Klaus Mochalski
Hello and welcome to a new episode of the OT Security Made Simple Podcast. I'm Klaus Mochalski, founder of Rhebo. My guest today is Dirk Seewald. Dirk and I have actually worked together a lot. Dirk is a partner at eCapital which was an investor in Rhebo from 2016 to 2021. Dirk previously worked a lot in the cyber security sector, including as a board member at Phoenix Contact. But he can tell us all about that himself. Today, we will definitely take a look at what has happened in the market environment in the field of OT security, i.e. security for operational technology, in recent years. And of course we will be listening to the perspective of an investor in particular, what has developed there, what exciting things are happening and which developments we need to pay particular attention to. Before we get started, I'd like to hand over to you, Dirk, for a brief introduction for our listeners.
Dirk Seewald
Yes, thank you very much, Klaus. I'm very pleased. Thank you very much for the invitation. Klaus, as you've just said, my name is Dirk Seewald. I'd like to introduce myself in two or three sentences. I'm a partner at eCapital, a venture capital investor that invests in early-stage B2B companies. One of our investment focuses that makes us a bit special is cyber security, alongside sustainability, IoT and semiconductors. In the end, cybersecurity is also the topic that has been on my mind for almost 20 years.
As Klaus just mentioned, I have two lives. I am an engineer by training. I spent the first half of my professional life as an entrepreneur in the telecommunications sector. The second half, however, has been in the field of cyber security for industrial systems, i.e. for OT, since 2006. I have been deeply involved in this industry, so to speak. First I was Chief Operating Officer, then Chief Executive Officer of a company that was one of the first to manufacture devices and solutions for securing industrial plants. We sold the company to Dominate, then to Phoenix Contact, and I was then responsible for the global cyber security solutions business at Phoenix Contact. And it was in this context that Klaus and I got to know each other.
Klaus Mochalski
On the one hand, it was a very exciting time. On the other hand, the discussions, including the technological discussions, were of course always very helpful, because it was clear that you had already dealt with this topic very intensively - at a very early stage from today's perspective. It may also be interesting for our listeners to know that you also invested in a competitor of Rhebo as part of your involvement with Phoenix Contact. This means that you actually have a good understanding of this market, from several perspectives and over a very long period of time.
Can you tell us something about this early insights into what we now call the OT security market? What were your first impressions? What prompted the investment decision back then, and what has changed in the first few years from your perspective?
Dirk Seewald
In fact, Klaus: At the time, we were ultimately looking at the market for new cyber security solutions for operators of critical systems and industrial automation that were profitable. And at a time when the big question was, what assets do I actually have in an industrial plant, in a process facility, in a production facility? After all, it's not so clear when you take a closer look at which IT assets are actually being used. Over the years, and in some cases over the decades, quite interesting structures have developed that you then have to deal with somehow, including Internet access via DSL, which is not documented anywhere, etc.. It's been uncontrolled growth to some extent. That was a big issue back then. So first of all, what kind of devices are there in these networks, which ultimately always end up moving something?
So in the end, industry always means that a Bit, let's say, triggers something. That somewhere an arm moves, a robot arm, some servo motor starts up, so in the end some physical effect follows. That is very central. That's why it was important to know what assets actually exist in the networks. How can you access these assets? And I can also remember scenarios that were not documented with a pen and pad, but ultimately electronically. That was the one big challenge, so to speak.
And the other operational challenge, which we were really able to solve for the first time with the initial solutions, was to recognize real anomalies in the communication. So that was actually the second step. After starting to monitor the communication and then understanding which commands were being exchanged, which were perhaps unintentional or unconscious? What data is being transported?
And that's when a whole range of solutions finally came into play. And I think that was exactly the moment when, let's say, a handful of companies emerged, including Rhebo. And we got to know each other at the time and we ended up investing in an international provider. But we always kept an eye on the field. Well, me in particular. So as I said, in my estimation or for me, the first phase was about identifying assets and then, in the second step, really monitoring communication and recognizing anomalies.
Klaus Mochalski
In any case, what you say is very exciting. Especially these field studies. So what actually were the first problems that were recognized in the factories and automated production facilities when you first took a close look around. What the infrastructure looks like - the IT systems that actually control physical processes.
