one of the biggest takeaways during the customer discovery. And it was also great to hear that a lot of people had, I would say, some similar problems across different industry verticals. And everyone knew that there needed to be some change and wanted to see change. So that was also very refreshing for me.” – Brandon Park

What are the biggest challenges in critical infrastructure cybersecurity? In this episode of Hack the Plant, we hear from two entrepreneurs, Joshua Steinman & Brandon Park, who just completed a 7-month-long customer discovery process trying to understand where the key problems lie today in keeping our ICS systems safe from cyber threats.

Joshua Steinman is a former naval officer, ICS cybersecurity startup founder, and cybersecurity policy senior director during the Trump administration.

Brandon Park formerly worked at Amazon as a Security Engineer focused on securing ICS at scale. Prior to Amazon, he supported Department of Defense and Department of Energy projects.

Their conversations spanned ICS cybersecurity experts, operators, and executives at companies with large footprints in the space – and led to some surprising and unexpected insights, which in turn led to the launch of something called Galvanick.

How can this make our ICS more safe, reliable, or cyber-resilient? Join us to learn more.


Transcript:

Joshua Corman: 

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort: 

I’m Bryson Bort. And this is Hack the Plant. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on the internet to function. Every day I ask and look for answers to the question: does our connectivity leave us more vulnerable to attacks by our enemies? I’m a senior fellow at the R Street Institute and the co-founder of the nonprofit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

For today’s episode, I’m joined by Joshua Steinman & Brandon Park, two cybersecurity entrepreneurs working on innovating in critical infrastructure.

Joshua Steinman is a former naval officer, ICS cybersecurity startup founder, and cybersecurity policy senior director during the Trump administration.

Brandon Park is a Security Engineer at Amazon focused on securing ICS at scale. Prior to Amazon, he supported Department of Defense and Department of Energy projects.

We discussed their recent collaboration – a 7-month-long customer discovery process trying to understand where the key problems are now to keep our ICS systems safe from cyber threats.

Joshua Steinman:

We’ve been deeply integrating digital systems into our industrial systems and networks. And I think that a lot of folks thought that what we were doing in those cases was yielding efficiency, driving uptime, getting to those five-nines, six-nines of uptime.

And on a certain time horizon, that’s probably accurate, but I think what we’re seeing now as folks realize that, in fact, there will be a price to be paid because of that, I think what’s going on is, at a zooming out even further what we’re realizing is that we traded almost predictable downtime for unpredictable downtime. We traded known inefficiency for unknown inefficiency. And I think that we’re really going to have to wrestle with this over the next five to 10 to 20 years because, for example, the Colonial Pipeline executive, CEO, whomever it was, I think he testified to Congress about this, many of the people required to operate that pipeline manually, which is how it was operated previously, are retired. Some of them are dead. And instead, we injected digital systems to manage these types of infrastructures.

Bryson Bort:

This led to conversations with ICS cybersecurity experts, operators, executives at companies with large footprints in the space.

Joshua Steinman:

We had to go out and talk to experts and just have the conversations and then be brutally honest about what those people were telling us about the problem. In many cases, we didn’t even tell them what we were thinking about doing. We would call them up and say, “How are you securing your industrial control systems today?” and just listen.

Bryson Bort:

They talked through what was surprising, unexpected and challenging.

Brandon Park:

One of the biggest things that we were going to be dependent on is the customer actually knowing their environment to answer the questions properly. So that was another thing that we were finding during the customer discovery processes where some of these organizations may not have someone who thoroughly understands how their environments operate. We really learned to go in, us. Instead of imposing what we thought the problem would be for other asset owners, really let them tell us what their problems were. So that was probably one of the biggest takeaways during the customer discovery. And it was also great to hear that a lot of people had, I would say, some similar problems across different industry verticals. And everyone knew that there needed to be some change and wanted to see change. So that was also very refreshing for me.

Bryson Bort: 

What did they develop? How could it make our ICS more safe, reliable, or cyber-resilient? Join us to learn more.

