Nozomi Networks CEO talks OT security and 'budget muscle'

ORLANDO, Fla. -- The marriage of operational technology and cybersecurity is a fairly new concept.

Nozomi Networks, founded in 2013, is an early example of a pure play operational technology (OT) and industrial control systems (ICS) cybersecurity vendor. Jeff Zindel, Honeywell's vice president and general manager of cybersecurity, told TechTarget Editorial last week that when he joined Honeywell in 2013, there was "very little awareness" about OT cybersecurity in general. That has changed greatly in recent years in the wake of incidents such as the ransomware attack on Colonial Pipeline and malware attacks such as Triton and BlackEnergy.

Nozomi Networks' products focus primarily on anomaly detection, vulnerability management and data analytics in OT settings including manufacturing plants, healthcare and critical infrastructure, though Nozomi's portfolio has grown to include IoT security solutions as well.

TechTarget Editorial sat down to discuss OT security with Nozomi Networks CEO Edgard Capdevielle at Honeywell Connect 2022, Honeywell's user conference held last week in Orlando. Capdevielle discussed the changing landscape of OT security as well as the challenge of building the "budget muscle" organizations need.

How has the ICS/OT/IoT security landscape changed since you became CEO of Nozomi Networks in 2016?

Edgard Capdevielle: It has changed quite a bit. In 2016, IT and OT were still pretty separate, and their convergence had not progressed much. You would have found that the majority of our customers not only had different organizations for [OT and IT security], but had organizations that were not collaborating and not necessarily friendly to each other.

Edgard Capdevielle

The typical situation would be that IT guys would walk out of the room when the conversation turns to OT, and that has changed completely. Last week, I talked to one of my customers, and the CIO had somebody reporting to him with the title of 'IT-OT convergence.' It's changing pretty dramatically from folks that don't talk to each other to potentially becoming a unified organization where OT happens to be one of the specialties.

What has Nozomi Networks been working on lately?

Capdevielle: We've been working on a ton of stuff. At the very beginning of 2021, we introduced our very first cloud-based offering. Cloud technology is one of those things that the world of OT has been relatively late to adopt. We adopted cloud-based technologies in IT a long time ago, and OTs are starting to adopt it now.

We've also discovered as we go into some of these OT networks that they may think they're purely OT networks, but you also find a lot of IoT devices, and we now have solutions for pure play IoT use cases. In a commercial building, for example, it's majority IoT, and Nozomi has been extremely successful in smart buildings and airports -- some of the largest airports in the world use Nozomi for protection. We've also expanded into other verticals like healthcare.

OT security, as a whole, is generally thought of as lagging behind IT security in terms of maturity. Is that gap getting smaller?

Capdevielle: Yes, absolutely. OT security is getting better. We're all rushing to close that gap. We have had these flagship incidents that have made it very evident that [OT security] has to change. If we hadn't had a Colonial Pipeline [attack] or a Triton or a BlackEnergy, we wouldn't be doing this. I think those flagship attacks have shown the need to modernize and upgrade OT security.

What would you say is the biggest threat facing organizations using OT and IoT?

Capdevielle: I'd say there are two. Number one is that many organizations have not built their 'budget muscles' around OT security spending. If you're trying to improve your firewalls, you had a budget for firewalls last year. And the budget for IT spending in cybersecurity tends to grow, so you get to spend a little bit more on firewalls this year. That's what is called budget momentum. Well, when you have a new category like OT security, you don't have that budget momentum. Cybersecurity budgets are not growing to include new categories -- that's number one.

Number two is the legacy concept of air gapping. I think believing that air gapping is possible over long periods of time is the No. 1 threat to an organization's safety. Air gapping is basically taking a snapshot of an environment, believing that the environment is contained and then moving on. Outside of military and nuclear environments, nobody has the real discipline to keep an environment air gapped.

Thinking about OT security, what are people sleeping on? What aren't people talking about enough?

Capdevielle: I think we are talking about a lot of the topics and trends, like the ongoing convergence of OT into IT, the increased adoption of cloud and the increased adoption of active technologies -- these are all things that people are talking about and experimenting with. I think the one thing people are not actively talking about is how to get out from behind this 'budget muscle,' as I called it.

You're trying to do something meaningful from an OT security implementation perspective, but because it hasn't been meaningful in previous years, you don't have a lot of budget momentum to invest from. You have to create a new category -- a new budget line item -- and you have to take money from somewhere because the growth of IT budgets is not big enough to encompass a new category. How we make room for an initial OT security investment is a topic that folks may not be talking enough about.

Editor's note: This interview was edited for clarity and length.

Alexander Culafi is a writer, journalist and podcaster based in Boston.