Why Microsoft acquired OT security firm CyberX

Microsoft has acquired CyberX, a seven-year-old security firm handling factory and enterprise operational technology networks. Terms of the deal were not announced, but it’s a clear indicator that the IoT market is maturing, and that the big IT firms are willing to step ever deeper into the nitty-gritty operational tech in order to deliver what their customers need.

CyberX is an Israeli firm that helps big companies secure their manufacturing plants, utilities, and other infrastructure against cyberattacks. Its software uses analytics to track the behavior of data across networks, monitoring that traffic to ensure things aren’t trying to ping devices they shouldn’t or send traffic out to strange locales. One advantage of its software is that it doesn’t need to be deployed on each individual device, which can be difficult when you’re trying to secure a million smart meters in the field or thousands of low-memory sensors in a plant. It also means companies can deploy it across devices that have been in the field for years.

Microsoft plans to tie the CyberX software into the Azure IoT security suite of services, which include Azure Sphere, a device-to-cloud combination of hardware and services. With Azure Sphere, Microsoft installs software onto a secure enclave on a chip and uses keys to link the device to the cloud. The device can be identified and on the cloud side, Microsoft keeps an updated list of vulnerabilities and tracks behavior. Such device-to-cloud security is the gold-standard for the internet of things, but it requires a lot more memory and computing power than some of the smaller connected devices have. It also requires Sphere credentials to be installed when the device is manufactured, meaning that older devices in the field miss out on the security benefits of Sphere, but could use CyberX.

This is where an approach like CyberX can complement what Microsoft already has on offer. The company can secure embedded devices that don’t have a lot of memory, and it can protect devices already in operation. It also gives Microsoft more credibility in the industrial IoT and with customers such as utilities, that are increasingly trying to converge the IT and OT (operations tech) networks. Historically these two networks have been controlled by separate fiefdoms, but as companies try to pull data from the operational infrastructure into the IT networks for analysis as part of a digital transformation, they need to work together.

Microsoft, Amazon, and other IT vendors have historically tried to focus on the IT side, building out services such as Microsoft’s Azure IoT Edge or Amazon’s Greengrass to try to link the IT infrastructure to the OT world. Large, vertically integrated companies such as Johnson Control, Rockwell Automation, and more have historically worked with Microsoft and others to link their OT data with the IT services provided by tech giants. Startups such as Foghorn, Balena, and Seeq are also trying to make a name for themselves creating similar links.

But those links were pretty basic, and most industrial clients found them frustrating to use. This was in part because the IT giants weren’t sure they wanted to go deeper into the OT space, which requires domain expertise and carries a lot of responsibility. For example, if software monitoring a safety valve goes offline, people’s lives can be lost and manufacturing processes can grind to halt, costing millions.

But it seems that the demand and need are there, so the tech giants are trying to beef up their OT credentials. It makes sense that they would start on the security side, which is where the IT folks typically have an advantage over their OT brethren, who have had the luxury of air-gapped networks. (Not that the IT folks couldn’t learn a bit about security from the OT world as well.)

This is why we’re seeing deep partnerships between companies such as Cisco and Nozomi Networks and Microsoft’s acquisition of CyberX. The IT giants are gingerly stepping into the OT fray to help companies ensure that their digital transformations don’t open new holes in their networks. After security, I’d look for companies that handle data ingestion or analytics to attract the attention of the IT crowd.