CyberWire Daily - Robert Lee: Keeping the lights on. [ICS] [Career Notes]
Episode Date: August 18, 2024Enjoy this special encore with CEO and co-founder of Dragos Robert Lee, as he talks about how he came to cybersecurity through industrial control systems. Growing up with parents in the Air Force, Ro...bert's father tried to steer him away from military service. Still Rob chose to attend the Air Force Academy where he had greater exposure to computers through ICS. Robert finds his interest lies in things that impact the physical world around us. In his work, Dragos focuses on identifying what people are doing bad and helping people understand how to defend against that. Rob describes the possibility of making a jump to control system security from another area recommending you bring something to the table. Rob talks about the world he would like to leave to his son and his hopes for the future. We thank Rob for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hi, I'm Robert Lee, and I'm the CEO and co-founder of Dragos.
My earliest memories weren't related to security or computers at all.
My mother and father were both enlisted Air Force folks, and they ended up retiring after 25 years of service each.
And my earliest memories were around planes and Air Force.
And, man, I want to be like my dad.
And credit to my dad, he tried to push me away from that.
Hey, go be a lawyer.
Go do something different than I did, son.
You know, don't join the military.
Go do whatever.
And he couldn't talk me out of it.
And so that's the direction I went and ended up going off the Air Force Academy and commissioning into the service.
But, you know, I'd always liked computers and I'd always played games and been a computer junkie, but it wasn't as drenched in it as a lot of other people in our community.
It wasn't until I got into the Air Force Academy that the topic of computers became interesting.
And it was only that they became interesting because of industrial control systems.
So I was into industrial control systems
and working with water filtration units and wind turbines and similar.
Heck, even getting from the Air Force Academy perspective,
getting access to control systems that were on planes
that were being developed like the F-22
and seeing the engine work and the engineering of it,
that was my draw before computers or computer security ever was.
Even today, when I look at security as a whole, the idea of protecting data or information,
it's a very important thing that does not interest me at all.
To me, the interest is in things that impact the physical world around us, and that's very exciting to me.
Interest is in things that impact the physical world around us.
And that's very exciting to me.
And so I joined an organization called Engineers Without Borders and ended up going to Cameroon and doing humanitarian work there.
And it was in building water filtration units and wind turbines
to store electricity and car batteries to provide lights for folks
so they could continue to work into the evening and be more productive.
And that idea, not only the physical world around us, but this ability for control systems
to make life better for people.
That's something really, really special.
We try to focus on identifying what people are doing bad and helping people understand how to defend against that
while also thinking of the art of the possible
so that we can get ahead of the challenge.
And doing that in a system of systems world
where everything is connected, everything is impactful,
and a lot of the security and insights and protections or whatever were developed on a system level.
But the moment you start deploying things in a systems of systems context,
like we do in industrial control systems, all that goes out the window.
And we get to be the puzzle makers that sit there and document what others have done
and come up with new ways to do it and make sure that we're empowering folks to go keep the lights on, the water running,
the manufacturing goods producing, and the Accela running on time.
I tend to believe that anybody can do anything, and I don't think you have to do one path,
but I do like the idea of bringing something to the table to get started.
And so that might mean maybe starting out in IT before you pivot into security.
Or maybe it means starting out in control systems before you go into security, or starting
out in security before you go into control systems security.
But I want to be careful that folks that want to start out have a community and have a foundation
of knowledge available to them so they don't get discouraged.
Find something that drives you from a passion perspective.
Maybe it's network security.
Maybe it's memory security.
Maybe it's the physical process of electric transmission.
But do that first.
Then let's talk about the other piece of it and form it together.
talk about the other piece of it and form it together.
My hope of what I'm doing at SANS, what Dragos is doing,
what our community is doing, what I'm hoping is we move it into a foundational topic so that five, ten years from now, people
do walk directly into ICS security because it's more documentation,
a common language, a professionalization around it. It's more accepting
and capable for someone new to start out in kind of a sandbox
versus, you know, no floor underneath you, no ceiling above you.
I think a lot about my son, and I want my son to grow up in a community that has safe and reliable electric power and water and transportation and similar.
And today, that would be true.
Actually, our infrastructure is pretty awesome.
We have some of the most safe and reliable and affordable infrastructure in all of history.
The problem is the trend that we're on, that trend doesn't look so good five to ten years from now.
I would love to make it impossible to kill people through cyber in industrial environments.
I think that's an achievable goal.
It's a hard one, especially with the trend of the community, but I think it's achievable.
And I would like to leave the world in a better place, but definitely no worse for my son. but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.