Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

OT Under Threat: Dragos’ Robert M. Lee on Navigating Cyber-Physical Risks

Season 2 Episode 0 •

Show Notes

Originally Released September 11, 2024

In this episode of Cyber Focus we’re revisiting the conversation Frank Cilluffo had last September with Robert M. Lee. Rob is the CEO and co-founder of Dragos, a leading firm in industrial control systems (ICS) and operational technology (OT) cybersecurity. Rob unpacks the real-world consequences of cyber-enabled threats to physical infrastructure, including attacks on water systems, energy grids, and manufacturing sites. He shares insights into advanced malware like PipeDream and Frosty Goop, explains the growing risk of scalable OT attacks, and highlights adversaries’ shifting tactics — from state-backed intrusions to criminal exploitation. The conversation also covers lessons from Ukraine, implications of Volt Typhoon, and the importance of visibility, public-private collaboration, and outcome-focused regulation in defending critical infrastructure.

Main Topics Covered:

  • What operational technology (OT) is — and how it differs from IT
  • Why cyber-enabled threats to physical infrastructure are escalating
  • Real-world case studies: Ukraine grid attacks, Saudi petrochemical facility, and U.S. water systems
  • Dragos’ findings on ICS malware: PipeDream, Frosty Goop, and Modbus TCP exploits
  • Emerging adversary trends including Volt Typhoon and the shift to scalable, repeatable OT malware
  • The state of public-private collaboration and challenges facing OT cybersecurity in the U.S. and globally
  • Lessons from Singapore’s regulatory approach and what operators can do today

Key Quotes:
“[Operational technology] is all the stuff you have in IT, plus physics.” – Robert M. Lee
“These are cyber enabled attacks that can have physical consequences.” – Frank Cilluffo
“[PipeDream] is the first time we’ve seen ICS or OT malware that is repeatable, reusable, and scalable across industries. It works in everything from a servo motor on an unmanned aerial vehicle to a gas turbine.” – Robert M. Lee
“There was an attack in 2017 where an adversary broke into a petrochemical facility in Saudi Arabia explicitly to cause an event at a facility that would have killed people if they were successful.” – Robert M. Lee
“Right now in the operations technology community, we deal with low frequency, high consequence attacks. IT deals with high frequency, low consequence attacks. And if we start to see scale, we’re going to start to see medium to then high frequency, high consequence attacks. We’re not ready.” – Robert M. Lee

Relevant Links and Resources:

Guest Bio:
Rob Lee is the CEO and co-founder of Dragos, a cybersecurity company focused on protecting industrial control systems (ICS) and operational technology (OT). With a background in military and intelligence, Rob has worked at the National Security Agency (NSA) and U.S. Cyber Command. He has been instrumental in raising awareness about the vulnerabilities in critical infrastructure and the need for better OT cybersecurity. Rob is widely recognized as a leader in the field, advising government agencies and industry leaders on protecting essential services from cyberattacks.

Transcript

1
00:00:00,000 –> 00:00:01,000
Frank Cilluffo [00:00:00]:
Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and have the privilege to sit down today with Rob Lee. Rob is a Paul Revere. He put OT on the map and is currently CEO and co founder of Dragos, a large industrial control systems and OT cyber company. He serves in various roles for the government, including the Department of Defense and the Department of Energy, is an Air Force Academy grad hua and did stints at the National Security Agency Cyber Command, and advises universities such as Duke, Carnegie Mellon, and we’ll make sure Auburn’s on that map soon too. Thank you. Rob, thanks for joining us today.

2
00:00:01,000 –> 00:00:02,000
Robert M. Lee [00:00:51]:
Thanks for having me.

3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:00:52]:
So, in all sincerity, I think you played a major role as a citizen CEO putting operational technology on the map. I think everyone in the community knew it mattered, but you helped find its real day in the sun. So I think before we jump into some of the threats and some of the issues, you’re looking at, maybe just an explainer, A101 what is operational technology?

4
00:00:03,000 –> 00:00:04,000
Robert M. Lee [00:01:19]:
Yeah, so I usually describe OT as all the stuff you have in it, plus physics. So it’s the side of the business that actually is the reason the business exists. Whether it’s the generation of electricity, the transmission of it, manufactured goods, pipelines, rail, ports, it’s sort of everything that ends up interacting with the physical world. And what I always find so interesting is as we’ve talked about enterprise cybersecurity as an example for years, and all these boards and CEOs and government saw enterprise IT and enterprise IT cybersecurity. They thought it meant the enterprise because there’s no CEO or CFO that’s confused about where they generate revenue. And there’s no serious policymaker in this scene that’s not aware of the critical part of critical infrastructure. But what it meant was just enterprise it. And so there’s been sort of an awakening over the last five, six years, especially at an executive level and policy level, understanding that a lot of the things we thought were getting done were just simply not getting done on the OT side of the house. And so as we look at those specialized systems, sometimes it’s as simple as Windows software and Windows systems with specialized applications, sometimes it’s specialized control equipment and so forth. But as we look at that side of the house, it interacts with our local communities, our physical impact, the ability to impact life instead of just data loss. It’s nice to see it get a.

5
00:00:04,000 –> 00:00:05,000
Frank Cilluffo [00:02:38]:
Lot more focused and in terms of consequences in life, death, it clearly is at the top of the list. But can you delineate the difference between it, OT and sort of give a little bit of legacy? Because a lot of the OT systems that are being deployed now have been around for a long time, right?

6
00:00:05,000 –> 00:00:06,000
Robert M. Lee [00:02:55]:
Yeah. In it it’s not too uncommon to have like a two to five year life cycle. In OT, it’s very common to have a 20 to 40 year life cycle of equipment.

7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:03:03]:
20, 40.

8
00:00:07,000 –> 00:00:08,000
Robert M. Lee [00:03:04]:
20 to 40. And many of them are operated well past 10 as well. Yeah, by far. And so yeah, when you think of typical enterprise it, you’re thinking cloud servers, you’re thinking enterprise systems that are Windows operating systems, domain controllers and so forth. And really it’s about specialized applications for the purpose of managing data and information. And it’s usually a system focus and data focus. In OT or operation technology we might have that stuff too. But we also have more of a systems of systems and physics approach where we will have those specialized equipment, specialized network communications, specialized environments that are really focused around automation. And historically it was very disconnected, very manual. You might have turning a sluice gate by hand to open up a small dam. That’s where we were. Where we quickly got to is a highly automated world where all of that was digitized and connected, getting connected up to enterprise IT systems or directly to the Internet. And now what used to be only done manually can be done remotely and scalably. And of course that’s going to have an impact on what adversaries can reach out, target it and cause consequence. And you mentioned safety and life. You know, there’s an attack in 2017 where an adversary broke into a petrochemical facility in Saudi Arabia explicitly to cause an event at a facility that would have killed people if they were successful. Luckily they weren’t successful. They only cost $300 million in downtime. But what they were trying to do was cause like an over pressurization or release of chemicals that would have killed 30 to 60 people that day. And, and so when you deal in consequence like that, or the water attacks we’ve seen in the United States in this past year where there was the ability to impact chemical levels and water levels and have a local impact on communities, that’s the stuff we freak out a lot about.

9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:04:54]:
And just to put a fine point on it, these are cyber enabled attacks that can have physical consequences. Absolutely. And the Rubicon has been crossed, has it not?

10
00:00:09,000 –> 00:00:10,000
Robert M. Lee [00:05:05]:
In pretty much every industry. So I usually these days the first discussion with a board member or so forth. They’ll be like, yeah, well what’s really going to take, what’s really going to be required is for one of these big attacks to happen. Then people wake up and I’m like, which one do you want? What industry? We’ve taken down the electric systems multiple times across Ukraine. We’ve had multiple.

