Rockwell Automation bolsters cybersecurity arsenal with acquisition of Verve Industrial Protection
Leading into its Automation Fair event in Boston, Rockwell Automation has signed a definitive agreement to acquire Verve Industrial Protection, a cybersecurity software and services company that focuses specifically on industrial environments.
Attacks against operational technology (OT) and industrial control systems (ICSs) are on the rise, with 60% of the incidents resulting in operational disruption, according to a research report, “Cybersecurity Incidents in Industrial Operations,” conducted by Rockwell Automation and the Cyentia Institute. The study analyzed more than 100 cybersecurity incidents in industrial environments.
As companies add hardware and software to legacy equipment, attack surfaces expand, increasing opportunities for cyber attacks. The Verve Security Center platform is designed to enable real-time asset inventory, vulnerability management and risk remediation that could strengthen Rockwell’s current offerings and address these issues.
“The foundation of OT cybersecurity starts with visibility into assets,” says Matt Fordenwalt, Rockwell’s senior vice president, lifecycle services. “You can’t protect what you don’t know you have. This continues to be a critical challenge for manufacturers. With the Verve acquisition, our customers can quickly assess their assets, prioritize risk and apply countermeasures to mitigate vulnerabilities, all within a single platform. The addition of Verve to our suite of solutions allows customers to further build resiliency and continuously improve the security, safety and availability of their operations.”
So, where does Verve fit into the extensive portfolio already amassed by Rockwell Automation?
“Rockwell already has FactoryTalk AssetCentre, which is an inventory software that manages assets and asset updates,” explains Tobey Strauch, an independent principal industrial controls engineer in Fremont, California. “Perhaps they have plans of developing that further. Rockwell also owns Maverick, but that does not mean that Maverick must install Rockwell programmable logic controllers (PLCs). Recently Rockwell has acquired some data-center type companies and cloud-computing companies.”
Remember that Rockwell Automation is a technology company and only makes PLCs as part of an umbrella that supports manufacturing systems, notes Strauch. “Rockwell also has a manufacturing execution system (MES), supervisory control and data acquisition (SCADA) and other technologies, as well as partnerships with Cisco that mean they must be concerned with the security aspect of their customers’ worlds,” she explains. “PlantPAx made Rockwell a distributed-control-system (DCS) provider, which means the scope of its reach is past the machine.”
Verve’s skill set includes network hardening and understanding the threat development in the operational-technology (OT) realm, continues Strauch. “My assumption is that Rockwell wants to be able to offer that skill set to its already broad customer base,” she notes. “PlantPAx was introduced in 2008. Picture 15 years of customers in a broader scope than just PLCs, and they have a concern for cybersecurity.”
There are also government guidelines and regulations, Strauch points out. “Rockwell has products supporting water and energy, which means they must be accountable to National Institute of Standards and Technology (NIST) changes and government demands,” she explains. “Cybersecurity has a legal aspect that OT people are not accustomed to. Companies do get charged for breaches.” When a breach occurs based on a manufacturer’s card, it could be held liable.
The Verve Security Center platform was built to provide IT-level security while addressing the unique challenges of the OT environment. At the center of the Verve platform is an asset inventory system that recognizes all industrial assets, regardless of manufacturer. Verve’s proprietary approach communicates directly with the assets, gathering critical information without impacting network performance and interrupting production. It then aggregates a wide range of data sources, including Rockwell’s partner technologies, into its platform to provide actionable insight for customers to address the highest risk assets.
“With three decades in the field, I know that seamless integration is paramount to avoid disruptions to critical system security," notes Kevin Owens, CEO of CyberStorm Defense in the northwestern United States. Prior to founding CyberStorm Defense, Owens was senior research engineer at Schweitzer Engineering Laboratories in Spokane, Washington, where he worked after spending more than 10 years as engineering leader for the U.S. Department of Defense.
Over three decades, Owens has cautioned companies against allowing acquisitions to divert focus from the core needs of critical infrastructure cybersecurity. "In my experience, agility is key," he stresses. "The acquisition must not hinder Verve's swift innovation in addressing emerging cybersecurity challenges. Clear communication is paramount. Rockwell and Verve must commit to ongoing support, innovation and addressing specific challenges in critical infrastructure."
Verve professional services also provide ongoing remediation, along with strategic roadmap and business case development, which could further deepen Rockwell’s cybersecurity consulting capabilities.
“We are excited about the opportunity to join Rockwell, the leader in industrial automation and digital transformation, to further secure manufacturers’ assets around the world,” says John Livingston, CEO of Verve Industrial. “Our platform has helped clients mitigate thousands of vulnerabilities and is an important addition to Rockwell’s OT cybersecurity solutions, providing actionable intelligence to quickly mitigate cybersecurity risks, so that manufacturing facilities can stay up and running.”