Josh, why don’t you tell us about your background and the mistakes that have led you to being on this podcast?

Joshua Steinman:

Thanks, Bryson. It’s great to be here. Thanks for having us. So yeah, I started my career as a naval officer and did a bunch of expeditionary work in that capacity. And when I wasn’t deployed or training, I was doing some stuff with tech policy for the senior officers in the Navy, specifically the Chief of Naval Operations. I served on a group called the Chief of Naval Operations Rapid Innovation Cell where me and a group of 10 other junior officers and enlisted folks were tasked with finding asymmetric opportunities for the Navy in future conflicts. And in that capacity, I wrote the white paper that turned into the Defense Innovation Unit out in Mountain View, California.

I got off active duty. I went to go work at a cybersecurity startup that had just gotten out of Y Combinator. I did that for just under two years and then I was asked to come to Washington and be the senior director for cyber on the National Security Council. Did that for about four years. And at the tail end of that tour, being a deputy assistant to the President and senior director for cyber on the NSC, started talking to a bunch of friends including Brandon and our third cofounder, Felix, about how to maybe start something in the industrial control system cybersecurity space. And that led to the six months of customer discovery that we’re going to talk about here.

Bryson Bort:

Brandon?

Brandon Park:

Yup. Bryce, thanks again for having us. My background, studied electrical engineering and then went into the controls and automation space. Specifically, I was at Merck, a large pharmaceutical company, working on vaccine manufacturing. Started getting interested in the networking and security side of things and then found myself at Bechtel. They’re a large engineering, construction and procurement company. They were spinning up an ICS cybersecurity lab to help support their DOD and DOE missions. So I worked on that for a bit and then left to go to Amazon to help spin up their cybersecurity team, focused on our global operational and fulfillment footprint.

Josh and I’ve known each other for a few years. We’ve always been interested and find ourselves talking about the control system space and what we can do to try to improve the situation. And yeah, this is where we find ourselves now.

Bryson Bort:

And so what led me to bringing you on the show was that you had done an industry survey, startups, the smart ones at least, try to go figure out what is this potential problem from the folks who might actually buy it, and what did you learn?

Joshua Steinman:

Thanks, Bryson. Yeah, it’s a painful process, talking to customers. We’re big fans of Y Combinator and all the folks that have come out of that program. And it’s one of the first things that they talked about in the material that they put out is just go talk to customers. And so that’s where we started. Initially, our first idea and the one that we were toying with for really about a year was to do an industrial control systems cybersecurity specific insurance company. And we started doing a bunch of customer discovery in that space. We talked to folks in the insurance industry, reinsurance and then potential customers. And that took several months, starting in February of this year.

Ultimately, we decided against that for a bunch of different reasons, but the potential for catastrophic loss and failure was probably the biggest one as well as the not yet … We don’t think that the insurance industry itself is really ready for an ICS insurance product and we didn’t see that market timing as positive. So we looked into that potential business model for about two months and ultimately came to the conclusion that we shouldn’t do it. And so from there, we explored five other business models, happy to go into as many of them as you want. But throughout that entire process, from the beginning to the end, our methodology was simply to call as many people as we could, ICS cybersecurity experts, operators, executives at companies that have big ICS footprints, consoles, consultants, even some of our friends from the policy world and just continue to engage with them around these core questions of, “What are the big problems you’re experiencing right now? How are you solving them at present? How would you like them solved in the future?” etcetera.

Bryson Bort:

You mentioned the five business models. We could go through those.

Joshua Steinman:

Absolutely. So six including the insurance one, so I’ll just go through them at a very high level. So the first was industrial control systems, cyber insurance, and again, we came to the conclusion that that probably wasn’t a good model to pursue. Then we started looking at an interesting and novel and somewhat emergent insurance-style product called parametrics. And these, they’re not exactly insurance policies. They’re like options contracts. The most notable prominent example of a parametric is crop insurance where the one party agrees with the other that in the case of a very specific set of objectively observable circumstances that the one party will pay the other.