11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:05:24]:
And we’re going to pull the thread on that.

12
00:00:11,000 –> 00:00:12,000
Robert M. Lee [00:05:26]:
Yeah, multiple water attacks in the US and abroad. We’ve had rail systems go offline, we’ve had ports go offline. It was a cyber attack. They ended up causing port issues in Australia where if you think about it, it wasn’t just oh yeah, my Christmas gifts, it was pharmaceuticals and medicine and food being able to get into that country. These are impacts that are not only national but local security and they matter a whole lot.

13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:05:50]:
And when we look back just to Covid not so long ago, we see how important supply chains are and the ability to get a product from A to B. But when I think ot, I think primarily the grid and the electricity sector and the energy sector writ large and I think water systems. But it’s much more than that, isn’t it?

14
00:00:13,000 –> 00:00:14,000
Robert M. Lee [00:06:13]:
It’s much more. But I do think it’s an appropriate thing to have a risk based discussion. And when we talk about like significantly impactful critical infrastructure to copy from the Solarium commission reports, I think it is right to place the focus there to start with. From a national security lens, business leaders at any company should be looking their ot. But national security, you better care about your energy systems quite a bit if.

15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:06:32]:
You don’t have electricity. Nothing else.

16
00:00:15,000 –> 00:00:16,000
Robert M. Lee [00:06:33]:
Nothing works. Nothing works. The electricity industry would, would tell you it is the critical infrastructure. And it is, I think it probably is. Yeah.

17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:06:39]:
But, but it relies on water.

18
00:00:17,000 –> 00:00:18,000
Robert M. Lee [00:06:41]:
It relies on water and it also relies on transport. Like there’s a lot of infrastructure that if rail goes down, you’re not getting the fuel sources that you need. And so and pipelines and natural gas in this country would, would say that they matter a whole lot for generation of electricity these days. So it’s, it’s just all interconnected and, and yeah, I mean it’s everything from building automation systems to on data centers to ports and infrastructure. It’s quite literally anything that you interact with the world of physics and computers.

19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:07:05]:
You’Re, you’re probably talk be unfair but culturally one community grew up sort of with a technological bent. The other public safe. I think three mile aisle. When I think some of this and when I see some of our OT defenders and quite honestly they need to be at the same tables that all our IT defenders are.

20
00:00:19,000 –> 00:00:20,000
Robert M. Lee [00:07:28]:
Yeah, yeah, absolutely. And I think also there’s always the bias and there’s always the cultural boundaries of getting IT into OT and OT education into it and, and you go to different companies and sometimes they get it right, but a lot of times it’s one or the other that’s getting it wrong. Either the IT folks are coming in going, oh my gosh, why don’t you patch and encrypt? And you know, they throw their IT book at the operations side and the operations side is going, hold on. This plant’s been running for 30 years without any disruption.

21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:07:53]:
Exactly.

22
00:00:21,000 –> 00:00:22,000
Robert M. Lee [00:07:53]:
And the only time it’s ever been.

23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:07:54]:
Taken down when you layer it on. Exactly.

24
00:00:23,000 –> 00:00:24,000
Robert M. Lee [00:07:57]:
And then there’s the OT folks that are like, hold on. Now this has consequence and we matter. And it is focused on their bias of, well, we want to protect our cloud servers and the OT side of the house. Like, hey, we generate all the revenue here. Like, we should do something about this. It’s a bit of everybody sometimes.

25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:08:10]:
Now, can I. And disagree with me. I have a hard time delineating and differentiating that. The cyber physical convergence, we all talk about it, but in the real world it’s one of the same, isn’t it? Obviously you have unique attributes, but at the end of the day, from a blue, from a defender’s perspective, you need to look at your systems in its totality, not in the way you wish they were, but in the way they have to do.

26
00:00:25,000 –> 00:00:26,000
Robert M. Lee [00:08:36]:
Both you have to. I agree with that. You have to look at your risk as an organization and defend your organization. And that’s going to encompass IT and ot and it’s going to encompass your suppliers and third party. But how you do it ends up getting into the. Yeah, that’s the specific.

27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:08:51]:
And, and what, what led you to start Dragos, by the way?

28
00:00:27,000 –> 00:00:28,000
Robert M. Lee [00:08:54]:
So, I mean, I started out in control systems, but not as an engineer. When I first got in the Air Force and had the ability to do like small TDYs, stuff like that, I would go out and do humanitarian missions in places like Cameroon, building control systems for water filtration and wind turbines. And it was cool to see the impact where mom working all day long and all she wanted to do was educate her kid, but she didn’t have lights that was working at night. And so if nothing more than charging a car battery, strong LED lights, and her kid could study to try to get out of that situation. That’s cool.

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:09:23]:
That is cool.

30
00:00:29,000 –> 00:00:30,000
Robert M. Lee [00:09:23]:
And so when I joined the Air Force proper. And they were like, hey, you can go be a pilot. I was like, nah, like, what? And like, my parents are enlisted. I don’t want to be a pilot. And they said, well, you can go. What do you want to do? I was like, go to Africa. And they’re like, go join comm then. And in the way it turned into cyber when I was there, I’m like, what do y’all do on control systems? They’re like, what are, what are control systems? It’s like, oh, boy, it’s everything. You know, those stinky things, you want to stay sunk, and the floaty things, you want to stay fly, you know, floating and the flying things want to stay. It’s all control systems. And so I got it tapped and woke up one morning in Germany in the nsa, and they said, hey, you’re in charge. And I said, what’s charge of what? They’re like, find the unknown unknowns. Like, what does that mean to y’all? They’re like, I don’t know. Rumsfeld’s big into it. Like, okay, we’re doing control systems. And when I got out and saw our, our collective response to Ukraine, because I got to lead up a portion of that investigation, and I saw the bias of let’s just copy and paste IT controls into a power plant, I was like, I called my co founders, like, we gotta, we gotta do something. We gotta start a company. Like, start a company, be a vendor. Like, yeah, I’d like my kids to have lights and water. So that was basically it.

31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:10:26]:
And who’s doing it, right? And this may be an unfair question. Obviously those that are turning to Dragos for support, but in all sincerity, who is doing the IT OT thing, right? From a company’s perspective, first of all.

32
00:00:31,000 –> 00:00:32,000
Robert M. Lee [00:10:40]:
I will say without my bias of do this and do that, and here’s what I think is right. I will say anybody who is taking an informed approach to addressing OT security, what I mean by informed is you’re not leaning on your biases. You’re not, hey, here’s the playbook you ran in it. I’ll copy and paste it. Anyone is looking at what are our unique risks and how are we genuine risk based and genuine risk based approach, and they’re saying, let’s partner together and get something done in ot. I can stand by that. And I would say it’s right. In terms of companies, I do think the electric sector in the United States led the discussion writ large. And, you know, there’s over 3,000 of them and we’re probably talking about the top 150 or so, but, but those top 150 or so have put a lot of work into this. And it’s not just through regulation and NERC SIP and things like that. I think it was a lot of partnership with government over the years. Government comes and goes in ebbs and flows of expertise. But the national security community reached out years ago to the electric sector to say, hey, here’s the classified risk that we actually do see. This is real. And you got wonderful folks, the Tom Fannings of the world at Southern Company, the Bill Furman, these folks that said, hey, we’re going to take a top level leadership approach to say we need to do this. And that mattered.

33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:11:46]:
It does matter. And that’s why I wasn’t blowing smoke when I said you brought the issue to the fore. The reality is Tom Fanning, Furman, they were leaders, CEOs who took this seriously. And then obviously you did the same on a still appreciated but not fully understood set of issues. Before we jump into a couple of reports you guys released recently, I would like to Industrial control systems. What can you shed light on there?

