How does Dragos help its customers to protect their digital infrastructure?

We have a dedicated team of threat intelligence analysts looking at threats in the operational technology space, in particular, in critical infrastructure. We gather information about how threat actors are targeting critical sectors like electricity, oil and gas, manufacturing, and give organisations the information they need to defend themselves against against those threats.

We then codify that intelligence into detection mechanisms, building out a software platform that is used to monitor those for those detections, to give people practical mitigation advice.

There’s a vast amount of potential threats out there, so we help to prioritise actions and give really practical advice based on our our experience of how to how to deal with those threats. We also have a professional services team to provide incident response to help organisations recover and get their operations back up and running as quickly as possible.

The CrowdStrike outage demonstrated that operational disruption can be as damaging as threat actors in some instances. Do you have a customer proposition to account for this?

Yes, we help people to put in place a ‘defensible’ architecture by monitoring external threats, but we also are very focused on what’s happening inside of that architecture. We’re looking at the traffic that’s moving around it, and we can see potentially hazardous or dangerous behaviours within that environment, something that might manifest as adversarial behaviour from an external threat actor could also be an internal threat actor, or it could be somebody just bypassing a process, and all of those things can affect the resilience of a digital system.

For example, maybe an engineer is just trying to do their job, but they might plug in a device they’re not supposed to and accidentally introduce a threat or bypass a procedure. We’re just as likely to see that kind of behaviour as a threat behaviour and give people a proportionate response to that as well. Prioritisation is very important. If we alerted an organisation on every time a computer was plugged in, they’d be overwhelmed in that environment. It’s important that it’s usable and scalable for organisations

As field CTO you have good view of cross-border operations. Are there any geographies you think are approaching cybersecurity better than others?

It’s really interesting to look at the different approaches and we’re seeing a raft of legislation and mechanisms being used in many countries. For the last 20 years, the US has had some very stringent regulations around the US electricity market and how cyber security is managed there, for example, and it’s driven a high level of cyber hygiene in those environments. And they’re constantly updating those regulations, and it’s very prescriptive. But what we’ve seen across Europe, the Middle East and the Asia Pacific regions is more risk-based legislation.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

So different starting points, slightly different approaches. But many, countries are beginning to understand the societal impact of a potential attack on critical infrastructure. With an adversary attacking a private business there’s a fiscal impact. But the knock on effect is you can’t get oil or gas to a customer, they can’t run their cars if you can’t get electricity to them, there’s a societal impact, and that is often is much greater. And so it’s really good to see governments and other institutions working in collaboration with private businesses to try and improve that position.

Data centres are becoming widely classified as critical infrastructure. Are there any particular challenges in this area?

Data centres a quite unique case, because they cross the IT side in terms of the criticality of the systems that they’re hosting, but they also have operational technology that support their operating their facilities. So vast amount of air conditioning. They have a huge reliance on power. So all of that technology that supports the safe running and operation of data centers is very similar to other critical sectors. But then the impact and knock-on effect of the loss of one of those facilities is very high.

Data centre operators recognise this risk and the big hyperscalers, in particular, are incredibly proactive even without legislation, because they’re protecting their business. In an ideal world, that’s how it would always be, that organisations aren’t told exactly what they should do and when to do it.

But sometimes that’s a necessary thing to really create a cultural change, like getting drivers to wear seat belts when they were first introduced. Bringing data centres under the under the protection of critical national infrastructure allows governments to provide greater support and assistance to them in helping them on that journey.

So you work across the private and public sector?

We’re recognised internationally as being the leaders in threat intelligence in this space. Governments want to speak to us about the prevalence of risk, and we then we advise them of what the right kinds of controls may be. But we advise agnostically on what we think are the right controls.

What about controls in the form of regulation?

Legislation can often be prescriptive. It drives people to do 20 different things all at once. And, actually, there are some key things that you can do to really drive the risk down within your environment. The first one is to be prepared and have Incident Response Plans. It’s to create a defensible architecture around your assets. It’s critical to make sure that only trusted people can get through that defensible architecture by having a secure remote access solution.

Then, because you’ve created a bubble, essentially a perimeter around your assets, we advise people should monitor what’s going on inside, and then finally, to have a risk-based vulnerability management process. And with those things in place, we believe a majority of both criminal and state actors can, actually, be prevented from using their current tactics and techniques.

The challenge with prescriptive legislation, is sometimes it asks for capabilities that are common in the IT space and not necessarily that impactful in operational technology. Operational technology facilities can be five to fifty years old, so it’s incredibly challenging and actually distracting from the basics, which are what can really mitigate threats.

And ultimately, businesses have been managing resilience for themselves for a long time. You know, these companies are built on resilience, keeping the lights on, keeping the gas flowing. We live in a world of incredibly reliable energy networks. But they’re now dealing now with an adversary with intent. The weather doesn’t have intent, mechanical failure doesn’t have intent, but threat actors do, and that’s a new thing they have to deal with, and they’re adapting to it, but it is at their core to be resilient, and I’d rather see organisations supported rather than forced into implementing controls.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up