critical infrastructure cyber securityinfo.bayshorenetworks.com/hubfs/assets/...security... · it...
TRANSCRIPT
Joe Dews, Partner
JUNE 2015INSIGHTS
Critical Infrastructure Cyber Security
1
CRITICAL INFRASTRUCTURE CYBER SECURITY
The United States Department of Homeland Security (DHS) defines Critical Infrastructure as “the assets, systems, and networks, whether physical or virtual” that are vital to “security, national economic security, national public health or safety.” Examples of Critical Infrastructure include electricity generation plants, power grids, dams, water treatment plants, oil refineries, natural gas pipelines and transportation and telecommunication systems. As traditional global industries have replaced analog control systems with digital control systems and increasingly adopt Internet of Things technologies to optimize processes and increase efficiency, this has increased the vulnerability of such critical infrastructure assets to cyber threats. Industries such as finance and retail have for many years made significant investments in security technologies and systems to protect their IT assets, but traditional industries have been much slower to embrace such technologies and systems to protect their operational technology or “OT” assets such as SCADA systems and other industrial control systems. These industrial control systems are increasingly being targeted by sophisticated adversaries, especially in attacks against the energy sector.
History
Most cyber attacks reported by the media have involved the stealing of sensitive personal or financial information in electronic form from corporate IT systems. In recent years however, we have begun to witness the successful execution of cyber attacks designed to penetrate, analyze and in some cases cause physical destruction to critical infrastructure assets.
Starting in November 2009, covert cyber attacks dubbed Night Dragon were launched against several global oil, energy, and petrochemical companies, targeting proprietary operations and project-financing information on oil & gas field bids and operations.
The Stuxnet worm, discovered in June 2010, was aimed at the centrifuges in Iran's Natanz nuclear facility and was the first known cyber attack specifically designed to cause physical damage by targeting SCADA systems and PLCs. The Duqu worm discovered in September 2011, thought to be related to Stuxnet, also targeted industrial control systems.
In January 2014, CrowdStrike reported an ongoing cyber espionage campaign against a range of US and European targets, mainly in the energy sector, by attackers referred to as Energetic Bear and believed to be Russian. This campaign involved over 10,000 intrusion attempts, and in June 2014 Symantec reported that this attacker (which they refer to as Dragonfly) had the ability to launch sabotage operations against their victims to disrupt or
damage energy supplies, if they chose to do so. Legitimate software download bundles on the websites of three different Industrial Control System vendors had been Trojanized to include the Havex remote access Trojan used by Energetic Bear. A variant of Havex has also been the first malware reported to actively scan OPC servers used for controlling SCADA devices in critical infrastructure.
In late 2014, Cylance publicized Operation Cleaver, a campaign linked to Iran that had been active for over 2 years and penetrated over 50 targets in some of the most sensitive critical infrastructure sectors in the world. Targets included militaries, oil & gas companies, airlines, airports, energy producers, utilities, transportation companies, chemical companies and governments. Countries impacted included Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, the United Arab Emirates and the US.
In December 2014, Germany’s Federal Office of Information Security reported a cyber attack that targeted the network of control components at a German steel mill. The attack caused machine outages that prevented automated systems from properly shutting down a blast furnace, which suffered catastrophic damage.
The Threat Today
InfraCritical conducted a study in 2012 which located close to a half million devices across the US which were connected to key control systems,
AGC’s Critical Infrastructure Cyber Security Market Overview _____
2
with over 7,000 of these devices being considered operationally critical. After conducting a security review of this device population, the DHS concluded that the vast majority of the systems had insufficient security measures in place.
Particular urgency surrounds the need for critical infrastructure cyber security in the energy sector due to a huge threat surface, historic underinvestment in security systems, the vulnerability of existing industrial protocols, and the increasing reliance on automation to control facilities. In both 2013 and 2014, Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team responded to more incidents in the energy sector than in any other field. In November 2014 Admiral Michael Rogers, Director of the NSA and head of US Cyber Command stated before a congressional panel that China and “one or two others” have the ability to shut down US power grids.