34
00:00:33,000 –> 00:00:34,000
Robert M. Lee [00:12:21]:
Yeah, I mean in industrial control systems in general, which is really a type of ot, I mean that’s, that’s what we talk about a lot in terms of that physical consequence. That’s what we mean. ICS data, ICS data, all that kind of falls under the umbrella of ot. OT has come to include like medical and things like that. And it’s important. But our focus ends up really being ics. We get down to it and again, I think we talk about people doing it right. It’s not only the leadership at those companies, but it’s also when governments do it. And we, I think we’ll talk later about Singapore and so forth, but there are groups and organizations that are using the right terminology to say, hey, let’s go do this. Not it’s all T, but okay, hey, there is an OT side of the House. Let’s figure that out. And again are figuring out what are the threats that actually matter. We’ll talk about some of those and how do we deal with those? Not what do you want to do? Not what would the theory say? Well, not well, hey, I saw this at defcon and you know, we should think about that. But no ground truth, reality, what’s, what are the adversaries actually doing? Let’s learn from that and counter it. And I think that’s what’s really happening in ics.

35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:13:19]:
And you teed up this discussion perfectly. Dragos came out with two recent reports around some of the malware that we’re seeing. And honestly, I never thought I’d have a public discussion around a malware named Frosty Goop. Quite honestly, it makes me want to wash my hands the minute I say it.

36
00:00:35,000 –> 00:00:36,000
Robert M. Lee [00:13:39]:
But we spend too much time, like, I would say, being excited about and praising the adversaries. Oh, they’re so cool. Look what they did. Let’s name them. Really cool stuff. And, like, they’re jerks. They’re civilians. Screw them, you don’t get a cool name.

37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:13:53]:
And honestly, we had that discussion around counterterrorism. I’m glad you brought that up. That’s worthy of a different discussion. But let’s start with sort of pipe dream and the white paper y’all put out recently. What do we need to understand? Yeah.

38
00:00:37,000 –> 00:00:38,000
Robert M. Lee [00:14:04]:
So pipe dream is probably the one that really, really sucks. There’s a brief kind of education recap to get into this. When you look at the. The world of ot, the. The thing that’s really changed, like, why all the focus now. The thing that’s really changed, I mentioned it was kind of manual and disconnected at one point. Then it went digital. And that digitization happened decades ago. That’s not a new thing. But when that happened, it was still heterogeneous infrastructure. So the chemical facility in Saudi Arabia had nothing to do with the chemical facility in Houston had nothing to do with the electric transmission substation anywhere in the world. It was. It was bespoke, it was heterogeneous. It was that site. And when you’re looking at heterogeneous infrastructure, it’s hard as an asset owner and operator to scale your workforce for it. You got to retrain people as they go. It’s expensive, it can be unsafe, because there’s not a whole lot to lean on in terms of expertise. But from an adversary perspective, it costs more. Cost a heck of a lot more. And an adversary perspective, it’s really hard to target it. Yep. When you want to do physical consequence, it’s that site. Not, here’s this malware to hit everybody, it’s that site. When I was on the offensive side of the house, it was like Handcraft Farm to table that side.

39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:15:06]:
Yeah, you needed very.

40
00:00:39,000 –> 00:00:40,000
Robert M. Lee [00:15:08]:
It was very. It was boutique. And that was the world of heterogeneous. For all the right reasons. And we cannot go back, we went to Homogenous, which was more common operating technologies, common network designs, common implementations, common automation, vendors, vendors, buying vendors. And that Homogenous World opened up better margins, better profitability, better safety records, better workforce, all these right things. The consequence though, is now you can have scale. And so we’ve been adversarially.

41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:15:37]:
Yeah, yeah, yeah.

42
00:00:41,000 –> 00:00:42,000
Robert M. Lee [00:15:38]:
So we’ve been talking about it for years, saying, hey, the red lights are blinking. We’re going to, we’re going to get to this point where we start to see attacks that can actually scale. Because right now in the operations technology community, we deal with low frequency, high consequence attacks. It deals with high frequency, low consequence attacks. And if we start to see scale, we’re going to start to see medium to then high frequency, high consequence attacks. And we’re not ready. Combined pipe dream was that. And so in 2022, I got to use my, like legal language, right? The Drag dragos team worked with an undisclosed third party and then the United States government to identify and analyze Pipedream before its employment. All right, so what does all that mean? The adversary built this capability and did not deploy it at their targets yet. In my assessment, this is their wartime capability. But they had already picked out, to our knowledge, like 13 key sites across North America and Europe. And this capability is the first time we’ve seen ICS or OT malware that is repeatable, reusable and scalable across industries. Works in everything from a servo motor on an unmanned aerial vehicle to a gas turbine, to a carbon cracker to any different industry. It’s taking advantage of that homogenous curve and it just works. It’s not like here’s a vulnerability that you patch, it’s just leveraging the native functionality that’s in these systems. And so it hasn’t been operationally leveraged yet. But we sounded the alarm. The White House put out information about it. The community took it pretty seriously. But unfortunately, I don’t know that everyone’s doing enough about it. But the reality is that team is still developing additional capabilities off of it. It’s still out there. And if people don’t prepare, that’s the one I expect we’ll see. In conflict.

43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:17:14]:
How often do we see? Are we able to get something left of click where we can? That’s not an everyday occurrence, right?

44
00:00:43,000 –> 00:00:44,000
Robert M. Lee [00:17:23]:
I’m tracking like twice that we’ve been publicly talking about to boom stuff, which.

45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:17:26]:
Is pretty awesome in some ways. In other ways, pretty discerning and discerning.

46
00:00:45,000 –> 00:00:46,000
Robert M. Lee [00:17:32]:
But this was a really good exam. I mean, people talk public private partnership all the time. And this was the time that I saw it really work where there was private sector expertise and insights in our Own unique collection, third party and then intelligence services and the US government being able to work together. And I think I’m perfectly comfortable to say, like the NSA is ccc really, really on top of this.

47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:17:54]:
We’ve got Dave Luber coming on soon.

48
00:00:47,000 –> 00:00:48,000
Robert M. Lee [00:17:56]:
Good stuff, good stuff. What Morgan and Rob and them did over there was fantastic and it was really that polypride partnership to go amplify it out. Now it’s on the asset owners to do something about it, but the information’s available and yeah, being left a boom.

49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:18:09]:
Is a nice place to be and rare so. And again, disagree with me. If you can exploit, you can attack.

50
00:00:49,000 –> 00:00:50,000
Robert M. Lee [00:18:20]:
If you can exploit, you can attack. But you may not be able to.

51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:18:22]:
Hear it, but you may not necessarily have. This provides the consequence.

52
00:00:51,000 –> 00:00:52,000
Robert M. Lee [00:18:27]:
Exactly. Exactly what? And this is, this is the scary part. I’m usually not this hype fud person, like let’s just stay focused. But here’s where it gets really terrifying. In it we saw a clear, we see a clear trend all the time that state level capabilities eventually proliferate to lesser states and non state actors, criminal networks and so forth. And one of the big issues with ransomware across the enterprise IT community was the availability of democratize it. Yeah, Cobalt Strike as an example.

53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:18:54]:
Exactly.

54
00:00:53,000 –> 00:00:54,000
Robert M. Lee [00:18:55]:
Used to it was I need to have a malware developer, a vulnerability researcher, an infrastructure person, this, that and the other in a criminal group. That’s hard.

55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:19:01]:
Yeah.