I think the crazy thing is that these stories can still be told today. We still start with our new customers with a security analysis, where a major component is the identification of these systems, these assets. What you have already described. In other words, the motivation to introduce such a system is still very similar today. You first want to get to know your own system. And the maturity of the plants in which we carry out these analyses has only increased relatively slightly. If you look at how much time has passed and how much has been reported on this topic. This means that the surprises we experience there are very similar today. For example, we are seeing communication with the Internet from systems where it should not be taking place. We have systems that no one has ever heard of. We have login attempts from stations in the classic office IT environment that shouldn't even be taking place. This means that we find this MS-DOS relatively rarely, but we still find Windows XP systems.
Why do you think that is? You have a bit of an external perspective as an investor, you're not so much involved in the day-to-day business. Do you have any idea why this development is taking place so slowly?
Dirk Seewald
Yes, I don't think there is one cause for this. And ultimately you can see that from the fact that we are still struggling with these issues. And I think that will take some time. I think there are a number of factors.
One of the factors is certainly the long investment cycles. So when we talk about industrial plants or process plants, we are actually always talking about decades. Ultimately, this also means that the infrastructure that is installed there, i.e. the control systems, the plants, the robot technology, but also the IT infrastructure, was planned at some point and is then amortized, so to speak, and correspondingly smaller budgets are then available for further maintenance. And the mantra "never change a running system" certainly still applies. There is certainly a lot of truth in this when it comes to running infrastructure. And that is certainly one of the points here.
However, I would mention two or three others, the second of which I have seen time and again and you have certainly also seen in the industry. Namely, the question of how to deal with risks. Ultimately, cyber risks or the risk of cyber damage occurring - whether deliberately, unintentionally or as a result of an act of war - can no longer be ruled out today. Ultimately, these are corporate risks and are often dealt with together with many other risks by a risk manager or by an organization that has to manage these risks. And risks can be dealt with in different ways. You can ignore them, you can mitigate them with technology. That's what we always like to talk about, namely using technology to deal with them. You can insure it. And so there's a whole range of things you can do to deal with these risks.
By the way, my feeling at this point is that the entire range of ways to deal with these risks, including cyber risks, has been exhausted over many years or is still being exhausted. Interestingly, cyber risks in particular are becoming more difficult to insure. That's why I'm coming to this point. This is certainly a business model that industrial insurers considered many years ago in order to ultimately make offers. As far as I know, these policies have never or very rarely been really profitable for insurers. And we have now seen for the first time, at the end of last year, that insurers have actually said: We are restricting this insurance significantly, we are increasing the prices very strongly. Or even to such an extent - I remember that shortly before Christmas 2022, the CEO of Zurich Insurance finally announced to the Financial Times that he could imagine that cyber risks could no longer be insured at all. This will of course limit the scope for dealing with this type of risk - and that is one of the hopes - and we will ultimately have to focus on the root cause.
In other words, how do we reduce these risks? How do we really deal with them in the infrastructure? Because - and now the monologue is coming to an end - it's not as if the complexity is decreasing. If we look at the last few years - and every single citizen, even every single listener to this podcast, will know this - that in a very short period of time, all employees who were able to work from home or in a hybrid environment ended up doing so. We have a huge exponential growth of hybrid devices that IT departments have to contend with. And that hasn't stopped at the shop floor either. So, we're going to struggle with more complexity and that doesn't make the problem any smaller. There is some hope in this for technology providers like you.
Klaus Mochalski
I find it very interesting, especially the insurance topic. Of course, we have also observed this and there have also been efforts by the state to restrict the whole thing, especially for critical infrastructures or industrial companies that are considered critical. They say you can't buy your way out of it.
And I think you have to look at it from the company's perspective. Of course, one thing is the risk that I want to reduce and that I can perhaps buy out. But in the end, it's also about the consequences if this risk materializes. What are the consequences? And I don't think that even insurance companies can fully predict this today because they simply don't have the data that they have for weather events, for example. There is historical data for weather events, which is not available here, so it is hardly surprising that there are now discussions about restricting this.
There will probably be a back and forth in the next few years to regulate the policies in more detail. It's similar to the way critical infrastructure regulation imposes requirements on companies that want to be insured. There will certainly be a wide range of developments. I think we could go into this topic in greater depth. We could go on for a very long time just talking about insurance and the extent to which it is good or bad.
