Claroty's cybersecurity: more critical than data security?
Currently, Claroty is experiencing a period of what Chassar calls ‘hyper growth’, which, he says, means the company is rapidly gaining momentum as the levels of connectivity in industrial systems increase. This increase in connectivity has created a wider attack surface that cybercriminals and other adversaries can exploit.
“Malicious hackers are increasingly understanding that they can do more than compromise data — they can also disrupt the physical industrial processes that underpin global supply chains. Recent incidents have shown that with the expanding attack surface, certain types of breaches can shut down operations. When this happens, the resulting impact on organisations is typically far worse than that of a data breach. This is not only in terms of lost revenue, people’s wages, and income — but it is also in terms of physical safety. This is one of the primary drivers of the market’s momentum. At the same time, there is a growing need to address the problem, which is our mission.”
Chassar said that this accelerating demand is driving 100% growth on a quarterly basis for Claroty, and the team is scaling the business accordingly. He noted that half of all Claroty employees were hired in just the last nine months, and that a strong company culture has allowed Claroty to address the challenges that inevitably come along with such rapid growth.
So apart from the expanding attack surface, what else is impacting Claroty and its services?
Chassar also points to the Purdue Model, which he explains is a network segmentation-based reference architecture for industrial control systems (ICS) that was created by Theodore Williams in the ’90s. He said this model is now starting to collapse because of the increased levels of connected technology, including IoT and 5G. This, along with the aforementioned attack surface, means CSOs and CIOs need to protect much bigger perimeters that stretch beyond just one building.
He uses car production as an analogy. “Take for example a brake manufacturing plant in the Czech Republic. The car manufacturer may use a headlight manufacturer in Poland and a computer component manufacturer in China. All of these places reflect the expanding attack surface, so you are now trying to protect this massive perimeter and at the same time you have to be aware of the greater potential for lateral movement across connected supply chains. This could be someone gaining access through a back door and then moving across the network. This is one of the biggest challenges we face and is critical when it comes to securing industrial environments.”
It’s not the usual case of personal and company data theft
Industrial cyber attacks differ from other kinds of well-known cybercriminal activity, such as personal and corporate data breaches and loss, which can lead to reputational damage and fines. Chassar said the difference is that with the latter, there are mitigations in place. “When personal data is breached and extracted there are mechanisms such as insurance, backup, encryption, multi-factor authentication, and others that are widely implemented to help further protect that particular data,” he says.
“However, on the industrial side you are often looking at technology and systems in place which are sometimes decades old and therefore difficult, if not impossible, to update and patch. And when there is any kind of attack, processes can grind to a halt. Imagine a major car manufacturer that produces a vehicle every 50 seconds. If that is stopped for five hours, how many cars are then not produced? On top of that, the next question to then ask is, how many people cannot earn money because they can’t work on making the cars? In this respect, industrial cyber attacks can have a much more tangible impact than data breaches.”
The critical benefits of industrial cybersecurity protection
The first important thing to establish with Claroty’s customers, Chassar says, is identifying the assets they have operating within their industrial environment. This is because, he adds, customers aren’t always aware that, say, their heating controls are connected to this environment. The same goes for engineering workstations, controllers, sensors, and other devices. Chassar advises they need to start with finding out which parts of their operation are connected to their industrial environment, because you cannot protect what you cannot see.
“This is how Claroty helps at the start of the journey — by identifying the devices and connections and which ones pose inherent risks, such as a control system that hasn’t been updated in ten years. Once you understand what and where those inherent risks are, the next step is prioritization. Our threat detection capabilities enable customers to know when they are being attacked and exactly what the residual risks are. We apply our standard cybersecurity procedures to the perimeter and everywhere within their environment.”
Chassar says the firm also takes the approach of looking at vulnerabilities from the hackers’ point of view with risk scoring, so organisations can more easily prioritise and then make the changes and also keep them up to date with regulatory requirements.
He adds that the company is backed and adopted by the top three industrial automation vendors globally: Siemens, Schneider Electric, and Rockwell Automation. Claroty’s strategic partnerships with all three have allowed the company to build a solid understanding and awareness around all their protocols, capabilities, and vulnerabilities. He explains, “This in turn has also enabled Claroty, via our Team82 research team, to know where the threats are coming from, the constant changes within the threat landscape, and the reality of the dark world.”
How partnerships matter
Off the back of the investment, Chassar says the company has been able to grow its coverage of what has long been the sector’s most extensive library of industrial protocols. He said this means Claroty’s platform is fully compatible with both greenfield IoT and IIoT environments and traditional brownfield OT environments. Developing and expanding support for the various protocols utilized within these environments requires close collaboration and a strong relationship with the industrial vendors — including those that are Claroty investors and partners.
“We have always been a technology company rather than a services-based one. Because of that we have also built very strong technical integrations with our IT security partners. These are the same companies that have control of the firewalls and other technologies that our customers already rely on. Not only does this enable us to work in harmony, we can also plug and play directly into these environments. That creates opportunities for our customers to easily integrate our platform with their existing tech stack,” he states.
Chassar says the company has three partner categories which have different values but are equally important. The first, he says, is the service partners that are driving enterprise transformation and include the likes of Deloitte, KPMG, NTT, and Kudelski Security. The second is ICS/automation vendors including Siemens, Schneider Electric, Yokogawa, and Rockwell. And then there are strategic integrations with CrowdStrike, Check Point Software Technologies, and Tripwire.
“We consciously focus on the industries that have absolute excellence in what they do and have a very large customer base. We are strongly committed to taking a ‘partner first’ approach. There is a real skills shortage in OT and specifically in OT security, so we are enabling our partners to develop these skills and giving them the economies of scale needed to address the shortage.”
The future of these partnerships
These relationships are going to become tighter, Chassar says. “Just in the last six months we have increased our focus on driving up our partners’ certifications and their capabilities within OT cybersecurity. At Claroty we have taken our core central knowledge and skills and shared these openly with them, which has driven up the volume of skills and capabilities so they can take advantage of our hyper growth that I mentioned at the start. This tightening of partner relationships is the future right now.”
Chassar said this was significant because it was vitally important for those in industrial cybersecurity to be aware of the criticality of protecting these environments. This stems from the momentum caused by the convergence of OT and IT. He cites everything from vaccinations and pharma companies to automotive production, all the way through to food and drink manufacturing.
“Our mission is to be the industrial cybersecurity company and to protect everything within the four walls of an industrial site — and ultimately keep enterprises going. We’re not focused on preventing the extraction of personal information or, for instance, credit card numbers. Our goal is to help companies maintain their production and overall business operations.”
He offers the example of developing technology for a car production line whereby a breach would halt the supply of vehicles. “On the industrial side it is more about business continuity than reputational damage and fines. Look at the Colonial Pipeline incident, in which operations halted after the breach, as well as JBS foods. Stopping production of things consumers need leads to lost revenue and an impact on stock markets, which is very difficult to repair. It can mean people can’t go to work anymore because the tins of beans and cars aren’t being made.”
“The bottom line is everyone, no matter which field or sector they are in, should be aware of industrial cybersecurity and how vital it is to protect the world’s increasingly connected industrial plants and production facilities. This issue has huge significance to us as individual consumers and the economy at large.”