56
00:00:55,000 –> 00:00:56,000
Robert M. Lee [00:19:01]:
Then it was like oh, here’s an easy to use size fits all click capability and all I got to do is have somebody to use it. Oh, okay. And then ransomware everywhere pipe dream is the cobalt strike of ot. It’s right now only in like three locations that we’re aware of in terms of the vendor, the government and that adversary. But if it gets out or if similar like capabilities get developed and proliferate like we have always seen other capabilities do, we’re going to start seeing criminals going, huh, forget ransom in your IT network. I’ll ransom your city, I’ll ransom your port, I’ll take down the portion of electric system until you pay me. And there’s real, real consequence in having non state actors be able to do the type of consequences that state actors.

57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:19:39]:
Rob, not surprisingly you preempted two questions. I was going to say in terms of why it matter. He couldn’t have answered that better. Clearly significant in that respect. Before we jump to good old frosty goop, explain modbus tcp.

58
00:00:57,000 –> 00:00:58,000
Robert M. Lee [00:19:57]:
Yeah. When we talk about that digitization of infrastructure and more, that ubiquitous technology, one of Those is network communications, how systems communicate across the network. And unlike IT protocols, where the point may be the network protocol, in ot, it’s really about the command data in the network protocol. So it’s not, oh, I have this protocol, it’s here’s the value that changed the value to switch it from an open circuit breaker to a closed one. Here’s the value that switched it from a pump that’s off to on, which.

59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:20:26]:
Is a pretty big deal.

60
00:00:59,000 –> 00:01:00,000
Robert M. Lee [00:20:27]:
Now, the ability to have physical impact.

61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:20:30]:
Yeah.

62
00:01:01,000 –> 00:01:02,000
Robert M. Lee [00:20:31]:
And the most common protocol used cross industry is Modbus tcp. And so that was like really the first one that was just ubiquitous and it allows you.

63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:20:39]:
Is that open source?

64
00:01:03,000 –> 00:01:04,000
Robert M. Lee [00:20:41]:
It has open source versions of it.

65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:20:42]:
Yeah, I thought so.

66
00:01:05,000 –> 00:01:06,000
Robert M. Lee [00:20:43]:
And it essentially allows the interaction with that physical equipment in a variety of places around the world, in a variety of industries. So that Modbus TCP protocol had been used by adversaries before for sort of espionage and pulling and polling data. But surprisingly we’d never seen it used in an attck, which is, I mean, it’s really surprising. It’s like the obvious one to use. And so Frosted Gu was that first time we saw Modbus CC be used in an ability to actually impact or turn off systems and be used in an attack. And it’s on the other side of the spectrum of pipedream. Pipedream is this very sophisticated. You hate to give the adversaries credit, but it’s a good capability. Frostygoop is, wow. This is really basic as a technology. This is really underwhelming. And the important part of that is it’s super underwhelming. And it works. It works super underwhelming and it’s effective. And I think sometimes defenders get trapped into is it cool or not?

67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:21:40]:
Yeah, yeah. Same with the US Government. Right. If it’s not stamped with all the compartments, it’s sometimes not.

68
00:01:07,000 –> 00:01:08,000
Robert M. Lee [00:21:48]:
Oh, absolutely. Some of the best was unclassified.

69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:21:51]:
Yeah.

70
00:01:09,000 –> 00:01:10,000
Robert M. Lee [00:21:51]:
Anyways, but and I, you know, it’s about what works and I think we need to be careful of that because most of my time was on the defense, but when I was on the offense in the US government, there was never a point in my career that was like, man, how am I going to impress the defenders today? Like that wasn’t it. It’s like, how do I get the mission done? I got five more to do and I got management to go talk to.

71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:22:09]:
Well said.

72
00:01:11,000 –> 00:01:12,000
Robert M. Lee [00:22:10]:
And so we need to gear up towards what are the adversaries doing and how do we counter them? Not do we appreciate that it’s finesse.

73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:22:17]:
Exactly.

74
00:01:13,000 –> 00:01:14,000
Robert M. Lee [00:22:18]:
And it was the ninth ever ICS malware. So we don’t. We have a lot of ICS adversaries. OT adversaries, but they don’t always have to use malware to achieve their effects. And so when new malware comes along, we need to learn from it. Especially since it’s only the 9th and given that it was the first one ever to use modbus TCP in an effect to cause disruption, it’s something for people to start taking into consideration, going, well, what would that look like in my environment? And it impacts a lot of folks.

75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:22:43]:
And Net net the outcome and the consequence is what we’re defending against and hope to prevent preempt, you know, before we get further into frosty goop. And it’s not to throw buzzwords out here, but the Internet of Things and industrial Internet of Things that is sort of netting together IT ot, is it not for sure.

76
00:01:15,000 –> 00:01:16,000
Robert M. Lee [00:23:06]:
And I think the easy way to. And who you ask a different answer sometimes on this. But the way that I think about it and the way a lot of folks think about it is it is more of like, that’s the mission function. And it may have a variety of technologies in it. OT is that’s the mission function. It may have a variety of technologies. We have printers in an OT environment. Is that printer really just a normal printer? Then it’s like an IT device showing up in an OT network. Is it printing off the manufacturing labels that the manufacturing process gets shut down. If I don’t have those labels, then it’s part of the OT environment. So its ability to impact the mission is more of the qualifier and less of the tech stack. But we’re seeing a lot of IoT and IIoT pop up. And if it’s sort of thinking the classification here, if it’s more of just reading data and that’s interesting, then it’s like, that’s fair game. Yeah, go for it’s Iot. If it’s, oh, I’m taking the values off that smart sensor and then feeding it back into a control loop to have a temperature change inside of a combustible process. Well, now that’s ot, and it might be an IIOT device, but it’s important.

77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:24:06]:
And not to go adrift. But we talked water energy. What about advanced manufacturing? I mean, this is all over because at the end of the day, it pumps or pumps or pumps.

78
00:01:17,000 –> 00:01:18,000
Robert M. Lee [00:24:17]:
Absolutely. And fabs and microchips and all of that. And I think a lot of folks think Their intellectual property is stored in their enterprise IT networks only. And the reality is the most interesting parts of your intellectual property are usually in how you’re doing something. Not the recipe. Recipes can matter, but it’s usually in how do I take Coca Cola would say, yeah, Coca Cola would depend it, but even KFC would care. But at the end of the day, usually it’s how do I take cheaper quality inputs and make higher quality outputs? And the way I gear and implement that manufacturing process, the way that I can develop certain, you know, micro technologies and nano chips and yeah, interesting things that happen in Taiwan and other places, the how you do it is actually way more interesting. And so not only can you do physical consequence and disruption, but you can also do intellectual property theft. And what, what U.S. government has been concerned about for a while too is in advanced manufacturing and also in sort of civilian owned, government operated or vice versa, infrastructure, could an adversary not disrupt, not steal, but manipulate? Could a munition that I’m supposed to get a 0.5% failure rate on actually be manipulated to have a 6% failure rate? And what does that mean in terms of combat? And so there’s very interesting scenarios when it comes to advanced manufacturing and I’m.

79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:25:34]:
Glad you kind of brought that up because at the end of the day, cyber is its own domain, but it’s an enabler to pretty much everything else. It enhances lethality, it improves collection, target selection. Like since you brought up Taiwan, and I hope you don’t want to roll that back, but let’s get into a discussion around not only Volt Typhoon, but let’s start with Ukraine and some of the lessons you’ve gleaned there. I mean, that was the first Rubicon I was aware of in terms of a cyber attack that had a physical consequence and took power offline twice. People normally forget the one. Second year.

80
00:01:19,000 –> 00:01:20,000
Robert M. Lee [00:26:21]:
Yeah, the second year was scary.

81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:26:22]:
It was actually scarier. Yeah. So what are your thoughts there and what insights can you share?

