Series B Money from Moore Strategic Ventures Will Help Shift5 Move Beyond Military
Moore Strategic Ventures led a $33 million investment into a military and transportation security startup founded by officers who stood up U.S. Army Cyber Command.
The Series B extension funding will help Washington D.C.-area Shift5 expand from safeguarding military vehicles to protecting commercial modes of transportation such as passenger aircraft and locomotives, according to Shift5 co-founder and CEO Josh Lospinoso. He said Shift5 plans to pursue commercial vehicle certifications to facilitate big investments and protect the widest range of systems possible.
“These are not theoretical problems anymore,” Lospinoso told Information Security Media Group. “These are real risks that cybersecurity professionals need to be taking seriously and thinking about. I want to encourage CISOs that have technology deployed outside of their enterprise networks to really be thinking really clear about, ‘Do I have observability into these systems?’”
Booz Allen Ventures, JetBlue Ventures and Teamworthy Ventures also participated in the round, which came 16 months after Shift5 completed a $50 million Series B funding round led by Insight Partners. The company does 90% of its business with the United States Department of Defense, which Lospinoso said has insulated Shift5 from massive cybersecurity spending cuts stemming from the economic downturn.
Lospinoso spent 10 years as a cyber officer, leading teams that built dozens of elite hacking tools for the National Security Agency’s Tailored Access Operations, Army Cyber Command, and the Cyber National Mission Force. After leaving the United States Army in 2018, he co-founded Shift5 (see: AI Heightens Cyber Risk for Legacy Weapon Systems).
Securing the Supply Chain
Shift5 has developed software-defined radios to get visibility into radio frequency attacks, which Lospinoso said allow adversaries to masquerade as the ground station and send data packets to an aircraft. The tool makes it possible to see a radio frequency payload as it’s going on the antenna and through the transceiver, allowing organizations to harden against the attack and develop mitigations and heuristics.
Hackers like using maintenance support diagnostic tools to pivot from IT onto operational technology assets by flashing firmware on a maintenance device, physical interdiction or capitalizing on the software supply chain, Lospinoso said. These techniques can access the kernel of the operating system and create spoofed messages, which Shift5 can detect by looking at where they came from, he said.
“Supply chain is a huge issue,” Lospinoso said. “The access vectors are real. And we’ve seen examples of adversaries using those access vectors. And once you’re inside the platform, it’s game over. There’s no security whatsoever built into the data networks on these platforms.”
Shift5 faces limited competition when selling to the Department of Defense, but does see companies like Dragos, Claroty and Nozomi Networks securing industrial control systems platforms running on rail switching infrastructure. Shift5 focuses more on securing rail or aircraft equipment itself rather than the networks, which has created opportunities to partner with third-party security vendors, Lospinoso said.
Expanding to Cover the Entire Fleet
Lospinoso said Shift5 can take its techniques, analytics and learnings from defending military assets and push them out to other industries since, unlike competitors, the company doesn’t focus only on a small number of verticals. Instead, Lospinoso said Shift5 has abstracted the differences between assets into an API that organizations can build on top of.
Shift5 wants to expand its presence from a small subset of customer fleets to full fleet deployments to give organizations the power of observability across their entire fleet base, according to Lospinoso. He said Shift5 can massively increase the number of fleets and messages it’s protecting without generating a large number of false positives.
The company wants to once again double its annual recurring revenue in 2023 as well as increase the number of customers it serves, according to Lospinoso. The economic implications of having operational technology that’s inoperable for some time are massive, meaning CISOs must pay attention to everything from TSA cyber guidelines to how to look after non-IT networks.
“Not every CISO has a fleet,” Lospinoso said. “But for those who do, this is an emerging frontier.”