And so this is really interesting and what’s really interesting to us because it’s essentially converging with a bunch of things that are happening in the blockchain space because that discrete and observable set of circumstances are what the blockchain people would call an oracle. And so we looked into that a lot about, “How would we create cybersecurity oracles? How could we try and build products that would enable anyone to know whether or not, for example, a system was compromised from anywhere in the world without having access to that system?”

So we brainstormed that for a while, talked again with the same folks in the insurance space about that, but for that second idea, that parametric idea, came to the conclusion again that it was a little too early for us to pursue. So that was idea number two. From there, we moved on to a third idea and that was cyber risk scoring for industrial networks. So this happens in the IT space and there are companies like SecurityScorecard that are doing it and have seemed to have had some success. But on that third idea, cyber risk scoring for industrial networks, we looked into it but became convinced that this mental model called the principal-agent problem was going to be a big issue there. Because the ultimate customer for a risk score for an industrial network from our perspective was going to be probably a major manufacturer or an OEM, think of like a major car company.

And so they would want the results of these risk scores and they might be the ones that would pay, but then the people that we would be doing the work with would be their subcontractors. And as we played out how that would work, we just didn’t really see good vibes almost coming out of it because imagine getting paid by a major car company and then being told, “Hey, go talk to the subcontractors and do an assessment of their OT networks or their ICS networks, OT operational technology, operations technology.” And we just foresaw a lot of friction there, going to companies that we had no commercial relationship with, but had a commercial relationship with customer and then trying to get them to basically give us pretty invasive network access.

The more we thought about it, the more we talked to folks. We just didn’t think that that was going to be workable. So that was the third idea, risk scoring for industrial networks. And then again, we continued to do customer discovery, continued to talk to folks that were feeling the pain and we considered a fourth idea which is standing up an ICS-specific managed security services provider or MSSP for short. And this was probably the number one thing that we heard from folks, as we were talking to potential customers. People kept saying to us, “I just want to pay someone to fix it all for me.” And so we started looking into the unit economics of that.

And from our perspective, we were thinking about building a software company, a venture-backable company. And the more we looked into the unit economics of starting an MSSP, we just didn’t think that it was going to be a successful business model. Also, there are some pretty major consulting firms like Deloitte and Accenture that are already doing this, run their own security operations centers. In some cases, they have OT-specific offerings. And we just weren’t sure how we would differentiate ourselves, except for going to the very high end as an MSSP for industrial networks.

So from there, we pivoted to a fifth idea which we called in shorthand TurboTax for industrial cybersecurity. And again, this had to do with the previous idea and responding to the inspiration for the previous idea. People talked about just wanting someone to fix it. So we started thinking about, “How would we build something that would essentially be as easy to use as TurboTax, but at the same time would buy down the risk to ICS networks?” and played that out, sketched out some ideas, talked to some people. And the conclusion that we came to there was that we would pretty quickly run into the challenge of having these different silos within industrial companies where you have an operations team and then maybe you have someone responsible for security or maybe a security team and having some kind of automated web interface system that was going in and potentially making changes to that operational infrastructure.

As we talked to people, it just seemed to be something of a nonstarter. And so that fifth idea, TurboTax for industrial security, we also set aside. And Bryson, just for your listeners’ perspectives. As we considered each one of these ideas, we’re talking about like weeks of conversations and notes, phone calls and market research. And I’m just covering here at the high level what was a very long process. Ultimately about six months. For folks that want to know more about this, I’ve covered it on the Substack that I’ve been putting out, which is just my last name, that’s dot-substack, steinman.substack.com.

That brings us to the sixth and second to last idea which was this idea of trading on vulnerabilities. So we went back to that second idea of the blockchain oracles and things like that and started looking at how we could create incentive structures. We actually really didn’t like this idea, even though we thought that it might be quite profitable. And we opted really not to talk about it very publicly as well. We thought it was not dangerous, but just we didn’t like the vibes. As we took the six months to do the customer discovery, the number one thing that we all wanted to do was create a company that was going to improve security in the first order, not in the second order. And that sixth idea that we explored, we just felt would be not great at that first order even though maybe the second order, it might be positive.

