Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybersecurity Funding

OT Security Firm Shift5 Raises $50M to Protect Planes, Trains, and Tanks From Cyberattacks

Arlington, VA-based OT security firm Shift5 has raised $50 million in a Series B funding round led by Insight Partners. The firm provides security for the OT within and used by critical vehicles – such as military combat vehicles and civilian airlines, locomotives and ships.

Arlington, VA-based OT security firm Shift5 has raised $50 million in a Series B funding round led by Insight Partners. The firm provides security for the OT within and used by critical vehicles – such as military combat vehicles and civilian airlines, locomotives and ships.

The firm was founded in 2019 by Josh Lospinoso (CEO) and Michael Weigand (CGO). Both had served in the U.S. Army as cyber operations officers at a time when the generals realized that it was as important to defend their own devices as it was to be able to attack their adversaries’ equipment – and both were involved in the process.

“It was a unique experience,” Lospinoso told SecurityWeek. “We found an existing concentration on IT security, such as mobile phones, laptops and network gear. But we also found this new area of digital components that had received relatively little attention.”

Shift5 FundingMobile vehicles were originally operated by analog components. Today they function through digital devices. “If you look into the fuselage of a modern aircraft or inside a combat vehicle you’re going to be greeted by dozens and dozens of tiny little computers doing everything from controlling the engine to moving the turret and operating all of the hydraulic lifts,” he continued. This OT side of modern vehicles has not received sufficient security attention.

The OT side of a modern vehicle is not new. The components were designed without adequate security – and a root and branch upgrade of OT would probably be more expensive than the vehicle itself. “It’s a sobering thought,” continued Lospinoso, “that your iPhone is about a thousand times more secure than the US army’s most important ground combat vehicles – and the reality is attacks against weapons systems are not theoretical; they’re really happening.”

With little practical potential to upgrade the OT element itself, the only solution is to add security from the outside. This is the purpose of Shift5. “For the first time in history, operators can begin to apply cybersecurity best practices to the operation of these critical systems, dramatically reducing their cyber risk,” says the firm. “Shift5 allows operators to gain visibility, detect threats, and maintain resilience of OT systems as cyber-physical attacks become an increasingly likely and attractive strategy for digital attackers.”

Lospinoso gave an example of the existing problems. “At least five of the radio frequency protocols that aircraft rely on for navigation, for landing and for situational awareness are at a protocol level not secure and not encrypted. You can spoof these things and shut down air travel. This is what we have today.”

Apart from the security issues, the assets work very well. So, the solution is to put sensible security measures and practices onto the assets to make it more difficult for an attacker to succeed – to the extent that they look elsewhere for their targets.

“That’s what we do at Shift5,” said Lospinoso. “We build intrusion detection and intrusion prevention systems that install seamlessly as a complementary component added to the ‘central nervous system’ of the assets – and we collect all the traffic. We make sense of the messages, and we provide real-time alerting and in some cases intrusion prevention to the operators. We provide all the infrastructure necessary to pull that data off a fleet to a central location where a security team has observability and awareness of what’s going on in the systems.”

The military is currently Shift5’s biggest customer, but the OT in civilian vehicles including ships, aircraft, locomotives, and satellites is similar in design and operation to that used in tanks, fighter planes and battleships. This funding round will help the firm solidify its position in the military market and expand into the civilian market for cyber-physical protection.

Shift5 raised $20 million in a Series A funding round in October 2021.

Event: Learn more about OT cybersecurity at SecurityWeek’s ICS Cyber Security Conference

Related: OT Data Stolen by Ransomware Gangs Can Facilitate Cyber-Physical Attacks

Related: Security Vulnerabilities: A Threat to Automotive Innovation

Related: Autonomous Vehicle Security Firm AUTOCRYPT Raises $15 Million

Related: Railway Cybersecurity Firm Cylus Raises $30 Million

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Funding/M&A

Tenable has launched a $25 million venture fund to place bets on early-stage startups in the exposure management space.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.