
Robert Lee: Solving the Industrial Controls Security Challenge


With state-sponsored cyber attacks on the rise, how can we protect the world's most critical infrastructure and the industrial facilities that underpin national economies?

On this week's episode of The Secure Communications Podcast, guest Robert Lee talks about solving the industrial controls security challenge.

Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and insecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what's new and what's next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.

In this episode

Robert Lee is a pioneer in the field of industrial controls security.

From his roots in the Air Force and the National Security Agency, where he carried out some of the earliest cyber intelligence missions aimed at preventing state-sponsored attacks on critical infrastructure and industrial sites, Robert went on to found Dragos, an industrial cybersecurity company that focuses on operations technology for industrial control systems.

The organizations that rely on industrial controls span a wide variety of industries, from data centers, to utilities, manufacturing, transportation, real estate and more.

In this episode, Robert shares his insights on the magnitude of the industrial controls security problem, the impediments standing in the way of a solution, and what he sees as the way forward in a world where cyber attacks continue to increase in frequency and sophistication. 

Listen, watch, or read

Want to learn more about Robert's perspective on what it will take to secure industrial controls?


Read

Kathleen (00:05):

Thank you for joining today's episode of The Secure Communications Podcast. I'm your host Kathleen Booth. And today my guest is Robert Lee, who is the CEO and founder of Dragos. Welcome Robert.

Robert (00:17):

Thanks for having me.

Kathleen (00:18):

Yeah, I'm really excited to have you here. I've been following Dragos for a while and following what you've been doing. I nerded out and read a few books that you were mentioned in so we can get to that. But before we get into the topic at hand today, for those who might be listening and maybe aren't as familiar with the company or with you, could you give some background on what Dragos does and also your story, how you wound up founding the company and how you got to where you are today.

Robert (00:48):

Yeah, sure. So Dragos is an industrial cybersecurity company, so that means we focus specifically on operations technology for industrial control systems. Those that would be found in anything from data centers, the electric infrastructure, oil and gas manufacturing, things like that. Specifically we're a technology company, but it is my core belief that the best technologies are made by the best people. So we also have a services team that's always going to go get good insights and expertise so that's back to the product. And then we also have an Intel team that can track the adversaries and keep our customers up to date. As for myself, I started out on the Air Force side of the house for a couple of years. I was there. Most of my time was spent over at the National Security Agency.

Robert (01:34):

I was kinda like loaned out to them and passed off to them doing various cyber and intelligence missions. The one that got me most interested, and I sort of was already interested in industrial control systems. I'm not an engineer by trade at all. But I spent time in Cameroon dealing with wind turbines and water filtration systems and similar, and I was always kind of enamored by control systems. And so I ended up building out a mission there and looking at various states breaking into ICS or in these industrial sites, which little known to me was not being done at the time. So it was kind of a first of its kind mission set. And what I kind of took away from that was really questions about visibility and collection requirements and telephones analysis on broader topics. And it just, it was all very, very exciting. But also kind of resonated with me on a personal level as you think about military and why you joined that.

Robert (02:25):

A lot of folks join on this belief of service before self and trying to serve your communities. And what I found with this topic of industrial systems was there was nothing more offensive to me. I mean, nothing that's sort of hurting more of a community than people going after civilian infrastructure. You know, like the lowest of the lowest kind of discussion there. So I ended up dedicating my career to it. I got out of the military when they put me on the offensive side of the house. And I wasn't a really huge fan of that. I think everybody should stay out of everybody's civilian infrastructure. And then I ended up founding Dragos. And as much as I would love to just centralize talent and similar, I think the way that you make these problems scalable is technology. So it's gotta be a combination of people, process, technology. So that's where we are today.

Kathleen (03:15):

I love your story and it really resonates personally with me because funny enough, way back in my professional history, I spent the first 10 or so years of my career doing something totally different. I used to do work in international development consulting and I specialized in public private partnerships for the management of water and wastewater utilities in the developing world. So I went to 54 countries, lots of countries in Africa. Basically by definition any place where the water was dirty is where I would go. And I spent a lot of time touring those facilities and I spent a little bit of time in some other utility areas as well, but my heart was really in water. And so, I totally agree with you, especially, you know, here in the US we're very fortunate that we have 24/7, in almost every place, 24/7 access to clean water.