Bryson Bort:

All right. Well, that’s quite a list and I hope that the suspense is starting to build for our listeners to what you actually did, but before we get there, let’s go back through these. All right, so ICS cyber insurance, insurance in cybersecurity and the greater market has been a huge part of conversation, right? We have since started in 2012, 2013 was the canary in the coal mine that enterprise cybersecurity is a problem for these folks. And then fast forward to this year where we have the year of ransomware. We had the attack on the Florida water plants. We had Colonial Pipeline affecting the eastern seaboard. And of course, all of the companies that we don’t ever even see in the news that are being affected by this. And cyber insurance just is like, “Well, at the very end of it, that’s what we got to mitigate risk.” So what else did you see and learn from that?

Joshua Steinman:

Bryson, I think that’s a really good overview, and frankly, what we pulled off of that multi-month investigating, customer discovery investigation process, you’ve really summarized quite well. So just to provide a little bit more detail on that, we got concerned especially when seeing some of the litigation fallout that happened as a result of NotPetya and WannaCry where you had people that did have big insurance policies try and collect on those insurance policies and then have the insurance companies simply take their policyholders to court. And we’re not here to take sides.

There are a bunch of arguments both on the pro and the con as to whether or not that’s the right thing to do, but as we looked at it, we realized that regardless of how we sort of comported ourselves, were we to become an insurance company, that type of interaction with our policyholders would end up being one of the major modes that we were going to use to interact with them. And that just wasn’t for us where it would be that someone would say, “Hey, look, I had this terrible catastrophic thing and I need this 100 million dollars because I have to replace all this equipment,” and our reaction is the policyholder or whatever, the insurance company would be like, “Well, we’re taking you to court because it’s an act of God or act of war, who knows what.”

And to dig in just even a little bit deeper, pivoting off another thing that you said, where you were talking about these other companies that have very quietly been the subject of many of these types of attacks and without naming names, we’ve had breweries attacked just in 2021, a major food processing company, many, many more, just too many to name. And so as we dug into these scenarios and then obviously through our friends, ICS, cybersecurity, really small community, a number of percentage of whom are probably listening right now to your podcast. What we also didn’t want to do was be in this position where some zero day or some vulnerability in a widely used PLC gets surfaced and then all of a sudden you have some major percentage of your customer base exposed to risk.

And so as good students of Nassim Taleb and The Black Swan, we were just very nervous as we started to think about all the dependencies, the small number of OEMs that manufacture industrial control systems. And again, as we just kept digging into it, we just thought, “It probably wasn’t for us.”

Bryson Bort:

I have to give you the award. You are the first guest in the over year that we’ve had this who has mixed industrial control systems and blockchain.

Joshua Steinman:

Thanks.

Bryson Bort:

It’s a dubious honor.

Joshua Steinman:

It is interesting if you look at these parametrics, this is for the second idea, because with crop insurance, it really does go back to some of the foundational like mathematical heuristics of how blockchains work, but these parametric insurance policies, which farmers have been buying for many years, do rely on these types of nearly objective third parties. In the example of parametrics, they are relying on weather stations in many cases operated by the National Weather Service. And so we were almost shocked when the insurance contacts that we were talking about started going down this rabbit hole.

We were not thinking like, “Oh, let’s just add blockchain, just add AI.” We were not doing it. It was actually an insurance company that we were talking to and I’ll just obscure location and identity, but they were saying that they were seeing parametrics emerge in the broader cyber insurance space. There is one company already that’s doing this called Parametrix spelled with an X. It’s publicly available. You can go out and do it. They allow you to buy insurance for downtime of services that rely on the big cloud infrastructures like AWS or Google Cloud.

