Welcome to The Chemical Show, the podcast where chemical means business. I'm your host, Victoria Meyer, bringing you stories and insights from leaders, driving innovation and growth across the chemical industry. Each week, we explore key trends, real world challenges, and the strategies that make an impact. Let's get started.
Welcome back to The Chemical Show. I am here with Rob Lee, who is the CEO of Dragos, one of the most premier cybersecurity firms in the U.S. and maybe globally. Rob regularly gets called in to consult with companies, with countries, and probably more, on cybersecurity issues. So we're here again at the Marsh North American Energy and Power Symposium having this conversation. So when you hear a little background noise, you know why. But anyway, glad to have this conversation with Rob.
Thanks for having me.
Absolutely. So tell us a little bit about yourself and how did you get into cybersecurity?
Sure. So I started my career on the U.S. Air Force side of the house. It was building control systems. When we talk about cybersecurity, sometimes we talk about the information technology side of the house, which is more of like your email servers and computers and things like that.
And we also have the operation technology side of the house, what we call OT, which is really your, chemical facilities, your water treatment facilities, your power grids, like the physics side of the house, right? And so all my work is really focused on the OT side.
And I enjoyed doing humanitarian work in the Air Force, building control systems, building wind turbines in places like Cameroon, and then I realized that cyber could be used to impact those systems, got recruited into the National Security Agency, and ended up building out the U.S. government's mission, looking at various states and criminals breaking into infrastructure around the world. And then after that, started a company called Dragos.
Okay, so why leave the NSA?
Yeah, uh, lots of discussions and the wrong liquid in the cup, but, I enjoyed my time at the NSA, and, and surprisingly, we actually did a lot of like interesting defensive and cool work in that way. It was actually when I got sort of rerouted back to Cyber Command and looking at the offensive side, and I got to be other people's adversary for a while. I just didn't really agree with what I was doing. Like, countries should have military capabilities to impact others, no, don't get me wrong.
Uh, generally though, I think everybody should stay out of each other's civilian infrastructure. And every 35 year old mom should be able to go home to her 5 year old kid regardless of nationality. And I don't think that's not typically the view.
Yeah, well. Different points of view everywhere. Everywhere. So, tell us a little bit about Dragos. Oh,
identifying vulnerabilities and threats and things like that. But a lot of the big incidents that take place, they'll call us in, hopefully ahead of time, but if at worst, sort of after the incident to try to deal with it. So like, we did the Colonial Pipeline incident, we've been involved in a lot of the Ukraine attacks and, and, and analyzing the cyberattacks and electric infrastructure there.
So, kind of any of the big things you've heard of before, may have heard of in, in cyberattacks and infrastructure, usually there trying to
Is this all computer related? When I think cybersecurity and cyberattacks, I think computers. Is that what you guys are working on?
I think a lot of, you know, probably one of the more surprising things is a lot of business executives of these companies feel, hey, we're doing a lot on cybersecurity. But there's so many different things in cybersecurity, and at the minimum there's that big IT versus OT bucket.
And most governments, most boards of directors, most business leaders are surprised to find that 95%, not a made up statistic, about 95 percent of all the budget to cybersecurity efforts is going to the IT side of the house, not the OT side of the house. But you generate all your revenue and have all your safety impact and your business impact and national security impact on the other side of the house.
So about 5 percent of all of the efforts in the community and the resourcing is going to the side that actually generates all the revenue and national security impact.
So the actual asset, the infrastructure, the operating plant, et cetera.
Correct, correct. So for all your chemical engineers and business folks, what cybersecurity is to them is probably, oh, secure my password, secure my data. That's cool. The cybersecurity that actually impacts them is, as our industry has become more digital, we've become more complex, more control systems and automation. That digital network with the physics impact, the physical world, that's cybersecurity now. And it probably wasn't true 15 years ago.
Absolutely. Right. Because we're relying on computers, more efficient operating systems, et cetera, to run everything. In
If an operator can open up a circuit breaker through a computer, now an adversary can
Yeah, absolutely. In fact, I'm gonna say this for our listeners. Brad Amp, who's CEO of Carpenter, was on the podcast a couple years ago. We will link to that episode, and he talked about the cybersecurity attack that they had, how it took down their operations, and how they recovered from it. And they were able to recover. they found a solution. But it's an interesting story and conversation. So I will, I will link to that for people to hear
You know, one of the scary things for a lot of companies, so good on 'em, because one of the scary things that a lot of the boardrooms I get in is most companies don't have the investments ahead of time into the cybersecurity of OT to even know when something goes wrong. Was it cyber or not?
