Arlington, VA-based OT security firm Shift5 has raised $50 million in a Series B funding round led by Insight Partners. The firm provides security for the OT within and used by critical vehicles – such as military combat vehicles and civilian airlines, locomotives and ships.
The firm was founded in 2019 by Josh Lospinoso (CEO) and Michael Weigand (CGO). Both had served in the U.S. Army as cyber operations officers at a time when the generals realized that it was as important to defend their own devices as it was to be able to attack their adversaries’ equipment – and both were involved in the process.
“It was a unique experience,” Lospinoso told SecurityWeek. “We found an existing concentration on IT security, such as mobile phones, laptops and network gear. But we also found this new area of digital components that had received relatively little attention.”
Mobile vehicles were originally operated by analog components. Today they function through digital devices. “If you look into the fuselage of a modern aircraft or inside a combat vehicle you’re going to be greeted by dozens and dozens of tiny little computers doing everything from controlling the engine to moving the turret and operating all of the hydraulic lifts,” he continued. This OT side of modern vehicles has not received sufficient security attention.
The OT side of a modern vehicle is not new. The components were designed without adequate security – and a root and branch upgrade of OT would probably be more expensive than the vehicle itself. “It’s a sobering thought,” continued Lospinoso, “that your iPhone is about a thousand times more secure than the US army’s most important ground combat vehicles – and the reality is attacks against weapons systems are not theoretical; they’re really happening.”
With little practical potential to upgrade the OT element itself, the only solution is to add security from the outside. This is the purpose of Shift5. “For the first time in history, operators can begin to apply cybersecurity best practices to the operation of these critical systems, dramatically reducing their cyber risk,” says the firm. “Shift5 allows operators to gain visibility, detect threats, and maintain resilience of OT systems as cyber-physical attacks become an increasingly likely and attractive strategy for digital attackers.”
Lospinoso gave an example of the existing problems. “At least five of the radio frequency protocols that aircraft rely on for navigation, for landing and for situational awareness are at a protocol level not secure and not encrypted. You can spoof these things and shut down air travel. This is what we have today.”
Apart from the security issues, the assets work very well. So, the solution is to put sensible security measures and practices onto the assets to make it more difficult for an attacker to succeed – to the extent that they look elsewhere for their targets.
“That’s what we do at Shift5,” said Lospinoso. “We build intrusion detection and intrusion prevention systems that install seamlessly as a complementary component added to the ‘central nervous system’ of the assets – and we collect all the traffic. We make sense of the messages, and we provide real-time alerting and in some cases intrusion prevention to the operators. We provide all the infrastructure necessary to pull that data off a fleet to a central location where a security team has observability and awareness of what’s going on in the systems.”
The military is currently Shift5’s biggest customer, but the OT in civilian vehicles including ships, aircraft, locomotives, and satellites is similar in design and operation to that used in tanks, fighter planes and battleships. This funding round will help the firm solidify its position in the military market and expand into the civilian market for cyber-physical protection.
Shift5 raised $20 million in a Series A funding round in October 2021.
Event: Learn more about OT cybersecurity at SecurityWeek’s ICS Cyber Security Conference