The Security for Critical Infrastructure panel at AGC’s recent 11th Annual West Coast InfoSec Conference highlighted key aspects of the critical infrastructure threat today. First is that significant adversaries are not criminal enterprises with a short-term profit motive, but advanced persistent threats including government or quasi-governmental groups in China, Iran and Russia. Another is that the small number of physically destructive attacks so far is due to motivation rather than any lack of capability. While actually using this capability to cause massive physical damage or disruption would likely be considered an act of war, the existence of the capability represents a significant strategic threat.
PwC’s The Global State of Information Security Survey 2015 reported that the number of oil & gas respondents citing foreign nation-states as the source of incidents grew 108% in 2014 from 2013. In the power & utility sector the number of respondents attributing incidents to foreign nation-states grew 118%. Foreign nation-states were the fastest growing new source of security incidents in both sectors.
Regulatory Initiatives
US regulators and policy makers have been increasingly active in efforts to protect critical infrastructure from cyber attacks. In April 2009,
NERC issued an advisory on the inadequacy of cyber security for the electric grid, and has since promulgated a series of increasingly strict Critical Infrastructure Protection (CIP) standards. In February 2013, the White House issued an executive order on improving critical infrastructure cyber security in partnership with the owners and operators of critical infrastructure, and in November 2013, NERC CIP version 5 was approved. In February 2014, the White House announced the release of a Cyber Security Framework compiled by NIST, and in February 2015, the White House issued an additional executive order on promoting private sector cyber security information sharing.
There is a similar level of activity in Europe. In December 2012 pan-European entity ENISA published a set of guidelines for smart grid cyber security. ANSSI, France’s national agency for computer systems security, in 2014 promulgated plans designed to make critical infrastructure more secure.
The Convergence of IT, OT and Physical
Security
Information Technology or IT consists of computer, storage, networking and other systems that create, process, store, and exchange all forms of electronic data. While IT security is far from a solved problem, the IT industry has decades of experience developing and deploying IT security solutions. Awareness of cyber risk is pervasive, and IT departments have significant financial and personnel resources devoted to mitigating this risk.
Operational Technology or OT consists of hardware and software systems that monitor and control physical equipment and processes. Key components of OT systems include Distributed Control Systems, SCADA systems and PLCs, which are used in industries such as water, oil & gas, energy, manufacturing and defense. OT assets typically have very long refresh cycles, of up to 30 years or more, so many systems remain deployed that were not designed to be secure when connected to IT networks or accessed remotely. Many of these deployed systems are unable to be upgraded to add security features
AGC’s Critical Infrastructure Cyber Security Market Overview _____
3
due to memory or processor limitations, the need for continuous operation, or the fact that the original system supplier no longer exists and ongoing support is unavailable. There is also very limited experience in the OT world in detecting and mitigating cyber security vulnerabilities.
Physical security has traditionally been a critical aspect of protecting OT assets by limiting physical access by unauthorized personnel. Physical security is also necessary to protect against sabotage and armed attacks such as that on PG&E’s Metcalf substation in 2013, which caused $15 million worth of damage and took the substation out of operation for 27 days.
To properly protect today’s connected critical infrastructure requires solutions that converge the capabilities of IT, OT and physical security. Such solutions must be able to integrate with the many disparate systems common in OT environments, support a variety of industrial protocols (including proprietary vendor-specific protocols) that are not used in IT networks and some of which are insecure, accommodate OT business processes, and be usable within the staffing limitations and budgetary constraints of organizations such as regulated utilities.
Market Size
According to Marketsandmarkets, the overall Critical Infrastructure Protection (CIP) market was approximately $72 billion in 2014, with expected growth to $115 billion by 2019. Cyber security is forecast to be the fastest growing segment within the CIP market. Marketsandmarkets also forecasts the overall global cyber security market to reach $120 billion in 2017, with public sector and utilities accounting for approximately $36 billion of that amount.
Recent M&A Activity
Increasing recognition of the cyber vulnerabilities of critical infrastructure, as well as regulatory requirements designed to address these vulnerabilities, is reflected in recent M&A activity focused in whole or in part on critical infrastructure cyber security. In March 2014, Lockheed Martin announced the acquisition of
Industrial Defender and in May 2014, General Electric announced the acquisition of Wurldtech. In December 2014, Belden announced the acquisition of Tripwire, the leading provider of NERC CIP compliance software, for $710 million or 4.8x TTM revenue. In March of 2015, Tripwire announced that sales of its NERC Solution Suite grew 50% in 2014. Continued M&A activity in 2015YTD has included the announced acquisitions of Critical Intelligence and Savant Protection, both with cyber security offerings addressing industrial control systems, as well as the acquisitions of multiple companies with physical security offerings for critical infrastructure.