Yeah. And so, you know, a lot of the national security conversations I get in with various government leaders, they have the question of like, well, when a cyber attack happens and does this, what do we do? I'm like, how do you know that it's cyber or not? And they go. Oh, I don't, I don't know. And it's like, that's, that's the starting discussion. And so we've seen chemical mishaps, safety issues, et cetera, where people look at it and go, we don't, we don't know.
We, like, I guess it's a maintenance issue. And you're like, okay. And that kind of ruins your ability to respond
Yeah. I will say on a personal level, you know, if I think about the internet of things and just the home internet of things, like, you know, we have a Ring doorbell. We have a, I don't know what it is. It's a Nest. It's one of the thermostats, whatever. And I do worry about the fact that, you know, somebody outside of our control can control it. And that's on a microcosm, on a home
example, though. Like, think for a second, you've got an internet connected thermostat, you've got an internet connected alarm system, and then you've got an internet connected toaster, right? And then one day you have a fire in the house. Did somebody hack your system, disable the alarm system and cause a fire in the toaster, or was it just a mechanical mishap? That question, take that now into any digital infrastructure that we have, that's really hard to
if you don't do the work ahead of time.
Yeah. So, like, I think it's easy, but, you know, that's maybe the,
coming off the edges,
Yeah, yeah, maybe that's, like, coming off pretentious, but I think number one, we're all good at scenarios, right? So in the chemical industry, as well as infrastructure in general, we have a very good safety community. And so understanding safety process, process hazard analysis, HAZOPS processes, like going through a safety scenario, we don't sit there and go, I want a better valve. I want to better pressure it and go, what's the scenario that
look at all the controls across it. And so I think cybersecurity sometimes comes out with, like, you should deploy this thing, or you should have this tool, or a complex password, but they're not looking at the scenario. So one of the things I generally advise is, first off, look at the real scenarios. Your company doesn't have unlimited budget. It doesn't have the ability to go, how do we reduce cyber risk? Well, what does that mean?
But we could say, hey, here's three scenarios we've seen that have caused impact in the chemical or energy or water industries before. Are we ready for those three scenarios, and across our 50 sites, three sites, 300 sites, what would it look like? Well, what are the abilities to try to prevent it, to try to detect it, and try to respond and recover to it? And you look at those controls across the scenario, and you can very easily get to something that you cannot measure.
Now it's not some random presentation in a boardroom of, like, high risk, low risk, is it 33.5, is it 40, and it's like, what does that mean? It's like, if that happened to us, would we be okay? Like, oh yeah, we could actually deal with that one.
I mean, ultimately, the CEO owns the risk. So this idea that, like, the chief information security officer, the chief risk officer owns the risk, they're advisors. The CEO owns the risk with oversight from the board, depending on your corporate structure, and the rest of it is about advice. So the CISO, or the chief information security officer, sometimes is rolled under a CIO, which is debatable if it should be or not, is presenting me, here's what I think the risk is.
You need to challenge those folks because a lot of the ways the careers have developed for chief information security officers is out of the help desk, out of IT, etc. They don't know your plans. So, they really need to understand what's your OT cybersecurity risk. Don't just speak about cyber. Like, challenge them. Like, is that the enterprise or is it enterprise IT? Okay, you're talking the enterprise or you're talking OT then?
And so, are you talking about enterprise OT, chief information security officer? Great. What do you advise against real scenarios? And then it's up to the CEO, usually also the CFO or Chief Operations Officer, to sort of delegate that down. And the ultimate, especially in the chemical industry, ultimately you're coming to the plant manager.
from
if I operate that asset, I am responsible for everything that happens at that asset. And I am responsible for the cyber risk that goes into it as well, but I'm not responsible to know all the possible cyber risk. I need advisors in my organization for
Right. I was going to say, because a plant manager, they're often an engineer, a scientist of some variety that's grown up through the system. They would say, I'm not actually equipped to handle cybersecurity. However, risk management is absolutely one of their remits.
100%. And again, at a board level, really, if you're talking a lot of these, like, cybersecurity scenarios on an operations impact, you are talking safety, you're talking massive financial impacts for a public company. This is like your 8-K and 10-K filing discussions. You're talking national security, depending on the size of your company. It should be an elevated conversation. And once that elevated conversation happens, it's really just binary. Are we going to address this risk?