And while we didn’t ask them how they found those oracles, obviously, I’m sure many of your listeners, and in fact, we were very familiar with things like Downdetector where you can go and see whether or not a certain service is operating or not. But again, as we started talking to folks at the periphery of the insurance space, they started using language that a bunch of our blockchain user or our blockchain friends were using. And at that point, we were like, “Well, it’s worth exploring, but again ultimately turning away from.”

Bryson Bort:

All right, cyber risk scoring, the Holy Grail that if I could take all of this complicated constantly changing thing and turn it into a simple score or maybe some pretty polka dots.

Joshua Steinman:

We looked at this and we liked the idea a lot, but geez, we were just really at a loss for how we would even do an alpha version of this. I’m from Detroit originally and have a bunch of friends that are involved in the auto industry, that know senior executives in the auto industry. And so as we were playing that out in our heads, gaming it out, we just didn’t see a way to do it. Imagine if a major auto manufacturer was like, “Yeah, of course, I want to know the risk score of my OEMs.” And we talked to many OEM, original equipment manufacturer, subcontractors to a big industrial firm like a Ford or General Motors. We talked to many of them over the course of this process to just do basic customer discovery and we did not come to the conclusion that they would be friendly to this type of intrusive.

And it would be intrusive, even if we were well meaning, but an intrusive effort where the customer, their customer comes to them and says, “Hey, we’re going to send these nerds over to take a look at your operational infrastructure,” and we all know how this goes. In most cases, those infrastructures are not going to be pretty from an ICS cybersecurity perspective. So imagine if every time you have a customer, the only thing that that happens in between the time that you sign the customer and deliver the product is you’re fighting with all the people that you need to get the information from in order to deliver the product.

And so we just wargamed this whole thing out, talked to a few folks. And at the end of the day, we’d love to be able to have that, but the way in which some of these other companies that do risk scoring operate is they use publicly available information and publicly available tools to try and build a risk score. And mostly it’s around the IT infrastructure of companies. That’s how, from our investigations, companies like SecurityScorecard operate. And the fear there is if we were to start trying to do that in the OT space, God forbid, we might cause some damage, scanning the IP range of these factories or whatever. So we almost had this, what’s the Greek doctor, the “First do no harm”?

Brandon Park:

Hippocrates.

Joshua Steinman:

The modified OT cybersecurity Hippocratic Oath problem with what we might be doing, where if we tried to look for publicly available stuff to determine risk, we might in fact just cause the problems we were trying to mitigate.

Bryson Bort:

No good when the cure contributes to the problem. Managed service security providers aka MSSP, the untold heroes, I would say, in the security space, the few thousand companies that have the privilege of being in the haves category of being able to afford the resources, the personnel, the tooling, the time, the attention, and then all of the rest of the companies, the tens of billions of them, the mom and pops, the cookie stores, that depend on an MSSP to throw it over the fence and say, “All right, that’s my security. That’s what I pay for each year. Thank you.”

Joshua Steinman:

That’s exactly right. We looked at this one pretty hard. We did a bunch of really in depth Excel spreadsheet calculations, etcetera. And it actually goes back to some of the work that I did when on the National Security Council around workforce. I’m sure you’ve talked … I know we’ve had this conversation, privately and it’s been a pretty prominent conversation in the ICS cybersecurity community broadly over the past few years. We did a bunch of executive order work on cybersecurity workforce at the White House. That work continues. Tons of great work happening across the US government and elsewhere, but really, the conclusion that we came to was that it would be a manpower issue.

And as a startup, our concern was that we would essentially be fighting hire for hire to try and put together a team and the footprint that we thought we would need to stand up our own security operations center, the tooling, the costs. We just couldn’t get to conviction that this was something that we could do in a scalable way. And the link in with training is that the one way we thought it might work was to essentially pair it with a training program. And maybe even one that looked at that apprentice, journeyman and master model. So that was a different problem and I think a good model, but it wasn’t what we thought we could do with the team that we have.

