You’ve likely noticed an increase in the number of new entrants into the industrial control system (ICS) cybersecurity field over the past year or so. Even longstanding companies in this space have been expanding their cybersecurity-related products and services. Further evidence of the increasing interest in this space can be seen in the outside investments being made here. A case in point is the investment of $40 million by private investment firm Tinicum into PAS.
According to PAS, the funding from Tinicum will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, the company’s cybersecurity software product.
Asked about the driving factors behind this investment in PAS, Eddie Habibi, founder and CEO at PAS, said, “Quite simply, oil and gas, chemical, power and other critical infrastructure industries are investing in ICS cybersecurity. They understand that the stakes are high with production, safety, environmental, brand and even personal liability at risk from a cyberattack. In fact, we are seeing a significant number of ICS cybersecurity initiatives being driven by boards of directors, who are highly concerned, having seen what can happen to companies—such as Target—that get breached. At a macro level, the challenge these companies face is wanting to apply well-understood cybersecurity best practices, such as inventory, configuration, vulnerability, patch and compliance management on a set of ICS endpoints into which they have little visibility today. They can tackle the workstations, servers and routers that exist in a process control network, because standard IT-based cybersecurity solutions work there. But they cannot take those same IT solutions and apply them to highly complex, proprietary DCSs, SISs, PLCs and smart field instruments primarily because those solutions have architectural constraints. These unaddressed endpoints comprise 80 percent of the cyber assets that exist within a facility.”
Explaining why Tinicum invested in PAS in particular, Habibi said, “We have technology that is architected to interrogate DCSs and other proprietary systems for complete configuration data which, in turn, gives companies the ability to apply the cybersecurity best practices they so eagerly want in their ICS environment.”
More specifically, Habibi noted that Cyber Integrity gives companies “immediate, day-one visibility into the highly complex configuration of industrial control systems that are typically tracked with a spreadsheet today. If you can see it, you can begin to secure it. This visibility gives our customers the ability to go further and detect breaches pinpointing not only that an unauthorized change occurred, but the detail of what exactly changed.”
Tinicum’s investment will be applied to PAS’ three-year technology roadmap, which is focused on proprietary control systems. The funds will reportedly be used to introduce new products and new functionalities related to PAS’ cybersecurity offerings.
In the joint release by PAS and Tinicum announcing the investment, there were several references to critical infrastructure. Considering that PAS is most known for its work in the oil and gas industry, we asked if this reference to critical infrastructure meant that PAS planned on expanding further into other industries, like the electrical grid and power generation industries. Habibi said, “The same ICSs that provide automated control and safety functions in oil and gas are deployed in power as well as other critical infrastructure industries. Cyber Integrity is ICS vendor independent and sector agnostic. One of the reasons for raising investment was to expand our cybersecurity footprint within these verticals as well as others. In fact, the need for ICS cybersecurity software goes beyond critical infrastructure. We have customers in other sectors, such as consumer goods, pulp and paper, mining and pharmaceuticals who are equally concerned their ICS is vulnerable to the same threats facing our oil and gas customers, such as ransomware, disgruntled employees, nation-sponsored attackers and more.”