Going into OT (Operational Technology) with Robert Lee
Robert Lee · June 11, 2024
Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. And I'm Rob Lee. It is great to have you on today, everyone. We have Rob Lee, Robert Lee, the CEO of Dragos, which is a very cool and interesting company. And we're glad you can make it because I was looking stuff up. You have been to Davos and testified before Congress and everything. And I'm, I'm, I'm glad you accepted our invitation to come up to the big time on the security.
I'm looking forward to what this is going to do for me. I appreciate it. And I always, I always like spending time with folks that are out trying to do stuff in the community. Um, if, um, Yeah, I like the community piece of it. You guys are out talking to a lot of folks and again, keeping it real and trying to have some fun. Security's a grind, everyone knows it, and people get burned out way too easily. So to have a little fun and talk about it all and not let it be so overbearing, that's good. So I appreciate the invite.
Thanks for coming. And we try to keep it interesting too, because your field is something a little bit different from what a lot of security people and what people like us are usually into. operational technology side. Um, so we're going to hear a bit about that, but first let's do a little business on the cocktail side. What do we, what do we got today?
Hmm.
Yeah. Well, for me, it's a, so I'm always a gin and tonic fan. Today is The Botanist, which is super classic. I think my like go-to is more like Brockmans, but, um, The Botanist is a, is a great one. As long as it's Fever-Tree tonic, it's all good. Cool.
Okay. I've got something, it was a,
I forgot what it was. It came in a blue bottle.
Harman or not Harman?
There's a bunch of different ones in a blue bottle. Is it like, was it like a craft one? Yeah, it was kind of fancy. Yeah, okay. I mean, there's like the whale ones in a blue bottle.
Did you say blue bottle, Joe, or blue pill?
No, not the blue bottle. It's a blue bottle with like an elk or something on it.
I don't know.
Okay. No, I don't think I've seen that one. Anyway, if you're, if you're interested, like, like, look, there's a lot of good gin out there. Don't get me wrong. But, um, my favorite in the world for G&Ts would be Brockmans. It's out of London. Um, and it's, it's got like a blackberry current to it. It's just, it's perfect for a G&T. If you want like a really good cocktail one, I would go for Bee's Knees. It's out of Vermont, surprisingly. And it's just, it's just honey and juniper. So it's real crisp. Wow. Wow. That's intense.
So, so what do you got there, Adam? Yeah.
Yeah. I listen, don't make fun of me, man. I grabbed whatever was near. I took it from my wife, you know, you know, you know, I was, I was watching, uh, at least the beer is all you took from your wife.
That's cool.
Yeah. I was watching a comedy thing and it was like, laughing about like White Claw, how it's a gateway drink. So maybe this is a little step up against a White Claw.
Hey man, there is nothing wrong with whatever you drink, whether it has alcohol content or not. This whole like, this is an unmanly drink, whatever it is. That's some crazy stuff for marketing. Like you enjoy your drink and it's good for you, man. That's true. Cheers everyone. Cheers.
All right, and before we forget, we've got to be better podcast hosts. Please follow us on Spotify or wherever you're listening. Please, on YouTube, like, subscribe, hit the thumbs up. I didn't get the special effect this time. You know, comment, please. We're trying to do some great shows for you guys. So let us know how we're doing. We want to hear from you.
Isn't that wild, though, like how much creators put effort into creating stuff and how very little feedback? I used to run this comic. I need to probably start it again, the Little Bobby comic. Um, and, uh, I ran it for, I wrote this book when I was in the military, SCADA and Me, a book for children and management. And later when I was just teaching at SANS, Threat Intelligence and Me, a book for children and analysts. And like, I just didn't think anybody would read them. I mean, the book sold well, but the comic I did every Sunday and I never saw anything. And I stopped it one day after 13 years. And I got hundreds of emails of, Hey, why'd you stop? It was great. Whatever. I'm like, where, where were you guys the last 13 years? It's like, wow. Yeah. Yeah. So for the people listening, you know, I'm, I'm flying in and flying out, but, uh, yeah, absolutely. Like tell the people that you enjoy their content.
Yeah, well, I'll tell you, when we started this, I was worried about the backlash, the embarrassment. Is it going to be terrible? Now I realize hate mail is like a privilege.
I mean, you'll take anything. My favorite piece of feedback I ever got out of that book, again, it was the military. I was frustrated. And so I wrote a children's book, but it was for a couple of generals that were pissing me off. And I just published it on Amazon. Didn't think it would go well. It didn't sell like 10,000 copies or some crap, but like, so it went, it went, it went wild. But like at the time it was just a joke and it was literally titled SCADA and Me, a book for children and management. And my favorite review is on Amazon. There's like a one-star review. And he's serious. It's not a joke. He's serious of like, I read this book and I can't even tell what the target audience is supposed to be. And I'm like, it's in the title.
So I want to understand, you said SCADA, right? SCADA and Me?