Catalysts for Continued Growth
NERC CIP v5 Compliance – NERC CIP v5 covers many more facilities than previous versions, so numerous additional organizations need to implement technologies and procedures to become compliant. Key provisions of v5 become effective on April 1, 2016, with the remainder becoming effective one year later. Market Awareness and Risk Management – As a result of increasing market awareness of the vulnerabilities of industrial control systems, cyber security is gaining greater mind share within the Risk Management function of utilities and other critical infrastructure market segments. Potential Insurance Requirements – Cyber risk insurance is one of the fastest growing insurance lines, and Frost & Sullivan sees insurance driving implementation of technology solutions to comply with policy requirements. Growing IoT Deployments – New ROI-driven deployments of analytics-based IoT applications by utilities, chemical companies, and the oil & gas industry will include security as a portion of the project budget. Groups such as the Industrial Internet Consortium are working to speed the adoption and deployment of such applications with their testbed, reference architecture and standards initiatives.
4
Source: AGC Partners, Company Websites
Defense Contractors IT Security
Physical Security
Industrial Automation
Critical Infrastructure Security Ecosystem
CIS Focused
Some CIS Offerings
Consulting/Systems
Integration
Electrical Equipment
AGC’s Critical Infrastructure Cyber Security Market Overview
5
Representative Critical Infrastructure Security M&A Transactions
Announced
Date Target Buyer / Investors Target Description
EV
($USD M)
LTM Rev.
($USD M)
EV / LTM
Revenue
6/11/2015 Brivo Dean DrakoProvides physical access control and video monitoring systems that connect physical
security and video M2M devices with security management software. $50 ND ND
5/8/2015 Savant Protection Digital GuardianDevelops and markets whitelisting security software solutions that protect industrial
control and business systems from targeted cyber attacks.ND ND ND
4/13/2015MSA Systems
Integration
MidCap Equity
Partners
Provides integrated access control systems, intrusion detection, and other systems to
large and mid-sized companies in markets including energy/utilities.ND ND ND
4/6/2015GS Security
Systems
Convergint
Technologies
Provides security systems integration and installation services to customers and offers
access control, video management, and other products and services.ND ND ND
4/7/2015 Critical Intelligence iSIGHT PartnersProvides industrial control systems cyber situational awareness, cyber intelligence
assessment, black box open source targeting, and other services.ND ND ND
3/26/2015 Quantum Secure HID GlobalProvides enterprise software solutions for managing identities and provisioning access in
physical security infrastructure.ND ND ND
3/10/2015 CyActive PayPalOperates as a predictive cyber security company that places its clients ahead of potential
cyber threats by predicting and preventing future attacks.60 ND ND
2/18/2015 Pro-Vigil Riverside CompanyManufactures and delivers remote video surveillance and monitoring systems and
services.ND ND ND
2/13/2015 Seccuris Above SecurityOffers security consulting services, such as enterprise security architecture, information
assurance audit, and other technology solutions.ND ND ND
1/13/2015 Oxalis Group Eaton CorporationDesigns and manufactures security and communication solutions for use in extreme
environments.ND ND ND
12/10/2014 Neohapsis CiscoOffers application security, cloud security, compliance, IT risk and security strategy,
mobile device security, and network and endpoint security services.ND ND ND
12/9/2014 Tripwire [1] Belden
Provides enterprise file-integrity monitoring software that detects changes in security
policies for the purpose of compliance management.710 $147 4.8x
10/28/2014 TASC [1] Engility Holdings
Provides cybersecurity and data analytics consulting and software development services,
for US military defense and homeland security sectors.1,300 1,100 1.2x
10/21/2014 SilverSky [1] BAE
Provides Security-as-a-Service security solutions, offering firewall management and
monitoring, intrusion detection and prevention monitoring, and more.233 75 3.1x
7/24/2014 S12 SEC Gestion [2] Sonaecom
Provides transaction policy compliance software and management services for
government, telecom, energy and finance industries.ND ND ND