But I would like to go back to one point you mentioned: the current geopolitical situation. We have already talked about the fact that changes in this industrial sector, where the security of industrial plants is concerned, are developing rather slowly because of the long investment cycles, the reluctance to invest in new technologies and the issue of insurance. Operators have to consider quite a few topics.
Now, a little over a year ago [note: the podcast was recorded in mid-2023], a pretty huge geopolitical influencing factor was added. You spoke briefly earlier about warlike events that are also manifesting themselves in cyberspace. What is your view of the general situation, especially with regard to cyber security in the OT sector, as a result of the Ukraine war that started [in February 2022]? There were already a whole series of documented attacks in the run-up to it, which were most likely caused by state players. Has this really changed the landscape? There has been a lot of talk about it, but has there actually been a real change here, at least in the behavior of companies and then of course also in the behavior or investment behavior of investors in this area?
Dirk Seewald
I'll preface the answer by saying that in my experience, things move in the cyber security market when something happens. That's unfortunate, but at the end of the day we're probably all human somewhere and we ultimately need a pain point to make us change in some fundamental way. In June 2010, that was Stuxnet. We both actively witnessed it, and that ultimately led to the industry waking up a bit and realizing that it's not just Bits that you move back and forth, but that you're actually using it to move physical infrastructure. You need these moments when you are shaken awake, and now and again they occur.
And in my opinion, the start of the war in Ukraine was one of those moments when we all became aware of this danger. Ultimately, it led to the NATO countries moving closer together. This has led to a partial 180-degree shift in the perspective of individual European countries, member states, including Germany, with regard to the issue of defense and also the means and commitment, the budgets, or even the perspective of political players. So I think that was a very important factor here. And interestingly enough, cyber is also currently being talked about as the fourth domain in the military environment. And if you follow the reports on the situation in Ukraine, I can at least see that these are always hybrid operations. Whether you shut down the enemy's infrastructure before finally striking kinetically. Or using IT infrastructure data intelligently for active warfare.
So these are certainly topics that are very strongly intertwined. What we are seeing is that dual use is no longer a no-go area, meaning commercial technologies are also being used for defense. Institutions have been created, such as the NATO Investment Fund, which was set up to invest in relevant companies. It was endowed with one billion US dollars and invests this money in start-ups, in some cases directly.
An initiative has been launched called DIANA. This is a program designed to support companies early on in the phase of cyber and defense solutions and to provide accelerators.The first three calls for proposals have now been issued. And one of these three deals specifically with the topic of secure data transmission in the field. Of course, a topic such as quantum security plays a role here. Of course, topics such as how current technology can be used in this context or how artificial intelligence can be used to achieve the necessary effects also play a role. I think there is now also a field for companies that can use their solutions to serve critical infrastructure and make industrial plants more secure. I think this is very wide open and also underpinned by the relevant institutions. Again, these are all long-term decisions that have to be made. But I think we can already see today that what has happened in the last twelve or 18 months, what the geopolitical perspective offers, will also have a medium and long-term effect and that this is not a short-term effect that will be gone again next year and will no longer be taken into account. So dual use and defense are, I think, a big issue for cyber.
Klaus Mochalski
This means that there are certainly opportunities for start-ups, certainly also for established companies, but especially for start-ups. And right after that, I'm interested in the area of IT security and the area you describe, dual use. I would say that the interface between goods for civilian use and for military use is historically very pronounced in the USA and Israel. And there is also a strong overlap with the cyber security industry. The most successful IT security and OT security start-ups are often American and Israeli-American companies. The Ukraine war is currently more of a European challenge, a European problem. Are the initiatives you describe, i.e. this NATO investment fund, an opportunity?
Dirk Seewald
This is my perception that it is not just a European problem, not just for the West, but for the whole world. You can also see that in the implications that this has. And interestingly, these are exactly the things I have just described, i.e. a focus on European companies. Interestingly, some countries, including the USA, did not participate in the NATO Innovation Fund that I just mentioned. And why not? Because they have other local government measures that ultimately already cover these objectives.
So we, which are mainly Western European countries, are actually catching up with other countries. That's why there is a very big focus, including this innovation fund, on the European countries. And if you look at Germany again, there have also been initiatives from time to time that have looked at the cyber domain in particular. I would like to take this opportunity to highlight the Cyber Agency, which was set up a few years ago and, as far as I can remember, has actually been organizing the first challenges since last year, which run over several rounds and ultimately provide funding for interesting projects or companies, sometimes over several years. And to the best of my recollection, this really took off last year. So, Cyberagentur is another example, specifically from Germany. Let me summarize the answer to the question once again: The NATO Innovation Fund is clearly focused on Western European countries.