82
00:01:21,000 –> 00:01:22,000
Robert M. Lee [00:26:28]:
So 2015 was the first ever cyberattack takedown. Richard Power, to your point, in Ukraine, I always remember it easily on the date and all because right before Christmas, right before Christmas. And I got married that morning.

83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:26:41]:
Oh no.

84
00:01:23,000 –> 00:01:24,000
Robert M. Lee [00:26:41]:
And I got the phone call and it was, we need your help. Because I just got out of the military, but I knew all the folks over there and been training at Sands and so forth, and I got the call saying, hey Rob, can you come and respond and help us? We had a cyber attack, took down the power and I was like, it’s probably squirrels, man. I hung up. I was like, I’m not interested in this. I’m getting married. And then I got a secret.

85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:26:59]:
Squirrels. Yeah.

86
00:01:25,000 –> 00:01:26,000
Robert M. Lee [00:27:00]:
And I got a phone call from Mike Asante and he was like, no, dude, it’s real. I was like, let me wrap this wedding up, by the way.

87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:27:05]:
Yeah.

88
00:01:27,000 –> 00:01:28,000
Robert M. Lee [00:27:05]:
Yes, indeed. And so I ended up getting involved and helping lead the investigation. And there was a couple interesting takeaways. Number one, the adversary didn’t do anything sexy. Cool, whatever it was. Let me run an effective operation to use native functionality. If an operator can open up a circuit breaker to de energize the substation, so can I. How do I take down 66 or so substations across Ukraine to deny power to, you know, 250,000 plus customers in the dead of winter? And they paired up with information operations to scare the public at the time of sort of the Ukraine and Crimea and Russian crisis.

89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:27:40]:
And, and I think it was a signal.

90
00:01:29,000 –> 00:01:30,000
Robert M. Lee [00:27:42]:
It was absolutely.

91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:27:43]:
To us.

92
00:01:31,000 –> 00:01:32,000
Robert M. Lee [00:27:44]:
They talked about it publicly. And it was also a bit of a challenging because the US Government and others were always like, oh, critical infrastructure, red line, it’s off limits. Civilian infrastructure off limits. They’re like, is it nothing happened next time nothing happened. And I was like, okay, yeah. And, and so actually that’s a great deterrence.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:28:00]:
We, you and I have had many discussions, a lot. We’ll spare our audience for that.

94
00:01:33,000 –> 00:01:34,000
Robert M. Lee [00:28:04]:
But that’s a good, that’s a good beer conversation. But either way, they just used the native function. It wasn’t what all the IT security stuff was worried about. It was what the operators and engineers had been saying for years. They were right in terms of what these attacks would look like. The other thing is our response. And without the deterrence discussion, the IT security community looked at that went, oh yeah, if they would have just patched, if they would have firewalls, if they would have done this, it would have been fine. I was sitting there and I’m like, what, what instant response did you do? Because I was there and they had all that. And that wasn’t the point. And so that’s that bias thing sort of standing out. 2016 is what scared me. And it didn’t get much attention at all.

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:28:39]:
Very little.

96
00:01:35,000 –> 00:01:36,000
Robert M. Lee [00:28:39]:
And so in 2016, the adversary had taken all that they had learned in 2015, and I estimated there was probably around 30 adversary operators involved in that operation. And they took that knowledge of 30 experts and codified it into a software package that we’d called Crash Override. And they deployed it in Ukraine in 2016 at the transmission level. And because it was only an hour outage, nobody like, really reported on it. But it’s a three times the power loss of all that happened in Ukraine 2015, because it was at a transmission level. But here was the piece that people missed. The adversary was not trying to cause an hour outage. What the adversary did is they had learned the response of the humans of Ukraine.

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:29:15]:
Exactly.

98
00:01:37,000 –> 00:01:38,000
Robert M. Lee [00:29:16]:
And they said, okay, well, we’ll build that into our attack. And so what they had done is they had intended to take off essentially protective equipment that when the outage occurred, the operators would have gone to the response plans to reconnect the equipment. But it would have been reconnected under load, and they wouldn’t have known it, which means energized, which means they would have burned out their transmission equipment. They would have had six months plus easy of outages across major portions of Ukraine. It would have been a true physical component of that. But the adversary made a tiny coding error. I mean, it would have worked, but it was a tiny coding error. So it was just an hour outage instead. But that malware still works at any transmission system in the world.

99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:29:55]:
And to foot stomp that point, there were other diversionary attacks at that time. Right. So maybe it was also just to test their ability to respond in the event of what we’re seeing play out now. But I’d be curious why we haven’t seen more of that.

100
00:01:39,000 –> 00:01:40,000
Robert M. Lee [00:30:11]:
Yeah, well, there’s a lot that’s going on in Ukraine. Not all of it’s getting reported, some of it physical. And there’s stuff that happens around the world a lot of times. You know, it’s not always the boogeyman. But there’s a lot of stuff that. That will get called into that publicly will be like, oh, it was a malfunctioning or whatever. I’m like, why were we there responding anyways? But on that point, I think it’s an interesting one to make because I get in these conversations with US Generals and policymakers, and they’re like, we’re the best in the world. I’m like, okay, man, I’m red, white and blued up. Don’t get me wrong. But there’s only one state actor that’s consistently gotten experience doing this. Like, we’ve been able to do lots of operations, develop capabilities, and we have really smart people. But there was. We track now 22 state groups that target industrial control systems around the world. And a portion of those are operating out of Russia and doing operations in Ukraine. And when you look at that, those groups, they used to do things globally and now they’re all ISR on in Ukraine in focus. But when that war ends, they’re going to go back to their original target sets with a whole lot of experience. And I think that’s something to try to forecast.

101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:31:11]:
You know, that’s well said and I couldn’t agree with you more in that respect. And that gets to a much more complex set of discussions around proxies. Who’s the puppet, who’s the master safe havens, how do we actually get, how do we touch the limited arm of the law in certain areas? And just had an op ed on that designating state sponsors of cybercrime in part of the safe haven.

102
00:01:41,000 –> 00:01:42,000
Robert M. Lee [00:31:41]:
Well, I was really happy to see the. We did the OFAC against the TRISIS actors which was huge. Yeah, it was the first time we’d seen that.

103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:31:48]:
I was like, okay, so let’s talk fast forward to where we are today. And yes, there’s so much more going on than meets the eye. And quite honestly, cyber can also be used to enhance the kinetic attacks that Russia clearly, I mean they’re blanket bombing. Physical or cyber, it doesn’t matter if it has the outcome and the consequence they’re seeking. But anything surprise you there?

104
00:01:43,000 –> 00:01:44,000
Robert M. Lee [00:32:15]:
Honestly, it’s everything we’ve been talking over years of. We’re going to see cyber enable physical. We’re going to see physical and then follow up with cyber. We’re going to see cyber also be used from an information operations perspective to amplify. I think the only thing really surprising is how normalized we’ve made it all like, yeah, it’s happening, but it’s over there. It’s like, God, why is this not every conversation?

105
00:01:44,000 –> 00:01:45,000
Frank Cilluffo [00:32:37]:
Isn’t that a movie coming soon to a theater near you?

106
00:01:45,000 –> 00:01:46,000
Robert M. Lee [00:32:40]:
Yeah. Everyone thinks that the Internet works where it’s on the other side of the world and like that’s quick, it gets to you quickly. And I. And in government circles there’s some that are paying attention, but there’s others that it’s like, yeah, so that’s happening. But what about AI and quantum? But what about what’s current?

107
00:01:46,000 –> 00:01:47,000
Frank Cilluffo [00:32:53]:
Whatever, the shiniest object. Yeah, yeah, yeah, no, you’re absolutely right. Let’s transition to Volt Typhoon. Yeah, that was Taiwan. And I mean when you’re talking about pipe dream, if you can access and have the pre positioning in time of crisis or escalation or signaling to deter, dissuade or compel in action, pretty big deal. Right, yeah.