Yes or no? Not like, what level of it? No, no. Are we going to try to address this risk? Yes or no? Because then there's got to be funding. And that was what was really useful in the chemical industry after the Bhopal incident, right? So from a safety perspective, used to, for many companies it was, safety comes out of your budget, and do it or don't. And then we looked at it as an industry and went, Oh, that's, that's not good. Like we, as a company shouldn't be able to like deal with that.
Let's just say there's a corporate budget for mitigating the safety risks. And if you want to go beyond that, feel free to plant budget, but the minimum we'll take that out of the budget overall. And those same kind of mechanism that you have in, long story short, there should be a company understanding of what are the risks we want to mitigate. There should be a company understanding of, to this level, we'll resource it. And then underneath that, the how to do it should be the plant.
It's starting to become, it may become federally required in the U.S. actually. So what we're seeing from, so the SEC, right, has made this determination that you need to talk about material events in your company. And material event, obviously, that's true regardless of cyber. Usually a 10-K that you file with the SEC saying here's the things that can be material. And then when something happens that is material, you file an 8-K to say something changed.
And it's required by law for any of these public companies. They have designated that cyber can be material and they expect to see the cyber components do that. So, it's already being mandated that you have to have the conversation. What we're seeing sort of as best practice is these companies are getting together saying, well, what could be material? Instead of waiting for something to happen and filling out the 8-K, go reverse engineer the 8-K. Hey, I'm a chemical company.
What happened to make an 8-K at the other three chemical companies that did it? Let's take that 8-K and reverse engineer it. And usually how that's done is a tabletop exercise. So you get around the room with the appropriate people in the room, whether security people, operations people, whoever, and go, cool. Here's a fake scenario, but it really happened, not just, like, lasers from space. Like, do something real, right? Like, here's what we saw happen before. Respond.
And then they kind of work through it like a game of sorts. And then they determine, oh, actually we're not in a good place to deal with this or we think we are. And that we think we are then should be followed up with technical assessments of, are you really? Did you really have those investments? And that should be reported back to the executive group to be able to say, yeah, we're actually as good as we are. No, we're not. We have these gaps. Let's go address
And you guys support companies on those exercises, is that something that you do as part of Dragos?
So even though we're a tech company that's like our bread and butter that preparation ahead and that tabletop exercise is where we get called in a lot and then unfortunately a lot on the response side as well. And we're,
Okay, so I like to always talk about leadership. You're a relatively young CEO, working with probably a lot of older CEOs. How has that played out for you? I'm just gonna ask that as a broad question.
Uh, really well, so far and surprising. I used to go in. I'd like have these meetings with these serious companies and like, Hey, I know I'm just a young CEO or whatever. And they're like, and eventually one of them told me, and this isn't really a question, but I think this is funny. Anyways, um, one of them told me like, stop it because I always played the card like, Hey, I'm first time founder, CEO, young guy, whatever. They're like, stop it. How long have you been CEO of Dragos?
And I was like, at the time, it was like seven years. I was like, yeah, seven years. He's like, great. I've been a CEO for three. So you tell me, I was like, Oh, okay. And so I think a lot of the CEOs I meet are really humble in the position. I'm not saying like everybody else, but like most of them are very humble in the position to go. It doesn't matter how many years it took me to get here. I'm here and here's my base of expertise. You have a base of expertise and I'm calling on it.
You tell me what your expertise is. So I found that to be pretty open on that. But it is, it's been fun on the infrastructure side because in cybersecurity, a lot of the cybersecurity executives, Chiefs, and Rescue Officers are always yelling like, How do I get the business to take me seriously? How do I get them to take seri And like, I don't have that problem.
Because when I go talk to President Well, not like that, but when I go talk to No CEO, no President, no Parliamentary Member is confused about where their country generates revenue. Or risk, like it's just, I don't have the, well, how do you secure your data? I'm like, Hey, if there's a plant fire over there, it's 300 million of lost productivity. They go, yeah, yeah, we get that. And so the impact allows it to sort of be the, yes. Now, how do we want to deal with that?
And I think that allows the conversation to go pretty smoothly.
Well, this has been great. Thank you very much for the conversation. I know that people are gonna love it. And looking forward to hearing your speech
Yeah, good. Hopefully no one in this group ever has to call me. But if you do, do it in advance. Yeah,
Thanks for joining us today on The Chemical Show. If you enjoyed this episode, be sure to subscribe, leave a review, and most importantly, share it with your friends and colleagues. For more insights, visit TheChemicalShow.com and connect with us on LinkedIn. You can find me at Victoria King Meyer on LinkedIn, and you can also find us at The Chemical Show Podcast. Join us next time for more conversations and strategies shaping the future of the industry. We'll see you soon.