Robert M. Lee, founder and CEO of Dragos, told iTWire in Melbourne on Monday that given the government was not coming in to help, such an argument did not make sense. “So the government’s argument is we need to know the whole picture and then share information. But throughout history, the sharing of information from government has been limited at best,” he said.
There are several ways in which Lee differs from the average individual in tech security. For one, his field is a highly specialised one; secondly, he has a way of rather gently insisting on his point of view and making it seem reasonable in an argument, even though someone has just voiced an opposite view.
That was made clear when the conclusions his company put forward about an incident in Florida, where an attacker gained access to a water treatment plant and increased the concentration of caustic soda to a dangerous level, were termed questionable, because an attacker would not have sought to kill people, but rather to test out whether such an intrusion would be detected.
Lee countered by citing an incident at a petrochemical facility in Saudi Arabia. “…the attackers broke in with the explicit purpose of killing people and tried to kill 60 or so people,” he pointed out. “That way, we have had, throughout [the history of] cyber security, a number of instances where attackers have done things that we wouldn’t expect, quite maliciously and quite violently.
“Hence, the idea that somebody broke into a water facility to try to hurt people is not all that surprising to me, especially an operation system. We’ve seen serious state actors do that exact same type of thing before.
“I don’t know if it was a state actor or not. What I am dealing with is the fact that somebody broke in… and tried to hurt people in America. I think that’s quite serious.”
Asked whether it would be far-fetched to say there was a serious lack of security knowledge among people who look after industrial control systems, Lee said, “Yes, depending on how you define that. Not the people like the electric companies, the power companies and so forth, the vendors.
“While they do a really good job making equipment, the whole idea of product security is new to them. And so some of the vendors do a decent job at putting out vulnerabilities and analysing them, but a lot of them just don’t.
“If you’re an asset owner, operator, power company, water company, etc you’re dealing with the fact that a lot of the information you get sometimes is inaccurate.”
Elaborating on the rushed manner in which the US government agency TSA published rules following an attack on the Colonial Pipeline, Lee said: “I mean, [it was] like a week’s process for them, and it was a 24-hour comment period… and you just cannot put out good regulation in any field in a rushed process.”
Robert M. Lee: “An over-focus on product security is not industrial security.” Photo: Sam Varghese
He said what made it worse was that these regulations were focused mainly on enterprise IT and thus were not of great use when it came to an industrial operations system.
“If you were to follow the TSA guidelines as written, you would be at a risk of bringing down your pipeline, not securing it,” he said. “Why is this apparent lack of knowledge about IT systems there? Because presumably they’ve been in existence for a long, long time, isn’t it?”
While there was a lot of insight about the industrial systems themselves, Lee said the security efforts related to them were fairly new, and one needed to have very specialised knowledge to understand cyber-security measures specific to industrial control systems.
“A lot of times the agencies and governments that are tasked with doing things don’t necessarily have the [necessary] skillset in departments that are writing the regulations,” he added.
“Years ago, at one point, we talked about there being only a couple of hundred ICS cyber-security professionals worldwide. There’s more now. But if you think about that, even just a couple of years ago, only having a couple of hundred people that really know these systems, they’re unlikely to be the ones that are also writing regulations.”
That Lee is a geek to the core, despite all his government connections, is evidenced by the fact that he is very precise when answering questions. He doesn’t drone on and on in the way that many marketing tech people do; it gives one the impression that here is someone who really knows and understands his subject.
He was in Melbourne to inaugurate the Dragos headquarters in the city. En route, he visited Dubai — where Dragos has a branch — and also Sydney. After Melbourne, he plans to visit Perth before returning to his US headquarters in Maryland – where, incidentally, the NSA, Lee’s former employer, is also based.
Asked about the tendency of security firms to attribute incidents and malware to actors in countries that just happened to be on America’s enemies list, Lee had a ready answer, pointing out that his firm never did such attributions.
“If you look at our research, there’s not one time we attribute [things to] the state actors. We stay out of the geopolitics of it. We don’t say it’s Iran, China, Russia, North Korea in the same way we don’t say it’s the US, Israel, UK, Australia; anybody that targets these systems we publish [research] on [them].
“And I think it’s not even a fair assumption. It’s actually correct that the US, Israel, Australia, UK, other countries absolutely target systems as well. So from a Dragos standpoint, we’re not calling out anybody. We just say there’s these groups and here’s what they do because we don’t play those political games.”
He said quite often companies did not name threats from Western countries, because attack groups from such countries did not target their customers. “If you think about it, if you’re a US-based cyber-security company and you’re protecting largely US-based cyber-security firms or cyber firms, you’re going to see compromises from US geopolitical adversaries.”
