by Adit Singh, Partner, Cota Capital

This article was published by VentureBeat on November 22, 2022

Today, with the rampant spread of cybercrime, there is a tremendous amount of work being done to protect our computer networks—to secure our bits and bytes. At the same time, however, there is not nearly enough work being done to secure our atoms—namely, the hard physical infrastructure that runs the world economy.

Nations are now teeming with operational technology (OT) platforms that have essentially computerized their entire physical infrastructures, whether it’s buildings and bridges, trains and automobiles or the industrial equipment and assembly lines that keep economies humming. But the notion that a hospital bed can be hacked—or a plane or a bridge—is still a very new concept. We need to start taking such threats very seriously because they can cause catastrophic damage.

Imagine, for instance, an attack on a major power generation plant that leaves the Northeast U.S. without heat during a particularly brutal cold spell. Consider the tremendous amount of hardship and even death that this kind of attack would cause as homes go dark, businesses get cut off from customers, hospitals struggle to operate, and airports shut down.

The Stuxnet virus, which first emerged more than a decade ago, was the first indication that physical infrastructure could be a prime target for cyberthreats. Stuxnet was a malicious worm that infected the software of at least 14 industrial sites in Iran, including a uranium enrichment plant. 

The Stuxnet virus has since mutated and spread to other industrial and energy-producing facilities all over the world. The reality is that critical infrastructure everywhere is now at risk from Stuxnet-like attacks. Indeed, there are security flaws lurking in the critical systems used in the most important industries around the globe, including power, water, transportation, and manufacturing.

Built-in vulnerability

The problem is that OT manufacturers never designed their products with security in mind and, today, trillions of dollars in OT assets are highly vulnerable. The vast majority of these products are built on microcontrollers communicating over insecure controller area network (CAN) buses. The CAN protocol is used in everything from passenger vehicles and agricultural equipment to medical instruments and building automation—yet it contains no direct support for secure communications. It also lacks all-important authentication and authorization. For instance, a CAN frame does not include any information about the address of the sender or the receiver.

As a result, CAN bus networks are increasingly vulnerable to malicious attacks, especially as the cyber-attack landscape expands. This means that new approaches and solutions are required to better secure CAN buses and protect vital infrastructure.

Before we talk about what this security should look like, let’s examine what can happen if a CAN bus network is compromised. A CAN bus essentially serves as a shared communication channel for multiple microprocessors. In an automobile, for instance, the CAN bus makes it possible for the engine system, the combustion system, the braking system, and the lighting system to seamlessly communicate with each other over the shared channel.

But, because the CAN bus is inherently insecure, it’s possible for hackers to interfere with that communication and start sending random messages that are still in compliance with the protocol. Just imagine the kind of mayhem that would ensue if even a small-scale hack of automated vehicles occurred, turning driverless cars into a swarm of potentially lethal objects.

The challenge for the automotive industry—indeed all major industries—is to design a security mechanism for CAN with strong, embedded protection combined with high fault tolerance and low cost. That’s why I see massive opportunity for startups that can address this issue and ultimately defend all our physical assets—every plane, train, manufacturing system, etc.—from cyberattack.

How OT security would work

What would such a company look like? Well, for starters, it could attempt to solve the security problem by adding a layer of intelligence—as well as a layer of authentication—to a legacy CAN bus. This kind of solution could intercept data from the CAN and deconstruct the protocol to enrich and alert on anomalous communications traversing OT data buses. With such a solution installed, operators of high-value physical equipment would gain real-time, actionable insight about anomalies and intrusions in their systems—and thus be better equipped to thwart any cyberattack.

This kind of company will likely come from the defense industry. It will have deep foundational tech at the embedded data plane, as well as the ability to analyze various machine protocols. With the right team and support, I believe this is easily a $10B-plus opportunity. There are few obligations more important than protecting our physical infrastructure, that’s why there is a pressing need for new solutions that are deeply focused on hardening critical assets against cyberattacks.