SOCs as a service have become big business

Now if they can only get the marketing right…

In the past decade, security operations centers (SOCs) have become big business, especially in the operational technology (OT) arenas of manufacturing and infrastructure, but they are nothing new. In fact, under the name network operations centers, they’ve been with us since the 1960s and are an integral part of big information technology (IT) companies. But the industry is struggling with how to present itself to the market.

OT providers like Rockwell and Honeywell have maintained SOCs for decades, but only for their purposes. As IT and OT operations have converged through the introduction of wireless industrial monitor controls, sometimes known as the industrial Internet of Things (iIoT), those companies have found a profitable business model.

“Once (companies) sell a piece of hardware, they don’t necessarily have recurring revenue attached to that,” observed Ethan Schmertzler, CEO of Dispel. “Because they all got slammed by supply chain issues, they’ve got sales teams that are sitting there, twiddling their thumbs. So they’ve got to have some kind of recurring revenue product that they can put in the market. What better to say than, ‘Hey, we’re going to sell you this piece of hardware. And here are all these security operation tools we can bring with it,’ which is a new market for them.”

That model was on display last November at the Rockwell Automation Fair. The event is a snapshot of the Rockwell ecosystem with every partner company in attendance, almost every one of them highlighted security services all tied into the Rockwell SOC system.

Manufacturing companies lead the way

“We’ve been monetizing cyber services for a few years now,” said Rockwell CISO, Nicole Darden Ford. “We rolled out SOC as a service in 2022. Rockwell has been traditionally an industrial automation company. People didn’t see us in cyberspace. But when they were able to go to the booth and really experience what we’re able to do, it was just it was an eye-opener for many of our customers. And it’s sparked a ton of conversation. So it really helped them to understand our cyber expertise and the amount of investment we’ve made in this space, and how we can support them in their journeys.”

Honeywell has been in the SOC as a service for a bit longer, according to their CISO, Mirel Sehic. “We’ve been at this for about 10 years. You can think about business as kind of two distinct buckets. One is direct to customer/partner network. Depending on which vertical we’re discussing, we have different go-to markets, but the message is consistent: improve the aging infrastructure and the view on operational technology, and apply some cybersecurity hygiene.”

Getting a handle on the market

Operational technology (OT) attack surfaces are traditionally the bastard stepchildren of the cybersecurity realm. Everyone acknowledged they exist and must be dealt with, but IT security seems sexier and more profitable. That seems to be changing.

Because the vulnerability of national and corporate infrastructure has been such a focus of security news, it is concerning to many observers that OT has received such a small amount of investment. At the same time, the market growth shows that management understands that vulnerability.

It’s difficult to get a handle on the size of the OT security market. Industry researchers from Gartner to Forrester say its runs the gamut from $15 billion to $50 billion. In either case, it is a fraction of the IT security market at more than $200 billion rising at an estimated 12.5% annually through 2035. However, all analysts agree that the OT market is rising faster: almost 16 percent annually.

The total addressable market (TAM) for OT security comes in at a healthy $150 billion. However, the TAM for all of cybersecurity is $1.5 trillion. This seems to be a misdirection of investment as a mid-level security breach in an infrastructural system can affect millions of people while an IT breach may affect hundreds.

The question is, how do you get access to such a service? If you are in an ecosystem where it’s available, like Rockwell’s, that is pretty clear-cut. But not everyone is. That’s opening the door to traditional IT service providers for industry-specific solutions.

VSOC, SchmeSOC

One emerging niche is the automotive industry supply chain. Generally referred to as Vehicle SOCs, the term comes with a variety of acronyms including VSOC, VeSOC, and vSOC. For the uninitiated, that tends to add confusion when one realizes that VSOC also stands for virtual SOC… which is what vehicle SOCs are, anyway.

“Manufacturing enterprises differ in what they manufacture, but securing the supply chain really doesn’t depend on what is manufactured,” said John Flory III, CISO for HarborShield Cybersecurity.

“They all have machinery that is run off a computer network, which can be hacked. They all make components with that machinery that often contain microcontrollers and microprocessors that can be hacked. The people working in the supply chain are all using IoT devices to control and monitor the manufacturing process. The final system that goes out to the user is, more often than not, considered an IoT device. All of those points represent an attack surface that must be secured. Securing all that is the responsibility of the SOC. However, running a true SOC is an expensive proposition and is largely the domain of the endpoint of the manufacturing chain. Many of the suppliers up to that point cannot afford to maintain one, much less coordinate it with the end point’s center.”

Where the virtual SOC comes in

There are multiple companies participating in this security industry niche. Companies messaging on automotive security, like Upstream and Trend Micro, but as stated previously, is more marketing messaging than reality. That doesn’t make the product and services ineffective, but there are other ways to cover attack surfaces that cost less. For SMEs in the supply chain and a managed security service provider (MSSP) may be all that is necessary.

Be that as it may, a benefit these companies seem to ignore is a growing concept of “decentralized” security. While a physical SOC is mandatory for large and widespread enterprises it also serves as a single point of attack that criminals and state actors can focus on. A good example of that problem is T-Mobile, a company that uses five SOCs around the world and has been breached five times in three years.

Decentralized security

As a result, companies like Dispel are providing tools and services that broaden the attack surface. Schmertzler pointed out that NIST found that attackers expend resources at the reconnaissance stage. “That reconnaissance stage is interesting because if you could stop someone there or if you can make the cost of finding an industrial control system really high, then they’re likely to go elsewhere.” He explained that the military has followed this philosophy for a century, calling it “the moving target defense.” Instead of a static target defended with many security layers, you have a dynamic environment, hidden among different public-wide providers.

This is the growing philosophy around modern SOCs, not the marketing language about discipline-specific (e.g. “vehicle SOC”) language. That doesn’t mean the companies pushing the latter messaging. It does mean that there are more options available to any market.¯