And so from our perspective, huge opportunity in that space. There are folks that are working on it. I won’t say more than that. But again, our perspective was that the MSSP model would almost certainly have to be connected with the training model.

Bryson Bort:

In other words, a very people-heavy business.

Brandon Park:

Yes.

Joshua Steinman:

Yes.

Bryson Bort:

That’s what it boiled down to. And that is the problem for the MSSPs, is it’s a volume-driven commodity-based business with low margins.

Joshua Steinman:

Butts in seat.

Bryson Bort:

Butts in seats, I think everybody knows what that is all over the world. All right. Now you got to TurboTax. So I’m assuming you didn’t quite go the way here of everybody making under $70,000 and a utility gets free returns?

Joshua Steinman:

I wish. I wish. It’s funny. We got to see, I don’t want to say a lot of it, but we got to see a lot of interesting terrain at the edge of the OT cybersecurity space. Again, we’ll obscure some of the folks that we talked to for their own, out of a sense of obligation, duty, responsibility, respect. But we would talk to these companies, many of them large companies, and we would ask them, “Hey, what’s your OT cybersecurity program look like?” We wouldn’t hear back for a few days, and then back channel, we would get the response that, in fact, our asking the question was the thing that prompted them to think about creating a team that would be responsible for that problem. Big, big companies.

And so the TurboTax model was our thing and there are some of these like startup mental models like, “What types of startups could you do?” And so the mental model that we were using on the TurboTax one was essentially, “How could you build something that was self-service and that would essentially provide value to,” I’m not trying to be political here but, “the 99% sort of thing, companies that don’t have really big security teams? Maybe they don’t even have a security team. How do you buy down risk for them?” We liked that model.

I think that the mindset, that mindset is something that we are going to carry with us and also the mindset of just the user interface of TurboTax really simple, but as we looked into the actual like, “Click button here. Integrate system there. Scan IP range here. Describe a network there,” we did come back to this point, this conclusion that it might cause more harm than good, might do more harm than good. Again, we just struggled to figure out what things we could do at that very basic surface level that would buy down risk in an automated way because these types of self-service startups really have to be 99.999% zero touch. And we just didn’t see a way to get to an MVP on that would be scalable.

Brandon Park:

One of the biggest things that we were going to be dependent on is the customer actually knowing their environment to answer the questions properly. So that was another thing that we were finding during the customer discovery processes where some of these organizations may not have someone who thoroughly understands how their environments are operating. And if we ask them a barrage of questions, we may not be getting the answers that we were expecting, or we could just really not be adding a lot of value outside of giving them a headache.

Bryson Bort:

And the last and possibly the least, trading on ICS vulnerabilities.

Joshua Steinman:

Yeah. [inaudible 00:32:31] talking about it, but just very briefly, and for your listeners, that Substack that we spun up, it’s Steinman, my last name, dot-substack, dot-com, we wrote a little bit about this. We know that you know and maybe your readers know that you know, the vulnerability and exploit marketplace is one of the more novel, interesting, compelling places in cyber world. It’s very dramatic. You have individuals who have heroic journeys, researchers that are just absolutely brilliant, international intrigue, type of stuff happening and just a lot of pent up energy.

The thing, the sort of concept that I was talking about on the blog post where we did go into this in some detail, and it’s all there on that Substack, is vulnerabilities, zero-day vulnerabilities or other exploits, as stored potential energy, to use a physics, I guess … Is it a metaphor? I think it’s a metaphor, metaphor or simile, one of those two. My sixth grade English teacher would be tearing her hair out if she knew that I wasn’t sure which one it was, but zero-day exploits or other vulnerabilities as stored potential energy inside complex physical digital systems. And the big idea that we were playing with is how do you unlock that stored potential energy in a way that makes the system better.

And we certainly came up with a few ways that we could unlock that energy and we just couldn’t get to a formulation that was unlocked but for positive. So I’d leave it there. I don’t know, Brandon, any further thoughts on this?