108
00:01:47,000 –> 00:01:48,000
Robert M. Lee [00:33:23]:
The weather forecast isn’t very sunny. So I think as I talk to asset owners and operators and CEOs, there’s a lot of them are going, what’s different about this one? We’ve been hearing from the US government for years, our NATO allies about China about pre positioning malware. And to some extent the US government through various administrations had lost the interest of the U.S. critical infrastructure community by leaning in too much on the there’s malware laden across the grid and then the grid operators are going great, show us where. Like well we don’t know where. And they’re like well stop saying it then you’re scaring our people. You just, if you know where it is, say something, we’ll fix it. But if you don’t stop getting in the Washington Post, New York Times talk about it. And so they sort of lost some folks in that way. And so when Volt Typhoon came up and everyone’s going hey, this is important. A lot of, there was a lot of folks are going yeah, yeah, more of the same. And we’d work some of these instant response cases and we tracked the sort of the OT offshoot as Volt site and what we, what we saw was verifiably different. For a long time these groups that would go after power companies and public attribution to China and so forth would be almost spray and pray. I mean what power companies can I get? And if I got them, how do I embed in the enterprise AT networks and is OT a thing, you see that the adversaries didn’t quite get it. This we are seeing very strategic target selection of very interesting power sites. Not just the biggest ones that would show up on a map, but the ones that you know are important to certain critical mission functions to deploy forces, project power. You can have a small distribution substation support your entire ability to put troops in South China.

109
00:01:48,000 –> 00:01:49,000
Frank Cilluffo [00:34:53]:
Roger that.

110
00:01:49,000 –> 00:01:50,000
Robert M. Lee [00:34:55]:
And, and they’re getting into the OT networks and they’re stealing the right information. They’re not just cool, what can I grab? It’s the right engineering drawings, it’s the right human machine interface screenshots. It’s the right information to develop their own capabilities to do kinetic. And so it’s not espionage. It is very clearly the type of activity used to pre position and develop capabilities to do disruption at the right targets. And that’s obviously very concerning, especially in the context of Taiwan.

111
00:01:50,000 –> 00:01:51,000
Frank Cilluffo [00:35:19]:
And are we doing enough to rooted out the companies? And I know that’s an unfair question.

112
00:01:51,000 –> 00:01:52,000
Robert M. Lee [00:35:26]:
No, I don’t, I don’t think it’s actually unfair. And, and so this is where I.

113
00:01:52,000 –> 00:01:53,000
Frank Cilluffo [00:35:29]:
Don’T want to be unfair, but this isn’t science fiction. This is happening.

114
00:01:53,000 –> 00:01:54,000
Robert M. Lee [00:35:32]:
I’ve spent years testifying to Congress defending the asset in our community. And so I’m comfortable to go. No, y’all could do more sometimes too. And so we should not distract our operators with the next shiny object. What do you like? We have testimony. The last testimony I gave one of the Congress, like, what is the water sector doing about quantum encryption? I was like, y’all, they need a firewall. Stop this.

115
00:01:54,000 –> 00:01:55,000
Frank Cilluffo [00:35:51]:
Yeah, yeah.

116
00:01:55,000 –> 00:01:56,000
Robert M. Lee [00:35:51]:
And so we don’t want to distract them with silliness, but when we know this is what it looks like and this is how it operates and you’re not prepared, we should be calling that out. And if you look at some of your major electric companies and I should actually, I shouldn’t say it that way. When you look at power companies that have been paying attention and putting the resources to play, which they’re small, medium, large, that do that, they are winning. One of the cases that we worked, Volt Typhoon broke into this mid sized electric utility and for over 300 days been trying to get into the operation inside of the house and failed because that team had been putting in the right security controls, have been listening to the guidance and doing the journey.

117
00:01:56,000 –> 00:01:57,000
Frank Cilluffo [00:36:29]:
There you go.

118
00:01:57,000 –> 00:01:58,000
Robert M. Lee [00:36:30]:
But for all the others that aren’t, I think that is negligent at this point because you can own risk inside of your company, no questions asked. The moment it goes outside your fence line, impact, that’s not risk that you get to go. I don’t care about it. And so again, if they’re not going after and doing security against made up scenarios, God bless them. But if they’re looking at real intel and real insights and going, I don’t want to, I don’t do anything about it. That to me is shameful.

119
00:01:58,000 –> 00:01:59,000
Frank Cilluffo [00:36:58]:
Yeah, yeah, I couldn’t agree more. And that gets to a discussion that I’ve been a little bit of a broken record. Long on nouns, short on verbs in terms of the public private partnership. But there are some successful initiatives and I’m a big proponent of operationalizing all of this, whether it’s Project Fortress out of treasury, whether it’s JJCDC out of CISA or whether it’s the CC out of some of the work you’re seeing come out of the Fort Meade. Any thoughts there? Since you and I both been around this issue for a while, I continue.

120
00:01:59,000 –> 00:02:00,000
Robert M. Lee [00:37:37]:
To amplify the fact that the people that Sign up to serve in civilian or uniform clothing in the government ought to be praised for doing so. So it’s usually not an easy job. It’s usually not the highest paying jobs. So they are good people.

121
00:02:00,000 –> 00:02:01,000
Frank Cilluffo [00:37:49]:
And you only get recognized when something goes wrong.

122
00:02:01,000 –> 00:02:02,000
Robert M. Lee [00:37:52]:
Exactly. And there’s some good wins happening. Don’t get me wrong. That being said, there is bureaucracy and policy structure limiting, very clearly limiting success in a way that is equally shameful. As we talk about the asset owners operators as an example there, we know there are things that work and things that don’t work. We know there’s technologies that work and don’t work. We know there’s processes that work and don’t work. And the US government is incapable of getting out and saying, here’s what works and what doesn’t. And you go talk to any of them at any senior level and they go, wow. But Rob, we don’t want to pick winners and losers. Like what? We don’t give perception. I’m like, guys, I’m not saying you like this vendor better than that one.

123
00:02:02,000 –> 00:02:03,000
Frank Cilluffo [00:38:29]:
Exactly.

124
00:02:03,000 –> 00:02:04,000
Robert M. Lee [00:38:29]:
I’m saying if you were to say this thing works or this strategy works, or this type of technology work, or this thing works in this use case, can you do that? Ooh, we’d get a cease and desist letter. I’m like, but did you break a law? Well, no, but what’s the issue? Well, but the perception, it’s like, oh God, we don’t have time for perception. You can’t talk national security the way that you do it and then cry over perception. And so I see the day to day work happening in some of those groups and I go, man, that’s awesome. And then I see the fear of saying anything in those circles by government. That JCDC is a good example. It set up with all the right intent, had a lot of good stuff going on. And the vendors would send their security analyst and then the government started sending like lawyers and the analysts were like, we’re here to share.

125
00:02:04,000 –> 00:02:05,000
Frank Cilluffo [00:39:13]:
Exactly.

126
00:02:05,000 –> 00:02:06,000
Robert M. Lee [00:39:14]:
We need technical counterparts. We know you have them. And they’re like, yeah, but we need to be careful about what we say with who and whatever. It’s like, it’s not classified. We’re talking about open source stuff. Yeah. But again, what if we give it to this vendor and this vendor set? And it’s like, oh my gosh. And so I just, I can’t have a serious conversation without acknowledging that we’re hurting ourselves because we just don’t want to do something and we’re fear of the perception.