Kathleen (04:06):

But so much of the world that is not the case. They might have a few hours a day, they might not have it at all. You know, and you're talking about people's basic health and their ability to lead their lives. I could go on and on. I mean, it affects everything from like, one of the reasons a lot of girls don't go to school throughout some of the developing world is it's their job to get the water for their family so they can't get an education. So the, the ripple effect of not having access to basic infrastructure and services is tremendous. Obviously, the canvas of that across the world is different, you know, in the US versus some of these countries.

Robert (04:42):

I think you're spot on though. And then, and then the audacity of somebody to come along and make that harder through their actions, you know, like to be an adversary and create capabilities. I mean I just, yeah, the, the point about a young girl not being able to go to school I think is very poignant. And, then again, you have somebody on top of that that's just complicating things like just, I don't know, it's a level of asshole nature that I'm happy to not have to deal with in life.

Kathleen (05:16):

There's a special place in hell for people who take advantage of those things. So when it comes to, I guess I want to start by asking you one question, because when we first spoke, you mentioned something that I thought was interesting where you said, I take issue with the fact that people lump industrial control security in with IoT. So can we start there and can you explain like what is, what is it about ICS that makes it its own category?

Robert (05:41):

Absolutely. This probably seems uber pedantic to like argue about lexicon, words and definitions, but I think it's really important and I think if we're going to have a professional practice, we're gonna have people that are dedicating their careers to learning and being professionals, then words' meaning matters. Very important. And what IoT is on one hand, as you deal with organizations that have security cameras and IoT type devices like Alexa, you know, they are definitely challenges worth looking into and I think they have their own place. And right. What I've seen is that IoT gets broadly applied to operations technology or ICS, not because of an understanding of IoT specific drivers and requirements, but as a catch all of, well, I don't understand that stuff in the plant. So it's just all IoT.

Robert (06:37):

So it's not only inaccurate but sometimes even if not maliciously intended, it comes off as very dismissive when in reality that water plant, that manufacturing side of the house, the gas turbine, like that's why your business is there. Like that's generating revenue for that company and also doing the service to the community. But, to go, without being pedantic about it, to go one step further, operations technology deals with physics and it deals with the world around us. And so the way that I want to deal with that is going to be different. And to say it very cleanly, the mission in industrial is different. The threats we face are different. The systems and the communications are different, the risks are different. Therefore, the strategy and the way that we approach it needs to be different. And I think a lot of people go, well, they're just embedded systems sometimes. Or maybe it's just Windows software anyways.

Robert (07:25):

And that misses the whole point. It's the mission and the risk to them and what you have to actually deal with them. And I've joked before, but somewhat seriously that, but the moment we compare Alexa to a gas turbine, we're all gonna die. You know, like we do need to keep those things a little bit differentiated and protect them differently. So to me, operations technology is, if anything, a broader category as it relates to the systems, computers and parts and similar around the world that are dealing with physics and the mission and yeah, it needs to be treated differently.

Kathleen (07:59):

So this obviously is an incredibly, it's an area of incredible strategic importance for, you know, for individuals in their daily lives, but all the way up to nation states. You know, when you think about electric power grids and, and you mentioned natural gas and water, this goes right to the heart of the issue of national security. Given the strategic importance of operations technology and industrial controls, why is this not something that has already been solved? What is it about it that makes it so difficult to solve?

Robert (08:33):

Oh man, that's a good question. So I think it's a lot of things. So one part is the education of the topic of what is the real risk? Is this worth investing in? Do we have a problem? And I think when we look at the industrial security community, you know, even dating back to 1998 when it was like PDD-63 from President Clinton saying, cyber attacks can happen on electric infrastructure and we should think about this. That was, you know, well over 20 years now that we're talking about cybersecurity with relation to industrial, but I don't know that a lot of folks had the visibility, in fact they didn't have a lot of visibility or insight into what was happening in the operations technology environments. We'd hear about breaches at like Dow Chemical or others and like the APT1 case is a really good example.

