Cybersecurity vendor Dragos will provide free operational technology (OT) security software to small water, electric, and natural gas providers, an offer that comes as critical infrastructure comes under increasing attack.

The program initially will be available in the United States and will include such tools as Dragos’ eponymous OT security platform and Neighborhood Keeper, a collective-defense information-sharing program run with the U.S. Department of Energy to make threat intelligence available to all users of the Dragos Platform.

The new offering is coming through Dragos’ Community Defense Program, an initiative launched last year as a trial program and that is now expanding. The goal behind the program is to help smaller utilities to protect themselves against cyberthreats.

“Protecting power and water systems has become more challenging than ever as global threat actors and ransomware groups target critical infrastructure with increasingly sophisticated cyber attacks,” Dragos co-founder and CEO Robert M. Lee wrote in a blog post. “Small utilities that service our local communities are on the front lines of the fight and are up against outsized adversaries when it comes to defending against cyber threats.”

At the same time, such small organizations with security teams that have multiple responsibilities “are now navigating national security issues, supply chain risks, vulnerability management, and cyber threats. At the same time, because of a lack of resources and expertise, they often struggle to build cybersecurity programs, especially programs to protect operational technology,” Lee wrote.

Part of the Community Defense Program

Along with the Dragos Platform and Neighborhood Keeper, the Community Defense Program includes access to Dragos Academy, an on-demand training and education program for OT cybersecurity and the Dragos Platform, as well as membership in OT-CERT (Operational Technology – Cyber Emergency Readiness Team), a program the vendor launched last year to deliver OT-specific cybersecurity resources to industrial and OT operators.

Those resources include how-to guides, demonstration videos, and best practices. The OT-CERT program has more 1,500 members from more than 60 countries, according to Dragos, a seven-year-old company in September raised $74 million in Series D funding, growing the total amount raised to $440 million.

OT cybersecurity is a fast-growing market, with Allied Market Research analysts saying it will grow from $15.2 billion last year to $84.2 billion by 2032. Driving the growth is the growing number of industrial control systems are being connected to the internet and other networks, the rising adoption of OT security solutions, and expanding government critical infrastructure security initiatives.

Critical Infrastructure a Popular Target

In addition, critical infrastructure operations are becoming a popular target of both financially driven and state-sponsored adversaries that see attacks on such systems as ways to squeeze money from victims or disrupt vital infrastructure operations in a rival country.

High-profile attacks in recent years include the 2021 attack on Colonial Pipeline by the ransomware-as-a-service (RaaS) group DarkSide. The company supplies almost half the fuel in the U.S. East Coast and the attack led to shortages in the region. That same year, JBS Foods, a global meat processor, was attacked by ransomware group REvil.

More recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that an Iran-backed group called Cyber Av3ngers were targeting water and wastewater systems with attacks that exploited a vulnerability in programmable logic controls (PLCs) from Unitronics that are used to monitor water treatment processes.

The warning came after attackers seized control of a municipal water operation in Pennsylvania, forcing operators to take systems offline and shift to manual operations.

A Whole-of-Government Approach

Protecting critical infrastructure is a key part of the White House’s larger federal cybersecurity initiatives. The government includes 16 sectors in that designation, including chemical, communications, energy, healthcare, agriculture, and transportation.

Government agencies also have rolled out a range of programs aimed at protecting critical infrastructure, from the Department of Homeland Security’s National Infrastructure Protection Plan to CISA’s Information Sharing and Analysis Organization.

In addition, CISA last month launched a pilot program that essentially will let commercial critical infrastructure entities use the agency as a managed services provider, tapping into shared services, support, and security expertise that federal civilian organizations have been offered for several years.