The Birth of an Industry Cyber Security Innovator

August 11, 2010 was a bright sunny day at the otherwise nondescript Wyndham San Jose. I had traveled out to the West Coast to attend the Smart Grid cybersecurity conference. Two separate events in my work had preceded that trip, and a third occurrence about four days before made that event actually kind of exciting (I believe a first for my visits to Wyndham San Jose). 

The Long and Winding Road…

The first event was a run-of-the-mill smart grid conference I had attended not long before, a pretty regular stop on my itinerary as a VC focusing on emerging technologies in the energy and industrial markets. At this conference, a number of otherwise conservative utility folks sat on a stage and talked about the benefits of IP-enabling everything. They were not only talking about smart meters, they were imagining and planning a world in which the grid would become an intelligent, manageable network with all that entails.

Like many in the Israeli tech community, I had served in one of “those” units in the Israeli military, had gained some experience from my work with an earlier generation of Israeli security startups, and had some fond memories of Matthew Broderick impressing a girl by war-dialing his way to near-global thermonuclear war. All of this had me pretty convinced that if the plan is to “IP-enable everything,” particularly devices that were not designed to talk to each other, you were going to need some new capabilities to make it all secure and robust…or else really bad things were gonna happen.

I took that conviction and started to look for investment opportunities, leading me to the second event - a company called Waterfall – a pioneer in the still-nascent field of information security (we weren’t slapping “cyber” on everything just yet) for infrastructure and energy companies. Waterfall had developed an elegant optical communications device called a “one-way diode” to enable companies to securely share some types of information with outside parties through a link that simply could not be hacked. As an Israeli company with no sales force on the ground in the US, and very limited resources – they had managed to achieve a very high penetration of some pretty tough customers, specifically nuclear power plants. So for starters, I had a company I was looking at as a possible investment that had done some pretty unlikely things – usually an indicator of a changing market landscape, some unique technology, or both. In a way, Waterfall was an indication that the total separation of industrial equipment from IT networks was starting to collapse, but hadn’t yet.

So off I went to San Jose. I did not know that four days before that event, Symantec had published a study of a new type of malware called Stuxnet, which marked the first time that a state-sponsored attack on industrial control systems had been caught “in the wild.” You could tell by the excitement in that room that this was a really big deal to the folks who – like Joe Weiss from ACS – had been predicting this kind of shit was going to hit the fan for a long time.

One of the key lessons I took from my prior efforts in the network security world was this: fear is a lousy way to build a big sustainable business. I had always been most impressed by use cases for encryption and intrusion detection/prevention technology which were focused on enhancing a customer’s ability to do business, rather than aimed at the fears keeping the customer awake at night. So, I addressed this question to a panel of august industry experts – including some like Andy Bochman from IBM, now at Idaho National Labs, who would become friends and advisors in this adventure: “What can be offered to the industrial and utility stakeholders that not only enhances security but makes things better?” Crickets. No one I talked to had any idea what my problem was – there were fascinating discussions about the relevance of elliptic curve cryptography for securing smart meters (bad idea btw), about the likely uselessness of the US Government’s new efforts to regulate critical infrastructure protection (near total)…but nobody was talking or thinking about how security could make the evolution of industrial networks a good thing – all were focused on security as a fear mitigator. This was my first warning sign that getting to the right strategy was going to take some time.

What followed was about four years – an eternity in VC terms – of starts and stops, looking at new companies, trying to collaborate with colleagues from industrial and automation giants like GE and ABB to understand their needs, going to lots of other conferences and events. One of the most exciting things I learned was that the question of whether or not to connect OT (operational tech) equipment to IT (you know) networks had been largely trampled into the mud by a nearly instinctive evolution among customers I talked to – they were connecting things because “that’s just how business gets done.” If you’re used to backing up your files to a remote server, or g-d help us the cloud, it hardly seems logical to prevent your engineers from using human machine interfaces (HMIs) that were remotely connected to an actual controller or valve. Industrial control systems were becoming networked because networks are good and productive – but very little (if anything) was being done to ensure the network was secured or even manageable.

In my view this was the critical sign that by mid-2014 a new investment in the space would not suffer from the dreaded similarity between being early and being wrong. 

