Interview: Galina Antova – Operational Technology

Galina Antova cut her teeth in IT working for IBM and then at Siemens but she is now making her mark as a successful entrepreneur in the operational technology (OT) space. Smart Industry’s editor Tim Cole caught up with her in the restaurant at the top of Munich’s 600-foot TV tower to talk about how the company she cofounded four years ago, Claroty, can help protect critical IoT infrastructures.

You bill yourself as an expert in OT security. How does that tie into IoT?
I had the privilege to work in the wonderful world of industrial automation services at Siemens where I discovered that the whole world runs on industrial automation – literally everything! About this time, Stuxnet became public – the worm virus that targets industrial control systems affecting critical infrastructure systems like electrical grids, water supply, telecommunications, and so on. Suddenly, OT security was on everybody’s minds – protecting operational technology, namely the hardware and software that monitors and controls physical devices. Companies started talking more openly about it and budgets were starting to be created.

Lots of companies are involved in critical infrastructure – whether they know it or not.
Galina Antova, CEO, Claroty


Traditionally, that sounds more like the responsibility of the IT security people.
At this point I realized that IT security companies weren’t doing much when it comes to industrial cybersecurity. Maybe they did some marketing but they really didn’t have the technology that gives you the visibility about what’s going on in those networks. Industrial networks, in those days, were really a black box. Often, nobody really knew who was taking care of security; sometimes it was the automation engineers themselves, sometimes the IT department. That’s where I saw my opportunity so, in 2014, I left Siemens and teamed up with two guys from Israel who were at the cutting edge of technology. They were working for Unit 8200, which is sort of the equivalent of the NSA [the US National Security Agency].

What do you do differently from other security companies?
We wanted to create technology that fits right into the world of industrial automation. That means it should not interfere with the processes’ uptimes. Availability is the number one thing we need to protect. That meant we had to spend a lot of time studying the different components of networks and understanding how they communicate with each other. We had to find a way to passively listen to what’s going on in those networks and extract information without disrupting the process itself. By analyzing that data, we can monitor security in real-time, machine-to-machine communication, which is the nature of industrial automation.

How long did that take you?
We were in stealth mode for almost two years. When you go to a really big customer like these, they have pretty much everything under the sun, so providing comprehensive security means you have to understand all the different devices and protocols. We have a pretty sophisticated research team that is separate from our development team whose job is just blind analysis of the protocols.

Who are your clients?
There are a number of large vendors in the OT area like Siemens, Schneider, Rockwell, and GE who provide the basic equipment for big national and international infrastructure systems. We are currently about 150 people around the world. Our R&D is based in Israel but our headquarters is in New York. We started officially selling in 2016. Today, we have customers in 15 vertical markets, everything from mining to oil and gas, all kinds of manufacturing from automotive to petrochemicals, pharmaceuticals, food & beverage – all of them large companies all over the world.

How do you plan to expand your business?
The nice thing about our market is that lots of companies are involved in critical infrastructure – whether they know it or not. Even if they’re not an industrial company, they all have an office, and offices have building management systems; they have elevators, they have lights, and they’re all operated by OT networks. So, we were able to start expanding to data centers, commercial real estate, and many other industries. Recently, we branched out to include IoT devices that may not be so visible but are still critical, things like security cameras or your Apple TV or your printers. It doesn’t matter if we’re dealing with an industrial network or an enterprise IoT network, if you don’t know how they’re communicating, they are potential attack vectors. Our business proposition is: “We cover all the invisible devices in your network.”

Are companies today in the process of repeating the same mistakes they made 25 years ago in IT security, namely let’s build it and if security issues crop up we’ll fix them later?
You’re right, we’re going through the same cycle. The difference is that we simply don’t have 25 years to evolve the defenses. In IT, it happened very gradually and naturally, first anti-virus, then firewalls, then IPS; attackers and vendors sort of played a game of catch-up. The reality today is that operational technology and IoT are everywhere and they’re all connected to other networks, and both pretty much lack any kind of security footprint.

How do you close the gap?
One way Claroty is different is that we don’t build products, we built a platform. Each one of the features that we offer, in IT security they’re a separate product category. For example, we do asset management and there are a bunch of companies on the IT side that do that. The same for vulnerability management, for virtual segmentation – think VMware for OT networks. We build all kinds of different products into a consolidated platform including secure remote access. That makes it easy to gain visibility and monitor threats within OT and IoT networks.

Doesn’t that create rivalries or even conflicts of interest between old-school IT security departments and OT?
[laughs] People are always the problem, aren’t they? A major reason companies aren’t adjusting faster lies in their organizational structures. There are geographical differences. The US, for instance, appears to be moving faster than Europe in terms of governance structures. What we see with the great majority of companies is that once awareness reaches the board level things really start moving. Top brass starts asking, “Who’s responsible for OT and IoT cybersecurity?” and the answer is nobody, because engineering does engineering, and IT security does IT security, they don’t do OT security. So typically, the chief information security officer gets the responsibility and starts reshuffling priorities. The question becomes, “Where do I spend my next dollar? Do I spend it on the third or fourth end-point security protection products, or do I spend it on a technology that lets me see the true state of my critical infrastructure components for the very first time?”

One Comment

  1. Daniel Ehrenreich says:

    The industry needs massive education done by ICS experts:
    1) Where are the risks?
    2) Why everyone must be worried?
    3) Why the IT CIO can not help?
    4) Why we must understand best practices?
    5) What might happen if you do nothing?