Klaus Mochalski
This means that there is an opportunity, especially for Germany and for German companies, German start-ups, to become active in this area. Supported, of course, by organizations such as the Cyber Agency, which is even based in eastern Germany, which was a very exciting development. And I also followed it a bit. In the beginning, there were some of the typical teething problems with such a large investment and an organization with a long-term perspective.
But the first projects are now underway and I actually find it very exciting. From your point of view, how does this sort of, let's say, governmental or large-scale organizational perspective compare with the more venture capital-driven scene in the USA? Is there a difference, or is this just a perception that is shifting a bit due to these activities in this area in particular?
Dirk Seewald
Ultimately, a company has to become competitive at some point, i.e. be able to prove itself on the market. And that's why these initiatives that we've just talked about - cyber agency, accelerator, DIANA - can only ever be a start in the first few years. To take investment risks out of such a project at the beginning, so to speak, from an investor perspective. That ultimately the biggest risks are eliminated and you have the first prototypes. You have your first PoCs, i.e. your first pilot customers, and it then becomes interesting for private investors to continue such companies. Interestingly, they are everywhere. So they also exist in Israel, they also exist in the USA.
Where I believe we have a lot of catching up to do in Europe, and in Germany in particular, is in this area. We have now done this as eCapital and together with a handful of other European specialized funds in the field of cyber security. We finance early-stage companies. We call this Series A Seed. These are typical venture capital terms that aim to ensure that a company has at least a first product, a first customer, and then prepares for the growth phase. And the growth phase is typically the phase where we here in Europe still have some catching up to do. In other words, when a company actually wants to scale up. Geographical expansion, the sales organization needs to grow, you have financing requirements of several tens, 20, 30 million euros. And you have to be quick. These are certainly phases in which there is a need to catch up. But that's also the case in the USA.
So I think what we are now seeing here in Europe are the first serial founders or the first generation of serial founders, some of whom are already investing again. And we can certainly highlight you and the other founders of Rhebo. Rhebo is not the first time you have founded a company, but the second. Maybe there will be a few more to come. Ultimately, that's something that we're still missing here to some extent. But I think we're on the right track.
Apart from that, perhaps I can summarize again at this point: Many major innovations - the ones we depend on today, be it the Internet or the antivirus, which I don't think is even used today, or at least not in this form - much of it ultimately has its origins in early military or military-related research projects or initial initiatives. Whether it's DARPA [Defense Advanced Research Projects Agency] in the USA or Unit 8200 in Israel. Ultimately, these are areas where the risks are high and where you have to be very innovative, also in terms of technology, in order to ultimately prevail. And these will then become innovations that will also become established in the commercial, private environment and from which we benefit today. With our laptops, with our iPhones and Android phones and Google applications and so on. In many cases, these innovations have their origin and application in government.
Klaus Mochalski
Yes, I also see that as a huge opportunity for Germany. And I think we've missed a lot in that respect. Right now, due to the current situation, we are once again talking about investment in the Bundeswehr, that much more needs to happen there. And the debate is not so much about whether this will happen, but rather how it will happen. And I believe that there is a great opportunity, a great chance to get something back for the industry, for the labor market, for investment activities. If you look at what has been happening in Israel, and especially in the USA, for some time now, as you have already described, I believe that this really is a huge opportunity. Thank you very much for this perspective
I have one last question for you. I am also a company founder. We've reached a certain level with Rhebo, but we've always fallen a little short of our own plans and expectations. I think you've already mentioned one aspect - internationalization. We're still in a situation in Germany where we can't avoid internationalizing once we reach a certain level of growth. And as a founder, you have to keep in mind that it's best to plan for this right from the start so that, as you say, you can be fast. You can't just do it when you need the capital; the plan has to be there already and transition has to be seamless.
