CEO Robert Lee warns less than 5% of global infrastructure invests in OT visibility, leaving critical systems vulnerable to advanced threats. (Getty Images)
The head of a cybersecurity company specializing in protecting industrial internet-connected systems, Robert Lee, has raised concerns about the insufficient investment by American providers of critical infrastructure services in protecting their operational technology (OT) systems. Lee, the CEO of Dragos Inc., highlighted during a recent webinar that while some companies have taken steps to enhance their cybersecurity, less than five percent of the world's infrastructure has invested in OT visibility.
Lee explained that the lack of investment in OT cybersecurity is rooted in the historical focus on enterprise IT networks by boards and CEOs. He noted that the unique nature of OT cybersecurity, with different communication protocols in factory and industrial networks, requires distinct solutions compared to traditional IT security.
One alarming revelation came from an electricity provider, indicating a significant disparity in spending on IT security ($100 million annually) versus OT security ($5 million annually). Lee emphasized the need to "turn on the lights in the house" to understand the vulnerabilities in the OT systems, which often go unnoticed.
A major concern raised by Lee is the potential proliferation of advanced attack frameworks like Pipedream. Discovered in 2022 and attributed to a foreign government, Pipedream is a highly scalable and reusable threat capable of manipulating programmable logic controllers (PLCs) and causing substantial damage to OT systems. Unlike traditional vulnerabilities, once deployed, Pipedream cannot be easily stopped or patched.
Lee warned of the increasing risk that such sophisticated capabilities could fall into the hands of threat actors with fewer resources than nation-states, posing a significant threat to critical infrastructure. He cited the example of Volt Typhoon, a China-based group discovered by Microsoft earlier in the year, targeting critical infrastructure organizations in Guam and the U.S. mainland.
Highlighting the evolving threat landscape, Lee emphasized the shift in OT networks from being customized to automated and commoditized. This makes them susceptible to attacks that can impact entire industrial sectors or geographic regions, underscoring the importance of preparedness and root cause analysis.
While there has been progress in raising awareness, particularly through government initiatives and collaboration with the private sector, Lee stressed the need for increased investment in identifying and responding to OT threats. He called for a collective effort involving asset owners, operators, and experts from the private sector and government to strengthen national and local security.
In a separate development, cybersecurity firm Kaspersky issued threat predictions for the industrial control and OT sectors in 2024. These predictions include the continued prominence of ransomware, targeted attacks on vehicles in the logistics and transport sector, the growth of politically motivated hacktivism, the widespread use of offensive cybersecurity for gathering threat intelligence, and the increased intertwining of cybercrime and traditional crime in logistics and transport due to rapid automation and digitization.