Robert (09:23):

No one had ever talked about, well, was there anything on the ICS side? Was there anything in the operations networks? It was always, it's data loss at the company. So hyper focused on enterprise security. So to just shorten the answer, I would say the first problem we've had is getting visibility on the problem and having the right people, process and technology to get into those networks to even see the problem first. It has been a long struggle actually. I would say probably until 2014 and 2015 it wasn't even really feasible at scale and that's just when like the market started picking up on the technology side. On the second challenge, I think there's also been a longstanding debate of who owns the problem. Should governments protect companies against state actors or are the companies on their own? And honestly, the narrative gets spun and it's confusing. I've seen many government representatives saying onstage, when you have an attack, call me, we're here for you.

Robert (10:19):

Hey, we will provide you intel. We will provide incident response. We will do this for you. But what the government means as an attack is not the same thing that private sector usually means as an attack. They mean, hey, when the lights go out across the Eastern Interconnect, we're probably going to war. Let us know. We'd like visibility but not, hey, you're broken into and your property was stolen off the manufacturing lines. You know, even so government, they have a lot of good roles and responsibilities, but they've equally struggled with the cybersecurity issue, talent, people, tech innovation, everything. And what happened long ago was government, right, wrong or indifferent, doesn't matter. You're not talking about intent here. But they abdicated the responsibility on this domain and the private sector picked it up and ran with it. Independent companies, product, services, et cetera, doing a lot of amazing work so they can't really force themselves back in now.

Robert (11:14):

And that's where some of that conversation comes and it goes back to what you mentioned, which it has to be a partnership. We have to take, especially when you look at the United States. I think this is for everybody, most countries, but we have an amazing private sector that's just overflowing with expertise and talent you can't find anywhere else in the world. And the same time you have a government, when it focuses, can be an extremely powerful tool. We shouldn't be doing the who's on first, who's on second. It should be what's the roles and responsibilities and how do we work and play together. And some countries are nailing that. When you look at the work in Australia, when you look at the work in the UK, and there's Norway. When you look around the world, some of the, some of these countries are really nailing the let's play with a full hand by picking the best out of every section that we have versus the debates that sometimes we get a little locked into here in the United States about who owns this.

Robert (12:10):

And then lastly, I know it was a very long answer but lastly I think after the, you know, what's the problem? Who owns this? Then it's how do you actually put a strategy together? And I see a lot of companies making choices around services or products or training or similar without a real strategy. And there's a desire by a number of executives to have a single pane of glass with a single governance strategy. And if ICS is different and our threats are different, and everything else, then your cybersecurity strategy for ICS needs to be different as well. And you can't just have the same patch program or vulnerability management program that you're trying to run on the IT side with one set of values on the operations side, which has different challenges and also may not be that valuable.

Kathleen (12:51):

So how big is the problem? Because I think for a lot of people maybe who aren't really embedded in that world that it could be easy to think that in the US because we're a pretty advanced country that we don't have a huge attack surface or the problem isn't enormous. How big is it really?

Robert (13:10):

Yeah, and this is, this is a good one as well. This is where like the nuance always gets argued. The problem is huge and we're also okay, and like that's the piece that's always confusing to folks. Like you said, the threat's real bad. I'm like, they're real bad, but we don't have to worry about the lights going out anytime soon. You know, like there's a, there's like what, it's almost like conflicting messages and the narrative is, our infrastructure providers have done amazing work and they've made safe and reliable systems even when they weren't doing it for security. So there's an inherent security value in the way that a lot of our systems are just resilient and we have really good infrastructure and our companies have paid attention to that over the years. However, the threats we do face are getting more numerous and far more aggressive and our landscape is changing. You know, the, the different buzzwords get thrown out.

Robert (14:00):

Digital transformation. Industry 4.0, or whatever you wanna call it. But we are getting to a homogenous and hyperconnected world, even on the industrial side. And that changes the attack surface. So that landscape change with the changing threat landscape and the progressive and numerous aspects relates to a position that regardless of all the good work done before we have gaps. And we have real gaps, especially on the cybersecurity component of operations. And so our infrastructure is actually pretty awesome. We shouldn't have people freaking out or building bunkers or, you know, read the Ted Koppel book and, you know, freaking out. But, at the same time, asset owners and operators or infrastructure providers have gotta do a lot more, not because they suck, but because things suck around them.

