A global IT outage highlights the paradox of success in IT, OT and cybersecurity

A recent widespread outage, precipitated by CrowdStrike Holdings Inc. pushing a faulty content update to Windows hosts, affected IT and operational technology (OT) systems around the world. Although details of the causes are still unfolding, CrowdStrike issued a statement regarding the involvement of its products, saying that "there was an issue with a Falcon content update for Windows Hosts." Not all organizations were equally affected, and some were substantially impaired, with operational impacts including hundreds of airline flight cancellations and other downstream effects in the wake of this incident.


Three key issues were the most immediate, with two involving the selection and deployment of IT, OT and cybersecurity technologies. First, incidents affecting a widely adopted provider can have a proportionately large impact on customers and those that depend on them. Second, there is the impact of such issues beyond IT, when OT has interactions with or dependencies on IT — and in this case, cybersecurity — technology providers. The third issue is the fragility of the systems revealed in this case. If the processes and techniques that led to this outage could manifest regardless of the technology providers involved or the number of them in use, this must be addressed by the industry to reduce fragility and assure greater resilience for digital technology.

Buyers must ask themselves to what extent they can realistically mitigate such risks without sacrificing the advantages of working with a popular supplier — particularly when that supplier offers tangible value that customers regard as either well-differentiated or simply necessary. In security, the answers will be partly reflected in the choices buyers make between comprehensive platform strategies that are being increasingly embraced by major vendors, or an architectural approach more decoupled from dependence on any one provider. This event will also further conversations about the intersections of IT and OT, and how organizations can mitigate risk exposure from one to the other.


The dilemma of technology concentration risks

The issue of risk concentration in one, or a few, widely adopted providers is hardly new in either IT or OT. Microsoft Corp. in particular has faced this issue for years, given its high penetration into so many aspects of technology, which now includes cybersecurity and OT, as well as multiple venues in IT, from operating systems to business productivity applications and cloud computing.

Recently, concerns were raised by the US Cyber Safety Review Board in its analysis of a number of Microsoft security issues over the past several months. Microsoft is far from alone, however. Nearly every major technology provider that concentrates functionality around key offerings has faced the music when an outage affected a broad swath of not only customers, but those dependent on them as well.

CrowdStrike has gone to considerable lengths to underscore that a cyberattack was not a factor in this case, which is not surprising given its business. However, such statements speak to concerns that cyberattacks and threats have played a role in past large-scale outages. Among the most visible that linked IT with OT impact: the NotPetya attack of 2017 that affected global logistics, particularly for companies such as A.P. Møller - Mærsk A/S.

Even though a cyberattack was not the cause in the case of CrowdStrike, this event, given the parties involved, is not without issues for security. Many descriptions of cybersecurity-related incidents from the US National Institute of Standards and Technology, for example, reference the familiar triad of confidentiality, integrity and availability. Whether this had a bearing on the outcomes of the CrowdStrike incident remains to be seen.

Impact and mitigation: Not a simple problem

The impacts on vendors and their customers are intertwined. For vendors, it could be tangible in the form of questioned investments. Customers will have to factor in the cost of lost productivity, as well as remediation of and recovery from the incident. There will likely be downstream impacts as well, especially when incidents shut down critical business applications instead of purely IT office systems.

Airlines, for example, must deal with the fallout from canceled flights and disrupted passengers, crews and aircraft movement as their automated boarding gates, baggage handling systems and flight information display systems are disrupted. Retailers may encounter a loss of sales from point-of-sale downtime. In healthcare, the stakes can be even higher, should operational outages result in delayed or deferred care.

For operational technology, this event seems likely to precipitate greater scrutiny of the intersections of and dependencies between IT and OT, which remain problematic for many. In 451 Research's recently published Technology and Business Insight report, we described how only 48% of respondent companies in Europe, the Middle East and Africa, and just 23% in North America, said they have implemented network isolation, microsegmentation, or air gap measures to prevent a spillover into OT from their IT environment.


To the extent that such exposure remains high, so does the risk of incidents like this. To the extent that operational tech has a more direct dependence on IT (more than a few instances of OT run on IT operating systems and applications), the exposure is also more direct. Technology providers and their customers will likely be motivated to consider two critical issues: measures to improve resilience against such incidents and options in mitigating risks of exposure to any one provider.
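The network isolation and microsegmentation measures cited above come down to a concrete question: which flows are allowed to cross from the IT zone into OT, and which are not. The following is an added example, not code from the 451 Research report or from any vendor named here; the zone address ranges, the allowlist (a single SSH path from a DMZ jump host), and the sample flows are all constructed for illustration. The script classifies each flow by zone and reports any flow that terminates in OT without being on the explicit allowlist, which is the kind of check an organization can run over firewall logs or rule exports to see whether its IT-to-OT exposure matches its stated policy.

```python
"""Flag flows into the OT zone that are not on the isolation allowlist.

Added example; zones, allowlist and flows are constructed, not taken from
the article or any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: address ranges assigned to IT, OT and a DMZ.
ZONES = {
    "IT": [ip_network("10.0.0.0/16")],
    "OT": [ip_network("192.168.100.0/24")],
    "DMZ": [ip_network("10.200.0.0/24")],
}

# Constructed policy: the only permitted path into OT is SSH from the DMZ
# jump host segment. Direct IT-to-OT traffic is treated as spillover.
ALLOWED_INTO_OT = {("DMZ", "OT", 22, "tcp")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Return the zone name for an IP address, or UNKNOWN if unmapped."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "UNKNOWN"


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an explicit allowlist entry."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.port, flow.proto)
    return key in ALLOWED_INTO_OT


def find_spillover(flows):
    """Return flows that enter OT from any other zone without an allowlist match."""
    hits = []
    for f in flows:
        if zone_of(f.dst) == "OT" and zone_of(f.src) != "OT" and not is_allowed(f):
            hits.append(f)
    return hits


# Constructed sample flows, e.g. as parsed from a firewall log export.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "192.168.100.10", 445),       # IT -> OT SMB: spillover
    Flow("10.200.0.4", "192.168.100.10", 22),      # DMZ jump host -> OT SSH: allowed
    Flow("10.0.1.5", "10.0.2.6", 443),             # IT -> IT: not in scope
    Flow("192.168.100.10", "10.0.1.5", 123, "udp"),# OT -> IT NTP: outbound, not flagged here
    Flow("203.0.113.7", "192.168.100.20", 502),    # unmapped source -> OT Modbus: spillover
]


if __name__ == "__main__":
    for f in find_spillover(SAMPLE_FLOWS):
        print(f"spillover: {zone_of(f.src)} {f.src} -> OT {f.dst}:{f.port}/{f.proto}")
```

The check deliberately treats any source it cannot map to a zone as a violation rather than ignoring it, since an unmapped address reaching OT is exactly the gap an isolation review is meant to surface; outbound OT-to-IT flows are left to a separate policy.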

Using multiple providers could diminish an organization's dependence on any one vendor, which may reduce risk concentration. It does nothing, however, if the techniques that competing providers use to deliver their benefits are effectively the same and could result in similar outages. The need to address fragility in such systems then becomes a higher priority.

Nor is having multiple providers a panacea. There are real and practical limits to reducing vendor risk concentration. Major providers would hardly have succeeded to the extent they have if their offerings introduced more concerns than benefits (exactly the opposite is true, for a variety of reasons). They may not always provide the best-performing functionality, but they can offer other advantages — sole sourcing for a variety of needs, for example, or preferential packaging and pricing strategies that leverage economies of scale. Organizations cannot lightly turn their backs on these advantages, especially when the cost of doing so is borne by the buyer, who must then deploy and integrate offerings from a variety of other providers.

There are also advantages to a strategy more decoupled from any one provider. In cybersecurity, the pros and cons for both approaches play out in three prevailing patterns of architecture: platforms, decoupled and federated. Platforms emphasize the integrated functionalities offered by a single provider. A decoupled approach means what it implies: The architecture leverages components decoupled from single-provider "stacks" or those offered by multiple vendors and integrates them as needed into a comprehensive whole to meet operational and use-case objectives. A federated approach is a strategy that leverages tools as deployed, correlating insight and taking action across those tools while maintaining the advantages of existing investment.

There are many reasons for decoupled and federated approaches. Among the most evident in security operations has been improving costs in the adoption of components such as storage from a different provider than the one offering security analytics, threat detection functionality and response automation. This has played a role in the embrace of security data lakes that take in input from a variety of sources. The opportunity to yield more useful findings across this data is also a motivation, if the economics of the approach make sense to the organization.

The reality is that there are aspects of all three approaches in many organizations. In some cases, a business may have more than one cybersecurity platform provider, in addition to many individual tools from other sources in its environment. It may have varying degrees of integration across those tools. Additionally, when new approaches appear, they are often innovative and disruptive pure plays (the platform providers were once startups themselves, after all).

Conclusion

Each organization will be exposed to the benefits and issues inherent in these approaches. For providers, this is the price of success. There is already talk of whether this major incident involving CrowdStrike and Microsoft poses an existential threat, or whether it will have an impact on other successful providers. It is too early to speculate on that, but highly successful providers have already shown themselves fairly resilient to such issues. The response of those involved in this case will certainly have a hand in shaping the outcomes.

Today, however, the paradox of a platform's success will be top of mind for many. In the security market, the timing is auspicious, with the security community preparing for its major annual gatherings — at Black Hat, DEF CON and other conferences in Las Vegas — only a couple of weeks after this incident.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.
451 Research is a technology research group within S&P Global Market Intelligence. For more about the group, please refer to the 451 Research overview and contact page.
