Grid Resiliency: It Must Be A Bottoms Up Approach
When we talk about securing the electric grid, the conversation usually focuses on preventing outages or protecting the biggest, most visible assets like large power plants, transmission lines, and control centers. But operators know the harder problem is not knocking the grid down; it’s bringing it back up. Grid recovery depends on a fragile chain of smaller substations, control systems, communications links, and auxiliary components that must come online in a precise sequence. Increasingly, those overlooked components are now becoming the real targets.
Rob Lee, co-founder and CEO of Dragos, joins Matt Calligan to explain how adversaries think about recovery denial, why attacking the smallest parts of the grid can stop the biggest ones from ever coming back online, and what it means that state actors are now transferring operational knowledge to non-state actors who are already causing physical process disruptions.
- The electric system works like a living body—you cannot restart the heart without the smaller parts. Generation is the heart pumping blood, transmission is the arteries, and distribution is the veins. A cranking path is a pre-identified sequence of smaller generation sites and transmission lines that must come online first to create the electricity needed for larger sites. It takes electricity to make electricity. You cannot just flip on the biggest plant and expect everything to work.
- Small does not mean unimportant. A single distribution substation might power a key port that the military needs to deploy troops to the South China Sea. It may not appear on anyone’s critical infrastructure map, but almost everything in the value chain is critical to someone in a specific scenario.
- The Poland attack was the first large-scale cyberattack against distributed energy resources. Adversaries targeted wind farms and other DERs that most countries treat as low priority because they generate little revenue and face minimal regulation. But in aggregate, they are very impactful. Poland’s grid survived because 50% of its generation is thermal, with spinning equipment that provides inertia. In systems dominated by renewables, which rely on inverters and have no spinning mass, that same attack could collapse the grid and make recovery far harder.
- Inertia is the physics that gives you seconds to react. Spinning equipment like coal, gas turbines, hydro, and nuclear plants puts inertia into the system. When something goes wrong, that inertia gives operators a few seconds of safety margin to balance load and generation. Renewables feed electricity directly onto the grid through inverters with no inertia. As grids shift toward renewables, attacks become exponentially more dangerous.
- Adversaries are investing more in learning the system than defenders. State actors are not just gaining access to OT environments; they are mapping out control systems, understanding how the physical process behaves under different conditions, and identifying the parameters of variable frequency drives. That level of detail signals intent. They are not there by chance—you are the target.
- State actors are now transferring knowledge to non-state actors. Dragos has seen groups that began by defacing internet-facing HMIs. A month later, after outside help, those same groups had PLC-level implants, ladder logic manipulation tools, and methods to disrupt physical processes. You do not learn that in a month. Someone handed them capabilities. State actors stay quiet; non-state actors spread everything.
- “You don’t get to vote on whether adversaries care about you.” You can understand your environment, set policies, and shape the defender’s terrain to your advantage, but you cannot control whether you are chosen as a target. Dragos tracks 27 threat groups with different motivations. ELECTRUM started in Ukraine, taking down electric systems, then appeared in Poland, and then started scanning equipment across North America. Motivations shift. Requirements change. You have to adapt.
- The risk is carried by people outside the fence line. When a plant shuts down, water is poisoned, or a hospital loses power, the impact goes beyond corporate risk management. Profitability is not the only responsibility. Making assumptions about likelihood while the consequences fall on people who have no say in your security program is a misrepresentation of risk.
- Littleton Electric is the case study everyone should know. A small public power utility with no advanced resources invested in fundamentals like segmentation, access controls, and identity. They applied for a DOE grant, deployed Dragos, and soon got a call from the FBI saying they were communicating with Volt Typhoon infrastructure. They had been compromised for over 300 days on the IT side, but adversaries failed to break into OT because the fundamentals held. The general manager spoke publicly, faced criticism, and even political opposition, but his transparency pushed other utilities to act.
- Sub-10% of OT networks worldwide are actively monitored. Public commentary often claims ICS attacks do not exist, while Dragos handled seven incident response cases in a single week. The gap between narrative and reality is staggering.
- AI is shrinking the exploitation window. An edge device vulnerability used to be exploited within two days. With AI, adversaries can map infrastructure, reverse-engineer, and exploit within two hours. At the same time, AI is helping discover more vulnerabilities. If your security program relies only on prevention, you are about to learn the hard way that prevention fails.
- Collection bias distorts the threat picture. An IT firewall company may report that all OT attacks start in IT, but that is only because they have no OT visibility. They cannot see attacks that originate elsewhere. This bias fuels the public narrative that OT security does not matter, while practitioners are drowning in incident response cases.
- The fundamentals are not just about cyber—they are about business capability. The same segmentation that protects against adversaries also prevents network storms from shutting down plants. The same visibility and monitoring that detects intrusions also helps operators find the root cause of accidents. Many companies are not even at the risk reduction stage yet. They need to meet basic legal and operational requirements first.
- Dragos built OT-CERT because the government version was shut down. ICS-CERT at Idaho National Laboratory once offered free conferences and taxpayer-funded resources. Internal drama ended it, leaving only a shell. Dragos now spends at least $1 million a year to run OT-CERT, with over 3,000 organizations participating. Its Community Defense Program gives free software, training, and threat hunting to any electric, water, or gas provider in North America making under $100 million in revenue—97% of all utilities.
- Prevention is great, but you’d better be doing detection and response. For over 15 years, practitioners have warned that prevention will fail—invest in identify, detect, respond, recover. Companies that rely only on prevention will be caught unprepared when the inevitable happens.
- There is evil in the world. Rob once tried to keep a neutral mindset, treating adversaries as simply opposing teams. That changed during the pandemic, when he saw actors trying to break into pharmaceutical companies not to steal IP but to alter vaccines. He saw state actors preparing to kill civilians. The 1% that is truly evil must be countered.
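The cranking-path point above (small substations and line segments that must be energized before the large plants can come back) can be made concrete with a dependency model. The following is an added example, not code from the podcast or from Dragos: the network, the MW ratings and the prerequisite edges are all constructed, and the analysis simply asks which zero-MW assets strand the most generation if they alone are unavailable.

```python
"""Restoration-dependency model: which small assets gate the large ones?

Constructed example, not code from the podcast or from Dragos. The network
below is hypothetical; an edge means "prerequisite must be energized first".
"""
from collections import deque

# Constructed toy network: asset -> (nameplate MW, prerequisites).
# 0 MW marks non-generating assets (substations, line segments, feeders).
TOY_GRID = {
    "hydro_blackstart": (20, []),                 # self-starting unit
    "sub_A": (0, ["hydro_blackstart"]),           # distribution substation
    "sub_B": (0, ["sub_A"]),
    "wind_farm": (40, ["sub_B"]),                 # inverter-based, needs a grid reference
    "aux_gas_peaker": (60, ["sub_B"]),
    "tx_line_230": (0, ["aux_gas_peaker"]),       # transmission segment
    "big_coal_plant": (800, ["tx_line_230"]),     # needs station-service power first
    "sub_C": (0, ["sub_A"]),
    "hospital_feeder": (0, ["sub_C"]),
}


def restoration_order(grid):
    """One valid energization sequence (Kahn's topological sort).

    Raises ValueError if the dependency graph has a cycle, because then
    no cranking path exists.
    """
    indeg = {n: len(pre) for n, (_, pre) in grid.items()}
    dependents = {n: [] for n in grid}
    for n, (_, pre) in grid.items():
        for p in pre:
            dependents[p].append(n)
    queue = deque(sorted(n for n, d in indeg.items() if d == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for d in sorted(dependents[n]):
            indeg[d] -= 1
            if indeg[d] == 0:
                queue.append(d)
    if len(order) != len(grid):
        raise ValueError("dependency cycle: no valid cranking path")
    return order


def recoverable(grid, unavailable=frozenset()):
    """Assets that can still be energized when the `unavailable` assets are lost."""
    up = set()
    changed = True
    while changed:
        changed = False
        for n, (_, pre) in grid.items():
            if n in up or n in unavailable:
                continue
            if all(p in up for p in pre):
                up.add(n)
                changed = True
    return up


def stranded_mw(grid, asset):
    """Generation (MW) that cannot be restored if this single asset is lost."""
    up = recoverable(grid, {asset})
    return sum(mw for n, (mw, _) in grid.items() if n not in up)


def gating_assets(grid, target):
    """Non-generating (0 MW) assets whose loss alone strands `target`."""
    return [n for n, (mw, _) in grid.items()
            if n != target and mw == 0 and target not in recoverable(grid, {n})]


if __name__ == "__main__":
    print("restoration order:", " -> ".join(restoration_order(TOY_GRID)))
    for asset in TOY_GRID:
        print(f"lose {asset:17s} -> {stranded_mw(TOY_GRID, asset):4d} MW stranded")
    print("0-MW assets gating big_coal_plant:", gating_assets(TOY_GRID, "big_coal_plant"))
```

In this toy network the two distribution substations carry no generation of their own yet strand the same 900 MW as losing the large plant's transmission line, and `sub_C` strands no generation at all while still cutting off the hospital feeder, which is the kind of asset that appears on nobody's criticality map until a scenario needs it.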
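The inertia point (spinning mass buys operators a few seconds; inverter-based resources do not) can be put in numbers with the aggregate swing equation. This is an added example, not from the podcast or from Dragos: the equation is the standard aggregate form, but the inertia constant, the load-shedding threshold and the generation mixes are assumed values chosen for illustration, and the calculation gives only the initial rate of change of frequency, before governors and load damping act.

```python
"""Inertia margin calculator from the aggregate swing equation.

Constructed example, not from the podcast. Aggregate swing equation:

    df/dt = f0 * dP / (2 * H_sys)        [Hz/s]

dP    : generation deficit in per-unit of system load (positive = deficit)
H_sys : load-weighted inertia constant of online generation [s]
Only the initial rate of change of frequency is modelled; governor response
and load damping, which slow the decline later, are ignored, so the window
computed here is the lower bound operators get before any control acts.
"""

F0 = 50.0        # nominal frequency [Hz]; 60.0 in North America
F_UFLS = 49.0    # first under-frequency load-shedding stage; assumed value
H_SYNC = 5.0     # inertia constant of thermal/hydro/nuclear units [s]; assumed value


def system_inertia(sync_share, h_sync=H_SYNC, h_ibr=0.0):
    """Aggregate H for a mix: `sync_share` of load served by synchronous
    machines, the rest by inverter-based resources (h_ibr is 0 unless the
    inverters provide synthetic inertia)."""
    if not 0.0 <= sync_share <= 1.0:
        raise ValueError("sync_share must be in [0, 1]")
    return sync_share * h_sync + (1.0 - sync_share) * h_ibr


def rocof(deficit_pu, h_sys, f0=F0):
    """Initial rate of change of frequency [Hz/s]; infinite when there is no inertia."""
    if h_sys <= 0.0:
        return float("inf") if deficit_pu > 0 else 0.0
    return f0 * deficit_pu / (2.0 * h_sys)


def seconds_to_ufls(deficit_pu, h_sys, f0=F0, f_trip=F_UFLS):
    """Seconds before frequency reaches the load-shedding threshold at the initial ROCOF."""
    r = rocof(deficit_pu, h_sys, f0)
    if r <= 0.0:
        return float("inf")      # surplus or balanced: frequency does not fall
    if r == float("inf"):
        return 0.0               # no inertia at all: no reaction window
    return (f0 - f_trip) / r


def margin_table(deficit_pu, shares=(1.0, 0.5, 0.25, 0.0)):
    """Reaction window for the same generation loss across several generation mixes."""
    return {s: seconds_to_ufls(deficit_pu, system_inertia(s)) for s in shares}


if __name__ == "__main__":
    for share, secs in margin_table(0.10).items():
        print(f"{share:4.0%} synchronous: {secs:5.2f} s before UFLS for a 10% deficit")
```

With these assumed constants, the same sudden 10% loss of generation leaves a 2 s window on an all-synchronous system, 1 s at a 50% thermal share like the one the summary attributes to Poland, 0.5 s at 25%, and no window at all with zero inertia, which is the quantitative form of the claim that an identical attack becomes far more dangerous as the mix shifts.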
Navroop Mitter:
[00.00.02.23–00.00.32.10]
Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.
Matt Calligan:
[00.00.32.12–00.00.52.01]
Welcome back to The Lock & Key Lounge. I am your host today, Matt Calligan. And, as always, our goal is to bring you ideas and concepts in cyber that exist right over the horizon. I like to say we’re talking about things that nobody’s talking about at the moment—or maybe not talking about in an effective enough way.
Matt:
[00.00.52.02–00.01.16.14]
So, again, today’s topic is no exception. When we talk about securing the electric grid, which has become quite a popular topic at the top of everyone’s security risk profile here these days, the conversation usually focuses on preventing outages or protecting the biggest, the most visible assets in large power plants and transmission lines.
Matt:
[00.01.16.14–00.01.46.13]
Control centers. Operators know the harder problem isn’t knocking the grid down. It’s actually bringing it back up. Grid recovery depends on a quite fragile chain in many cases of smaller substations, control systems, communication lines, and auxiliary components that have to be online in a pretty precise sequence. And increasingly, those overlooked components are becoming the targets.
Matt:
[00.01.46.15–00.02.12.20]
So today we’re going to talk about how adversaries think about denying a recovery of our grid, and why attacking the smallest pieces of the grid can actually prevent the biggest ones from coming back online. So, to explore this one, I’m joined by Rob Lee. He is co‑founder and CEO of Dragos. Rob is one of the leading voices in the ICS, SCADA, and OT security universe.
Matt:
[00.02.12.20–00.02.34.13]
And with a background spanning national security, industrial threat intelligence, as well as real‑world work with grid operators—obviously around the globe—and, in my opinion, few people are better positioned to explain how these types of attacks can actually unfold and what resilience should really mean with these kinds of ideas in mind.
Matt:
[00.02.34.13–00.02.37.21]
So, Rob. Hey, appreciate you stopping by.
Rob Lee:
[00.02.37.21–00.02.38.22]
Yeah. Of course. Thanks for having me.
Matt:
[00.02.39.01–00.02.57.02]
All right. We’re going to—I know you are busy. You just had a baby. You’ve got a lot of things sucking up your time right now, so I’m going to jump right in here. The big one that I think, when I heard you speak, it was at the Public Power—the National Public Power Cybersecurity Conference—there.
Matt:
[00.02.57.02–00.03.30.07]
And you were speaking about this topic here. And what struck me is how complex the language is around it. But it’s an easy concept that you can really get your head around, and the way you’re talking about it made it very approachable. And—but I think it suffers from a lot of engineering speak, or overly engineered speak—terms like black start, dependency chains, restoration sequencing, cranking paths, things like that, systems of systems, fragility.
Matt:
[00.03.30.10–00.03.54.10]
These are all things that sound pretty intimidating. But you know what, when you were talking about them, I found it conceptually is easy to get my head around, and to understand where that—how to reevaluate that from a risk perspective. So, for listeners who aren’t engineers, take us through the concept. Explain what a cranking path is, or what a black start sequence is, in just standard terms.
Matt:
[00.03.54.10–00.03.59.09]
And why this is a bottom‑up process from a recovery and resiliency standpoint.
Rob:
[00.03.59.09–00.04.16.11]
Yeah, for sure. I mean, I think the electric system itself is—might as well be a living organism. And it’s always really effective for people that are just starting out to think of a human body. Right. You’ve got generation, which is your heart pumping lots of blood. You’ve got arteries, which is carrying lots of blood throughout your body.
Rob:
[00.04.16.11–00.04.34.18]
That’s a transmission system. And you’ve got your local distribution, which is your veins. And for smaller—small voltage, if you will—the smaller carrying of blood. And as you look at this concept, if you’re down and out, right, you are not working. What are people going to do? They’re going to try to revive you.
Rob:
[00.04.34.19–00.05.02.08]
They’re going to try to get your heart pumping again. And so, you’ve got to bring up generation to be able to bring up the capability to have an electric system. Now, when people talk about a crank path, what they’re referring to is a sort of pre‑identified generation site, and then the transmission system that it’s going to require, and sort of push out electricity—and it takes electricity to create the electricity.
Rob:
[00.05.02.08–00.05.03.07]
Like you can’t just—
Matt:
[00.05.03.07–00.05.04.19]
Need the paddles to jump the heart. Right.
Rob:
[00.05.04.19–00.05.23.22]
Exactly. You can’t just bring up the biggest thing and hope that everything works out. Usually, you’re building a portfolio, trying to meet the load on the system by taking smaller sites up first. Then you get to larger sites, and again, all along the way you’ve identified where are those generation sites, and then how do I communicate between them?
Rob:
[00.05.23.22–00.05.43.17]
Or really, how do I have electricity flow between them with pre‑dedicated transmission lines and so forth. And so, it’s—there’s a lot of sites out there that people wouldn’t expect to be super critical to the overall system. And there might be smaller sites, but they are, in fact, part of a crank path, or they’re part of strategic sites.
Rob:
[00.05.43.17–00.05.53.16]
And the power locations they support—and a lot of those sites, the ones that we’re seeing getting targeted by adversaries, which is what’s causing a lot of concern for folks, amongst other things.
Matt:
[00.05.53.18–00.06.13.14]
Yeah. Yeah. Why do you—I mean, as a novice, you can look at smaller components and think they’re less important than bigger components. But from an actual national planning level, it seems that’s not a—it seems like it’s a commonly held perspective. I mean, what—why do you think that is, given knowledge of the situation?
Rob:
[00.06.13.14–00.06.29.21]
Yeah. I mean, look, if you’re—most countries around the world had some four staff or some team that was told, go figure out what critical infrastructure here is. And they’re like, oh God, what did—I gotta look through all this, and the easy thing to do is look at the big stuff, and you just go, that’s a big manufacturing site.
Rob:
[00.06.29.21–00.06.52.20]
It must be critical infrastructure—not realizing… Pandemic—there were small components in the supply chain that would make it where we actually didn’t get the equipment we needed. Just insane. Yeah. Same thing in the electric systems. A—one small distribution substation might be supporting a really, really key port that, in a time of war, the military is going to use to put troops in the South China Sea.
Rob:
[00.06.52.21–00.07.12.11]
It doesn’t make anybody’s map. And so, there’s—it’s just a complex value chain where there’s not too much that’s not critical to somebody for something. And really, the way that national leaders are trying to go about it—which is difficult—but trying to go about it, is more scenario planning of, well, what do I need?
Rob:
[00.07.12.11–00.07.35.20]
It’s all critical. Great. But like, of the critical stuff, what do I need for what scenario? You want to be able to launch ICBMs against a foreign adversary. That’s a different set of infrastructure than putting troops inside of China Sea—is a different set of infrastructure than restoring power after a hurricane. And so, identifying that collection of infrastructure based on the use case versus our discussion of what is and isn’t critical is important.
Rob:
[00.07.35.20–00.07.56.10]
And if you look at it, I think there’s some good examples with the Poland attack in December, where it was the first ever cyberattack against a large portion of DERs—distributed energy resources. And in most countries around the world, a wind farm or solar farm would be considered a low‑critical asset, if it was critical at all.
Rob:
[00.07.56.12–00.08.16.15]
And there’s very little cybersecurity that goes into those things, ’cause they don’t generate a lot of revenue individually, and without any regulation that—it’s just not going to get a lot of focus. And on their own, most of them aren’t that interesting. But if you do what they did in Poland and go after a bunch of them at once, in aggregate, they can be very impactful.
Rob:
[00.08.16.20–00.08.50.11]
Now, Poland has about 50% of their electric power generation done by thermal resources like coal. And anytime you’re doing coal, and you’re spinning big gas turbines or big turbines, or you’re doing gas combined‑cycle turbines, you’re doing hydro, you’re doing nuclear—any time that you’ve got spinning equipment, you’re putting inertia onto the system. And inertia is that natural balancing act for an electric system that if something goes wrong, if a frequency changes, if there’s way more load or way less generation than anticipated, it gives you a couple seconds.
Rob:
[00.08.50.11–00.09.11.15]
We’re not talking minutes, but it gives you a couple seconds of safety. And that is really critical. And those seconds are very, very important to be able to balance an electric system and keep it when you are heavily invested in renewables. So—and this is not putting any one energy source to—I’m just talking physics now—when you’re heavily invested in renewables, they’re inverter‑based resources.
Rob:
[00.09.11.15–00.09.34.01]
They’re just putting electricity directly onto the system. There’s no big spinning equipment, there’s no inertia. So that same style of attack that happened in Poland is impactful. And it sucks. But the system is fine, and I can deal with that ’cause it’s less than 25% of their system that’s renewable. As you get to other places in the world—Australia, different parts of the United States, Norway, what’s going on in Germany—you get different parts of the world.
Rob:
[00.09.34.03–00.09.57.01]
That same style of attack can now bring down the entire electric system and have a very difficult time trying to recover it. When you’re trying to recover a bunch of small assets only, versus having some big generation capability to bring up online as well. And so, just looking at all of this together, the reality is we in cybersecurity have to still live in the world of physics.
Rob:
[00.09.57.01–00.10.17.16]
And the electric system operates in the laws of physics, regardless of your energy policy and electrons. Still, when—and these changes that we’ve made have consequences that we just have to prepare for. And again, it’s not that this is a good change or bad change, it’s just that the change on the overall system now means we must take a different approach as we try to have that system remain resilient.
Matt:
[00.10.17.19–00.10.21.20]
With the change of the system, you mean shift to renewables or…?
Rob:
[00.10.21.20–00.10.39.17]
Everything. So, I mean any—again, it’s a living system in many ways. If you’re going to change it a bunch, you need to know what the impact is. So, you’ve got a bunch of renewables versus big spinning equipment, okay. You have less inertia in the system. What does that mean? You’ve got a bunch of automation at the plants that we didn’t previously have.
Rob:
[00.10.39.19–00.11.03.10]
Like, automatic generation control. I can send a command from a transmission system operator to a generator and spin up generation remotely. Okay. Well, what does that mean in terms of impact, or I’m rolling out complex systems for automatic metering or smart meters at the edge. Or maybe because of the renewable energy, or just energy in general, that’s privately owned data centers and their sites.
Rob:
[00.11.03.12–00.11.25.03]
I now have generation that’s behind the meter, aka the utility doesn’t manage it. Utility doesn’t actually get to depend on it. It’s just energy that’s flowing onto the electric system that they’ve got to deal with, like your transmission system operator, your control centers. They got to deal with it, but they don’t know what it is, or where it’s going, or how much it is, and how much of it there is.
Rob:
[00.11.25.03–00.11.44.11]
Yeah, there’s zero visibility behind the meter. And so, there’s a lot of stuff getting thrown at our electric system, and it’s becoming more and more complex, more and more interconnected, more and more digital, more and more automated. And it’s just a conversation. Okay. Well, in that world, what is going to change to make sure that we get to maintain the resilience that we have?
Rob:
[00.11.44.11–00.12.04.20]
And this is probably the most actually dangerous political thing I’ll say in this context, which is, if a lot of people want to yell at the utilities for the rising cost, but the system is changing a bunch that I got, I recouped that cost somewhere. But if you look at most electric bills, and the rising electric bills, they’re rising slower than the inflation.
Rob:
[00.12.04.21–00.12.20.01]
And so, everyone’s complaining about a rising electric bill. But if you actually look at a lot of our electric system operators and owners—and I’m not saying every single one of them—but if you look at the majority of them, they’re going way out of their way to be more and more and more efficient, and more and more capital resource efficient.
Rob:
[00.12.20.03–00.12.29.19]
All in the face of big changes—the climate, big changes—the geopolitical sphere, big changes—the cyber discussion, big changes—the AI discussion, big change. Like, there’s a lot going on.
Matt:
[00.12.29.21–00.12.37.16]
Right? Right. Well, and they’re not immune to inflation, right. They have to deal directly with the costs of things going up based on—
Rob:
[00.12.37.16–00.12.42.23]
Yup, your price of oil impacts a lot in terms of energy production, as an example.
Matt:
[00.12.43.01–00.13.11.05]
Right. And yeah, and trying to juggle that cost without incrementally passing it on to the customer, which is going to create a lot of heartburn. Right? Yeah, a lot of pushback from a—you’re talking about sort of this complexity that is scaling out at the same time as the need for resilience, kind of being a common thread through all of this within the OT and threat intelligence side of the house.
Matt:
[00.13.11.05–00.13.44.13]
You talked about the junior associate who was tasked with figuring out what critical infrastructure means from an adversarial standpoint. Do you—especially even like nation states at this point—still are the ones that primarily have this goal, from at least my perspective. Do you see them suffering from that same kind of lackluster attempt at looking at this, or do you see evidence where they’re taking this kind of interdependency more seriously when it comes to disrupting their enemies, from their perspective?
Rob:
[00.13.44.13–00.14.05.23]
You will always have in this discussion the people that, quote-unquote, win as being the people that are investing in the problem and learning the system the most. And it is very clear that adversaries go in that. And we still have a huge component. And I’ve—it’s interesting—I talked to a lot of CEOs these days of power companies and others that are actually having trouble reaching their own CISO.
Rob:
[00.14.05.23–00.14.23.23]
So, they’re like, hey, my CISO keeps focusing on enterprise IT, and I get it, and I’m glad it’s important. But we keep trying to highlight for them the businesses on the operations side. And it’s OT, and it’s different. And it’s funny to me where, like, a lot of CISOs historically have been like, hey, it’s hard for me to reach a CEO, and how do I get budget?
Rob:
[00.14.24.01–00.14.50.00]
And I’m hearing CISOs that have been around the community for a long time, that get it—appalled at some of their peers that are maybe newer or just very set in their ways on IT, that don’t view the OTs differently and are trying to take a different approach to it, and so forth. And so, when you’ve got leadership that goes, IT, OT, it’s all T, and hey, let’s just secure the device and patch it and firewall it—and you’re on it.
Rob:
[00.14.50.01–00.15.05.20]
When they take that approach where the adversary has gone, oh no, it’s different. And here’s how an energy management system operates, and what the interdependency is, or the transmission system operator between the generation site. And actually, I wonder how the electric system is changing now that we’re putting HMI all over it. Like, when they’re investing the time, they’re going to win, and they don’t need to.
Rob:
[00.15.05.21–00.15.27.08]
There’s nothing special about it—like, they’re not brilliant. And it’s not like the adversary actually has the upper hand. But if they invest the time and learn the system better than defenders, of course they’ll win. And we’re seeing that happen. And so, we see both states and non‑state actors now doing this. But state actors are getting to the point where they’re not just getting access to OT or carrying out an attack.
Rob:
[00.15.27.10–00.15.44.18]
Those have existed for a long time, but we’re starting to see the middle‑ground ones where they’re getting access, but they’re going ahead and mapping out the control that they’re getting in there, and trying to understand how does the physical environment work, what’s the parameters around it? What—how is the system operating in a hot summer day?
Rob:
[00.15.44.18–00.16.07.14]
How is it operating in the dead of winter? How is it—how’s the changes that’s a variable frequency drive mattering now that it’s digital? And so, they’re mapping out the actual understanding of the control loops themselves, that the components that influence the physical process. And that is an extraordinary signal of they are there because you’re the target.
Rob:
[00.16.07.14–00.16.09.04]
They’re not just acting just in case.
Matt:
[00.16.09.04–00.16.09.15]
Right. Not a smash and grab.
Rob:
[00.16.09.15–00.16.32.20]
And they have the intent, they have the desire to be able to disrupt or destroy that site based on their knowledge gain. And then we also see those very similar, or same, state actors transferring knowledge to non‑state actors. And so, historically, it wasn’t non‑state actors that we were very worried about—no team outside of you having, like, an internet‑connected HMI, getting it defaced or something.
Rob:
[00.16.33.02–00.16.54.06]
It wasn’t like a non‑state actor really had the resonant knowledge to do operational damage. We’re now seeing non‑state actors where state actors are sharing the same infrastructure with them. It’s very clear that they’re transferring knowledge, and maybe more, to them. And we’ve seen—had one non‑state actor, an example that was doing just that, defacing internet‑facing HMIs.
Rob:
[00.16.54.08–00.17.20.06]
And then, like a month later, after somebody knocked on the door, they started having, like, PLC‑level implants and a lot of manipulation capabilities and physical process disruption. And, like, that’s not something you learn in a month. That’s something that somebody shows up and starts working with you, or giving you capabilities, and that will—the risk with that is state actors kind of know how to shut up depending on your state.
Rob:
[00.17.20.08–00.17.40.16]
But your non‑state actors proliferate things like crazy. So, you are going to start seeing, at a time that we’re creating more complex internet systems than ever—more digital, more connected than ever—fighting our own community about whether IT and OT are different. I mean, you’re then going to get state actors and non‑state actors that are very well adapted, disrupting this infrastructure.
Matt:
[00.17.40.18–00.18.16.06]
Do you—this is a conversation I had—you probably know Patrick Miller. He and I talked on this podcast about the way air gaps have been used traditionally between physical and cyber. IT/OT—we’ll just—nomenclature. That divide has been really reliant on the presumption of biology, of humans leading the attack, because humans—there’s only a certain capacity that a group of humans can have, that move at a certain speed and have a certain specialized knowledge of all the layers of your environment.
Matt:
[00.18.16.08–00.18.46.02]
And his concern was that AI is going to supplant that and allow humans who aren’t these experts to suddenly to launch a very expert‑driven kind of attack that kind of crosses these barriers with this Intel you talk about—transfer of knowledge to non‑state actors. Do you see that still being the problem, or do you see it—do you see that just proliferating from a human‑based approach, or do you see AI contributing to the speed of that uptake and scale?
Rob:
[00.18.46.04–00.19.06.02]
AI, when you have the training data, is very effective at assisting humans. This idea of replacing humans, and a lot of the different discussion that we’re talking about, is still hype today. Yeah. But my Intel analysts will use AI, and it speeds up their work, but they’re not going to vali—they’re not going to depend on AI to write an Intel report.
Rob:
[00.19.06.02–00.19.29.19]
It’s going to be visual hallucination drift and issues and all sorts of things. I’m saying there’s my detection engineers. They’re still coming up with the idea. They’re still validating at the end, but they’re using prompts along the way to create more detections than ever before. Your adversaries are going to do the same thing. And, where possible, their initial research, their initial mapping out of an interdependency, their understanding of finding vulnerabilities and edge devices to get access into the environment.
Rob:
[00.19.29.19–00.19.56.11]
In the first place—all of that is going to be rapidly accelerated, it is becoming rapidly accelerated. The once‑on‑target doing operations piece, I don’t see anything to suggest that AI is playing a real role there today. And so, I mean, I’m involved in—without getting, I mean, it’s obvious but it—whatever, I’m not supposed to name the project—wherever I’m involved in the big, I’m involved in a big AI project that everyone’s freaking about, thinking about it from an OT perspective.
Rob:
[00.19.56.11–00.20.21.05]
And they’re—people should be concerned. It’s not, oh my God, we’re going to see AI‑generated attacks taking down power plants. No, what we’re going to see, though, is almost like the death of edge device vulnerability management. Like the idea that you’re going—it, like we already deal now where it’s like a new vulnerability comes out for the gate or whatever else kind of device.
Rob:
[00.20.21.07–00.20.47.23]
It’s—we have adversaries that are, within two days, mapping out the infrastructure, reverse engineering that vulnerability, and exploiting and getting access to sites. Two days is already fast for most security teams. What we’re seeing with AI‑assisted, that kind of work—we’re talking like two hours. And so the—and then a bunch of vulnerabilities being found. And so, if you equate vulnerability management and product security to OT security, you would—you’d be scared.
Rob:
[00.20.48.01–00.21.09.17]
They’re not the same thing. But where product security matters and edge security matters, it’s getting destroyed. And so, I do think it’s impactful. I think—I mean, yeah, look, I think all the talk, like I think many of us, for the last, like 15‑plus years, have been saying prevention is great and you want to try to do prevention, but you better be doing detection response.
Rob:
[00.21.09.17–00.21.23.01]
You better be hunting. I think a lot of companies are about to learn the hard way that their prevention is going to fail. And, if they didn’t have a more balanced program that’s like identify, detect, respond, recover, etc., they’re going to be screwed real fast.
Matt:
[00.21.23.03–00.21.53.03]
Yeah. Why do you—I mean, from a—that smaller and below—the most common or most well‑understood line is the bulk electric system definition here in the US. For those organizations, whether it’s a utility or not, but any OT‑heavy environment that sort of falls on that small end of that scale, do you see—is—are all of them attractive targets, or is it still very specific to how they’re—that critical path, right?
Rob:
[00.21.53.05–00.22.10.15]
It depends on the adversary. And so, I just got in this discussion with a security analyst at a large company this past week, where we were having very thoughtful discussions about requirements and scenario setting and all that sort of stuff. But he seemed—and I don’t want to misrepresent his position—but he seemed pretty defiant on this. Yeah, but we’re not a good target.
Rob:
[00.22.10.17–00.22.19.00]
And like, who cares about us, and that’s like one of the very few things that I have to try to calm my blood pressure down when I hear. It’s a very fair thing.
Matt:
[00.22.19.02–00.22.19.11]
Legal fight.
Rob:
[00.22.19.13–00.22.42.09]
Yeah. It’s a very fair thing. And I totally get where he’s coming from, and it’s very reasonable, but it’s the one thing you don’t get to vote on. You can’t actually control your security. You get to understand your environment. You get to own the policies, and the adversary has to live in your world. The defender has the upper hand, but whether or not the adversary cares about you is irrelevant to you.
Rob:
[00.22.42.09–00.23.06.00]
Like, you don’t get to vote on that. Now, the right question is, hey, from a threat‑model perspective, what types of attacks have our peers dealt with, and we should be prepared to deal with. That makes sense. And, from that basis, you got a lot of them. But then, to sit back and go, hey, I see other stuff happening to other industry or other people in my community, but not me.
Rob:
[00.23.06.03–00.23.36.22]
That just seems like a misrepresentation of risk. And the reason that gets me a little fired up is, in our world and in OT, and especially in manufacturing, utilities, pipelines, etc., the risk isn’t just carried by the company. We are carrying the risk of everybody we live and work with. And so, all these people outside the fence line are going to be impacted when that plant goes down, or when the water gets poisoned, or when the electric system in the hospital goes down.
Rob:
[00.23.37.00–00.23.55.11]
And so, there’s a greater responsibility than just normal risk management and profitability of a company. And therefore, without trying to be offensive, I usually just get a little heated on the, “Yeah, but I mean, what’s the likelihood of that?” And it’s like, dude, you are making bad assumptions, and the risk is being carried by people outside the fence line.
Rob:
[00.23.55.12–00.23.55.18]
You can’t.
Matt:
[00.23.55.18–00.23.59.05]
Yeah. You’re—yeah. Other people you’re betting on—
Rob:
[00.23.59.05–00.24.14.16]
And so, there are plenty of adversaries that will go access anything they can get access to. Right. Adversaries that are going to map out only the interdependence. There’s plenty of adversaries that are going to go to wherever they can make money. There’s some that are going to go and launch property. At Dragos, we tracked 27 different threat groups, and that’s just from what we can see.
Rob:
[00.24.14.18–00.24.36.00]
And they have a wide variety of different motivations, and some of them have different, changing motivations—where, like ELECTRUM, as an example, you never saw them inside of Ukraine taking down electric systems. Then we started seeing them in Poland. Then we started seeing them map out internet‑connected VFDs and getting into scanning of equipment to get access across North America.
Rob:
[00.24.36.00–00.24.40.11]
It’s like, cool, but their motivations changed. You got to deal with that.
Matt:
[00.24.40.13–00.24.45.16]
Well, and the motivation changes with access to new information. As you—as they learn.
Rob:
[00.24.45.16–00.24.54.19]
Yup. And also just requirements—like a lot of these teams, or intelligence agencies, or militaries, and somewhere, their boss walks in and goes, “Here’s the new mission.” No, it’s not, it’s—
Matt:
[00.24.54.20–00.24.56.04]
Not them anymore.
Rob:
[00.24.56.06–00.25.13.11]
Exactly. It’s like, all right. So, we updated the profile—like, intelligence agencies don’t set their own intelligence requirements. They serve customers, internal customers. If its decision pen says, “Hey, I want my MSS folks going out and stealing intellectual property related to aerospace technologies,” guess what? They care about aerospace now.
Matt:
[00.25.13.13–00.25.21.07]
Yup. Yeah. What’s—you—you’ve done a case study. I forget the name of the utility, but there’s—yeah, yeah.
Rob:
[00.25.21.11–00.25.23.04]
Littleton. I love it, guys.
Matt:
[00.25.23.04–00.25.27.01]
Yeah. I thought we talk about all the bad examples here, but walk through that too.
Rob:
[00.25.27.02–00.25.49.05]
Yeah. It’s my absolute favorite case. It’s this guy—like, the GM down there—and his team. And I mean this with all the respect in the world. But they’re a small company, okay. Like, a small water and electric company—Littleton Electric and Public Power—which I love all my customers. I love all the industries. But there’s just something special about public power, like, “Hey man, we’re doing this with no money involved.”
Rob:
[00.25.49.05–00.26.05.15]
We’re just trying to take care of our local community—like, that’s a feel‑good. All right. And so, a public power player, and they cared about security. They had no—none of the resources and stuff to care about it. It was just a GM—a general manager—who was like, no, this matters, and came from the operations side.
Rob:
[00.26.05.15–00.26.26.13]
Everything else is like, no, this matters. So, let’s take it seriously. And so, they invested in the fundamentals, not AI, not whatever. I’m not putting down those things. I’m just saying, like, they invested in fundamentals. Good segmentation, good access controls, good identity. Just whatever they could do with a tiny little team and very little resourcing, they did.
Rob:
[00.26.26.13–00.26.49.03]
And then they applied for a grant to the Department of Energy. Congress allocated some funds through the Department of Energy to go support technology adoption inside of public power companies. They applied for the grant. They got it. They chose our technologies. They threw in the Dragos platform. At the same time the install’s going on, they got a reach‑out from the FBI that says, “Hey, I think you might be compromised already.”
Rob:
[00.26.49.05–00.27.06.22]
And you’re talking to IP addresses related to Volt Typhoon. And they’re like, googling what’s Volt Typhoon. And nothing at the time was really out there. And so, they’re like, “Hey Dragos, I don’t know if the—can you go ahead and turn on the system and let’s just look.” Turned it on, and there it is.
Rob:
[00.27.07.01–00.27.24.17]
It’s just like a Christmas tree. It lights up. And what they had done is they deployed us in the OT networks, but they also put us into the boundary, like the DMZ, of IT into trying to get into OT. And it was very clear, and incident response kicked off and says, an FBI and Dragos just high‑fiving each other. It’s one of those perfect case studies you want.
Rob:
[00.27.24.19–00.27.50.00]
And all credit to the Littleton folks, and they found that they’d been compromised for over 300 days on the IT side. But—and the adversary was constantly trying to get into the operations side of the house. That was their motivation and goals. And based on the fundamentals, they’re just like, “No.” And so, without even knowing they were winning, Littleton’s running circles around this really apex‑predator kind of adversary by having done the fundamentals.
Rob:
[00.27.50.01–00.28.11.02]
And then, as they continued that journey to get into detection and response, you got to see government and private sector come together with roles and responsibilities. And the asset owner—and then plural, I mean the general manager—man, he decided to talk about it, which you don’t do, right? You just—you know you don’t do that in the electric industry.
Rob:
[00.28.11.04–00.28.28.01]
We always want people to do it—or it’s like, all right, you do it. And so, this guy goes, “Screw it, I’m going to go talk about it. People need to know about this.” You did the right thing by going and talking about it, and immediately he starts getting dragged. Press, media is like, “Oh my God, you were a victim of a cyberattack.”
Rob:
[00.28.28.01–00.28.43.15]
How bad was your program? Like, dude, you had one of the best programs I’ve seen. What are you talking about—the guy that ran for reelection, or ran for election to take his job, on the basis that he was making his community vulnerable ’cause they were attacked by China. And I mean, like, he got raked over the coals.
Rob:
[00.28.43.15–00.28.59.02]
But he knew it was important to get out there and tell his community and raise awareness. And so, a bunch of other utilities ended up doing the right thing as a result as well. And so, it’s one of my favorite case studies because it shows so much of the complexity of what our asset owners and operators have to deal with.
Rob:
[00.28.59.04–00.29.11.00]
It shows that defense is doable. It shows the fundamentals work. It shows what public and private partnership can look like when it’s got—there’s every aspect of this story. Even the sad parts are extraordinarily interesting.
Matt:
[00.29.11.02–00.29.35.00]
Yeah, I was talking to an analyst about—it was a rather large hack, and it was a big company with a pretty heavy investment in all the latest bells and whistles and technical—the cyber tools that were trendy and things. And they had forgotten to set up proper firewall rules, and that was it.
Rob:
[00.29.35.03–00.29.49.00]
It’s like everywhere, man. It’s always when people are like, “I have an air gap.” I’m like, “What does that mean to you?” Maybe like, “I have a firewall,” and I’m like, “That’s not an air gap.” And then you go and look at the firewall, and then, “Oh, it’s the—any rules are still in there.” And this is—this isn’t—this is not good for you.
Matt:
[00.29.49.04–00.30.07.16]
Not only are you not air‑gapped. Yeah. It’s you—no, it’s interesting, I’ve heard some folks argue, talking about coordination and the sharing of this kind of intelligence. I’ve heard some folks argue that OT attacks are so rare because it’s so much easier to hack IT, that actual threat intelligence doesn’t really matter.
Rob:
[00.30.07.16–00.30.23.02]
And let me ask you, do you find that these people are involved in incident response cases in OT, or have intelligence teams? Or do they seem like pundits sitting on the side with no access to data? ’Cause that’s one I see. I’m getting—I’m starting to get, like, crispy about this. And I—again, I like our community.
Matt:
[00.30.23.02–00.30.23.10]
We’ve found the topic.
Rob:
[00.30.23.10–00.30.44.04]
But the—yeah, you did. The I—and here’s why. I went on a podcast recently with a buddy and did this discussion as well with him, ’cause he was one of the ones that pushes against it. If you are running a site—you’re a manufacturer, electric, whatever—and you choose not to do something, that’s your choice, okay? And I can debate it, and you can debate it, and I can say, “Hey, it’s outside the fence line.”
Rob:
[00.30.44.04–00.31.01.06]
This, that, and the other, but it’s still your choice. That’s your program to run. And if you’re in a company like mine that does a lot of incident response and has telemetry of customer environments, and we get five petabytes of data a day from OT environments, and we’re not even trying to collect the lot. And we have all these incident response cases and teams and Intel teams. So, for—if you’re a company like mine, and you choose to talk, great on you.
Rob:
[00.31.01.08–00.31.19.19]
If you choose not to talk, that’s okay too. There’s a lot of times we don’t talk about cases, but if you’re on the sidelines, you’re not in any one of those, and you just want to write blogs or complain to people, please make sure whatever you’re doing is not hurting the very people that you claim to support.
Rob:
[00.31.19.21–00.31.35.08]
What I mean by that is, if there’s an asset and it says, I do see the risk, I do see the incidents. I am getting the briefings. I’d like to invest in this. The last thing they need is that person to go out publicly, “there is no such thing. And this is a bad investment. This doesn’t make sense.”
Rob:
[00.31.35.08–00.31.54.14]
And I wouldn’t do that, ’cause then they get hit over the head with their leadership, or other people be like, well, so‑and‑so said this wasn’t good. So the guy that doesn’t have any skin in the game, and the guy that doesn’t have any access to any unique insights, gets to determine if your investments are good or not. That’s insane to me.
Rob:
[00.31.54.16–00.32.09.14]
And so, I’m not here to say I’m smarter or better or this. I’m just saying there are people in the community that are getting all of the briefings, and they want to be able to do security, and I’m just trying to say they should be allowed to do that.
Matt:
[00.32.09.18–00.32.15.19]
Right. Don’t create a cultural—yeah. So, make it a cultural pariah to be a—
Rob:
[00.32.15.23–00.32.32.01]
Correct. I’m tired. I got back in the military, my nights‑and‑weekend job. Right. Been in the army, and I told my commander that. I was like, I was on the XO, a brigade‑level staff, and looking at—we got, like, a thousand soldiers and try to train them up on OT and all those other stuff.
Rob:
[00.32.32.03–00.32.48.04]
And, I was like, all right, boss, well, I’ll let you know, I’ll come back in, but I’m going to piss a lot of people off, because I’m going to say this is the direction we’re going. I’m going to listen for anybody’s input, and we’re going to lock it down and go. And it’s going to upset people that we’re making a choice, because it just—that’s just how life works.
Rob:
[00.32.48.06–00.33.08.16]
And I said, but I don’t have time to fight China, Russia, Iran, and the US Army. So, you got to pick three. And he’s like, China, Iran, and Russia it is. All right. Let’s go. That is an issue in OT security community today, where I’ve got IT security companies publishing papers that OT isn’t different.
Rob:
[00.33.08.18–00.33.30.07]
Or there was one that came out at Palo Alto at—I mean, this is way too early to drink in the day, but there’s just one that came out. They’re a firewall company, and I love them to death, actually. I think they’re fantastic people, but they’re a firewall company. And they came out and said, turns out all the attacks against OT actually originate in IT, and you should protect your IT if you want to protect your OT.
Rob:
[00.33.30.07–00.34.01.01]
First of all, yeah, of course, no one in OT security is saying IT sucks, don’t do security. For some reason, people on that side of the fence are like, OT security sucks and don’t do it. And like, I didn’t come into your yard and, like, start making a mess. But what’s the issue there? They’re an IT firewall company, as they look in their data sets—which are only IT data sets—the only possible conclusion they could have is either it doesn’t exist, or when it does, it goes through an IT network.
Rob:
[00.34.01.03–00.34.08.06]
So, by the very nature of their collection, they could never get to a determination of attacks that originate outside their data sets.
Matt:
[00.34.08.08–00.34.08.19]
Yeah.
Rob:
[00.34.08.21–00.34.30.14]
And so, it’s just that kind of collection bias exists all over. And while I’ve got seven incident response cases that came in, like, last week that we’re dealing with. All right. Like, it’s not a small number in a week. And dealing with seven different incident response cases in North America right now. At the same time that I see posts from people, like, there’s no such thing as ICS, right?
Rob:
[00.34.30.14–00.34.32.08]
And I’m like, what? What the hell are we doing here, then?
Matt:
[00.34.32.08–00.34.34.19]
I’m just making the stuff up over here.
Rob:
[00.34.34.21–00.34.36.11]
And just shut it down. We’re done.
Matt:
[00.34.36.11–00.34.37.12]
Great. I’m going drinking.
Rob:
[00.34.37.12–00.34.40.04]
Yeah, incident response and drinking are not mutually exclusive.
Matt:
[00.34.40.06–00.34.52.10]
Yeah, exactly. Exactly. Well, and even to your point, like the—if, like, with [inaudible] mandates, it’s like you’ve got to share incident happens, but your point of, there’s no one hunting for it.
Rob:
[00.34.52.12–00.35.13.08]
Yeah, yeah, that’s the other thing. Sub—anybody can tell me the number is wrong, but it’s directionally accurate, because it’s all nobody knows for sure. But anecdotally speaking, and what we know from government data around regulations, everything else too, sub‑10% of OT networks worldwide are being actively monitored. And we want to say that there’s no such thing as ICS?
Rob:
[00.35.13.08–00.35.29.03]
Right. Sorry. Wait. Hold on. We got, like, Schrödinger’s OT, right? Like, let’s at least turn the lights on before we declare that, in the empty dark room, nothing is going on. You take more care at night when you come home to flip on the lights than we do with our power companies.
Matt:
[00.35.29.08–00.35.34.19]
That’s incredible. And I—my—I have a list of questions, but my head is going in three other directions.
Rob:
[00.35.34.21–00.35.50.22]
The last thing I’ll say on that, too, is, if we were having a dollar‑by‑dollar risk reduction discussion, I would then much more understand it, right? I would still argue it, because it’d be like, hey, you’re talking about human life. Do we really want to put it—like, you’re talking rounding‑error dollars again—to protecting human life?
Rob:
[00.35.50.22–00.36.11.03]
But cool. Let’s just say, if we were talking risk reduction, we had that conversation. We’re not at risk reduction yet in OT. We’re talking fundamental capabilities that are important for the business. The same segmentation that you’re going to put in place, thinking that it’s going to help you with cybersecurity—which it will—also makes sure that we have network storms somewhere that bring down the plant anyways.
Rob:
[00.36.11.03–00.36.37.18]
The very same visibility and monitoring that we want to do to detect adversaries is just an understanding of what’s happening across the system of systems and complex automation environments. Do root‑cause analysis. When an operator, an engineer, an OEM, or somebody makes a change and makes a process change across the network—like, we’re talking about things that, when a plant has an explosion or a system goes down, the CEO is going to turn around and go, what happened?
Matt:
[00.36.37.20–00.36.38.17]
Right.
Rob:
[00.36.38.19–00.37.05.06]
And that determines what their playbook is on insurance, cyber contracts, military—not… We can’t answer that today without doing some of these fundamental investments. So, there is a regulatory layer. Then there is a business‑capability layer. Then there’s risk reduction. And most companies aren’t even at risk reduction. And we’re having a, well, what’s the next dollar we should spend on, like, doing the actual things required by law and business.
Rob:
[00.37.05.08–00.37.25.12]
Then we can have your discussion about cyber adversaries all day long. I—yeah. Anyways, it’s interesting to me. And again, I’m not trying to come off criti—I love this community. I just—I’m so tired of—I’m exhausted, man. Like, I just gotta be honest with you. When I get out and do the mission, I have fun all day long—military, Dragos, asset owners.
Rob:
[00.37.25.12–00.37.32.08]
It’s great. Then I go to a cybersecurity conference, and, like, I just—I just get so deflated so fast.
Matt:
[00.37.32.10–00.37.42.15]
Yeah. Do you think that the lack of evidence of these kinds of OT‑specific attacks, this lack of scanning, lack of reporting, what—
Rob:
[00.37.42.15–00.37.43.13]
The evidence exists. What are we missing?
Matt:
[00.37.43.13–00.37.45.02]
Well, no, I mean, I’m talking about scale.
Rob:
[00.37.45.04–00.37.58.16]
You want an electric case study. I got it. Three states come out publicly saying they’re going to take Taiwan—which one you want. And so, I guess that’s the funny thing to me is, I ask this to some of these folks, they go, oh, well, there’s—it doesn’t exist.
Rob:
[00.37.58.16–00.38.17.07]
I’m like, cool. What would be compelling to you? Let me know the bar, because when I joined this community, I started on the Air Force side of the house but spent my time over at the National Security Agency. I was told there is no such thing as ICS. They don’t exist. I was like, okay. And I went and found a bunch.
Rob:
[00.38.17.09–00.38.33.05]
And then it was, well, those aren’t very compelling. I mean, what was the real impact? I’m like, well, you said none existed, and I found them. And yeah, they’re doing espionage, but they’re there. All right. Well, they didn’t take anything down. Then Ukraine happens, and I respond to Ukraine. I’m like, okay, well, they took down the electric system, and they’re trying to do it again.
Rob:
[00.38.33.06–00.38.56.02]
Like, well, I mean, that was in Ukraine. And, like, I’ve never had a single person sign up for a goalpost that doesn’t move when they’re already entrenched in the idea that they shouldn’t care about OT security. And so, I’m just getting to a point where I’ve said, no problem. You live your life, you do your thing. But for the coalition of the willing—for the rest of us that are right—I need to go get work done, because—
Matt:
[00.38.56.05–00.38.56.21]
Pushing on the strength.
Rob:
[00.38.56.23–00.39.20.02]
We’ve found religion on this topic. Let us go do it. And if you want to sit in your corner and complain about it, that’s fine. Just don’t be yelling at my 22‑ to 29‑year‑old guys and gals and others at the water facility that are bustin’ their ass and working 12‑hour shifts, ’cause they do care, and they want to make sure this actually gets done correctly.
Rob:
[00.39.20.04–00.39.32.22]
Don’t go yelling at them. You want to yell at the vendor, yell at the vendor. I don’t like your Dragos, your interview report, because you don’t publish census‑level data. You just freely publish all the insights that you see. Okay. My bad. Go write your own report. Like, man, I had somebody yelling at me about the OT-CERT.
Rob:
[00.39.32.22–00.39.55.07]
We, at cost—at Dragos cost—with $0 back. We have an OT‑CERT with thousands of organizations in and across the world, where Dawn Cappelli and a number of our folks—she was the global CISO at Rockwell, now she’s the OT‑CERT director—put on free webinars, have meetings with them, Slack channels with them, free resource guides.
Rob:
[00.39.55.07–00.40.11.22]
Here’s how to implement secure passwords. We don’t sell secure passwords at Dragos—that’s not what we do. It’s just, hey, here’s what you could do. Here’s how to help. Let’s go forth and conquer. Then somebody posts on LinkedIn, happening angrily, like, why is OT sort of a vendor thing? Why isn’t there a neutral one?
Rob:
[00.40.11.22–00.40.29.17]
I’m like, go build it. I don’t know—why are you yelling about the one that exists? Like, it’s just—you can’t make people happy. Period. Full stop. So, go find the people that you’re happy around, get mission done, and go do it, ’cause there are some real assholes out there trying to hurt infrastructure, and they’ve got to be countered.
Matt:
[00.40.29.19–00.40.35.03]
Or oblivious. It’s more about digging heels into a certain dogma.
Rob:
[00.40.35.05–00.40.38.01]
No, I’m not saying, like, those people are assholes. I’m saying, like, actual assholes, like—
Matt:
[00.40.38.02–00.40.40.06]
Oh, the assholes that are, like, actually, yeah.
Rob:
[00.40.40.06–00.40.43.20]
People that just happen to disagree. I don’t think they’re actual assholes. The state assholes—
Matt:
[00.40.43.20–00.40.45.06]
You’re getting spicy, man. I’m having a hard time telling the difference.
Rob:
[00.40.45.06–00.40.56.08]
The state actors that are like, I’m going to kill kids. I don’t know any other words. I’m sorry. It’s not PC. But you wake up one morning, you’re like, I’m going to kill civilians. You’re an asshole. That’s all it is.
Matt:
[00.40.56.08–00.41.06.13]
Yeah, kind of a dick move. Yeah, absolutely. Talk about the—I love the OT‑CERT story. We kind of dovetailed into it.
Matt:
[00.41.06.14–00.41.08.11]
Explain kind of how that came about.
Rob:
[00.41.08.16–00.41.33.20]
The spicy side of how it came out. There’s a lot of success in my life that originated with getting angry at something. And I loved the ICS‑CERT—like, the original Industrial Control System CERT launched at Idaho National Labs. And it was a great group of people that were trying to—they put on the ICSJWG conference, which was free and moved around the country to try to capture new people in the field.
Rob:
[00.41.33.20–00.41.52.17]
Like, it was just a lot of good—why I say free, it was taxpayer‑funded—but there was a lot of good work that was coming out of that. And when CISA got stood up, there was some infighting about brands and this and that, and US‑CERT and ICS‑CERT and Idaho National Lab and DHS and all this drama. And I don’t know who started the fire.
Rob:
[00.41.52.19–00.42.09.22]
I just know that it led to them basically shutting it down. And they didn’t tell anybody. So, the brand was on the website, the number was active, but there was nobody home. They just shut it down. And I was like, God bless, ’cause I always looked at government as being the long‑term player. Vendors come in and leave and whatever else.
Rob:
[00.42.09.22–00.42.29.13]
But if you want stability and durability and long‑term, it’d be government—and that’s before everyone got furloughed. But anyways, all right. And so when that happened, I was like, oh man, we gotta do it ourselves. And, like, what I was like—Dragos would be here. I’m building a hundred‑year college. I mean, I’m not—and we’re not—I’m making sure that we’re autonomous going forward.
Rob:
[00.42.29.15–00.42.49.20]
We’ll be here. I’ll bet you I’ll outlast the next administration. I was like, we’ll do it ourselves. And so we built OT‑CERT, and I called up Dawn, who retired at Rockwell. I was like, you want to come do this? She was originally playing colder over at Carnegie Mellon CERT and stuff, and she’s like, what’s my resource? And I was like, not a lot. I can’t go to my investors and say, I’m going to let you willfully lose money.
Rob:
[00.42.49.20–00.43.08.09]
I just—we just need to lose a little money. I can lose a little. I can’t lose a lot. And she’s like, all right. And so there’s a bunch of volunteering at Dragos that happens to go support. So we’ve got a bunch of people active in it. But it’s all people that are taking some time out of their workday, or maybe after hours, or whatever—just good people.
Rob:
[00.43.08.11–00.43.26.04]
And so, like, I forget how many are in there now. It’s well over 3,000 organizations. And so it’s just—and then we’ve got the Community Defense Program, that if you’re an electric, water, or gas provider in North America—and we’re trying to expand it, but North America—that makes under $100 million in revenue, which is just about 97%‑ish of all the utilities.
Rob:
[00.43.26.06–00.43.42.16]
Then you can have our software, you can have our training academy. You can have kind of high‑level hunting through Neighborhood Keeper. You can have all that stuff for free, forever. And we’ve got over a hundred‑and‑something of those players on board, and then a bunch more that want to get in but need resources for hardware or implementation.
Rob:
[00.43.42.16–00.43.58.07]
I’m like, I can’t—I don’t make hardware, I can’t help you there. It’s like, with my software and stuff, we can give that away for free. My investors are like, what are you doing? I’m like, well, it’s just, you see, it’s a—and I was like, all right, I’m not gonna lie to you. There’s no reason to do this, but it’s mission, like, it’s really cool, and then luckily—
Matt:
[00.43.58.07–00.43.59.23]
Do you care or do you not care? That’s the difference.
Rob:
[00.44.00.00–00.44.12.04]
Luckily, I got some good investors that are like, all right, man, you get to do that. But you better hit your numbers and all that other stuff. I’m like, all right, no problem. I was like, I’ll blow my numbers out of the water, but we’re gonna do a bunch of free stuff for people, too. You can’t be the safeguarding‑civilization company and then charge everybody for everything.
Rob:
[00.44.12.04–00.44.13.07]
That’s not how it works.
Matt:
[00.44.13.07–00.44.13.20]
Paywall and all.
Rob:
[00.44.13.21–00.44.15.09]
Yeah, I can’t do that.
Matt:
[00.44.15.11–00.44.25.08]
Yeah, exactly. It’s—I’m just—in my head, I’m laughing at the irony of this. The comment about, well, we just—why can’t the OT‑CERT be non‑vendor‑driven. I was, like, well, there was one.
Rob:
[00.44.25.10–00.44.47.04]
Yeah. They killed it. And again, you want to go build a consortium, I’d pay at least $1 million a year to run OT-CERT. You want to go find the funding? You want to go do it? Go do it. To—and there’s not—I just find that so interesting. Again, well, there’s nothing stopping you from doing anything you want just because somebody else is doing something.
Rob:
[00.44.47.09–00.44.51.03]
Why? Just say thank you or move on or block me on LinkedIn.
Matt:
[00.44.51.05–00.44.51.14]
Get off your armchair.
Rob:
[00.44.51.15–00.45.14.07]
Or whatever you want. But just, like, it’s so weird, this human nature aspect. This is also where I love OT security. IT got a lot of users. OT, we got equipment. I love equipment. It’s so easy to deal with. Not people. You deal with linemen who are recovering power systems after a hurricane, who are some of the best people in the world.
Rob:
[00.45.14.08–00.45.15.08]
And it’s like equipment.
Matt:
[00.45.15.14–00.45.17.00]
Real people.
Rob:
[00.45.17.00–00.45.36.22]
Operations [inaudible] have this drama. There’s all this funny little case about it in the height of pre—right before DEI became a real big topic. At the height of that, there was a lot of toxicity that was happening at cybersecurity conferences. You go to DEF CON or whatever else, you saw racism, sexism, this, that. Oh, girl hackers. Well, there’s a booth babe and all this other stuff.
Rob:
[00.45.37.00–00.45.54.21]
You know what didn’t exist on the OT side? Any of that. Like, we were like, you can have a female engineer. You know that, right? And so it was all this drama and toxicity and nastiness that happened at these cybersecurity conferences that were IT. And I go to GridSecCon or somebody else, or NPPE’s conference or whatever else.
Rob:
[00.45.54.21–00.46.03.10]
And we’re all high fiving each other. It’s like a high school reunion, with the good version of it. And I was like, I don’t know what’s happening over in that community, but, I mean, we’re gonna stay in OT, man.
Matt:
[00.46.03.12–00.46.13.14]
It’s still cool. Yeah. Yeah, absolutely. Well, all right, so there’s a couple of questions I wanted to ask—the sort of broader than the topic we’ve been kicking around here. So—
Rob:
[00.46.13.16–00.46.16.18]
How are you more broad in this last, like, five—right, go ahead.
Matt:
[00.46.16.19–00.46.33.04]
I mean, yeah, no, no, I get you. But no, more about sort of your focus. From within these topics that you got to stay on top of, what’s—what are you learning about right now? What’s got—what’s something that’s got you pulling on a thread, excited about?
Rob:
[00.46.33.04–00.46.37.12]
That’s—yeah—stuff. I went so long avoiding AI.
Matt:
[00.46.37.13–00.46.38.05]
Yeah?
Rob:
[00.46.38.05–00.46.53.16]
I mean, one thing that people generally associate with Dragos is, whether you like us or not, or whether you agree with us or not, you know where we stand. Like, we’re a pretty authentic company. And so, my marketing team years ago was like, hey, AI is really big. If you put it on the RSA booth, we’ll probably get more traffic. Should we do it?
Rob:
[00.46.53.16–00.47.15.06]
And I was like, I’ll flip the question. Should we do it? And, like, no, it feels off brand for us. And, like, that’s right. Unless we have something authentically to say about it, don’t have it. And we didn’t have an AI story. I was like, don’t do it then. But why? And so I pushed back for years, and then, my engineering team shows up, and they’re like, hey, by the way, here’s this module we’ve been playing around with, like, add on the technology, and here’s what it does.
Rob:
[00.47.15.06–00.47.28.22]
And also, here’s what we’re doing on this side, and this side, and this side. I was like, holy crap. I was like, is this a prototype? They’re like, actually, we launched it already, but privately, and you should take a look at it. And I was getting stuff that was taking people 20 hours, taken in, like, 20 minutes.
Rob:
[00.47.29.03–00.47.54.06]
And I was like, “Holy crap!” And then I get wrapped in some of these projects of, and here’s what the adversary is trying to do on the vulnerabilities. I’m like, “God damn it!” And so I’m pushing my own expertise on what are the actual overlays of AI and OT that matter. And some of it is just self‑inflicted wounds, where we’re putting a lot of AI into operations environments.
Rob:
[00.47.54.06–00.48.16.00]
Forget the security discussions. It’s just adding complexity and difficult to get root cause analysis when something goes wrong and similar. So I find myself more interested in that right now. I mean, I’m always interested in the business aspect, like, I—this is probably the biggest pet peeve. One of the ways, like, truly, if anybody just wants to troll me in an airport, like, people every now and then walk up and be like, Rob, real technical.
Rob:
[00.48.16.00–00.48.30.19]
And you designed incident responses. I was like, yeah. They’re like, who really runs the company? Then I’m like, sorry, what? Like, what are you talking about? It’s like, I’ve built a multi‑billion‑dollar company, and somehow I still don’t get credit for knowing what business is. It’s like I moved these deals.
Matt:
[00.48.30.20–00.48.31.11]
It’s too technical.
Rob:
[00.48.31.11–00.48.49.07]
Yeah. Actually, too technical. Can’t possibly understand GAAP revenue accounting. Anyways, and I say that to say, oh, I’m always interested in the markets in development. The business is just another interesting puzzle. And I really like the AI discussions these days of understanding the impact of discussion and still being able to find that 90% of the time.
Rob:
[00.48.49.12–00.48.50.23]
But that 10% is pretty interesting.
Matt:
[00.48.51.03–00.49.04.14]
Yeah, yeah. What’s—this might actually be the same answer here. Flipping this around, what’s something that you’ve changed your mind on, like, this? Something you’ve wrestled with or kind of decided to have a different perspective on?
Rob:
[00.49.04.19–00.49.10.06]
I mean, AI is there, but I’ll give you a different one, since you’re going for more esoteric kind of questions.
Matt:
[00.49.10.08–00.49.11.03]
Ah.
Rob:
[00.49.11.05–00.49.28.21]
I genuinely didn’t think there was evil in the world. Like, if—when I was growing up, it was like, hey, maybe even the murderer got abused as a kid—everything else. So you just don’t know what goes—I would—I try to have this super Christian empathy aspect of “love thy neighbor,” and I don’t want to judge anybody.
Rob:
[00.49.28.23–00.49.43.01]
And even when I was in the military and doing counter‑terrorism and signals development, all that kind of stuff, I was still, like, probably psychotic about it in the sense of, like, hey, the drone strike. Like, your team. My team. I just don’t hate you. I don’t mind, like, your team, my team. But I don’t hate you for it.
Rob:
[00.49.43.03–00.50.01.20]
And I try to have that mentality, and then I saw adversaries and what they were trying to do during the pandemic, and saw groups trying to break into pharmaceutical companies—not to steal intellectual property, which would have been a totally valid intelligence requirement—but to try to modify the vaccine. And they didn’t, and there’s no evidence of that whatsoever.
Rob:
[00.50.01.20–00.50.03.16]
But trying to do it just…
Matt:
[00.50.03.22–00.50.04.02]
The intent.
Rob:
[00.50.04.02–00.50.21.17]
And I was like, that’s not my team‑your team stuff. That’s just evil. And then I’m watching some of the stuff unfold these days in China and Taiwan. You can understand 99% of it. So it’s culture and identity and this and that. And then there’s the 1% of, like, but then you’re going that far and doing that too? What the heck?
Rob:
[00.50.21.17–00.50.33.17]
And so, I just—esoteric sort of question—I would say that my value structure is to believe that there is, honestly, the 1% that is evil and needs countered. I’m—I’ve crossed that bridge now.
Matt:
[00.50.33.22–00.50.41.08]
Yeah, yeah. It’s real. Interesting. All right. So, I’ve talked about the drinking thing. Then we’re going to get to it here. So.
Rob:
[00.50.41.08–00.50.57.13]
I don’t drink. I got coffee with—no, I—anybody who knows me knows I like a good beverage, but I’m maniacal about, like, take an Uber. You can eat. But if you drink, it’s no excuse—like, sorry man, I was drunk. No, that’s doubly bad. I think that’s—
Matt:
[00.50.57.17–00.50.59.03]
That’s just—that’s a worse answer.
Rob:
[00.50.59.03–00.51.00.05]
Actually worse.
Matt:
[00.51.00.07–00.51.17.23]
Well, the question—so I’ve started asking this question a little differently. The setup is this. You’re at a really nice bar, the kind that you don’t have to talk loudly at, and you’re on one end and somebody that you’ve been dying to talk to in security is at the other end of that. So.
Rob:
[00.51.18.01–00.51.19.23]
Does not exist. Okay.
Matt:
[00.51.20.01–00.51.26.17]
What’s your cocktail? Right. Because that says something about who you are, and who do you want to be at the end of the bar?
Rob:
[00.51.26.19–00.51.47.14]
Yeah. No. Zero people in security. So this happened to me recently. I got invited to this dinner or something, whatever. And I was having a gin and tonic, and Prince Harry was there. I was like, oh, that’s interesting. I got to, like—I hate to do this—I got to—I walked up to him, I was like, hey, man. I was like, you’re supposed to be, like, Your Royal Highness or something.
Matt:
[00.51.47.14–00.51.48.12]
I don’t know if you have to.
Rob:
[00.51.48.12–00.51.58.15]
Excellency, I don’t know. I was like, hey, man, you are Army. I’m Army. I’m positive I’m not supposed to take selfies with you by protocol, but want to grab a selfie? He was like, yeah.
Matt:
[00.51.58.17–00.51.59.17]
Nice.
Rob:
[00.51.59.19–00.52.16.04]
Grabbed a selfie and then had conversations, and he started getting deep and everything. I liked him, I was like, he’s—so I—if there’s somebody, like, did that with Ed Sheeran, right? You’re just like, I just want—hey, there he is. Like, hey, how you doing? Just—I don’t want to geek out with anybody on that stuff.
Rob:
[00.52.16.04–00.52.28.20]
I just want to, how were you in real life? Like—oh, the nicest guy I got to meet. I got to hang out with—can’t think of the guy’s name—but he’s on Arrested Development. He was the voice actor for BoJack Horseman. Like Bateman or something.
Matt:
[00.52.28.22–00.52.31.02]
Oh. Jason Bateman and—
Rob:
[00.52.31.04–00.52.32.21]
Yeah. Yeah. Jason Bateman.
Matt:
[00.52.32.21–00.52.33.18]
Okay. We learn that.
Rob:
[00.52.33.18–00.52.48.06]
Like, nobody even recognized him. He’s just hanging out—kind of looked sad—and I was like, I just walked up to him, “How you doing, man?” And he’s like, “Yeah, doing good. Right.” And we start talking, hung out for a while. He was just a nice guy. It’s like that kind of stuff I think is funny.
Rob:
[00.52.48.08–00.53.01.04]
And so, those are—I like getting to know people at that place. If you’re a high‑visible person, I don’t want to fangirl. I just want to know, are you doing okay, man? I bet most people don’t talk to you like a human. Are you okay? How are you doing today?
Rob:
[00.53.01.04–00.53.21.15]
That’s, to me, absolutely zero people in security. And it’s not against security. I’m not the self‑hating security person. It’s just everybody in security is interesting. Everybody’s doing their thing. It’s like, there’s nobody that I’m chastened to go see. It’s just I’m happy to talk to anybody. I’m a massive introvert by trade, but so many people come up to me to talk.
Rob:
[00.53.21.15–00.53.26.02]
And I’m always grateful that they share their stories with me. It’s always good people. But—
Matt:
[00.53.26.02–00.53.30.16]
So you would be the guy at the other end of the bar that you want someone coming up to.
Rob:
[00.53.30.18–00.53.41.17]
Yeah, sure. I don’t know how many people actually want to come talk to me, but if I—that would be fine for me. Every now and then, I get the one where someone—you can tell someone is looking at me. I’m like, all right, do you want to come up? They’re like, “I read Sandworm.”
Rob:
[00.53.41.21–00.53.53.16]
I’m like, that’s cool, man. What’s your question? And they’re good people. And—but you can see the little nervousness every now and then. I’m like, you do know I’m in cybersecurity. There’s no rockstars in cybersecurity, okay? It’s like we’re all equals.
Matt:
[00.53.53.20–00.53.55.11]
I’m not going to autograph anything. No.
Rob:
[00.53.55.11–00.54.08.15]
No, it’s just, let’s be real. We’re all down here. Just do your job. We’re all awesome. Be a good family person. Nobody’s more special than others just because they got put up on a billboard somewhere, right?
Matt:
[00.54.08.19–00.54.20.05]
Right, right. No—never truer words have been spoken. Rob, thank you for this. I’m glad we got to jump on some topics that you got crispy about. I always like to find those things.
Rob:
[00.54.20.07–00.54.22.08]
Yeah. Fun times, man. Thanks for having me on.
Matt:
[00.54.22.08–00.54.41.22]
Yeah, absolutely. And thank you, listener, for joining us on another episode here. Yeah. Lots of things you could be doing, and you chose to spend this time with us, so that’s really cool of you. One of the clearest takeaways from this conversation—resilience isn’t about stopping, or just stopping, an attack. It’s about having the plan for recovery.
Matt:
[00.54.41.22–00.55.06.13]
And when you’re talking about physical things—interconnected grids and manufacturing—recovery isn’t—it’s not just switching on a light. It depends on these components and systems, and systems, and operators that rarely make headlines, to Rob’s point, but are still essential in the process. And conversations like this matter, because they force us to rethink how we prioritize risk, where we invest time and assets, and responsibility.
Matt:
[00.55.06.13–00.55.55.09]
And we encourage everyone to keep the conversation going within your organizations and communities. Because, really, resiliency depends on how well we prepare, not just to defend, but to recover. So, until next time. Be well, stay curious, and do good work.
We really hope you enjoyed this episode of The Lock & Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website: armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.