Critical Infrastructure: Exposure, Attacks, Results?

12–11–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 11, 2023, and while I didn’t get to the video update until the end of the day, here we are to talk through the news of the week.

Critical Infrastructure: Exposure, Attacks, Results?

The cyber story that got the most coverage this week was - notionally - about Iran hacking the water supply here in the United States. There was coverage across the spectrum, some of it more balanced than others, but I’d point you to one of the more breathless headlines from The Messenger, which writes “The government doesn’t even know how many water facilities use the equipment that Iran is targeting.” That number, as the week went on, turned out to be somewhere between 10 and 12, depending on your source, making the headline technically true, but not particularly helpful, as it appears that these attacks were better characterized by Deputy National Security Advisor Anne Neuberger as “largely unsophisticated efforts” that had “minimal impact.”

She went on to note that “some pretty basic practices would have made a big difference there” - which is as true for these water treatment plants as it is for high-growth startups.

The fact that this attack is attributed to Iran is largely irrelevant. Sure, you could draw the line that this is somehow tied into the fight between Israel and Hamas, but - again - as we’ve discussed now many times over, who is doing the attacking doesn’t change how we’re doing our defending.

An advisory from CISA and the FBI made plain the steps needed to ward off these attacks:

  1. Implement MFA

  2. Use strong, unique passwords

  3. Check systems for default credentials.

While these attacks targeted a specific programmable logic controller (or PLC), this is not new. In fact, a separate group of researchers from Forescout last week announced 21 new vulnerabilities in Sierra Wireless cellular routers used in all sorts of applications - 90% of which are End of Life and can’t even be patched.

But, again, the thing to keep in mind here isn’t the fear-mongering tactics of the Iranians, who are literal terrorists using this to drive fear amongst the population, or the marketing team at Forescout (who are, ironically or not, doing the exact same thing).

The thing to keep in mind is that we’ve got to get and remain brilliant at the basics. It’s all the things we talk about week in and week out, that take time and effort and an understanding of your own operating environment.

We could, of course, spend our time running from crisis to crisis, or we can stay focused, build capacity and awareness, and understand our shortcomings. I’m for Option #2.

Fundraising

From a fundraising perspective, a relatively low total number last week - just over $6B in newly committed capital, but we noted a ton of funding announcements of folks “looking to raise” - including $3-$4B from Josh Harris’ debut fund at 26North, KKR’s new global climate fund targeting $7B, and a raft of smaller funds like Ascendo Ventures and Audacious Ventures spinning up $50M - $150M initial funds.

Things happen at the big end of this scale and the small end, and there’s room for investors of all types. As usual, the hard part isn’t actually raising the money, it’s deploying the capital wisely.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://themessenger.com/tech/u-s-scrambles-to-stop-iranian-hackers-known-as-the-cyber-avengers-from-hitting-water-utilities

https://www.cbsnews.com/pittsburgh/news/top-white-house-cyber-aide-says-recent-iran-hack-on-water-system-is-call-to-tighten-cybersecurity-2/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

https://www.forescout.com/blog/sierra21-supply-chain-vulnerabilities-iot-ot-routers/