Brandon Park:

No, this is an idea that we all smirked and grinned at and had some laughs with, but yeah, there was definitely the potential to do more harm than good, so that we quickly passed.

Bryson Bort:

All right, and to build the suspense a little bit more, so you’ve now been through this, you’ve done a bunch of months, you’re going to tell us what this great idea is shortly, what did you learn from the process, just the process itself, and how would you have done it differently?

Joshua Steinman:

So interesting that you should frame it that way because actually for folks that checked out our launched podcasts, well, actually, it is a podcast, I recorded it as audio, but it’s the Substack, we architected it as an after action report on customer discovery and tried to be pretty dispassionate and just really evaluate how we went through that process. And, Bryson, I know you know this is a former military guy and Brandon is an engineer working in this critical infrastructure space and defense and engineering space, same thing where we’re all tuned in to this concept of creating learning organizations that get better. I’m just going to let the truck go by.

And so that’s how we framed the launched post was as an after action report on this first increment. And I’d say that the number one thing that we discovered, and I don’t know, Brandon may have taken something away from it, so I’ll cede the floor to him shortly, but it’s that you follow the process, right? This genius stuff, the creativity, everyone’s like, “Oh, Steve Jobs this or Zuckerberg that,” that’s well and good and it’s right that there are these moments of brilliance in many of these startup stories, but at the same time, there is a process that you can run, and by running it, you actually bite down a lot of that risk and we had to run that process.

We had to go out and talk to users. We had to go out and talk to experts and just have the conversations and then be brutally honest about what those people were telling us about the problem. In many cases, we didn’t even tell them what we were thinking about doing. We would call them up and say, “How are you securing your industrial control systems today?” and just listen. And so there are some great resources available on this. The first one and the most interactive is Y Combinator’s free Startup School and you can just google, “Y Combinator Startup School,” and it’s a free curriculum with a bunch of videos, some workbooks. It sounds sort of, I don’t know, it sounds almost too good to be true, but it’s all free. It’s self-paced. And you go through the lectures and you follow the advice and it led us down this process.

And I think we did have some creative ideas and we do have some creative ideas. Those all have a time and place for them, but the sticking to the process is probably the biggest lesson learned on my side. Brandon, what do you think?

Brandon Park:

Yeah, I would just add with that we really learned to go in, us. Instead of imposing what we thought the problem would be for other asset owners, really let them tell us what their problems were. So that was probably one of the biggest takeaways during the customer discovery. And it was also great to hear that a lot of people had, I would say, some similar problems across different industry verticals. And everyone knew that there needed to be some change and wanted to see change. So that was also very refreshing for me.

Bryson Bort:

So what did you ultimately decide to do? What is the big idea?

Joshua Steinman:

So thanks, Bryson. We’re going to go after this problem of providing context around the vast volume of data that gets generated on industrial control systems networks. I think Brandon can speak to this pretty specifically from his experience over the last decade plus, but the problem that we heard very consistently was that people either had very little visibility into what was happening on these networks or they almost had too much visibility. And so we’re going to try and solve that problem by building a platform that will just integrate all these disparate sources of information across industrial control systems, networks and endpoints and try and present that information to users in a really clean and understandable way. Brandon, I don’t know if you want to jump in, but feel free.

Bryson Bort:

All right, other than instantly getting funding and all the customers you could ever dream, if you could wave a magic air gap wand, what is one thing you would change in industrial control security?

Joshua Steinman:

That’s a tough question. I’m happy to jump in here and just say that I’ll make an observation, which is that over the past 30 years, I feel like we’ve been making decisions that we didn’t really understand the full context around. We didn’t understand the full implications of, which is to say that we’ve been deeply integrating digital systems into our industrial systems and networks. And I think that a lot of folks thought that what we were doing in those cases was yielding efficiency, driving uptime, getting to those five-nines, six-nines of uptime.