127
00:02:06,000 –> 00:02:07,000
Frank Cilluffo [00:39:34]:
And you know, one of the. And please disagree with this as well. But I notice when we have a rallying crisis to respond to, these things work great. But it’s in the day to day, which is 90% of it. Right. I mean, you sort of mentioned actually using these tools. You got to put the reps in if you want to be a better.

128
00:02:07,000 –> 00:02:08,000
Robert M. Lee [00:39:57]:
It’s workshop focused, the ccc. And maybe this is my NSA bias, but I love them to death. Work very closely with them. But when do we work together? When there’s something.

129
00:02:08,000 –> 00:02:09,000
Frank Cilluffo [00:40:06]:
When there’s something.

130
00:02:09,000 –> 00:02:10,000
Robert M. Lee [00:40:06]:
It’s like, let’s show up to an every Thursday meeting now.

131
00:02:10,000 –> 00:02:11,000
Frank Cilluffo [00:40:08]:
But what does it look like in the days of. If there were such a thing as pipe dreams.

132
00:02:11,000 –> 00:02:12,000
Robert M. Lee [00:40:14]:
Yeah, but a pipe. Oh, and okay. Days of peace. Yeah. It shouldn’t. It’s okay to say I don’t have anything to say when you have a meeting. Yep. And that’s on like those work groups now. That’s a different discussion on wartime planning and scenario planning and things like that. And I think there’s a whole exercising function of what does that look like? I remember, and I’ll keep the names out of it for a variety of reasons, but I remember there was an event that took place that there was a serious concern that we were going to get kinetic with a strategic adversary. And I got called in by some senior folks with Dimitri alprovich over at CrowdStrike at the time and Kevin Mandia, legendary, awesome Kevin over at Mandia. And the question was, all right, Kevin, Rob, Dimitri, we’re going to not worry about this perception stuff. We know it’s your three firms that are getting called in. The critical infrastructure tax, Mandiant and Crosstrek and all the IT stuff and all the OT stuff. Dragos is going to be all. And this event happened at 5:23 this morning. And we’re thinking we’re going. And I’m just making up the 523, but we’re thinking we’re going. We got to give the president options. And so we need to know, what do you need? Because we expect blowback on critical national infrastructure. What do you need from us? I was like, respectfully, a call six months ago, like, there’s nothing today that we’re gonna magically learn to work together and figure this out. And so this idea that you can just like flip on a cyber switch is honestly ridiculous.

133
00:02:12,000 –> 00:02:13,000
Frank Cilluffo [00:41:34]:
Yeah. And. And it’s not just a cyber switch. It’s a switch. Because at the end of the day, cyber is a Means and the people.

134
00:02:13,000 –> 00:02:14,000
Robert M. Lee [00:41:42]:
Working together and the, and the, hey, the collaboration. That’s why I get excited about these projects. Pipe dream comes out and it’s CCC analysts with Dragos analysts and the CISA folks and they get to know each other.

135
00:02:14,000 –> 00:02:15,000
Frank Cilluffo [00:41:52]:
Yeah. And you don’t want to be exchanging business cards when the balloon does go up. Right. Or the bomb goes off or whatever. Bad analogy I can come up with. Hey, let’s talk Singapore. You just did that long flight and they did just launch and update a. I think they call it a master plan. I always get concerned about master plan, but that’s okay. But a master plan around ot.

136
00:02:15,000 –> 00:02:16,000
Robert M. Lee [00:42:22]:
So them, I love them. So I get, I get to, for whatever reason, I get to work with governments around the world and a lot of times it’s okay. All right, happy to support you. If you, if you get it right, good on you. But you know, kind of from the offset that they’re not taking it seriously or whatever. Singapore years ago contacted me and said, look, we’ve taken a lot of your training. We’re, we’re partners of the sands. Do we see it? Singapore is OT. Yeah, like we’re an island country of like 5 million people. It’s ports, it’s water, it’s electricity. And goes down. Like if it goes down, we’re done. And we are a target and of geopolitical interest. And they’re like, so OT security is national security of Singapore. And I was like, okay. I was like, sure, sure. And they’re like, no, seriously, we want to convene a group of OT experts. And so they called it the OT Cyber Expert Panel OT sep. And we’re going to put real resources on this and it’s going to be a minister level thing. I was like, okay. And they said, we want you to be on it and help pick out, you know, who’s going to be here and so forth. And so we put together this group and it kicked off official. The first one was four years ago and they had the Master Plan 1.0. And it wasn’t here’s 30 things we want to do. It was here’s four thrusts, here’s four efforts. We want to go influence the community to do. We don’t expect that we’re going to pop bottles of champagne called Mission accomplished in a couple years. We want to start the community on those where you get it to a good place and then we’re going to start the next. And they wanted to run it out of the cybersecurity agency. So kind of their CISA equivalent who also has regulatory authorities. And they said, look, we’re going to, we’re going to lead this up. So Minister Josephine Tiao got involved. So she’s reports to the Prime Minister and she under her is David Koh, who’s the CEO of csa, who’s a rock star, he’s amazing for background, military intelligence, everything, real sharp dude. And then rallied all their folks on them and said, look, csa, we’re going to take these OT security experts, they’re going to help us form a strategy and we’re going to work with the regulators and everybody else and we’re going to do it. I was like, okay, well let’s see. I got to tell you, four years later it’s working. And so this fourth one has got back from, has gotten to the place where it’s this Master Plan 2.0 where they say, look, those four thrusts, we’re not saying mission accomplished but keep doing those. But here’s this updated view of where now we also need to layer on this additional four kind of efforts and they’ve worked to put regulation that’s actually outcome focused, not prescriptive, but it’s actually performance based outcome focused on saying, hey, OT is different, let’s take a look at it. And I think they’re having a real.

137
00:02:16,000 –> 00:02:17,000
Frank Cilluffo [00:44:42]:
Impact, good on them and important for the US to participate and lead on some of these.

138
00:02:17,000 –> 00:02:18,000
Robert M. Lee [00:44:49]:
We see regulations out of the US that work and those that don’t and there’s a very clear line between them of is it outcomes focused or is it prescriptive? And there is no prescriptive regulation, especially ones where the regulator talks at the regulated, that’s worked. I give a lot of credit to TSA for showing up and adapting. But that original version of TSSD2 to the pipeline sector with a 24 hour heads up sector where it regulates you, that’s not what success looks like. And so it looks more like what TSA did on the update of well, here’s the outcomes we’re trying to solve for you. Tell us how to solve for them. We don’t know how to operate a pipeline. You tell us how to operate pipelines, we’ll tell you why we care and what we’re trying to accomplish. I think Singapore took more of that.

139
00:02:18,000 –> 00:02:19,000
Frank Cilluffo [00:45:30]:
Focus and I think it’s small enough that it’s manageable because there are countries that I always say punch above their weight. Singapore, Estonia, Israel. These are small countries but they kind of live in tough neighborhoods. They don’t have a choice. Right? The Failure is not an option.

140
00:02:19,000 –> 00:02:20,000
Robert M. Lee [00:45:49]:
It’s small. And that’s the failure is not an option. So that whole perception thing I was talking about, they’re like, I don’t care. Flips csa. Years later, did a partnership with Dragos and. And they government level one of like, hey, Dragos is our national strategic partner on this topic. I was like, guys, like, there’s no contracts involved in that. Like, aren’t you gonna get in trouble or whatever. And like, what are you talking about? You’ve shown up here. We’ve worked with you for years. The others hadn’t your. Your fit these capabilities. If the others want to be involved, if they’re this tall to ride the ride, they can do so. Otherwise, you’re a partner. And I think those small countries that have the IT matters and conflicts coming, go, forget your perception. We got to do something. And it. It works.