5/9/2014 Wurldtech General Electric Provides security solutions against the threat of cyber attack on critical infrastructure. ND ND ND
3/19/2014 Cyvera Palo Alto NetworksDevelops and provides customized cyber defense solutions that protect critical
infrastructure, finance, defense and industrial sectors.191 0.1 1724x
3/19/2014 Optellios SenstarDevelops and manufactures fiber-optic security technologies for high-profile and critical
infrastructure, commercial, and residential sites.ND ND ND
3/12/2014 Industrial Defender Lockheed Martin Provides cloud technology solutions, hosting, colocation, and managed network services. ND ND ND
10/9/2013 Encari [3] PowerSecure
Provides NERC CIP compliance consulting services for generation and transmission
utilities, municipalities, and cooperatives.6 ND ND
6/13/2012 EdgeSeven [4][5] Accumuli
Provides security information event management (SIEM) systems integration and related
application hosting services for businesses in the UK.6 1.5 4.0x
3/31/2012 Fandotech Industrial DefenderProvides colocation and application hosting, data backup and recovery, managed
storage, email and Web hosting, and managed firewall and email security services.ND ND ND
10/4/2011 NitroSecurity McAfeeDevelops network intrusion prevention systems that enable businesses to identify critical
threats, respond intelligently, and ensure continuous compliance monitoring.160 30 5.3x
9/1/2011 Byres Security BeldenProvides firewall hardware and software used to protect data in industrial automation and
supervisory control and data acquisition (SCADA) systems.7 ND ND
MEDIAN 4.4x
[1] Amount shown for LTM Rev was projected CY14 revenue
[2] This transaction represents a 60% acquisition
[3] The transaction amount stated here includes a maximum potential earn out of $1.2 million
[4] The transaction amount stated here includes a maximum potential earn out of $4.7 million
[5] The LTM period used in this transaction was 13 months
Source: Capital IQ, Company Websites, 451 Research
AGC’s Critical Infrastructure Cyber Security Market Overview
6
Representative Critical Infrastructure Security Private Placements
Announced
Date Target Location Buyer / Investors Target / Transaction Description
Size
($USD M)
2/24/2015 Tempered Networks United StatesIDG Ventures; Ignition
Partners
Provides connectivity solutions for critical infrastructure, industrial control systems, and Industrial
Internet of Things applications. $20
12/23/2014 Indegy Israel Magma Venture Partners Develops and operates a platform that protects critical data servers from the threat of a cyber attack. 6
12/18/2014 N-Dimension CanadaEnerTech Capital Partners;
EDCProvides smart grid cyber security protection solutions for the power and energy sector. 4
12/3/2014 NexDefense United StatesBuckhead Investments; Mosley
VenturesDevelops and offers cyber security software for automation and control systems. 2
9/28/2014 Argus Cyber Security IsraelMotus Ventures; Magma
Ventures; Vertex VenturesOffers automotive protection solution to detect automobile cyber attacks. 4
9/18/2014 CyActive IsraelJerusalem Venture; Siemens
Venture
Operates as a predictive cyber security company that places its clients ahead of potential cyber
threats by predicting and preventing future attacks.ND
6/29/2014 ThetaRay IsraelGeneral Electric; Jerusalem
Venture; Poalim Ventures
Offers malware detection and prevention solutions for critical infrastructure, strategic installations,
communication systems, and financial systems.10
6/4/2014 Cyber X United StatesGlenRock Israel; Gilot Capital
PartnersProvides security solutions for critical networks. 2
2/20/2014 Cylance United StatesBlackstone; Khosla Ventures;
Fairhaven Capital
Provides threat detection, prevention, and cyber security solutions for companies, governments,
critical infrastructure and end users.20
1/28/2014 ThetaRay Israel Poalim VenturesOffers malware detection and prevention solutions for critical infrastructure, strategic installations,
communication systems, and financial systems.3
9/9/2013 Crowd Strike United StatesAccel Partners; Warburg
PincusProvides comprehensive end point protection against cyberattacks. 30
8/13/2013 Cyvera Israel Battery VenturesDevelops and provides customized cyber defense solutions that protect critical infrastructure, finance,
defense and industrial sectors.11
8/5/2013 ThetaRay IsraelGeneral Electric; Jerusalem
Venture
Offers malware detection and prevention solutions for critical infrastructure, strategic installations,
communication systems, and financial systems.ND