Kathleen (14:44):

One of the things I thought was really fascinating was, I mentioned when we started that I read a book where you were mentioned and that was the book Sandworm, which I thought was a fascinating read. And the thing that stood out to me from reading that was when it talked about the power grid in Ukraine being brought down, it talked about how because that grid was not as modern as ours, they still literally had like a lever that they could pull and turn it back on again at certain points, you know, because there were still very manual processes involved. Whereas here in the US as you mentioned with digital transformation, we're, you know, it's almost like we've become, we can become a victim of our own innovation in the sense that it is all software. There isn't a lever we can pull like there might be in a place like that. Could you talk about that a little bit?

Robert (15:41):

Sure. So the Ukrainians didn't have as much automation. They do, but it wasn't, it was later in their sort of journey. I think it was like the last 10 years that they really went to much more automation. And you're spot on with the fact that they were able to go back to manual operations in a much better, coordinated way than we would be able to do. So we do have manual operations. We can go back to manual operations and we do this for like hurricane season and similar in different parts for electric infrastructure. You go out to the switch yard and you're literally throwing switches and connecting power to customers. And that can happen but the workforce that we have is not well trained at sustaining that at scale like the Ukrainians who still have that expertise. And the makeup of our electrical infrastructure is different enough that the scale of the problem is much larger for us.

Robert (16:37):

Where a line, you know, a lineman in Ukraine could probably cover six or seven substations. For us, it wouldn't, you know, two or three in that kind of scenario. Not every utility is going to be different on those numbers, but the scale is much worse. And if that experience is leaving our workforce and we are relying a lot more on automation. So I think the natural thing, and I've seen some well-informed congressmen and similar come out and go, well we should go back to manual operations. No, you don't want to go back in time, but we want to understand what we're doing and design compensating controls around it. We want to get the value of automation. We want to get the value of digital transformation. But we want to offset the risk with cybersecurity, but not cybersecurity that's applied from a framework or a checklist, check the box, but to specifically and uniquely understand that industrial environment and what we are trying to offset with the changes that environment has seen.

Robert (17:31):

And I think that's also what makes industrial security pretty difficult. And this is, this is going to come off, I'm going to come off very dismissive now folks when I say this and it's not intended to be, but because of the progress of education and training, and because of the advancement in technology and process, you can be an entry level security person and do a lot of good in the company. And we sort of have this base foundation that a decent security person can be really impactful and everybody can make really wonderful changes and you can do an eight to five kind of job and not have to have your life be dominated by InfoSec. Although many of us do. You don't have to do that. You can have the balance. In ICS security, we don't really have that level of foundation. There's a lot of things to figure out.

Robert (18:22):

There's a lot of nuance to it. Also there really isn't -- we say ICS or OT security, but that's almost a made up term as well just to say not IT. The difference in distribution electric power is way different than upstream, you know, oil and refinery oil work in the oil and gas industry or downstream refinery. So the, the reality, and again, not to be in any way harsh, is you can't just walk in and be contributing to ICS security with the security skills that you have. Many of them can be dangerous in an operations environment or cause more harm. If I told you that you had a vulnerability and I didn't want you to patch it, that would seem like I was being a jerk. But patching the vulnerability on the operations side of the house may not reduce any risk whatsoever, and may introduce more than the way that you're going about it.

Robert (19:12):

Or maybe I find that I'm infected with something, but it's not having an operational impact and we're not losing anything. Maybe I decide to monitor it and keep it for three months until a down period or a maintenance period when I can go clean it up. So there's a lot of ambiguity at times and I think the necessity in ICS security right now is to demand much more senior folks. We want to change that, and I think there's a lot of work around the community to try to bring it down. And again, it's not like bring it down to be dismissive, but to make it more approachable and to have more, this is what right looks like, and here's playbooks for these things. And then in that way we can make it more approachable to the industry. I've seen new people do really well in this industry and really make a lot of change, but they also have really a high level of mentorship and wonderful folks around them, and that's awesome, but shouldn't be required to do a job.

Kathleen (20:05):

Yeah, it sounds like training and education is going to play a big part in how we're mobilized to address this going forward.

Robert (20:12):

Absolutely.

