Industrial cybersecurity company Dragos plans to open an office in Saudi Arabia next year to allow the company to more quickly respond to cyberthreats to energy infrastructure in the Middle East, Dragos CEO Robert M. Lee told CyberScoop.
From the 2012 Shamoon attack on a state-owned oil company, to the infamous Trisis malware that caused a Saudi petrochemical plant to shut down in 2017, the Kingdom has been the scene of high-profile cyberattacks on industrial facilities.
“A large reason for us to build the office there in Riyadh simply boils down to that’s where threats are,” Lee said. “And identifying those [threats] and learning from them makes our software, makes our approach better for all of our global customers.”
The Saudi office will mark a major expansion for the Maryland-based company that Lee, a former Air Force and National Security Agency cybersecurity official, founded in 2016. Dragos on Wednesday also announced a $37 million Series B funding, some of which will be used to stand up the new office.
The office is projected to open in the Saudi capital of Riyadh in the second quarter of 2019, Lee said. Dragos’ incident response specialists will be based there to counter hackers targeting industrial control systems in the region.
The company’s expansion to the Kingdom comes as the international spotlight has been on Saudi Arabia’s dismal human rights record. Saudi journalist and dissident Jamal Khashoggi’s grisly murder last month sparked a global outcry. It is unlikely that Khashoggi would have been killed without the knowledge of Saudi Crown Prince Mohammed bin Salman, according to news reports citing Western intelligence officials.
Lee said there was a robust discussion within Dragos about whether the company should expand to Saudi Arabia. The decision to do business in the Kingdom ultimately came down to the benefits Saudi civilians – and not an authoritarian government – could derive from the company protecting infrastructure from hackers.
“We’ve made hard choices as a company before in doing what we think is right for our customers,” Lee said, adding: “A simple guiding principle keeps Dragos moving forward, and that is that we protect civilians.”
That means infrastructure serving civilians, regardless of which government owns it, deserves protection, according to Lee, who said he would help protect the Iranian power grid if that were feasible.
Whether a government or civilians benefit from cybersecurity protection is, of course, not a zero-sum question. The Saudi government, for example, inevitably benefits from having state-owned Saudi Aramco protected from cyberthreats.
But for Dragos, Lee said, as long as the infrastructure is serving civilians and not military purposes, the company wants to protect it.
“We don’t take contracts in the U.S. or anywhere else to protect weapons systems,” he said.
The $37 million in Series B funding that Dragos announced Wednesday included investments from venture capital firm Canaan; industrial company Emerson; the investment arm of power company National Grid; and Schweitzer Engineering Laboratories.
The new funding “gives us years of runway to invest heavily across all areas of our business,” Lee told CyberScoop. The company is putting money into things like research and development, engineering, and incident response capabilities, he added.
In announcing the funding, Andre Turenne, director of National Grid Partners, said that “critical asset threats are on the rise, so an industrial specific cybersecurity strategy is increasingly important to companies.”
Dragos also said Wednesday that Joydeep Bhattacharyya, a partner at Canaan, would join the Dragos board of advisers.