7/25/2013 VidSys United States New Spring Capital Provides physical security information management (PSIM) software. 16
4/30/2013 Wurldtech CanadaSiemens Ventures; Vanedge
CapitalProvides security solutions against the threat of cyber attack on critical infrastructure. 5
2/13/2013 Cylance United StatesKhosla Ventures; Fairhaven
Capital
Provides threat detection, prevention, and cyber security solutions for companies, governments,
critical infrastructure and end users.15
11/7/2012Grupo S12 SEC
GestionSpain Telvent Outsourcing
Provides transaction policy compliance software and management services for government, telecom,
energy and finance industries.4
7/20/2012 N-Dimension CanadaEnerTech Capital Partners;
EDCProvides smart grid cyber security protection solutions for the power and energy sector. 4
3/9/2012Dowley Security
SystemsUnited States ND
Provides electronic security and network integration solutions to critical infrastructure and commercial
markets.4
2/22/2012 Crowd Strike United States Warburg Pincus Provides comprehensive end point protection against cyberattacks. 26
8/29/2011 AlertEnterprise United StatesKleiner Perkins Caufield &
Byers; Opus Capital
Provides information technology and operational technology convergence software for corporate and
critical infrastructure protection.19
12/31/2010 Industrial Defender United States ABB Technology VenturesProvides security event management systems and automation systems management software for use
in protecting industrial automation systems.6
12/19/2006Waterfall Security
SolutionsIsrael ND Provides cyber security solutions for industrial networks and critical infrastructure. ND
Source: Capital IQ, Company Websites and Publications, 451 Research, Press Reports
AGC’s Critical Infrastructure Cyber Security Market Overview
7
AGC Partners, now in its 12th year of business, announced 28 transactions in 2014. With buyers and sellers across the United States,
Europe, and Asia, AGC is more active than ever with outstanding relationships across the globe with entrepreneurs, strategic buyers
and private equity professionals. Since AGC Partners’ inception in 2003, we have completed 247 technology M&A and growth equity
transactions. Moreover, AGC has completed 45 consecutive quarters of profitability. Our continued passion is to discover and work with
exciting emerging growth companies, helping them to achieve their vision. For more information, visit www.agcpartners.com. Maria Kussmaul Co-Founder, Partner IT Security
Maria is a co-founder of AGC Partners and is a Partner in the investment banking group focused on
the IT security sector Prior to co-founding AGC, Maria was a co-founder, general and venture partner of Castile Ventures,
a seed and early stage venture capital firm
Joseph Dews Partner EnergyTech and IIoT; Critical Infrastructure Security
Joe joined AGC as a Partner in 2012 and leads the firm's EnergyTech and Industrial IoT investment
banking practice He has over 20 years of experience in technology investment banking including as Head of
CleanTech Investment Banking at ThinkEquity and as Co-Head of Technology Investment Banking at Needham & Company
Russell Workman Partner Defense Technology
With 15 years of technology and DoD acquisition experience, Russ has advised on over 30 M&A
and capital markets transactions spanning information security, aerospace / defense, application and infrastructure software, and healthcare IT
Before banking, Russ was a US Air Force officer managing the acquisition of intelligence and information warfare systems for the Intelligence Community, and has consulted on homeland security technologies, border security, and other DoD and commercial technology initiatives
About AGC Partners
Selected Recent AGC Security Transactions
NOTE: This document is intended to serve as information only, and to suggest that further analysis
and consideration may be warranted. Unless otherwise indicated, AGC does not believe that the
information contained herein is sufficient to serve as the basis of an investment decision. There can
be no assurance that these statements, estimates or forecasts will be attained and actual results
may be materially different. Only those representations or warranties which are made in a definitive
purchase agreement will have any legal effect. To learn more about the company/companies that
is/are the subject of this commentary, contact one of the persons named herein who can give you
additional information.