This last week, Industrial Defender announced that it had been acquired by Lockheed Martin for an unspecified amount. Brian Ahern and his team are to be congratulated on this apparently successful exit that they had been working towards for the last 12 years. Industrial Defender has long been the largest of the cybersecurity firms specializing in industrial control systems. It is a very fractured market with little consensus as to the products and services that critical infrastructure asset owners need. Yet Industrial Defender has persevered and succeeded both by its leadership and the growing awareness of the cybersecurity threat to this sector through incidents like Stuxnet that have raised the visibility of nearly every company catering to critical infrastructure sectors. But it is also somewhat incorrect to consider these asset owners as a single interest, as they encompass not only the traditional utilities and related oil and gas suppliers, but also manufacturing and transportation. The risks for these asset owners range from intellectual property theft in the oil and gas and manufacturing sectors to sabotage in the electricity industry. And I won’t even get into the Department of Homeland Security’s broader definition that includes financial services, healthcare, and national monuments. For our purposes, we are talking about the protection of systems that result in a physical action in real time, like the movements of electricity, water, oil, gas, turbines, pumps, and various other devices. If it controls a sensor that detects something in the physical world or an actuator that causes a physical action, then it’s likely an industrial control system or cyber-physical system. And in that sense, portions of nearly every industry have some stake here.
What is interesting and a bit baffling is the decision by Lockheed to buy Industrial Defender. As Loren Thompson notes, Lockheed has always chosen to leverage its size to organically grow its cybersecurity capability. Moreover, its involvement in the energy sector and other industrial control system sectors has been organic and somewhat fleeting. For a company used to bidding on contracts worth no less than $50 million, the industrial control system world is nearly a polar opposite, particularly where cybersecurity is concerned. For years, Lockheed has tried to pitch its sophisticated command and control technologies used for the defense and intelligence community to electric utilities and other critical infrastructure asset owners with limited success. And perhaps that is why it acquired Industrial Defender. It may have wanted to inject a bit of a culture change in its approach. However, one wonders how much a 130-person company can influence the culture of a company with more than 100,000 employees. Lockheed employees that are not part of the company’s marquee F-35 Joint Strike Fighter program may wonder the same thing at times.
However, the acquisition also raises the specter of a much larger merger of the national security and critical infrastructure sectors. For example, the President’s Cybersecurity Executive Order and subsequent release of the Framework for Improving Critical Infrastructure Cybersecurity seem to imply a close relationship. In fact, the media has frequently pondered whether the government would eventually treat critical infrastructure asset owners the same way it treats the military-industrial complex. Even today, it’s not unusual for large energy companies to recruit those with military and intelligence community experience for cybersecurity and physical security roles. Nonetheless, we’re largely talking about for-profit companies that depend upon consumers, not national governments, for their revenue. Moreover, the threats that these companies face is nothing compared to the threats our military experiences on a daily basis. Despite what the media may be reporting, the chances of catastrophic, widespread, and long-term (i.e., more than a few days) failure in any of our critical infrastructure sectors due to cybersecurity attacks is highly unlikely. And that is reflected in the spending levels of asset owners. Regulation and greater awareness are boosting spending somewhat, but not a lot. And more importantly, there is still a general lack of consensus on where cybersecurity spending should be directed. Should it go to hiring people, to purchasing products, or to contracting for outside services? As Lockheed seeks to integrate Industrial Defender, it will need to get better answers to these questions lest it lose patience and go back to bidding on work where the government frequently tells the world exactly what it wants to buy.