Kathleen (20:13):

So you mentioned earlier this push and pull between government and the private sector in terms of who owns the problem, how's it going to get solved? I want to talk about one specific aspect of that, which is the financial aspect. You know, how is it gonna get paid for? My understanding is that there's a lot of real kind of legacy equipment issues to deal with if we're really gonna address this. And there's a price tag attached to that. And I'm kind of now harkening back to my prior career and remembering, you know, when you talk about utilities, these are regulated entities and tariffs, you know, the price we pay for utility services are regulated, whether it's the Federal Energy Regulatory Commission or what have you. I guess my question is how do we navigate that process of covering the price tag that's necessary to really fix the problem? And do you think, there's really a two part question. One of them is would it get approved at the regulatory level? But the other is, would consumers have an appetite to pay for it? Because ultimately I'm assuming that would be passed down to the end customer in the form of their fee that they're paying.

Robert (21:24):

Absolutely. Yeah. It's got to come from somewhere and I think it will ultimately come from the consumer one way or the other. Taxes or otherwise. But I think anybody living in a town that has a chemical plant or has a water filtration system or electric power or whatever, has general expectations and those expectations have to be met. So I'm usually a big advocate of what the companies themselves are doing, because I see a lot of good work they're doing and, like an electric utility, even if there's not money in it, will go do the right thing just because they want to have safe and affordable power that we need to live and work in the communities that they serve. But if I stepped back from that for a second and go, what does the answer have to be, it is a combination of regulation and incentives.

Robert (22:09):

Right now, some industries are over regulated and the electric sector is one of those industries that has more regulation than I think probably actually makes sense. But instead of arguing that, I usually say, well, the regulation has put us into a good place. So now let's look at incentives instead of just regulation. It can't always be the stick, but some industries have to have some regulation. Look at gas pipeline industries. For the ability of the natural gas community, the natural gas pipeline community to impact national security and those electric abilities is significant and there are very clear gaps. But I don't think it should be a regulation for security. That just doesn't work. And so there's always a nuance of how do you do it. In my opinion on some of these topics like with natural gas, tell the community what you want because you can, if you're an executive of these companies, everybody we talked to, there's a different opinion about how you see the business and different government agencies have different views on it.

Robert (23:09):

So you hear from DOD, FBI, DHS, DOE, and you get four different answers. And so in my view there should be a, we expect if you're a natural gas pipeline operator in this country to be able to do these things, and usually it's performance based. A lot of regulations have been very prescriptive. You will have, you will have patching, but it should be much more performance. So while I'd like to know that if we found the threat and we informed you about it, that you'd be able to answer whether or not you'd have that threat in your environment within a two hour window. Or if you had an incident, I would expect that you were able to have, regardless if you outsource or not, however you deal with it, be able to have a recovery plan and to get you back up and running within a 48 hour window.

Kathleen (23:50):

Basically like an SLA.

Robert (23:52):

Yep.

Robert (23:52):

We should basically have SLAs around things like safety as well. Which the safety community has done a pretty good job of actually. And then that kind of performance of here's what we think right looks like to be an infrastructure provider. And to live and work in those communities. I think those would be much more palatable as well for companies and saying, these are what you got to sign up for, however you do it is up to you, but we're going to hold you accountable for this as a combination of regulation. And then if you exceed these things or you do these things that we're not gonna regulate you against, but we really would like to see you up in this top quadrant, and whatever we want to hold companies sort of accountable for, here's the incentives to make it happen. Good example. I've been along, I've been a big proponent of education and training incentives, where a SANS class, so SANS in my opinion, is by far the best training in the world for cybersecurity skills, especially as it relates to things like digital forensics and incident response and pen testing and those kinds of things.

Robert (24:45):

But there's a lot of wonderful classes out there. If we want to talk about rinse and repeatability, like any individual class would be much better than any given SANS class, but SANS can do it at scale like nobody has ever been able to do. And they can train an entire workforce. And so when I think about like an ICS SANS class, your SANS classes are six, 7,000 bucks a pop, and that's five days, and they shouldn't be your entire curriculum. It should be the year I'm gonna sharpen certain skills or get you going. If an electric utility is doing things for Cisco training to take better advantage of networking skills that they're benefiting from a business standpoint, I think that's on them. If the state is saying we're not going to protect you against threats from other foreign states, then we should like, the incident response skills that they want to go pay a $7,000 class for whatever. It, it shouldn't be on them.

