OT Under Threat: Dragos' Robert M. Lee on Navigating Cyber-Physical Risks

Sep 11, 2024 | 53 min | Season 1, Ep. 36

Episode description

Episode Overview:

In this episode of Cyber Focus, host Frank Cilluffo sits down with Robert M. Lee, CEO and co-founder of Dragos, a leading industrial control systems (ICS) and operational technology (OT) cybersecurity firm. Rob shares his insights on the evolution of operational technology, the critical importance of ICS cybersecurity, and the increasing threat of cyber-enabled attacks on physical infrastructure. The discussion covers key incidents, including past cyberattacks on power grids and water systems, and the growing threat from adversaries seeking to cause real-world physical damage through digital means. Lee also provides an inside look at Dragos’ recent research and the lessons learned from major global cyber events, such as the attacks in Ukraine.

Main Topics: 

  • Introduction to Operational Technology (OT) and its distinction from IT.
  • Cyber-enabled attacks on physical infrastructure, with real-world examples.
  • Ukraine cyberattacks on power grids and the lessons learned from these incidents.
  • Dragos' recent findings on ICS malware, including PipeDream and Frosty Goop.
  • The importance of a risk-based approach in ICS security.
  • Emerging threats and global cybersecurity trends, along with the role of collaboration between government and industry.

Key Quotes:

"[Operational technology] is all the stuff you have in IT, plus physics." - Robert M. Lee

"These are cyber enabled attacks that can have physical consequences." - Frank Cilluffo

"[PipeDream] is the first time we've seen ICS or OT malware that is repeatable, reusable, and scalable across industries. It works in everything from a servo motor on an unmanned aerial vehicle to a gas turbine." - Robert M. Lee

"There was an attack in 2017 where an adversary broke in to a petrochemical facility in Saudi Arabia explicitly to cause an event at a facility that would have killed people if they were successful." - Robert M. Lee

"Right now in the operations technology community, we deal with low frequency, high consequence attacks. IT deals with high frequency, low consequence attacks. And if we start to see scale, we're going to start to see medium to then high frequency, high consequence attacks. We're not ready." - Robert M. Lee

Relevant Links and Resources:

https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf?hsLang=en

https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/

https://www.cnn.com/2024/04/28/opinions/small-town-water-systems-global-hacking-cyber-targets-lee/index.html

Guest Bio:

Rob Lee is the CEO and co-founder of Dragos, a cybersecurity company focused on protecting industrial control systems (ICS) and operational technology (OT). With a background in military and intelligence, Rob has worked at the National Security Agency (NSA) and U.S. Cyber Command. He has been instrumental in raising awareness about the vulnerabilities in critical infrastructure and the need for better OT cybersecurity. Rob is widely recognized as a leader in the field, advising government agencies and industry leaders on protecting essential services from cyberattacks.
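In the transcript below, Lee describes Modbus TCP as the cross-industry protocol whose payload carries the actual command data (the value that flips a breaker or turns a pump on), and FrostyGoop as the first malware seen using it to cause disruption rather than just poll data. The following is an added example, not code from the episode, from Dragos, or from any Dragos report: it builds and decodes Modbus/TCP request frames and then audits a handful of constructed flows, flagging write function codes that come from a host not expected to write to that controller. The IP addresses, register addresses, unit ids and allow list are made-up assumptions for the example, and the detection logic is an illustrative design, not a description of FrostyGoop's behaviour or of any Dragos product.

```python
"""Modbus/TCP request decoding and write-command auditing (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Function codes that change process state versus ones that only observe it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# MBAP header: transaction id, protocol id (always 0), length, unit id.
# Note what is absent: no source identity, no authentication, no integrity check.
MBAP = struct.Struct(">HHHB")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int             # starting coil/register address
    values: Tuple[int, ...]  # register values for writes; (quantity,) for reads

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def _frame(tid: int, unit: int, pdu: bytes) -> bytes:
    # The MBAP length field counts the unit id byte plus the PDU.
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid, unit, address, quantity) -> bytes:
    return _frame(tid, unit, struct.pack(">BHH", 3, address, quantity))


def build_write_single_register(tid, unit, address, value) -> bytes:
    return _frame(tid, unit, struct.pack(">BHH", 6, address, value))


def build_write_multiple_registers(tid, unit, address, values) -> bytes:
    vals = tuple(values)
    body = struct.pack(f">{len(vals)}H", *vals)
    return _frame(tid, unit, struct.pack(">BHHB", 16, address, len(vals), len(body)) + body)


def parse_request(frame: bytes) -> Optional[ModbusRequest]:
    """Decode one client-to-server Modbus/TCP request; None if malformed."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:   # length must match the bytes after it
        return None
    fc, data = frame[7], frame[8:]
    if fc in (1, 2, 3, 4, 5, 6):                  # fixed 4-byte body: address + quantity/value
        if len(data) != 4:
            return None
        address, val = struct.unpack(">HH", data)
        return ModbusRequest(tid, unit, fc, address, (val,))
    if fc == 16:                                   # address, quantity, byte count, registers
        if len(data) < 5:
            return None
        address, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * qty or len(data) != 5 + byte_count:
            return None
        return ModbusRequest(tid, unit, fc, address, struct.unpack(f">{qty}H", data[5:]))
    return ModbusRequest(tid, unit, fc, 0, ())    # other codes: header only, still classifiable


def audit_writes(flows: Iterable[Tuple[str, str, bytes]],
                 allowed_writers: Dict[str, Set[str]]) -> List[str]:
    """Flag writes to a controller from any source not on that controller's allow list.

    flows: (source ip, destination ip, raw TCP payload) triples.
    allowed_writers: destination ip -> source ips permitted to write to it.
    """
    alerts = []
    for src, dst, payload in flows:
        req = parse_request(payload)
        if req is None:
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP frame {payload.hex()}")
        elif req.is_write and src not in allowed_writers.get(dst, set()):
            alerts.append(f"{src} -> {dst} unit {req.unit_id}: unexpected "
                          f"{WRITE_FUNCTIONS[req.function]} at {req.address:#06x} values {req.values}")
    return alerts


# Constructed sample traffic (not a real capture): the HMI may write to the PLC;
# the workstation has only ever polled it. Addresses and hosts are assumptions.
PLC, HMI, WORKSTATION = "10.0.2.5", "10.0.1.10", "10.0.1.77"
ALLOWED_WRITERS = {PLC: {HMI}}
SAMPLE_FLOWS = [
    (HMI, PLC, build_write_single_register(1, 1, 0x0010, 0x00FF)),                # normal setpoint change
    (WORKSTATION, PLC, build_read_holding_registers(2, 1, 0x0000, 10)),           # routine polling
    (WORKSTATION, PLC, build_write_multiple_registers(3, 1, 0x0010, [0, 0, 0])),  # unexpected write
]

if __name__ == "__main__":
    for line in audit_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(line)
```

Run stand-alone, the block prints one alert, for the workstation's Write Multiple Registers request; the HMI's write and the workstation's read are silent. Because the protocol carries no sender identity or authentication, the (source, destination, unit, function code) tuple is about the only thing a network monitor can check, which is also why "who is allowed to write to which unit" has to come from the asset owner's engineering knowledge rather than from the traffic itself. A read from a host that has never polled before is not flagged here, but in practice it is worth a lower-severity alert as possible reconnaissance.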

Transcript

Frank Cilluffo: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and have the privilege to sit down today with Rob Lee. Rob is a Paul Revere. He put OT on the map and is currently CEO and co-founder of Dragos, a large industrial control systems and OT cyber company. He serves in various roles for the government, including the Department of Defense and the Department of Energy, is an Air Force Academy grad, HUA, and did stints at the National Security Agency and Cyber Command, and advises universities such as Duke, Carnegie Mellon, and we'll make sure Auburn's on that map soon too. Thank you. Rob, thanks for joining us today.

Robert M. Lee: Thanks for having me.

Frank Cilluffo: So, in all sincerity, I think you played a major role as a citizen CEO putting operational technology on the map. I think everyone in the community knew it mattered, but you helped find its real day in the sun. So I think before we jump into some of the threats and some of the issues you're looking at, maybe just an explainer, a 101: what is operational technology?

Robert M. Lee: Yeah, so I usually describe OT as all the stuff you have in IT, plus physics. So it's the side of the business that actually is the reason the business exists. Whether it's the generation of electricity, the transmission of it, manufactured goods, pipelines, rail, ports, it's sort of everything that ends up interacting with the physical world. And what I always find so interesting is, as we've talked about enterprise cybersecurity as an example for years, all these boards and CEOs and government saw enterprise IT and enterprise IT cybersecurity, and they thought it meant the enterprise, because there's no CEO or CFO that's confused about where they generate revenue. And there's no serious policymaker in this scene that's not aware of the critical part of critical infrastructure. But what it meant was just enterprise IT. And so there's been sort of an awakening over the last five, six years, especially at an executive level and policy level, understanding that a lot of the things we thought were getting done were just simply not getting done on the OT side of the house. And so as we look at those specialized systems, sometimes it's as simple as Windows software and Windows systems with specialized applications, sometimes it's specialized control equipment and so forth. But as we look at that side of the house, it interacts with our local communities, our physical impact, the ability to impact life instead of just data loss.

Frank Cilluffo: It's nice to see it get a lot more focus. And in terms of consequences, in life, death, it clearly is at the top of the list. But can you delineate the difference between IT, OT, and sort of give a little bit of legacy? Because a lot of the OT systems that are being deployed now have been around for a long time, right?

Robert M. Lee: Yeah. In IT it's not too uncommon to have like a two to five year life cycle. In OT, it's very common to have a 20 to 40 year life cycle of equipment.

Frank Cilluffo: 20, 40.

Robert M. Lee: 20 to 40.

Frank Cilluffo: And many of them are operated well past 10 as well.

Robert M. Lee: Yeah, by far. And so yeah, when you think of typical enterprise IT, you're thinking cloud servers, you're thinking enterprise systems that are Windows operating systems, domain controllers and so forth. And really it's about specialized applications for the purpose of managing data and information. And it's usually a system focus and data focus. In OT, or operational technology, we might have that stuff too. But we also have more of a systems-of-systems and physics approach, where we will have those specialized equipment, specialized network communications, specialized environments that are really focused around automation. And historically it was very disconnected, very manual. You might have turning a sluice gate by hand to open up a small dam. That's where we were. Where we quickly got to is a highly automated world where all of that was digitized and connected, getting connected up to enterprise IT systems or directly to the Internet. And now what used to be only done manually can be done remotely and scalably. And of course that's going to have an impact on what adversaries can reach out, target and cause consequence. And you mentioned safety and life. You know, there's an attack in 2017 where an adversary broke into a petrochemical facility in Saudi Arabia explicitly to cause an event at a facility that would have killed people if they were successful. Luckily they weren't successful. They only cost $300 million in downtime. But what they were trying to do was cause like an over-pressurization or release of chemicals that would have killed 30 to 60 people that day. And so when you deal in consequence like that, or the water attacks we've seen in the United States in this past year, where there was the ability to impact chemical levels and water levels and have a local impact on communities, that's the stuff we freak out a lot about.

Frank Cilluffo: And just to put a fine point on it, these are cyber enabled attacks that can have physical consequences.

Robert M. Lee: Absolutely.

Frank Cilluffo: And the Rubicon has been crossed, has it not? In pretty much every industry.

Robert M. Lee: So I usually, these days, the first discussion with a board member or so forth, they'll be like, yeah, well, what's really going to be required is for one of these big attacks to happen, then people wake up. And I'm like, which one do you want? What industry? We've taken down the electric systems multiple times across Ukraine. We've had multiple...

Frank Cilluffo: And we're going to pull the thread on that.

Robert M. Lee: Yeah, multiple water attacks in the US and abroad. We've had rail systems go offline, we've had ports go offline. It was a cyber attack. They ended up causing port issues in Australia, where if you think about it, it wasn't just, oh yeah, my Christmas gifts, it was pharmaceuticals and medicine and food being able to get into that country. These are impacts that are not only national but local security, and they matter a whole lot.

Frank Cilluffo: And when we look back just to Covid, not so long ago, we see how important supply chains are and the ability to get a product from A to B. But when I think OT, I think primarily the grid and the electricity sector and the energy sector writ large, and I think water systems. But it's much more than that, isn't it?

Robert M. Lee: It's much more. But I do think it's an appropriate thing to have a risk-based discussion. And when we talk about, like, significantly impactful critical infrastructure, to copy from the Solarium Commission reports, I think it is right to place the focus there to start with. From a national security lens, business leaders at any company should be looking at their OT. But national security, you better care about your energy systems quite a bit.

Frank Cilluffo: If you don't have electricity, nothing else... nothing works.

Robert M. Lee: Nothing works. The electricity industry would tell you it is the critical infrastructure. And it is, I think it probably is, yeah. But it relies on water. It relies on water and it also relies on transport. Like, there's a lot of infrastructure that if rail goes down, you're not getting the fuel sources that you need. And so, and pipelines and natural gas in this country would say that they matter a whole lot for generation of electricity these days. So it's just all interconnected, and yeah, I mean, it's everything from building automation systems to data centers to ports and infrastructure. It's quite literally anything that you interact with in the world of physics and computers.

Frank Cilluffo: It may be unfair, but culturally one community grew up sort of with a technological bent, the other public safety. I think Three Mile Island. When I think of some of this, and when I see some of our OT defenders, quite honestly they need to be at the same tables that all our IT defenders are.

Robert M. Lee: Yeah, yeah, absolutely.

Robert M. Lee: And I think also there's always the bias and there's always the cultural boundaries of getting IT into OT and OT education into IT. And you go to different companies and sometimes they get it right, but a lot of times it's one or the other that's getting it wrong. Either the IT folks are coming in going, oh my gosh, why don't you patch and encrypt? And you know, they throw their IT book at the operations side, and the operations side is going, hold on, this plant's been running for 30 years without any disruption.

Frank Cilluffo: Exactly. And the only time it's ever been taken down is when you layer IT on.

Robert M. Lee: Exactly. And then there's the OT folks that are like, hold on, now this has consequence and we matter. And IT is focused on their bias of, well, we want to protect our cloud servers, and the OT side of the house is like, hey, we generate all the revenue here, like, we should do something about this. It's a bit of everybody sometimes.

Frank Cilluffo: Now, can I... and disagree with me. I have a hard time delineating and differentiating that. The cyber-physical convergence, we all talk about it, but in the real world it's one and the same, isn't it? Obviously you have unique attributes, but at the end of the day, from a blue, from a defender's perspective, you need to look at your systems in their totality, not in the way you wish they were, but in the way they are. You have to do both.

Robert M. Lee: You have to. I agree with that. You have to look at your risk as an organization and defend your organization. And that's going to encompass IT and OT, and it's going to encompass your suppliers and third parties. But how you do it ends up getting into the...

Frank Cilluffo: Yeah, that's the specifics. And what led you to start Dragos, by the way?

Robert M. Lee: So, I mean, I started out in control systems, but not as an engineer. When I first got in the Air Force and had the ability to do like small TDYs, stuff like that, I would go out and do humanitarian missions in places like Cameroon, building control systems for water filtration and wind turbines. And it was cool to see the impact, where mom's working all day long and all she wanted to do was educate her kid, but she didn't have lights that were working at night. And so, if nothing more than charging a car battery, strong LED lights, and her kid could study to try to get out of that situation. That's cool.

Frank Cilluffo: That is cool.

Robert M. Lee: And so when I joined the Air Force proper, they were like, hey, you can go be a pilot. I was like, nah, like, what? And like, my parents are enlisted, I don't want to be a pilot. And they said, well, you can go... what do you want to do? I was like, go to Africa. And they're like, go join comm then. And in the way, it turned into cyber when I was there. I'm like, what do y'all do on control systems? They're like, what are control systems? It's like, oh boy, it's everything. You know, those stinky things, you want to stay sunk, and the floaty things, you want to stay floating, and the flying things want to stay... It's all control systems. And so I got tapped and woke up one morning in Germany in the NSA, and they said, hey, you're in charge. And I said, in charge of what? They're like, find the unknown unknowns. Like, what does that mean to y'all? They're like, I don't know, Rumsfeld's big into it. Like, okay, we're doing control systems. And when I got out and saw our collective response to Ukraine, because I got to lead up a portion of that investigation, and I saw the bias of let's just copy and paste IT controls into a power plant, I was like, I called my co-founders, like, we gotta do something. We gotta start a company. Like, start a company, be a vendor. Like, yeah, I'd like my kids to have lights and water. So that was basically it.

Frank Cilluffo: And who's doing it right? And this may be an unfair question, obviously those that are turning to Dragos for support, but in all sincerity, who is doing the IT-OT thing right? From a company's perspective, first of all.

Robert M. Lee: I will say, without my bias of do this and do that, and here's what I think is right, I will say anybody who is taking an informed approach to addressing OT security. What I mean by informed is you're not leaning on your biases. You're not, hey, here's the playbook you ran in IT, I'll copy and paste it. Anyone who is looking at what are our unique risks and how are we genuinely risk-based, a genuine risk-based approach, and they're saying, let's partner together and get something done in OT. I can stand by that. And I would say it's right. In terms of companies, I do think the electric sector in the United States led the discussion writ large. And, you know, there's over 3,000 of them and we're probably talking about the top 150 or so, but those top 150 or so have put a lot of work into this. And it's not just through regulation and NERC CIP and things like that. I think it was a lot of partnership with government over the years. Government comes and goes in ebbs and flows of expertise. But the national security community reached out years ago to the electric sector to say, hey, here's the classified risk that we actually do see. This is real. And you got wonderful folks, the Tom Fannings of the world at Southern Company, the Bill Fehrmans, these folks that said, hey, we're going to take a top level leadership approach to say we need to do this. And that mattered.

Frank Cilluffo: It does matter. And that's why I wasn't blowing smoke when I said you brought the issue to the fore. The reality is Tom Fanning, Fehrman, they were leaders, CEOs who took this seriously. And then obviously you did the same on a still appreciated but not fully understood set of issues. Before we jump into a couple of reports you guys released recently, I would like to... industrial control systems. What can you shed light on there?

Robert M. Lee: Yeah, I mean, industrial control systems in general, which is really a type of OT, I mean, that's what we talk about a lot in terms of that physical consequence. That's what we mean. ICS data, all that kind of falls under the umbrella of OT. OT has come to include, like, medical and things like that. And it's important. But our focus ends up really being ICS. We get down to it and again, I think we talk about people doing it right. It's not only the leadership at those companies, but it's also when governments do it. And I think we'll talk later about Singapore and so forth, but there are groups and organizations that are using the right terminology to say, hey, let's go do this. Not, it's all IT, but okay, hey, there is an OT side of the house, let's figure that out. And again, are figuring out what are the threats that actually matter. We'll talk about some of those, and how do we deal with those? Not what do you want to do? Not what would the theory say? Not, well, hey, I saw this at DEF CON and, you know, we should think about that. But no, ground truth, reality, what are the adversaries actually doing? Let's learn from that and counter it. And I think that's what's really happening in ICS.

Frank Cilluffo: And you teed up this discussion perfectly. Dragos came out with two recent reports around some of the malware that we're seeing. And honestly, I never thought I'd have a public discussion around a malware named FrostyGoop. Quite honestly, it makes me want to wash my hands the minute I say it.

Robert M. Lee: But we spend too much time, like, I would say, being excited about and praising the adversaries. Oh, they're so cool. Look what they did. Let's name them. Really cool stuff. And, like, they're jerks. They're civilians. Screw them, you don't get a cool name.

Frank Cilluffo: And honestly, we had that discussion around counterterrorism. I'm glad you brought that up. That's worthy of a different discussion. But let's start with sort of PipeDream and the white paper y'all put out recently. What do we need to understand?

Robert M. Lee: Yeah. So PipeDream is probably the one that really, really sucks. There's a brief kind of education recap to get into this. When you look at the world of OT, the thing that's really changed, like, why all the focus now, the thing that's really changed, I mentioned it was kind of manual and disconnected at one point. Then it went digital. And that digitization happened decades ago. That's not a new thing. But when that happened, it was still heterogeneous infrastructure. So the chemical facility in Saudi Arabia had nothing to do with the chemical facility in Houston, had nothing to do with the electric transmission substation anywhere in the world. It was bespoke, it was heterogeneous. It was that site. And when you're looking at heterogeneous infrastructure, it's hard as an asset owner and operator to scale your workforce for it. You got to retrain people as they go. It's expensive, it can be unsafe, because there's not a whole lot to lean on in terms of expertise. But from an adversary perspective, it costs more.

Frank Cilluffo: Cost a heck of a lot more.

Robert M. Lee: And from an adversary perspective, it's really hard to target it.

Frank Cilluffo: Yep.

Robert M. Lee: When you want to do physical consequence, it's that site. Not, here's this malware to hit everybody, it's that site. When I was on the offensive side of the house, it was like handcrafted, farm to table, on that side.

Frank Cilluffo: Yeah, you needed very... it was very... it was boutique.

Robert M. Lee: And that was the world of heterogeneous. For all the right reasons, and we cannot go back, we went to homogeneous, which was more common operating technologies, common network designs, common implementations, common automation, vendors buying vendors. And that homogeneous world opened up better margins, better profitability, better safety records, better workforce, all these right things. The consequence, though, is now you can have scale.

Frank Cilluffo: And so we've been adversarially...

Robert M. Lee: Yeah, yeah, yeah. So we've been talking about it for years, saying, hey, the red lights are blinking. We're going to get to this point where we start to see attacks that can actually scale. Because right now in the operations technology community, we deal with low frequency, high consequence attacks. IT deals with high frequency, low consequence attacks. And if we start to see scale, we're going to start to see medium to then high frequency, high consequence attacks. And we're not ready. Combined, PipeDream was that. And so in 2022, I got to use my, like, legal language, right? The Dragos team worked with an undisclosed third party and then the United States government to identify and analyze PipeDream before its employment. All right, so what does all that mean? The adversary built this capability and did not deploy it at their targets yet. In my assessment, this is their wartime capability. But they had already picked out, to our knowledge, like 13 key sites across North America and Europe. And this capability is the first time we've seen ICS or OT malware that is repeatable, reusable and scalable across industries. Works in everything from a servo motor on an unmanned aerial vehicle to a gas turbine, to a carbon cracker, to any different industry. It's taking advantage of that homogeneous curve and it just works. It's not like here's a vulnerability that you patch, it's just leveraging the native functionality that's in these systems. And so it hasn't been operationally leveraged yet. But we sounded the alarm. The White House put out information about it. The community took it pretty seriously. But unfortunately, I don't know that everyone's doing enough about it. But the reality is that team is still developing additional capabilities off of it. It's still out there. And if people don't prepare, that's the one I expect we'll see in conflict.

Frank Cilluffo: How often do we see... are we able to get something left of click where we can? That's not an everyday occurrence, right?

Robert M. Lee: I'm tracking like twice that we've been publicly talking about left of boom stuff.

Frank Cilluffo: Which is pretty awesome in some ways. In other ways, pretty disconcerting. But this was a really good example.

Robert M. Lee: I mean, people talk public-private partnership all the time. And this was the time that I saw it really work, where there was private sector expertise and insights in our own unique collection, third party, and then intelligence services and the US government being able to work together. And I think I'm perfectly comfortable to say, like, the NSA's CCC is really, really on top of this.

Frank Cilluffo: We've got Dave Luber coming on soon.

Robert M. Lee: Good stuff, good stuff. What Morgan and Rob and them did over there was fantastic, and it was really that public-private partnership to go amplify it out. Now it's on the asset owners to do something about it, but the information's available.

Frank Cilluffo: And yeah, being left of boom is a nice place to be, and rare. So, and again, disagree with me. If you can exploit, you can attack.

Robert M. Lee: If you can exploit, you can attack. But you may not be able to...

Frank Cilluffo: Hear it, but you may not necessarily have... This provides the consequence.

Robert M. Lee: Exactly. Exactly. And this is the scary part. I'm usually not this hype, FUD person, like, let's just stay focused. But here's where it gets really terrifying. In IT we saw a clear, we see a clear trend all the time that state level capabilities eventually proliferate to lesser states and non-state actors, criminal networks and so forth. And one of the big issues with ransomware across the enterprise IT community was the availability to democratize it.

Frank Cilluffo: Yeah, Cobalt Strike as an example.

Robert M. Lee: Exactly. Used to, it was I need to have a malware developer, a vulnerability researcher, an infrastructure person, this, that and the other in a criminal group. That's hard.

Frank Cilluffo: Yeah.

Robert M. Lee: Then it was like, oh, here's an easy to use, one size fits all, click capability, and all I got to do is have somebody to use it. Oh, okay. And then ransomware everywhere. PipeDream is the Cobalt Strike of OT. It's right now only in like three locations that we're aware of, in terms of the vendor, the government and that adversary. But if it gets out, or if similar capabilities get developed and proliferate like we have always seen other capabilities do, we're going to start seeing criminals going, huh, forget ransom in your IT network. I'll ransom your city, I'll ransom your port, I'll take down the portion of electric system until you pay me. And there's real, real consequence in having non-state actors be able to do the type of consequences that state actors...

Frank Cilluffo: Rob, not surprisingly, you preempted two questions. I was going to say, in terms of why it matters. He couldn't have answered that better.

Clearly significant in that respect. Before we jump to good old frosty goop, explain modbus tcp. Yeah. When we talk about that digitization of infrastructure and more, that ubiquitous Robert M. Lee: technology, one of Those is network communications, how systems communicate across the network. And unlike Robert M. Lee: IT protocols, where the point may be the network protocol, in ot, it's really about

Robert M. Lee: the command data in the network protocol. So it's not, oh, I have this protocol, Robert M. Lee: it's here's the value that changed the value to switch it from an open circuit Robert M. Lee: breaker to a closed one. Here's the value that switched it from a pump that's Robert M. Lee: off to on, which. Is a pretty big deal. Now, the ability to have physical

Robert M. Lee: impact. Yeah. And the most common protocol used cross industry is Modbus tcp. And so Robert M. Lee: that was like really the first one that was just ubiquitous and it allows you. Is that open source? It has open source versions of it. Yeah, I thought so. Robert M. Lee: And it essentially allows the interaction with that physical equipment in a variety of places Robert M. Lee: around the world, in a variety of industries. So that Modbus TCP protocol had been

Robert M. Lee: used by adversaries before for sort of espionage and pulling and polling data. But surprisingly Robert M. Lee: we'd never seen it used in an attck, which is, I mean, it's really surprising. Robert M. Lee: It's like the obvious one to use. And so Frosted Gu was that first time Robert M. Lee: we saw Modbus CC be used in an ability to actually impact or turn off Robert M. Lee: systems and be used in an attack. And it's on the other side of the

Robert M. Lee: spectrum of pipedream. Pipedream is this very sophisticated. You hate to give the adversaries credit, Robert M. Lee: but it's a good capability. Frostygoop is, wow. This is really basic as a technology. Robert M. Lee: This is really underwhelming. And the important part of that is it's super underwhelming. And Robert M. Lee: it works. It works super underwhelming and it's effective. And I think sometimes defenders get

Robert M. Lee: trapped into is it cool or not? Yeah, yeah. Same with the US Government. Right. If it's not stamped with all the compartments, it's sometimes not. Oh, absolutely. Some of

Robert M. Lee: the best was unclassified. Yeah. Anyways, but and I, you know, it's about what works Robert M. Lee: and I think we need to be careful of that because most of my time Robert M. Lee: was on the defense, but when I was on the offense in the US government, Robert M. Lee: there was never a point in my career that was like, man, how am I Robert M. Lee: going to impress the defenders today? Like that wasn't it. It's like, how do I

Robert M. Lee: get the mission done? I got five more to do and I got management to Robert M. Lee: go talk to. Well said. And so we need to gear up towards what are Robert M. Lee: the adversaries doing and how do we counter them? Not do we appreciate that it's Robert M. Lee: finesse. Exactly. And it was the ninth ever ICS malware. So we don't. We have Robert M. Lee: a lot of ICS adversaries. OT adversaries, but they don't always have to use malware

Robert M. Lee: to achieve their effects. And so when new malware comes along, we need to learn from it. Especially since it's only the 9th and given that it was the first one ever to use Modbus TCP in an effect to cause disruption, it's something for people to start taking into consideration, going, well, what would that look like in my

Robert M. Lee: environment? And it impacts a lot of folks. And net net the outcome and the consequence is what we're defending against and hope to prevent, preempt, you know, before we get further into FrostyGoop. And it's not to throw buzzwords out here, but the Internet of Things and industrial Internet of Things that is sort of netting together IT and OT, is it not? For sure. And I think the easy way to. And who

Robert M. Lee: you ask a different answer sometimes on this. But the way that I think about it and the way a lot of folks think about it is it is more of like, that's the mission function. And it may have a variety of technologies in it. OT is that's the mission function. It may have a variety of technologies. We have printers in an OT environment. Is that printer really just a normal printer? Then

Robert M. Lee: it's like an IT device showing up in an OT network. Is it printing off the manufacturing labels that the manufacturing process gets shut down. If I don't have those labels, then it's part of the OT environment. So its ability to impact the mission is more of the qualifier and less of the tech stack. But we're seeing a

Robert M. Lee: lot of IoT and IIoT pop up. And if it's sort of thinking the classification here, if it's more of just reading data and that's interesting, then it's like, that's fair game. Yeah, go for it, it's IoT. If it's, oh, I'm taking the values off that smart sensor and then feeding it back into a control loop to have a temperature change inside of a combustible process. Well, now that's OT, and it might be

Robert M. Lee: an IIoT device, but it's important. And not to go adrift. But we talked water, energy. What about advanced manufacturing? I mean, this is all over because at the end of the day, it pumps or pumps or pumps. Absolutely. And fabs and microchips and all of that. And I think a lot of folks think their intellectual property is stored in their enterprise IT networks only. And the reality is the most interesting parts

Robert M. Lee: of your intellectual property are usually in how you're doing something. Not the recipe. Recipes can matter, but it's usually in how do I take Coca-Cola would say, yeah, Coca-Cola would depend it, but even KFC would care. But at the end of the day, usually it's how do I take cheaper quality inputs and make higher quality

Robert M. Lee: outputs? And the way I gear and implement that manufacturing process, the way that I can develop certain, you know, micro technologies and nano chips and yeah, interesting things that happen in Taiwan and other places, the how you do it is actually way more interesting. And so not only can you do physical consequence and disruption, but you can

Robert M. Lee: also do intellectual property theft. And what, what U.S. government has been concerned about for a while too is in advanced manufacturing and also in sort of civilian owned, government operated or vice versa, infrastructure, could an adversary not disrupt, not steal, but manipulate? Could a munition that I'm supposed to get a 0.5% failure rate on actually be manipulated

Robert M. Lee: to have a 6% failure rate? And what does that mean in terms of combat? And so there's very interesting scenarios when it comes to advanced manufacturing and I'm glad you kind of brought that up because at the end of the day, cyber is its own domain, but it's an enabler to pretty much everything else. It enhances lethality,

it improves collection, target selection. Like since you brought up Taiwan, and I hope you don't want to roll that back, but let's get into a discussion around not only Volt Typhoon, but let's start with Ukraine and some of the lessons you've gleaned there. I mean, that was the first Rubicon I was aware of in terms of a cyber attack that had a physical consequence and took power offline twice. People normally forget

the one. Second year. Yeah, the second year was scary. It was actually scarier. Yeah. So what are your thoughts there and what insights can you share? Robert M. Lee: So 2015 was the first ever cyberattack takedown of electric power, to your point, in Ukraine, I always remember it easily on the date and all because right before Christmas, right before Christmas. And I got married that morning. Oh no. And I got the phone call and it

Robert M. Lee: was, we need your help. Because I just got out of the military, but I knew all the folks over there and been training at SANS and so forth, and I got the call saying, hey Rob, can you come and respond and help us? We had a cyber attack, took down the power and I was like, it's probably squirrels, man. I hung up. I was like, I'm not interested in this. I'm getting

Robert M. Lee: married. And then I got a secret. Squirrels. Yeah. And I got a phone call from Mike Assante and he was like, no, dude, it's real. I was like, let me wrap this wedding up, by the way. Yeah. Yes, indeed. And so I ended up getting involved and helping lead the investigation. And there was a couple interesting takeaways. Number one, the adversary didn't do anything sexy. Cool, whatever it was. Let me run

Robert M. Lee: an effective operation to use native functionality. If an operator can open up a circuit breaker to de-energize the substation, so can I. How do I take down 66 or so substations across Ukraine to deny power to, you know, 250,000 plus customers in the dead of winter? And they paired up with information operations to scare the public at the time of sort of the Ukraine and Crimea and Russian crisis. And, and

I think it was a signal. It was absolutely. To us. They talked about it publicly. And it was also a bit of a challenge because the US Government and others were always like, oh, critical infrastructure, red line, it's off limits. Civilian infrastructure off limits. They're like, is it nothing happened next time nothing happened. And I was like, okay, yeah. And, and so actually that's a great deterrence. We, you and I have

had many discussions, a lot. We'll spare our audience for that. But that's a good, that's a good beer conversation. But either way, they just used the native function. It wasn't what all the IT security stuff was worried about. It was what the operators and engineers had been saying for years. They were right in terms of what these

Robert M. Lee: attacks would look like. The other thing is our response. And without the deterrence discussion, the IT security community looked at that went, oh yeah, if they would have just patched, if they would have firewalls, if they would have done this, it would have been fine. I was sitting there and I'm like, what, what incident response did you do? Because I was there and they had all that. And that wasn't the point.

Robert M. Lee: And so that's that bias thing sort of standing out. 2016 is what scared me. And it didn't get much attention at all. Very little. And so in 2016, the adversary had taken all that they had learned in 2015, and I estimated there was probably around 30 adversary operators involved in that operation. And they took that knowledge of 30 experts and codified it into a software package that we'd called CrashOverride. And

Robert M. Lee: they deployed it in Ukraine in 2016 at the transmission level. And because it was only an hour outage, nobody like, really reported on it. But it's a three times the power loss of all that happened in Ukraine 2015, because it was at a transmission level. But here was the piece that people missed. The adversary was not trying to cause an hour outage. What the adversary did is they had learned the response

Robert M. Lee: of the humans of Ukraine. Exactly. And they said, okay, well, we'll build that into our attack. And so what they had done is they had intended to take off essentially protective equipment that when the outage occurred, the operators would have gone to the

Robert M. Lee: response plans to reconnect the equipment. But it would have been reconnected under load, and they wouldn't have known it, which means energized, which means they would have burned out their transmission equipment. They would have had six months plus easy of outages across major portions of Ukraine. It would have been a true physical component of that. But the

Robert M. Lee: adversary made a tiny coding error. I mean, it would have worked, but it was a tiny coding error. So it was just an hour outage instead. But that malware still works at any transmission system in the world. And to foot stomp that point, there were other diversionary attacks at that time. Right. So maybe it was also just to test their ability to respond in the event of what we're seeing play out

now. But I'd be curious why we haven't seen more of that. Yeah, well, there's a lot that's going on in Ukraine. Not all of it's getting reported, some of it physical. And there's stuff that happens around the world a lot of times. You know, it's not always the boogeyman. But there's a lot of stuff that. That will get called into that publicly will be like, oh, it was a malfunctioning or whatever.

Robert M. Lee: I'm like, why were we there responding anyways? But on that point, I think it's an interesting one to make because I get in these conversations with US generals and policymakers, and they're like, we're the best in the world. I'm like, okay, man, I'm red, white and blued up. Don't get me wrong. But there's only one state actor

Robert M. Lee: that's consistently gotten experience doing this. Like, we've been able to do lots of operations, develop capabilities, and we have really smart people. But there was. We track now 22 state groups that target industrial control systems around the world. And a portion of those

Robert M. Lee: are operating out of Russia and doing operations in Ukraine. And when you look at that, those groups, they used to do things globally and now they're all ISR on in Ukraine in focus. But when that war ends, they're going to go back to their original target sets with a whole lot of experience. And I think that's something to try to forecast. You know, that's well said and I couldn't agree with you

more in that respect. And that gets to a much more complex set of discussions around proxies. Who's the puppet, who's the master, safe havens, how do we actually get, how do we touch the limited arm of the law in certain areas? And just had an op-ed on that designating state sponsors of cybercrime in part of the safe haven. Well, I was really happy to see the. We did the OFAC against the TRISIS actors which was huge. Yeah, it was the first time we'd seen that.

I was like, okay, so let's talk fast forward to where we are today. And yes, there's so much more going on than meets the eye. And quite honestly, cyber can also be used to enhance the kinetic attacks that Russia clearly, I mean they're blanket bombing. Physical or cyber, it doesn't matter if it has the outcome and the consequence they're seeking. But anything surprise you there? Honestly, it's everything we've been talking over

Robert M. Lee: years of. We're going to see cyber enable physical. We're going to see physical and then follow up with cyber. We're going to see cyber also be used from an information operations perspective to amplify. I think the only thing really surprising is how normalized we've made it all like, yeah, it's happening, but it's over there. It's like, God, why is this not every conversation? Isn't that a movie coming soon to a theater

near you? Yeah. Everyone thinks that the Internet works where it's on the other side of the world and like that's quick, it gets to you quickly. And I. And in government circles there's some that are paying attention, but there's others that it's like, yeah, so that's happening. But what about AI and quantum? But what about what's current? Whatever, the shiniest object. Yeah, yeah, yeah, no, you're absolutely right. Let's transition to Volt

Typhoon. Yeah, that was Taiwan. And I mean when you're talking about PipeDream, if you can access and have the pre-positioning in time of crisis or escalation or signaling to deter, dissuade or compel in action, pretty big deal. Right, yeah. Robert M. Lee: The weather forecast isn't very sunny. So I think as I talk to asset owners and operators

Robert M. Lee: and CEOs, there's a lot of them are going, what's different about this one? We've been hearing from the US government for years, our NATO allies about China about pre-positioning malware. And to some extent the US government through various administrations had lost the interest of the U.S. critical infrastructure community by leaning in too much on the there's malware laden across the grid and then the grid operators are going great, show us where. Like well we don't know where. And they're like well stop saying it then

Robert M. Lee: you're scaring our people. You just, if you know where it is, say something, we'll fix it. But if you don't stop getting in the Washington Post, New York Times talk about it. And so they sort of lost some folks in that way. And so when Volt Typhoon came up and everyone's going hey, this is important. A lot of, there was a lot of folks are going yeah, yeah, more of the same.

Robert M. Lee: And we'd work some of these incident response cases and we tracked the sort of the OT offshoot as Voltzite and what we, what we saw was verifiably different. For a long time these groups that would go after power companies and public attribution to China and so forth would be almost spray and pray. I mean what power

Robert M. Lee: companies can I get? And if I got them, how do I embed in the enterprise IT networks and is OT a thing, you see that the adversaries didn't quite get it. This we are seeing very strategic target selection of very interesting power sites. Not just the biggest ones that would show up on a map, but the ones that you know are important to certain critical mission functions to deploy forces, project power.

Robert M. Lee: You can have a small distribution substation support your entire ability to put troops in South China. Roger that. And, and they're getting into the OT networks and they're stealing the right information. They're not just cool, what can I grab? It's the right engineering drawings, it's the right human machine interface screenshots. It's the right information to develop their

Robert M. Lee: own capabilities to do kinetic. And so it's not espionage. It is very clearly the type of activity used to pre-position and develop capabilities to do disruption at the right targets. And that's obviously very concerning, especially in the context of Taiwan. And are we doing enough to root out the companies? And I know that's an unfair question. Robert M. Lee: No, I don't, I don't think it's actually unfair. And, and so this is where

Robert M. Lee: I don't want to be unfair, but this isn't science fiction. This is happening. I've spent years testifying to Congress defending the asset in our community. And so I'm comfortable to go. No, y'all could do more sometimes too. And so we should not distract our operators with the next shiny object. What do you like? We have testimony. The last testimony I gave one of the Congress, like, what is the water sector doing

Robert M. Lee: about quantum encryption? I was like, y'all, they need a firewall. Stop this. Yeah, yeah. And so we don't want to distract them with silliness, but when we know this is what it looks like and this is how it operates and you're not prepared, we should be calling that out. And if you look at some of your major

Robert M. Lee: electric companies and I should actually, I shouldn't say it that way. When you look at power companies that have been paying attention and putting the resources to play, which

Robert M. Lee: they're small, medium, large, that do that, they are winning. One of the cases that we worked, Volt Typhoon broke into this mid sized electric utility and for over 300 days been trying to get into the operation inside of the house and failed because that team had been putting in the right security controls, have been listening to the

Robert M. Lee: guidance and doing the journey. There you go. But for all the others that aren't, I think that is negligent at this point because you can own risk inside of your company, no questions asked. The moment it goes outside your fence line, impact, that's not risk that you get to go. I don't care about it. And so again, if they're not going after and doing security against made up scenarios, God bless them.

Robert M. Lee: But if they're looking at real intel and real insights and going, I don't want to, I don't do anything about it. That to me is shameful. Yeah, yeah, I couldn't agree more. And that gets to a discussion that I've been a little bit of a broken record. Long on nouns, short on verbs in terms of the public

private partnership. But there are some successful initiatives and I'm a big proponent of operationalizing all of this, whether it's Project Fortress out of Treasury, whether it's JCDC out of CISA or whether it's the CCC out of some of the work you're seeing come out of the Fort Meade. Any thoughts there? Since you and I both been around

this issue for a while, I continue. To amplify the fact that the people that sign up to serve in civilian or uniform clothing in the government ought to be praised for doing so. So it's usually not an easy job. It's usually not the highest paying jobs. So they are good people. And you only get recognized when something

goes wrong. Exactly. And there's some good wins happening. Don't get me wrong. That being said, there is bureaucracy and policy structure limiting, very clearly limiting success in a way that is equally shameful. As we talk about the asset owners operators as an example there, we know there are things that work and things that don't work. We know

Robert M. Lee: there's technologies that work and don't work. We know there's processes that work and don't work. And the US government is incapable of getting out and saying, here's what works and what doesn't. And you go talk to any of them at any senior level and they go, wow. But Rob, we don't want to pick winners and losers. Like what? We don't give perception. I'm like, guys, I'm not saying you like this vendor

Robert M. Lee: better than that one. Exactly. I'm saying if you were to say this thing works or this strategy works, or this type of technology work, or this thing works in this use case, can you do that? Ooh, we'd get a cease and desist letter. I'm like, but did you break a law? Well, no, but what's the issue? Well, but the perception, it's like, oh God, we don't have time for perception. You can't

Robert M. Lee: talk national security the way that you do it and then cry over perception. And so I see the day to day work happening in some of those groups and I go, man, that's awesome. And then I see the fear of saying anything in those circles by government. That JCDC is a good example. It set up with all

Robert M. Lee: the right intent, had a lot of good stuff going on. And the vendors would send their security analyst and then the government started sending like lawyers and the analysts were like, we're here to share. Exactly. We need technical counterparts. We know you have them. And they're like, yeah, but we need to be careful about what we say

Robert M. Lee: with who and whatever. It's like, it's not classified. We're talking about open source stuff. Yeah. But again, what if we give it to this vendor and this vendor set? And it's like, oh my gosh. And so I just, I can't have a serious conversation without acknowledging that we're hurting ourselves because we just don't want to do something and we're fear of the perception. And you know, one of the. And please disagree

with this as well. But I notice when we have a rallying crisis to respond to, these things work great. But it's in the day to day, which is 90% of it. Right. I mean, you sort of mentioned actually using these tools. You got to put the reps in if you want to be a better. It's workshop focused, the CCC. And maybe this is my NSA bias, but I love them to death. Work very closely with them. But when do we work together? When there's something. When

there's something. It's like, let's show up to an every Thursday meeting now. But what does it look like in the days of. If there were such a thing as pipe dreams. Yeah, but a pipe. Oh, and okay. Days of peace. Yeah. It shouldn't. Robert M. Lee: It's okay to say I don't have anything to say when you have a meeting. Yep. And that's on like those work groups now. That's a different discussion on wartime

Robert M. Lee: planning and scenario planning and things like that. And I think there's a whole exercising function of what does that look like? I remember, and I'll keep the names out of it for a variety of reasons, but I remember there was an event that took place that there was a serious concern that we were going to get kinetic

Robert M. Lee: with a strategic adversary. And I got called in by some senior folks with Dmitri Alperovitch over at CrowdStrike at the time and Kevin Mandia, legendary, awesome Kevin over at Mandiant. And the question was, all right, Kevin, Rob, Dmitri, we're going to not worry about this perception stuff. We know it's your three firms that are getting called in.

Robert M. Lee: The critical infrastructure tax, Mandiant and CrowdStrike and all the IT stuff and all the OT stuff. Dragos is going to be all. And this event happened at 5:23 this morning. And we're thinking we're going. And I'm just making up the 523, but we're thinking we're going. We got to give the president options. And so we need to know, what do you need? Because we expect blowback on critical national infrastructure. What do

Robert M. Lee: you need from us? I was like, respectfully, a call six months ago, like, there's nothing today that we're gonna magically learn to work together and figure this out. And so this idea that you can just like flip on a cyber switch is honestly ridiculous. Yeah. And. And it's not just a cyber switch. It's a switch. Because at the end of the day, cyber is a means and the people. Working together and

Robert M. Lee: the, and the, hey, the collaboration. That's why I get excited about these projects. PipeDream comes out and it's CCC analysts with Dragos analysts and the CISA folks and they get to know each other. Yeah. And you don't want to be exchanging business cards when the balloon does go up. Right. Or the bomb goes off or whatever.

Bad analogy I can come up with. Hey, let's talk Singapore. You just did that long flight and they did just launch and update a. I think they call it a master plan. I always get concerned about master plan, but that's okay. But a master plan around OT. So them, I love them. So I get, I get to, for whatever reason, I get to work with governments around the world and a lot of times it's okay. All right, happy to support you. If you, if you get

Robert M. Lee: it right, good on you. But you know, kind of from the offset that they're not taking it seriously or whatever. Singapore years ago contacted me and said, look, we've taken a lot of your training. We're, we're partners of SANS. Do we see it? Singapore is OT. Yeah, like we're an island country of like 5 million people. It's ports, it's water, it's electricity. And goes down. Like if it goes down, we're

Robert M. Lee: done. And we are a target and of geopolitical interest. And they're like, so OT security is national security of Singapore. And I was like, okay. I was like, sure, sure. And they're like, no, seriously, we want to convene a group of OT experts. And so they called it the OT Cyber Expert Panel, OTCEP. And we're going to put real resources on this and it's going to be a minister level thing.

Robert M. Lee: I was like, okay. And they said, we want you to be on it and help pick out, you know, who's going to be here and so forth. And so we put together this group and it kicked off official. The first one was four years ago and they had the Master Plan 1.0. And it wasn't here's 30 things we want to do. It was here's four thrusts, here's four efforts. We want to

Robert M. Lee: go influence the community to do. We don't expect that we're going to pop bottles of champagne called Mission accomplished in a couple years. We want to start the community on those where you get it to a good place and then we're going to start the next. And they wanted to run it out of the cybersecurity agency. So kind of their CISA equivalent who also has regulatory authorities. And they said, look, we're

Robert M. Lee: going to, we're going to lead this up. So Minister Josephine Teo got involved. So she's reports to the Prime Minister and she under her is David Koh, who's the CEO of CSA, who's a rock star, he's amazing for background, military intelligence, everything, real

Robert M. Lee: sharp dude. And then rallied all their folks on them and said, look, CSA, we're going to take these OT security experts, they're going to help us form a strategy and we're going to work with the regulators and everybody else and we're going to do it. I was like, okay, well let's see. I got to tell you, four

Robert M. Lee: years later it's working. And so this fourth one has got back from, has gotten to the place where it's this Master Plan 2.0 where they say, look, those four

Robert M. Lee: thrusts, we're not saying mission accomplished but keep doing those. But here's this updated view of where now we also need to layer on this additional four kind of efforts and they've worked to put regulation that's actually outcome focused, not prescriptive, but it's actually performance based outcome focused on saying, hey, OT is different, let's take a look at

Robert M. Lee: it. And I think they're having a real impact, good on them and important for the US to participate and lead on some of these. We see regulations out of the US that work and those that don't and there's a very clear line between them of is it outcomes focused or is it prescriptive? And there is no prescriptive regulation, especially ones where the regulator talks at the regulated, that's worked. I give a

Robert M. Lee: lot of credit to TSA for showing up and adapting. But that original version of TSSD2 to the pipeline sector with a 24-hour heads up sector where it regulates you, that's not what success looks like. And so it looks more like what TSA did on the update of well, here's the outcomes we're trying to solve for you. Tell us how to solve for them. We don't know how to operate a pipeline.

Robert M. Lee: You tell us how to operate pipelines, we'll tell you why we care and what we're trying to accomplish. I think Singapore took more of that. Focus and I think it's small enough that it's manageable because there are countries that I always say punch above their weight. Singapore, Estonia, Israel. These are small countries but they kind of live in tough neighborhoods. They don't have a choice. Right? The failure is not an option.

Robert M. Lee: It's small. And that's the failure is not an option. So that whole perception thing I was talking about, they're like, I don't care. Flips CSA. Years later, did a partnership with Dragos and. And they government level one of like, hey, Dragos is our national strategic partner on this topic. I was like, guys, like, there's no contracts involved in that. Like, aren't you gonna get in trouble or whatever. And like, what are

Robert M. Lee: you talking about? You've shown up here. We've worked with you for years. The others hadn't your. Your fit these capabilities. If the others want to be involved, if they're this tall to ride the ride, they can do so. Otherwise, you're a partner. And I think those small countries that have the IT matters and conflicts coming, go, forget your perception. We got to do something. And it. It works. And I actually am

a big proponent of their labeling concept as well. So sometimes they're. They're there. They are ahead of the curve, which is. Which is good to see. Hey, anything on the recommend? So what should OT owner operators and just those that are impacted by OT? What. What are some steps they should be taking right now? Robert M. Lee: Yeah. So Tim Conway and I at the SANS Institute wrote a paper called the Five Critical Controls,

Robert M. Lee: and we'll make that. Available on our show notes. So that years ago, SANS put out the 20 critical controls that was used for the enterprise IT community. And we were always asked, what about the ICS ones? And so we wanted to build it more as a strategy instead of like a specific control. And so we looked at every single attack to ever take place against any OT or ICS systems and just.

Robert M. Lee: And the ones we had private access to as well as public. And we just Robert M. Lee: asked the question of like, what controls worked in all of them. Not one off, Robert M. Lee: not theoretical, not 30% of the data, but what worked in all of them. And Robert M. Lee: it was those five. So we put together and said, okay, here's the methodology, here's Robert M. Lee: the insights, but here's the five to take as a strategy that you can then

Robert M. Lee: map to this CyberSecurity framework or 6443 or whatever in the specifics controls. And that Robert M. Lee: first control is the one that I would recommend out most. I mean, you got Robert M. Lee: to do all five. But that first control is definitely a place to start. There's Robert M. Lee: an order reality to it, but it's a true board level, policy level, whatever one Robert M. Lee: as well, which is you start with an ICS incident response plan. What am I

Robert M. Lee: reverse Engineering into all my other that's unique. Don't start with the other and go Robert M. Lee: the other direction. Don't, don't hope that it all aligns at the end. What does Robert M. Lee: a bad day look like? What data you're going to need for your SEC 8K Robert M. Lee: and 10K filings? What are you going to need for operations? What are you going Robert M. Lee: to need for safety? What's the data you're going to need? The environment, what's it

Robert M. Lee: going to support? What does this look like? And most importantly what are the scenarios Robert M. Lee: you want to plan for? Should a mining company be prepared for the 2015, 2016 Robert M. Lee: electric attacks? No. Is there things we can learn from that if we have spare

Robert M. Lee: time and resources? Absolutely. But I should probably start with the things that actually happened Robert M. Lee: in the mining industry or if I'm an electric power company, I shouldn't be preparing Robert M. Lee: for forward leaning scenarios of what happens if Iran, China and Russia team up and Robert M. Lee: form a super crew. If you got resources, go for it. But start with what Robert M. Lee: did Ukraine 2015, 2016 look like? What did pipe dream look like? Are we prepared

Robert M. Lee: to prevent, detect, respond, recover to those scenarios then go do the other stuff. And Robert M. Lee: so setting that scenario level also lets you communicate board and policy levels of what Robert M. Lee: are we trying to accomplish? It's not well we have these 33 controls and green Robert M. Lee: KPIs. It's here's what we as an organization are aligned around. Here's why, here's what

Robert M. Lee: we're trying to accomplish. Let's figure out how to go do that. And I think that makes abundant sense because it's cyber, whether it's ics, whether it's cyber, whether it's physical, it's managing risk at the end of the day and companies and executives know how to do that. On the financial side in this case that, that needs to be part of that. But, but let me ask a very simple question. Sure. How

many companies actual have actually have visibility across their OT systems? I, I think before you can start doing all that you need to know what you got. You need Robert M. Lee: to know what you got, you got to do. Asking visibility. I would say a Robert M. Lee: lot of folks are going down that journey and if you threw the logos on Robert M. Lee: the wall there'd be a lot of logos and companies that we get to work

Robert M. Lee: with and so forth but not a lot of penetration in those logos. And so Robert M. Lee: I would, I would estimate that sub 5% of the global infrastructure is actually monitored Robert M. Lee: and which is scary, which is terrifying. And I've had to and there's Some companies Robert M. Lee: getting it right and doing a lot and doing the crown jewels, they don't need Robert M. Lee: to do 100%. They're doing all the stuff that matters to them. There's definitely those

Robert M. Lee: companies. But I've been in boardrooms where people have been like, yeah, we have have Robert M. Lee: CEOs talking about, we have Dragos, we're okay, we've got visibility. I had to go Robert M. Lee: back and be like, check the box. Yeah, yeah, yeah. You have us at 1 Robert M. Lee: out of 500 transmission substations. That ain't gonna cut it. And so I would say Robert M. Lee: the visibility is sorely lacking. And this was, you know, talking learn. That on the

supply chain issues and on steroids. This came up a lot with the NSC when Robert M. Lee: SolarWinds happened and folks were focused on the IT portion of SolarWinds. But SolarWinds was Robert M. Lee: embedded in some really interesting places in critical national infrastructure on the OT side. And Robert M. Lee: Congress was ready to kill the industry over this because Congress's view, which was actually Robert M. Lee: pretty fair, was we're going to get punched and prevention is going to fail at

Robert M. Lee: some point, that's fine. But if we tell you exactly what to look for, exactly Robert M. Lee: what the software package is, exactly what the version is, exactly what the network. Exactly, Robert M. Lee: exactly, exactly. And you tell us you still can't see it and you don't know Robert M. Lee: what it is, how are we resilient? And so there was a lot of companies Robert M. Lee: are like, we don't know if we have it on the OT side. And that

Robert M. Lee: means that you can't ever defend anything. Fair point. And not to bring up SBoM and the like, but the reality is a lot of these are analog solutions to digital problems and we talk about a lot of these things. Actually doing the do is where I think we ought to put emphasis. Rob, what questions didn't I ask that I should have? No, I think this was fantastic. I enjoyed it. I. I Robert M. Lee: think these are the right conversations that folks are having. Again, what is our risk?

Robert M. Lee: What are the scenarios? How do we deal with something about it? I think the Robert M. Lee: policy level, it really is how to accelerate the things that we know work. Before Robert M. Lee: we start talking about the shiny objects, why can't we just at least openly talk Robert M. Lee: about it? Even if there's no resources allocated towards it, which there should be, how

Robert M. Lee: do we talk about it? I don't mean to be too promotional, but we launched Robert M. Lee: a program called Community Defense, which was if you're a water, gas or an electric Robert M. Lee: company under 100 million in revenue, just take our technology and stuff for free forever. Robert M. Lee: So just let's get it done for the community. And I have conversations with the Robert M. Lee: government on, hey, I see promoting a lot of stuff. There's no money aligned on

Robert M. Lee: this. Can you say something about it? Like perception? Well, you had a great piece in cnn. We'll make that available on the show. Notes I think the questions are Robert M. Lee: good. I think the result is we know what to do. We don't need to Robert M. Lee: come up with the next gen thing. We know what to do. Let's just go Robert M. Lee: do it. Rob, thank you for spending so much time with us today. Thank you.

I hope you'll agree for being a friend. Thank you for continuing to fight the good fight. Thanks for all your work over the years. Most importantly, leading. You gave Robert M. Lee: me a lot of, like, kudos, but I've seen you in all the same conversations, Robert M. Lee: so thank you to you as well. Keep fighting the good fight indeed. Thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please

consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you'd like for us to host. Until next time, stay safe, stay informed and stay curious.

Transcript source: Provided by creator in RSS feed: download file