And Lee added: “If I am a Chinese based security firm protecting Chinese companies, I [would] see largely US-based intrusions. Many of those firms just don’t have the collection in the places that the US is targeting to call out the US. The same thing applies to other Five Eyes countries. But for us, we call out everybody, we just don’t ever talk about who it is.”
Asked whether digital transformation, in the ICS/OT context, always carried the increased risk that is typically associated with Internet-connected things, Lee had a one-word answer: “Yes.”
“Folks in the community would probably argue that it’s not Internet-connected, that it’s just connected, but that’s semantics. You might be connecting up to a vendor who then connects to the Internet,” he said.
“The whole point is, as this digital transformation takes place, these systems become more connected, whether it’s directly or indirectly to the Internet, it’s connected. And those connections create an attack path for adversaries.”
But he did not agree that this increased exposure to attacks was caused by operators taking shortcuts or failing to take security seriously. “No, I don’t think those are correlated. Are there some asset owners who are not taking security seriously? Not sure. And there are some that do a very good job.
“But the correlation there is if you’re going to take advantage of the digital transformation, a lot of the advantages in cloud resources, analytics, it’s in vendors like GE who are creating new models for performance on gas turbines.
“The reason for the connectivity is to take advantage of digital transformation resources like cloud and analytics. You have to connect to somebody else. So has the level of security consciousness increased in recent years? Oh, absolutely.”
Lee agreed that education had a major role to play in keeping attacks on industrial control systems at bay. “It has a great role. One of the things that governments do very well is amplifying this topic of industrial security. We’ve seen a lot of great movement here in Australia and the US by government partners specifically talking about operations technology-specific security,” he noted.
“And as a result, boards of directors, members, CEOs, the executive staff [at] these companies are going, oh, okay, what should we do about that? And if you think about it starting back 20 years, people are always saying, do cyber security, do cyber security.
“But the nuance of that, what to do, all the different ways to do it, and whether it’s IT or OT, that can be overwhelming and confusing. I don’t know that the external groups, government standards etc, have ever really been specific on IT versus OT. They are [now] starting to be specific about the necessity of operations security.”
Asked about the use of air-gapping to improve security for industrial control systems, Lee said it was only used in the nuclear industry. Iran’s nuclear plant at Natanz was air-gapped but, as is well known, that did not shield it from attack by the Stuxnet malware.
Dragos gets hardware appliances from different vendors but writes its own software, including firmware. Lee waltzed around a question as to whether the software was Linux-based.
He laughed when asked about the company’s stated mission — safeguarding civilisation — whether that was not best left to the likes of Batman and whether the stakes were really that high.
“Absolutely. When you’re talking about adversaries that are trying to kill people, you’re talking about adversaries that are trying to disrupt, [things] like electric power, etc. I do think it’s that high.”
The slogan was a reminder “not to just take care of the big players, because a lot of our societal value is also in the smaller electric co-operative, water utilities, that’s your day-to-day [providers]”.
“If we build a big company on only protecting big players with big budgets, that’s not safeguarding civilisation. We have to take care of the smaller players too, I believe.”
Lee said he would place himself in the technology bracket, when asked whether he considered himself more of a marketing sort or a tech sort. “I see myself as a teacher first, and sometimes that’s a marketing kind of function. To help educate people. Sometimes it’s in the technology type function, but I’m a very technical person by trade.”
In Dragos’ annual report for 2021, the company had stated that the design of ICS products meant they could rarely be secured from the risk of rootkit installation. Lee explained: “In enterprise IT security, you normally have a very big focus on product security and data security. Encrypt the data, secure the product. And that makes sense for the world we live in there.
“But on industrial security, it’s a system of systems and physics. And there is native functionality required in those products to even have them do the systems assistant functionality that you can’t secure against.
“As an example, if I have a product the entire job of which is to open and close a circuit breaker, that can be used by an adversary [and also] by an operator. There’s no way to secure that because it’s doing its job.
“And so there are plenty of products… where the functionality that’s demanded of them for that environment is, of itself, available to anybody. Hence, it’s silly to say that it can be secured or not.
“An over-focus on product security is not industrial security. That’s usually [the case] with the vendors, even when they sometimes make mistakes, these advisers and so forth, I think we kind of yell at them a little too much. Their product security is not the same thing as industrial security.”
Lee laughed again when asked why he wore such a long beard, but took no offence at the query. He has a simple reason for doing so: when he was in the army, he had to look very neat and clean on top. Now, given he can do what he likes, he just lets the facial hair grow.