Growing cyber attacks on small utilities, like the one on a water treatment facility in the town of Aliquippa, Pennsylvania, outside Pittsburgh, last month, has prompted one prominent operational technology security firm to launch a program to offer free software, training and support to small utilities.
Dragos, a Maryland-based provider of cybersecurity solutions for operational technology (or OT) environments on Wednesday unveiled what it is calling the “Dragos Community Defense Program.” Under the program, Dragos said it intends to provide free cybersecurity software for small water, electric, and natural gas providers in the United States.
While organizations of all sizes are struggling to hire and retain operational technology (OT) cyber talent, the issue is more acute with small utilities like rural electric utilities, said Dawn Cappelli, the head of the OT CERT (Computer Emergency Response Team) at Dragos. “These organizations are lucky if they even have an IT security person. They certainly don’t have someone to secure industrial environments,” she said.
Cyberattacks on small utilities prompt action
The announcement comes amid a string of attacks on small utilities. The FBI and CISA joined with the NSA and Israel’s National Cyber Directorate (INCD) last week to issue a joint Cybersecurity Advisory (CSA) highlighting “continued malicious cyber activity” by Iran’s Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors against utilities using operational technology (OT) devices manufactured by Israel-made Unitronics Vision Series programmable logic controllers (PLCs). Those PLCs are used in the Water and Wastewater Systems (WWS) Sector and industries like energy, food and beverage manufacturing, and healthcare, according to the alert.
“Small utilities are critical infrastructure, but have limited resources to defend their systems from cyber threats. Protecting power and water systems has become more challenging than ever as global threat actors and ransomware groups target critical infrastructure with increasingly sophisticated cyber attacks,” Dragos said in a statement.
The Community Defense Program is limited to US-based utility providers with less than $100 million in annual revenue. Participating utilities get access to the Dragos Platform including OT asset visibility and inventory tracking, threat detection, vulnerability management and threat hunting capabilities. They also are enrolled in Neighborhood Keeper, a threat intelligence sharing community made up of Dragos customers and get access to training via Dragos Academy, Cappelli said.
Participants will also get membership in OT-CERT, a Dragos program that provides access to free cybersecurity resources for the industrial control system (ICS) and operational technology (OT) communities, the company said.
Small utilities “need a lot of help”
A trial version of the program was originally launched in 2022 in the wake of Russia’s invasion of Ukraine to help small utilities protect themselves. Thirty US organizations took part. That trial showed that those organizations “needed a lot of help,” Cappelli said. “It was resource intensive and it didn’t scale.” In response, Dragos created a virtualized version of its platform that small utilities can install themselves and get up and running. Dragos said it will provide support to help them work through any questions or problems. “zoom meeting: talk about “It can be scary and intimidating for them,” Cappelli said. “We wanted to eliminate that fear: that they don’t need to be OT security expert. We’re going to build a community,” she said.
“We look forward to bringing the Community Defense Program to the many small utilities that struggle to build OT cybersecurity programs due to a lack of resources and expertise,” said Robert M. Lee, Chief Executive Officer and Co-Founder of Dragos, Inc. in a statement. “Governments and large infrastructure providers are heavily investing in industrial cybersecurity, but small utilities that deliver critical services to the majority of people haven’t been able to do the same. They have been over-strained and under-resourced for far too long and the Community Defense Program aims to change that.”
Private and public programs target utility cyber risk
In addition to making its software available for free, Dragos will also provide them with training and support build a security program. That will include monthly meetings to share knowledge and help building incident response plans, conducting tabletop exercises and more, Cappelli said.
The new program is one of a number of private and public efforts to boost the cybersecurity of critical infrastructure amid mounting threats from nation-state and cybercriminal hacking groups. In September, for example, CISA announced that it is offering free security scans for critical infrastructure facilities, such as water utilities, to help protect them from cyberattacks.
Companies that are interested in joining the program can submit an application online, Dragos said.