The Core Elements for Success…

Along the way I learned that I was really looking for a team with a few characteristics:

1. Understanding of how industrial entities actually function, and what the people in those companies actually care about

2. Credibility in looking into the nasty minds of attackers, knowing what they can and are likely to do to exploit the peculiarities of industrial equipment

3. A technology offering and go to market that emphasized enhancing business operations, not just securing the asset base

4. And finally, the ability to be perceived as playing at the network layer, thus not running afoul of the big guys (Rockwell, Schneider, GE, Siemens, Honeywell, Yokogawa, etc).

I had two key discussions on this final point. One was with two sales guys from a smart meter company, who told me that the involvement of a leading network equipment company in managing the backhaul of data from smart meters meant that the whole thing was now completely secured. When I pointed out that their meter – with no crypto processor in it – was a communications node that sits on customer premises outside the encrypted link, they simply repeated the name of the networking vendor and said “that means it’s secured.” The second was with the cyber security exec at an oil and gas major, who said that any security company addressing the PLCs themselves “had better walk in the door holding hands with all the PLC vendors.” But – almost in the same breath – he said that if someone could secure the network layer that connected those controllers, that type of technology was something he would evaluate without the blessing of the controller vendors because “then it’s about the network, which isn’t really their domain.”

The problem was that while many of the growing cohort of startups I was tracking had some of those boxes checked, none really brought it all together. And, I should probably admit that after spending so long looking at the opportunity, the idea of making a passive investment and watching from afar felt like a huge missed opportunity to try to put some of these convictions to the test in the field.

Getting the Band Together…

I had been working together with Amir Zilberstein, the founder of Waterfall and someone I had come to genuinely appreciate as a veteran of both the hard core cyber and industrial domains. He in turn had been talking at length to Nadav Zafrir and the folks at Team8. So, we started to look at opportunities together; after the third or fourth didn’t gel, we just kind of looked at each other and said “why don’t we just start the company from scratch?” Immediately thereafter Amir brought in Benny Porat – one of those guys who finished their BSc in computer science at 19 ’cause high school wasn’t keeping him occupied enough, and had just about wrapped up his PhD in Pattern Matching and Streaming Algorithms while simultaneously commanding a team of similar mutants in the Israeli army’s cyber research unit. Oh – and he was just a few months away from the ripe old age of 28.

So, the three of us started on the most critical phase of any startup – googling possible names for the company and seeing which ones wouldn’t run afoul of porn filters (a bigger problem than you’d think). And just when we had a name (which didn’t survive), we caught a rumor that the former head of Siemens’ industrial security services business had just left her job and was in Israel meeting with ICS security startups – so we tracked down Galina Antova, chased her back to her native Toronto in a snow storm to convince her to come aboard, and the rest was history.

Actually the rest was about 90 hours a week over two years, grinding road trips to potential customers and partners, rocky helicopter rides, missed birthdays, lost sleep, some huge wins and frustrating setbacks in building out an incredible team, and some unbelievable good fortune in lining up partners, customers and investors that have helped to launch the company in a pretty unique way. I’ve been in and around venture backed tech companies since the mid-1990s, and I cannot ever recall anything – IPO pricing calls, M&A closing dinners, whatever – that comes close to how great a feeling it was the first time we saw a cynical, grizzled process engineer look at our screens, smile and say “Hey – this can really make my work better.”

Claroty – Clarity for your OT Networks

In September, we came out of stealth mode, putting a name, some faces and a website on this company, Claroty. Yes, we replaced the “it” with “ot” – because we’re about bridging the gaps between the IT and OT worlds and driving true OT security. Our launch announcement highlighted a lot of what we think is special – and a lot of what we set out to build from day one. We have a team that combines some of the best protocol researchers, software developers, and – let’s face it – hackers to have been produced by the Israeli and American taxpayers in recent years. We have folks with actual dirt under their fingernails from building control system networks in power plants, desalination plants, food and beverage factories and more. And increasingly, we have managed to attract proven talent from some of the pioneers of the industry – Waterfall, Industrial Defender, Brightsource, Siemens, Schneider, Johnson Controls and more.

We have a product that has been put through the wringer in week-long evaluations by some of those scary industrial automation folks I mentioned above, and came through not only intact but with higher scores than all comers. We have won multi-million dollar deployments with some giant customers, and I truly believe that we are just getting started. You may have seen us last week at the American Petroleum Institute Cyber Conference…if not, you’ll be seeing us everywhere soon.

The original idea continues to be at the core of the platform and the team – industrial control systems are networked devices.

We are here to ensure that the evolution of the industrial network is positive, productive, and secure.