Robert (25:36):

And so I think it's completely appropriate then for us to say, well, it should be on you. I do think it has to be on you. It's the only way it works. But you know what? We're going to do tax credits, that if you're investing up to this level in security skills to relate to these challenges that we from a national security perspective think are interesting, these classes qualify for a tax credit so that you can actually train your workforce and then you get workforce development. And some of the things like that in terms of a combination of regulation and incentives has to be the answer. And so far we have much more regulation than we have incentives.

Kathleen (26:16):

That's interesting. So you know, when you think about the challenges that we're currently experiencing and then you think about all the innovation that's happening, what do you see as the biggest challenge we're gonna face in the next few years looking forward?

Robert (26:32):

Yeah, there are a lot of, and I'm going to scope it specifically to operations technology and whatnot. But there are a lot of companies making a lot of investments right now and they're going to need to get wins. And winning is a lot about how you measure things. And what we don't want to do and what I'm hopeful won't happen if done correctly is that people do things, or I'm hopeful that people don't do things, think that they're not worth doing and don't do them again. And so good example is there's a couple of approaches to ICS security that I just vehemently disagree with and I'm okay with that. I like that there's different opinions and I'm hopeful that we can all like, no person should be able to dictate these things. But why I vehemently disagree with them is, I don't think they're going to result in anything positive. And I worry about some of the massive companies that are doing those approaches and if their strategy isn't validated or invalidated, you know, kind of where does the business stand and, and there is the, there are some companies that essentially bury their head in the sand and if they don't have a major breach or something to be able to know it, they never really know the risk that they're taking for their community or they did something, they know the risk, they took an approach.

Robert (27:46):

It was a very extensive approach. It resulted in no value. So they go, well this problem is just too hard to solve anyways. And so I think about those kinds of extremes a lot. And, and I think that as we go forward, there's going to be this driver to do the easy answer and we as a community have to dig deeper. It goes back actually to kind of like the IOT comment. I meet with a lot of executives these days and brief a lot of boards, which is odd for me in a lot of ways. It's like why are you having me brief the board? But yeah, sure. And so I think the last two years I've probably been in front of 20 or so boards of some of the most significant companies on the planet. And they kind of all fall into either the believers and the nonbelievers.

Robert (28:28):

And actually there's not so much opposition from the board. The board gets it all. I was surprised. I thought the board would be kind of the harder one. The boards get it. Oh yeah. All the businesses on that side of the house. What are we doing to protect it? But it's commonly at the CISOs office that I'll see either the, we need to take a unique approach and do this and we need to, we need to dig deep and think about what we're doing and why we're doing or at all are. And can you just import it all into one pane of glass and have one strategy and we'll GRC it to death. And what we've done. And, and again, I, I worry about the, the easy answer of, let's call it IOT. Let's pretend that a big major company is going to handle it for us or is going to handle, there's a silver bullet.

Robert (29:09):

It's like the silver bullet aspect of this of, either they've got it or they've got it, or we're going to have this framework and we're done, or we're going to follow NERC CIP with electric guidance and we're done, and it doesn't work. And I hope that we see an upwinds elsewhere in the community to balance against that. And I think we are, we're starting to, which is good, but it's also going to mandate that people are talking about it. And our community, especially in industrial is one that we don't really talk about things a lot publicly, and we're very quick to be able to be critical of something, but if something's working, we don't want to sort of reveal what we're doing for security and we worry about the offensive-defensive aspect of that. And we've got to build the community more than we build our companies.

Kathleen (29:52):

That makes sense. So speaking of the community, Dragos is obviously doing a lot of really great work in ICS security. Are there any new technologies that you're really excited about?

Robert (30:04):

At Dragos or like outside of us and for like ICS security related and stuff?

Kathleen (30:10):

Anywhere.

Robert (30:10):

So not ICS security related?

Kathleen (30:10):

No, ICS specifically.

Robert (30:13):

So I, I think yeah, there's, there's quite a bit that's happening in ICS security, one of which isn't necessarily technology, although I think technology is enabling some of it, but like range access and similar. You know, if we want to get people really understanding industrial it can't just be academic. It really is important to get hands on equipment and see the physics of it. Oh that valve opens and closes and these things happen. And so we're starting to see a lot more from universities as well as some companies and government is doing it well to get access to ranges out to people. We try to play our part in that as well, where people can get hands on with the industrial world around them. So when you say industrial, you think electric utilities, oil and gas, maybe manufacturing. Then you realize like, no, it's rail and it's data centers and it's, it's literally everything outside of like financial services and even they have building automation. You know it's, it's, it's, it's kind of interesting.

