Cybersecurity platform Galvanick is in growth mode, most recently closing on a $10 million seed funding round. The company, which is based in Mid-City, closed the round in early June with participation from investors including Hollywood-based MaC Venture Capital.
Galvanick provides cybersecurity services for industrial control systems, specifically the software infrastructure used to operate manufacturing equipment for drug, aerospace and food and beverage companies.
Joshua Steinman, the company’s co-founder and chief executive, said he sees many companies leave the ports for their equipment’s network open for ease of access, and that this puts companies at risk of being hacked. Steinman is the former senior director for cyber policy on the National Security Council. He worked on the 2018 National Cyber Policy and on several executive orders related to U.S. cybersecurity during the Trump administration.
He said during his work there he became aware that industrial infrastructure has its own unique set of risks.
“We had a bunch of really high-profile incidents that really exposed the fact that these types of systems and networks do not have the kind of cybersecurity that even traditional IT networks have, and they can’t,” Steinman said. “The technologies that you would want to use in order to secure industrial systems and networks are just very different from those that you would use to secure computers and cell phones, and servers … two-factor authentication on (manufacturing equipment), it just won’t work.”
Reducing human labor
Steinman said that Galvanick reduces the human effort needed by a client’s own cybersecurity or IT team by investigating anomalous events automatically with an extended detection and response — or XDR — platform. The platform synthesizes information from an industrial control system’s network, identifies potentially malicious or anomalous behavior, correlates it in near-real time with other data sources and provides “actionable” insights to the security or operations team. Steinman said that current industrial cybersecurity tools operate at the network layer only, meaning that they look at network traffic in and out of a facility without analyzing it.
“Maybe they’ll find a malicious executable or something that looks suspicious that they see moving at that network layer,” Steinman said. “But then the challenge is (figuring out), did someone at the company put in the work order to change the parameters of this endpoint here? Then you have to go check another system, and then you have to go check another system, so it just creates a lot of human effort.”
He said Galvanick’s goal is to enable a company to save money on labor, adding that the platform can integrate into an existing cybersecurity system. Services are offered through annual contracts, which are priced according to the employee headcount its platform saves. Steinman said this usually correlates to the complexity of a facility.
Deployment can cost anywhere from tens of thousands of dollars to single-digit millions. He explained that services for an oil refinery would cost more, since it would likely be a more complicated control system, while services for a small manufacturing facility generally cost much less.
“What people have to do (without Galvanick) is they have to go out and get their own data-processing platform … and then they themselves have to build all of those integrations, and they have to build that correlation engine themselves. Often we’ll talk to folks who have tried to do this in-house and it seems somewhat doable. And then after a few months, they realize it’s a really big task to do all this. We build all that stuff ourselves, and then we just sell it (to them) instead of having to recreate the wheel.”
Network segregation
Dr. Clifford Neuman, an associate professor of computer science at the USC Viterbi School of Engineering, said that industrial control systems should be on their own, segregated network, apart from the rest of a business’ normal operations.
He said the benefit of this is being able to have a strict, well-defined set of protocols, because human activity on the industrial control system’s network will be substantially more limited. The industrial control system’s software would be interacting with itself only to run equipment and manufacturing infrastructure, making intrusion detection much simpler.
“You don’t know what your employees are going to be doing on the web,” Neuman said. “That could be legitimate things, like going out to vendors … but you don’t know in advance what’s happening. So, when they go to some other site because they’re phished or something else, that’s hard to determine in your traditional network. In the case of your industrial control systems, if you’ve got an isolated network, you don’t have users doing anything. It’s only the devices that are communicating to one another.”
If a company’s control system is set up separately from other operations, the company would likely need Galvanick’s services to a lesser degree because a lower level of investigation would be required to detect and define malicious behavior. Since humans would have limited access to the independent network’s firewall, phishing scams or ransomware attacks would not be as easily carried out.
“The other benefit that you get is that almost all of the communication on this isolated control network should conform to a well-defined set of protocols,” Neuman said. “You should know what devices are communicating with what other devices; if you saw a connection going from a robot arm outside, you just block it, because you know that’s not something that should be doing. Whereas if mixed on this network you’ve got your employees’ workstations and everything else, it’s a bit harder to make that absolute choice (that) we’re not going to allow it, because it could be legitimate.”
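The allow-list approach Neuman describes can be sketched as a flow check. This is an added example, not code from Galvanick or USC; the subnet, device addresses, and permitted pairs are constructed assumptions, with ports 502 (Modbus/TCP) and 44818 (EtherNet/IP) standing in for typical control protocols.

```python
import ipaddress

# Assumption: the isolated control network is one subnet (constructed value).
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")

# Assumption: the complete set of device-to-device flows the plant expects.
ALLOWED_FLOWS = {
    ("10.20.0.10", "10.20.0.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.20.0.20", "10.20.0.30", 44818),  # PLC -> robot arm controller, EtherNet/IP
}

# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.20.0.20", 502),    # expected traffic
    ("10.20.0.30", "203.0.113.5", 443),   # robot arm reaching outside the network
    ("10.20.0.10", "10.20.0.30", 22),     # internal, but not a known pairing
]


def classify_flow(src, dst, dport):
    """Return 'allow', 'block-external' or 'block-unknown' for one flow."""
    src_inside = ipaddress.ip_address(src) in CONTROL_NET
    dst_inside = ipaddress.ip_address(dst) in CONTROL_NET
    # On an isolated network, any flow crossing the boundary is blocked outright.
    if not (src_inside and dst_inside):
        return "block-external"
    # Inside the network, only explicitly listed device pairs are permitted.
    if (src, dst, dport) in ALLOWED_FLOWS:
        return "allow"
    return "block-unknown"


def review(flows):
    """Return the flows that need blocking, each paired with its verdict."""
    verdicts = [(flow, classify_flow(*flow)) for flow in flows]
    return [(flow, verdict) for flow, verdict in verdicts if verdict != "allow"]


if __name__ == "__main__":
    for flow, verdict in review(SAMPLE_FLOWS):
        print(verdict, flow)
```

On a mixed network with employee workstations, the second rule could not be a hard block, which is the difficulty Neuman points to.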
Several major corporations have experienced hacks in recent years that cost them a substantial amount of money in spoiled product or halted production.
A cyberattack in 2017 caused companies including Merck & Co. and Mondelez International, which owns food companies such as Cadbury and Philadelphia Cream Cheese, to lose hundreds of millions of dollars.
Steinman said that risks surpass the potential for servers to be frozen and equipment to be turned off, adding that a hacker could also disable safety functions.
“Another way these types of compromises can have a major impact is … threats to life and limb, and destruction at the facility,” Steinman said. “It’s a huge problem. You can order, for example, robot arms to do a whole bunch of things that can be very dangerous to human operators.”
Steinman said that Galvanick is still an early-stage startup that’s about a year away from operating at scale. Funded with the new investment, the company is working with design partners and will be building to scale through a staggered onboarding approach. It will be deploying its product to existing clients and using the client feedback to inform product development.
“Our goal is to enable small teams, including like a single person … to keep tabs on all these systems and networks on the industrial side,” Steinman said. “We are continuing to make the product more robust, we’re hiring a few more people and we’re really focused on making sure that our product delivers on the promises that we’ve made to our customers.”