And on a certain time horizon, that’s probably accurate, but I think what we’re seeing now as folks realize that, in fact, there will be a price to be paid because of that, I think what’s going on is, at a zooming out even further what we’re realizing is that we traded almost predictable downtime for unpredictable downtime. We traded known inefficiency for unknown inefficiency. And I think that we’re really going to have to wrestle with this over the next five to 10 to 20 years because, for example, the Colonial Pipeline executive, CEO, whomever it was, I think he testified to Congress about this, many of the people required to operate that pipeline manually, which is how it was operated previously, are retired. Some of them are dead. And instead, we injected digital systems to manage these types of infrastructures.

And my fear personally is that we have made that trade not knowing the full extent of what that trade entails. And basically the other side of that equation is only now becoming clear. There’s a great concept in a book by my favorite author, Neal Stephenson. The book is Seveneves. It’s about a near future sci-fi scenario where humanity needs to save itself. Without going into too much detail, nearly at the end of the book, he has this throwaway section talking about the very far future of humanity. And he’s describing an academic discipline that stood up over the millennia after this catastrophe that the book spends a lot of its time discussing. And this future academic discipline, he labels Amistics with the root word being Amish and he describes this in the book about how the Amish test technologies out for a long period of time before considering whether or not to adopt them into their culture.

And that concept has always struck with me, the concept of Amistics and I think that it’s, and it will sound funny because of just the words around it, but we’re at this Amistical moment, not mystical, but Amistical, Amistics, Amistical moment where I think we’re going to have to really reckon with the fact that we are going down a certain pathway of pure digitization and that pathway carries with it these unknown, nearly existential risks. And it’s easy for me to say because the energy is cheap, the goods are cheap. We’re seeing all the benefits and very few of the downsides, but a part of who wants to go back to having industrial companies that can and in many cases do operate manually.

And the Stephensonian description talks about how cultures make certain value-based decisions as they choose to pursue certain classes of technology, types of technology, strains of technology to use a biological comparison. And I really think there is an Amistical moment that we’re in right now where we do have to start making some of those decisions. And personally, obviously having seen behind the curtain on the National Security Council and then through this seven-month long customer discovery process, and Brandon can speak to this as well with his vast experience, but there are a lot of risks for the direction that we’re taking and I just don’t think that those are being presented to people. And so that’s my magic wand.

Bryson Bort:

All right, you’ve waved your magic wand. Now we’re going to look into our crystal ball. In the next five years, what good thing and what bad thing do you think is going to happen?

Joshua Steinman:

Self-interested, I think, good thing, people are going to spend a lot more on ICS security. We actually think that within the next five to 10 years, spending on ICS security will be at the same order of magnitude as the spending on IT security in the next 10 years, so huge growth and we’d call that a good thing. I think that is one way in which markets try and buy down risk is by, unfortunately, increasing the price of goods and services usually in response to demands such as security demands. I think obviously the pretty clear bad side for me personally and, Brandon, I won’t speak for you, but I think these types of attacks on ICS networks and systems are going to increase and I think it’s really low-hanging fruit. Brandon, over to you.

Brandon Park:

No, that’s my biggest concern is that we’re going to see an increase in attacks and we’ll continue to do so. And I think the consequences are just going to get worse. So that’s the bad thing. The good thing, I agree with Josh, there’s increased visibility, increased awareness and more folks curious with securing the control system space which is definitely a plus. So we’re seeing that shift in momentum and I think that’s going to do wonders for the industry because Josh had mentioned increase in spend, but that also verifies that that problem really is there and then more people are interested in solving that. So I definitely see that as a plus for the next several years out.

Joshua Steinman:

On the fundraising side, we’ve got one OT cybersecurity company, one ICS cybersecurity company that in a recent fundraising announcement openly declared that they were preparing to go public and I think that’s a great indicator of the health of the market, of the room for growth, etcetera. So I think the future is bright on the entrepreneurial side of things.

Bryson Bort:

All right, that’s a wrap.

Since we recorded with them, Josh and Brandon have officially launched Galvanick to tackle this problem. We may have them on in the future to check in on how it’s going and what else they’ve learned.