141
00:02:20,000 –> 00:02:21,000
Frank Cilluffo [00:46:27]:
And I actually am a big proponent of their labeling concept as well. So sometimes they’re. They’re there. They are ahead of the curve, which is. Which is good to see. Hey, anything on the recommend? So what should OT owner operators and just those that are impacted by ot? What. What are some steps they should be taken right now?

142
00:02:21,000 –> 00:02:22,000
Robert M. Lee [00:46:49]:
Yeah. So Tim Conway and I at the SANS Institute wrote a paper called the five critical controls, and we’ll make that.

143
00:02:22,000 –> 00:02:23,000
Frank Cilluffo [00:46:56]:
Available on our show notes.

144
00:02:23,000 –> 00:02:24,000
Robert M. Lee [00:46:58]:
So that years ago, SANS put out the 20 critical controls that was used for the enterprise IT community. And we were always asked, what about the ICS ones? And so we wanted to build it more as a strategy instead of like a specific control. And so we looked at every single attack to ever take place against any OT or ICS systems and just. And the ones we had private access to as well as public. And we just asked the question of like, what controls worked in all of them. Not one off, not theoretical, not 30% of the data, but what worked in all of them. And it was those five. So we put together and said, okay, here’s the methodology, here’s the insights, but here’s the five to take as a strategy that you can then map to this CyberSecurity framework or 6443 or whatever in the specifics controls. And that first control is the one that I would recommend out most. I mean, you got to do all five. But that first control is definitely a place to start. There’s an order reality to it, but it’s a true board level, policy level, whatever one as well, which is you start with an ICS incident response plan. What am I reverse Engineering into all my other that’s unique. Don’t start with the other and go the other direction. Don’t, don’t hope that it all aligns at the end. What does a bad day look like? What data you’re going to need for your SEC 8K and 10K filings? What are you going to need for operations? What are you going to need for safety? What’s the data you’re going to need? The environment, what’s it going to support? What does this look like? And most importantly what are the scenarios you want to plan for? Should a mining company be prepared for the 2015, 2016 electric attacks? No. Is there things we can learn from that if we have spare time and resources? Absolutely. But I should probably start with the things that actually happened in the mining industry or if I’m an electric power company, I shouldn’t be preparing for forward leaning scenarios of what happens if Iran, China and Russia team up and form a super crew. If you got resources, go for it. But start with what did Ukraine 2015, 2016 look like? What did pipe dream look like? Are we prepared to prevent, detect, respond, recover to those scenarios then go do the other stuff. And so setting that scenario level also lets you communicate board and policy levels of what are we trying to accomplish? It’s not well we have these 33 controls and green KPIs. It’s here’s what we as an organization are aligned around. Here’s why, here’s what we’re trying to accomplish. Let’s figure out how to go do that.

145
00:02:24,000 –> 00:02:25,000
Frank Cilluffo [00:48:56]:
And I think that makes abundant sense because it’s cyber, whether it’s ics, whether it’s cyber, whether it’s physical, it’s managing risk at the end of the day and companies and executives know how to do that. On the financial side in this case that, that needs to be part of that. But, but let me ask a very simple question.

146
00:02:25,000 –> 00:02:26,000
Robert M. Lee [00:49:22]:
Sure.

147
00:02:26,000 –> 00:02:27,000
Frank Cilluffo [00:49:23]:
How many companies actual have actually have visibility across their OT systems? I, I think before you can start doing all that you need to know what you got.

148
00:02:27,000 –> 00:02:28,000
Robert M. Lee [00:49:33]:
You need to know what you got, you got to do. Asking visibility. I would say a lot of folks are going down that journey and if you threw the logos on the wall there’d be a lot of logos and companies that we get to work with and so forth but not a lot of penetration in those logos. And so I would, I would estimate that sub 5% of the global infrastructure is actually monitored and which is scary, which is terrifying. And I’ve had to and there’s Some companies getting it right and doing a lot and doing the crown jewels, they don’t need to do 100%. They’re doing all the stuff that matters to them. There’s definitely those companies. But I’ve been in boardrooms where people have been like, yeah, we have have CEOs talking about, we have Dragos, we’re okay, we’ve got visibility. I had to go back and be like, check the box.

149
00:02:28,000 –> 00:02:29,000
Frank Cilluffo [00:50:07]:
Yeah, yeah, yeah.

150
00:02:29,000 –> 00:02:30,000
Robert M. Lee [00:50:08]:
You have us at 1 out of 500 transmission substations. That ain’t gonna cut it. And so I would say the visibility is sorely lacking. And this was, you know, talking learn.

151
00:02:30,000 –> 00:02:31,000
Frank Cilluffo [00:50:18]:
That on the supply chain issues and on steroids.

152
00:02:31,000 –> 00:02:32,000
Robert M. Lee [00:50:21]:
This came up a lot with the NSC when SolarWinds happened and folks were focused on the IT portion of SolarWinds. But SolarWinds was embedded in some really interesting places in critical national infrastructure on the OT side. And Congress was ready to kill the industry over this because Congress’s view, which was actually pretty fair, was we’re going to get punched and prevention is going to fail at some point, that’s fine. But if we tell you exactly what to look for, exactly what the software package is, exactly what the version is, exactly what the network. Exactly, exactly, exactly. And you tell us you still can’t see it and you don’t know what it is, how are we resilient? And so there was a lot of companies are like, we don’t know if we have it on the OT side. And that means that you can’t ever defend anything.

153
00:02:32,000 –> 00:02:33,000
Frank Cilluffo [00:51:01]:
Fair point. And not to bring up SBoM and the like, but the reality is a lot of these are analog solutions to digital problems and we talk about a lot of these things. Actually doing the do is where I think we ought to put emphasis. Rob, what questions didn’t I ask that I should have?

154
00:02:33,000 –> 00:02:34,000
Robert M. Lee [00:51:23]:
No, I think this was fantastic. I enjoyed it. I. I think these are the right conversations that folks are having. Again, what is our risk? What are the scenarios? How do we deal with something about it? I think the policy level, it really is how to accelerate the things that we know work. Before we start talking about the shiny objects, why can’t we just at least openly talk about it? Even if there’s no resources allocated towards it, which there should be, how do we talk about it? I don’t mean to be too promotional, but we launched a program called Community Defense, which was if you’re a water, gas or an electric company under 100 million in revenue, just take our technology and stuff for free forever. So just let’s get it done for the community. And I have conversations with the government on, hey, I see promoting a lot of stuff. There’s no money aligned on this. Can you say something about it? Like perception?

155
00:02:34,000 –> 00:02:35,000
Frank Cilluffo [00:52:07]:
Well, you had a great piece in cnn. We’ll make that available on the show.

156
00:02:35,000 –> 00:02:36,000
Robert M. Lee [00:52:11]:
Notes I think the questions are good. I think the result is we know what to do. We don’t need to come up with the next gen thing. We know what to do. Let’s just go do it.

157
00:02:36,000 –> 00:02:37,000
Frank Cilluffo [00:52:19]:
Rob, thank you for spending so much time with us today. Thank you. I hope you’ll agree for being a friend. Thank you for continuing to fight the good fight.

158
00:02:37,000 –> 00:02:38,000
Robert M. Lee [00:52:28]:
Thanks for all your work over the years.

159
00:02:38,000 –> 00:02:39,000
Frank Cilluffo [00:52:29]:
Most importantly, leading.

160
00:02:39,000 –> 00:02:40,000
Robert M. Lee [00:52:30]:
You gave me a lot of, like, kudos, but I’ve seen you in all the same conversations, so thank you to you as well.

161
00:02:40,000 –> 00:02:41,000
Frank Cilluffo [00:52:35]:
Keep fighting the good fight indeed. Thank you for joining us for this episode of Cyberfocus. If you liked what you heard, please consider subscribing your ratings and reviews. Help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.

Related Content