But our podcast here is also called OT Security Made Simple, which is why I would like to conclude with a very brief look at this particular market, i.e. operational technology, as we described at the beginning, where physical processes are monitored and secured, especially critical infrastructure. There has been a lot of activity in this area, there have been start-ups that have been sold and then disappeared again. There is investment from larger companies. Are we approaching a convergence here, will there ultimately be a few providers serving this market, which is still quite manageable today? Or will this market continue to develop in a new wave? What is your current view as an investor, as an active investor in this market? How will this market develop over the next 3 to 5 years?
Dirk Seewald
Very good question, Klaus. I think there are currently 3,000 to 5,000 cyber security start-ups. And on the other hand, there is the CISO, the Chief Information Security Officer, who typically deals with 40 or 50 different tools and providers. And there are product providers of automation infrastructure who, of course, make big decisions about their supply chain with every decision they make for a new product that they integrate or for a technology that they somehow integrate. Because once you're integrated, you're suddenly part of the supply chain with all the consequences, with the risks and so on.
What am I getting at? I believe that we are currently in a phase where things are consolidating. This can be seen, among other things, in the current activities of recent years in the area of cyber security, where it is becoming clear that the trend is actually towards the emergence of larger platforms. And if you look at the companies in the OT environment that are currently still independent and privately owned, they are no longer companies that are, let's say, offering a technology somewhere or offering a product. Instead, some of them have already acquired other companies. And you can find a whole range of things that they do in their product sheets - typically asset discovery, asset visibility, vulnerability management intelligence, threat detection, change management.
I believe that there will actually be more platform providers who will have to do justice to this trend. On the operational side, whoever operates the IT infrastructure and wants to ensure security in this area is currently more consolidated and no longer wants to have a new supplier. So you will have to find your way into these ecosystems. And I think it's similar with technology that you want to integrate into products, because we have the issue of supply chain security and bills of materials, SBOMs, etc., where a whole new field is suddenly opening up, which has not become any easier due to the geopolitical situation.
So I think we are currently in a consolidation phase, which can be very interesting for attractive product companies, because large companies are emerging. There are large private equity investors who have actively taken on the cyber security sector and in some cases are making acquisitions worth billions and building platforms. There are listed companies that are actively pursuing an acquisition strategy, and this is a very interesting field. The important thing is that you are involved in this ecosystem from the outset, so to speak.
And you also said internationalization. I always say that cybersecurity is international from day 1. Ultimately, you always have to look at where the industries are, where the verticals are, where the geographies are in which my solution will actually be bought. I have to get there as quickly as possible. On the one hand, we have an advantage in Germany because we have a relatively large market that we can serve ourselves. We have a very strong industry in Germany. On the other hand, this is also a disadvantage compared to other countries, such as smaller countries like Switzerland or Israel, which have such small local markets that [the companies] have to get out from day one because the local market is too small. That's a bit of a challenge, so to speak, that you have in a very early phase. You can feel relatively comfortable in Germany with German customers, with German subsidies, etc., but you always have to be aware of that. In the end, you really have to get out. And that's what we actually advise every entrepreneur, especially in the B2B cyber security sector, from day 1.
Klaus Mochalski
That's a very good recommendation for all start-ups listening today. I think that's a very nice closing remark. To summarize, I can hear from what you have said that the motto of our podcast OT Security Made Simple from the user's perspective, i.e. from the operators of the systems, must always be at the back of your mind in everything you do - even as a company that builds a product. In other words, you always have to think about what customers want. The best product is useless if it is complicated to use. That's why this trend towards convergence means that the big suppliers, the big system integrators such as Siemens, Hannibal and Rockwell, will also be offering these systems in the future. They are simply doing this because their customers want it. And I believe that in the long term, this is also the survival strategy in this area, that you look for precisely this cooperation. One aspect may also be service. We had a separate podcast episode on this. But apart from that, I also think that this consolidation towards platforms that are simple and flexible for customers to use will actually be the best way to increase security in emergencies in the broadest sense in the long term.
Dirk Seewald
Yes, I can fully agree with that, Klaus. At the end of the day, the customer is not buying cyber security, they are buying added value. And in the end, this must also be operable and usable. And that's why, as you rightly say, the "simple" in your podcast title is very important. I can only agree with that.
Klaus Mochalski
Very nice closing words. Thank you very much, Dirk, for being here for this exciting discussion. Perhaps we'll actually take up one of the topics we've just discussed and haven't been able to discuss in detail again in another episode. I would definitely be up for it. Nevertheless, thank you for being here and for the very interesting discussion.