Robert (31:03):

So I think that's really exciting. I also think it's really exciting what we're seeing kind of in the supply chain discussions. There are different ways to take the supply chain challenge and there's different things we mean when we say supply chain. Do we mean interconnection with the vendors? Do we mean the actual products themselves, hardware, software, R&D, whatever. But there's companies that are making products around validation of firmware and understanding like what's getting loaded on our systems. And is it what we expected? There's companies that are doing really cool things with helping the vendors themselves take accountability for their bill of goods and bill of materials and Hey, can we more accurately understand the software and supply chains that we're using at like a GE as an example. There's some that are working on even like software development life cycle work. And so there's a lot of different elements coming at this that I think are pretty exciting. We kinda got the segmentation thing good. We know how to do segmentation and industrial companies like mine are all around like asset identification and threat detection, and responding to attacks. And I think if after you take the, we can watch it once it's there, your questions are well what happens before I got there and what happens sort of over time as things change and those are kind of the areas I'm seeing some, some pretty cool things.

Kathleen (32:15):

Got it. Now outside of yourself and the team at Dragos, is there a particular person that you think is doing really interesting work in this area?

Robert (32:23):

In industrial there are a lot of them. So I'm always a huge fan of just anybody that's trying to take more of an educational based approach. And like I said, there's a, there's a bunch of them out there. I think that you have your folks, it's funny, I keep thinking of names like, no, we hired that person, no. I sound really arrogant, but like we try really hard to pull a bunch of talent together. But there's, I think a lot about the folks that don't have profiles. And so yeah, I think a lot about like the, the Mark and Brent at Salt River Project. I think of, you know, Jason and Mason at Oklahoma Gas and Electric. I think of, two of them like repping their shirt today just cause it's comfortable. I think about, you know, the Kevins and Jasons in Southern California Edison, the Curlys at Southern Company, like, you know, Glenn Ibel at BSF. Like I think about all these practitioners and leaders inside these companies that don't get celebrated, that don't get the podcast interviews and similar, but they're doing all of the mission.

Robert (33:25):

And so like you talked about like the Sandworm book. I have not read it. I refuse to read it. I, Andy is awesome. I'm sure it's an amazing book. It is so awkward. Like he messaged me and was like, yeah, you're in the book. And I'm like, Oh cool, can I check the quote or whatever. And he was like, Oh, you're a main character and I'm like, what?

Robert (33:44):

And like I find that I can't read about myself like that. Just also as a, as a technology provider, like we're the digital janitors, you know, like we're the service providers. Here's the mission or the mission. And so you asked about like who's educating and who's doing like the really hard work. I honestly think it's most of the people that are actually at these companies that never get celebrated. There are other people out there. Chris [last name] is a long time friend of mine. He's over there at FireEye doing amazing things to educate the community, you know, that that type of behavior exists in a lot of places. But the ones I, I sort of adore the most are the ones that are with those companies.

Kathleen (34:18):

That's great. Well there's no reason we can't have an operator on the podcast. So yeah, no, I always love, I always love hearing the names that are mentioned cause you never know, those could be the next people we interview. So that's a great list.

Robert (34:34):

It's a good list of people.

Kathleen (34:36):

This has been fantastic. Thank you so much for joining me this week, Robert.

Robert (34:40):

Yeah, of course. Absolutely. I'd probably just end in saying like, you know, your, your company does a lot of interesting things. And so for whatever positioning you could do for folks listening in and part of that supply chain challenges, is that connected to the issue and how do you actually connect to these sites and how do you do it correctly? And kind of in this random COVID time and all the things that people are dealing with, I would highly encourage people to be looking at those remote connections and specifically how they're thinking about securing because all of the adversaries that we are tracking are happily taking advantage of the moment. So thanks for your time. Thank you for having me on and good luck there when listening.

Kathleen (35:18):

Yeah, and I certainly appreciate the plug and the shout out for Attila. If you're listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. And we want to hear from you. If you have an idea for a future episode or a guest, tweet us @AttilaSecurity. That's it for this week. Thanks so much.