Rockwell's Verve Buy Enlivens Critical Infrastructure Security

Manufacturers of industrial automation and control systems continue to scoop up industrial cybersecurity firms to provide customers with more protection for their factories and facilities.

This week, Rockwell Automation agreed to acquire Verve Industrial Protection, a cybersecurity software and services firm, which will become part of Rockwell's Lifecycle Services division. The acquisition follows the July commitment by Honeywell to buy SCADAfence, an operational technology and IoT security firm, as a way to acquire asset discovery and threat detection capabilities. And just last week, technology firm Siemens announced an all-in-one testing suite for industrial networks — partnering with Tenable on the initial testing tools, but committing to including more third parties in the future.

The large manufacturers are trying to catch up with attackers and fix their cybersecurity shortcomings, says Katell Thielemann, distinguished vice president analyst at business intelligence firm Gartner.

"OEMs are on a bit of a redemption journey," she says. "Their end-user clients are starting to be vocal about buying multimillion-dollar assets that contain vulnerabilities and misconfigurations, and then having to pay million-dollar support services contracts that allow fixes downstream."

An additional impetus for Honeywell, Siemens, and Rockwell to acquire cybersecurity services comes from the desire to create additional channels for sales, says Dale Peterson, CEO and founder of Digital Bond, an ICS consultancy.

"What we are seeing is the large ICS vendors are developing practices to sell cybersecurity products and services — sometimes through acquisition ... and sometimes through partnerships," he says. "It's unclear if this will be successful or how committed they will be to this in tough times."

Target Threats Tailored to ICS

The acquisition announced comes as attackers are increasingly targeting industrial control systems (ICS) and the industrial Internet of Things (IIoT). In May 2021, an attack on Colonial Pipeline's information systems resulted in the company shutting down pipelines, causing a fuel shortage along the East Coast of the United States.

Overall, 77% of attacks on critical infrastructure came from state-affiliated actors and organized criminal groups, according to an analysis of 122 public incidents published by Rockwell Automation last month. The largest share of attacks (39%) hit the energy sector, with critical manufacturing, transportation, and nuclear sectors each accounting for another tenth of attacks, according to the report.

Attackers are increasingly targeting industrial automation and safety equipment with tailored malware, while defenders have seen "a worrisome increase in disclosed vulnerabilities in industrial cyber-physical systems," says Thielemann. Typically, the vast majority (84%) of attacks have come through IT networks, while only 14% have initially infected an OT device, according to Rockwell's report.

Operators of industrial systems need to know what devices are present in their OT and IT networks, which are vulnerable, and which can be patched, she says.

"As the threat landscape starts to pose a clear and present danger in production environments, it is critical to know what assets you have, and to shift from a network-centric view of security to an asset-centric one," Thielemann says.

Industrial Automation Struggles With Security

The Rockwell-Verve merger might also be a way to change the industrial control system and automation industries' mindset on security. Operators typically have not had good visibility into the devices and equipment deployed to their operational networks, and patching equipment that have lifecycles of decades when dealing with software with lifecycles of years is a complex problem.

Rockwell Automation has rolled out signed firmware and support for CIP Security for defense-in-depth, supporting device identification and authentication using certificates on devices, says Peterson.

Still, industrial automation providers have a ways to go to earn their customers' confidence that they will put security ahead of profits, he says.

"[W]hether the asset owner will trust the ICS vendor to be straightforward about risk when it reflects poorly on their own systems or reflects positively on a competitor" is an open question, Peterson says. "All this to say that the ICS vendor as a channel for ICS security products and services is unproven."

Rockwell Automation did not disclose the details of its purchase agreement with Verve. The company noted that the acquisition must meet regulatory approvals and should close in the first quarter of its fiscal year in 2024.