Infrastructure security vendor Dragos raised $200 million in new investment in a Series D funding round. The announcement comes as the security landscape adapts to the highest-profile critical infrastructure cybersecurity attacks in United States history.
The $200 million round was led by Koch Disruptive Technologies — the venture wing of Koch Industries — and investment management firm BlackRock based on a $1.7 billion valuation, the highest so far seen of any OT security firm.
Co-founder and chief executive Rob Lee told SC Media that the funding and valuation were evidence of a shifting understanding of security that started during the 2015-2016 Ukrainian power grid cyberattacks but only really took flight over the past year with the Colonial Pipeline ransomware, the Oldsmar, Florida, water treatment sabotage attempt, and the sweeping SolarWinds espionage play.
"Most of the investments in infrastructure has gone into enterprise IT. When policymakers and board members realized that they're spending 10 times the amount of the website than they are on their gas turbine security, it makes everybody feel uncomfortable from both a business risk and a national security risk," he said.
Colonial Pipeline demonstrated the chaotic effects of an industrial stoppage due to cyberattack. While not explicitly on the OT network, it showed that potential damage to an industrial firm would include the stoppage of a massive operation, and massive supply chain failures downstream from the victim. But most importantly, said Lee, it demonstrated that those attacks could happen on U.S. soil.
The United States has been spared many of the worst industrial attacks. Russia disrupted the Ukrainian power grid, not the American one, and placed Ukraine at the center of the NotPetya cyberattack. WannaCry largely avoided the United States due to its time zone; it was dependent on infrastructure that had been disrupted by the time U.S. companies turned on the computers.
This has been the first time that many investors have seen firsthand what disaster looks like, and the first cross-industry wakeup call they have seen regulators in the world's largest economy answer with concrete actions.
Lee said that while many of the regulatory moves were long overdue, some of the regulations that benefit his company are overly prescriptive.
"Security directive two and TSA [requirements] are going to make us plenty of money. And I violently disagree with what happened and you'll hear me in a policy discussion about congressional testimonies, etc, to say when I don't think it's a good idea," he said.
Lee said the $200 million investment comes before the company has fully spent the $110 million of its December Series C funding round. That mass of capital, he said, would be spent less towards creating new and innovative directions for the company and more toward refining and improving its current offerings.
"What most customers want is for you to do what you say you're going to do and deliver on that, and to consistently make it better and easier to do those things," he said.
Dragos said the money might smooth the way for more inroads into foreign markets.
There are an overwhelming number of potential clients in need of OT cybersecurity, Lee estimates. And the lack of visibility into global networks on the whole means vendors could be missing threats.
"As we expand out that visibility, industry-wise and geo-wise, I think we have a whole lot more insights to share. I bet you we have less than 5 percent of global infrastructure at the operations layer monitored. Maybe we're looking at some of the more critical places, like electric utilities, but we're definitely not getting the whole below-the-water iceberg."