Yeah.
So let me ask you a question. Did you have like little centrifuges and stuff like that?
No, I mean, like it was such an abstract joke book because what happened So I was in the NSA at the time. I was an Air Force officer, but I was at the NSA. And I got called down to a combatant command. I was stationed in Germany. And they called me in to ask me how to attack this foreign government and this stuff. I was like, man, I don't agree with that. All my work is defensive. One of the reasons I took this mission and built this mission was to keep people out of civilian infrastructure. But when you're, you know, uniform, you're like, okay, fine, whatever. And so I showed up and I briefed them. I was like, I had prepared like a five-hour presentation on here's every component of their system. Here's every detail. Here's how you do it, et cetera, et cetera, et cetera. I was like, I wouldn't do it if I were you. Ethically, I think it's great. But if you need to, here's how to do it safely. You know, it's the whole like safe sex conversation. I hope you don't, but here's how you do it if you do. And at the end of the presentation, all these operators, We're supposed to be the APT, right? You know, the US government going after. One of the guys raised her hand like, great, great, great. Five hours in, by the way. So what does SCADA stand for? I'm like, are you fucking kidding me? Like, just like your, you haven't even Googled the term. And so I angrily on the train ride home wrote this book and I contacted a buddy of mine. It was like this engineer did drawing on the side. I was like, can you, you know, draw this and it was only ever intended. I published it on Amazon just so I could buy my own copy so I could put it on the general's desk. And I said, next time you need, next time you want to call my team, read this first. And it was as a captain in the military, like that's very flippant, but like I was, I was like, I was, I was done. And, and I forgot to delist it on Amazon. And then it just went wild. Oh my God.
It's like, it's like SCADA for dummies.
Yeah, it was kind of, but it was, there's nothing you could learn from that book. It was very flippant, but, but people, there's people, I get people now that send me pictures. I'm reading my kid this book on Christmas and it's adorable then, but like the context, the book is fine, but as context, I'm like, Oh, all right.
Did you have a following back then? Is that why people bought it or just pure? people's Googled it and found it on Amazon.
Yeah, it was Googling at that time. Because like, the amount of, we talk about industrial, I think we're gonna talk about it in this show as well, like operational technology, industrial control systems, and like, it's in vogue now. But go back just 15 years. Nobody was talking about it. It was like a very small community, could fit around a fireplace kind of discussion. And so I think I had one of two or three books that even mentioned SCADA in a security context that was out. And so people were trying to look and they found this children's book, this comic book, but they got the joke and it sort of went wild from there. And, you know, especially the electric community, the asset owners and operators, people running the companies, they thought it was hilarious because they were trying to explain stuff. And I remember, I remember it was, it kinda crossed the threshold, it was like jump the shark, when I had a general in the White House call me and tell me, and this is, I was still in, and he's like, Captain, this is hilarious, I keep it on my book, I keep it on my shelf, I keep it on my desk for when the management comes in. I was like, sir, you're a two-star general. How high do you need to be to realize you are the management?
Is it still on Amazon? Because I'll buy it. I want it autographed.
Yeah. I'll get you a copy of it, son. But yeah, I've got three now. Talk about the company. No, no, no. Here's my books.
Well, you know, I think this is really interesting because, you know, try to dabble you know from what i understand like you know if you think getting people to watch a podcast is tough like self-publishing on amazon is like impossible getting anyone to even see it or buy it or whatever you're you're like some kind of Naturally entrepreneur or something.
If you did that, wow. I think I'm not the stupidest person in the world when it comes to industrial, but let's be real. There's a time and place aspect to it. So when I, cause I, I walked in, I mean, I'm, I'm not that old. I walked in 2010 timeframe to the NSA. and said, hey, what are y'all doing on industrial? They're like, go find the unknown unknowns. I'm like, we're talking about what now? Like your mission is to find the unknown unknowns. I'm like, who's in charge? I'm like, you are. I'm like, I'm in charge of what? Like the unknown unknowns. I'm like, what does that mean to you? And they're like, we don't know. But Rumsfeld's really into it. Oh, God. What the shit is this? And so they said, go find basically go find the state actors doing stuff that we're not aware of. I'm like, I still don't know what you want me to do. And they're like, dude, just here's access to everything we have in the intelligence community. Go have fun. I was like, what are you doing on industrial? And they're like, what's industrial? And I'm like, what are you doing on control systems? Like, what are control system? Like, it's everything that has interaction with physics. And they're like, I don't think we're doing anything on it. And I'm like, Okay, that's my mission set. And so me building and leading the government's team on industrial was because no one else was doing it. It wasn't like, Rob, you're so special. Here you go. It was literally no one was doing it. And so like, I just got to build it. And so I think the same thing with the Amazon thing. At the time, it wasn't a topic. And so if you Googled SCADA in 2013, my book was like the number one Google hit. So it's just a time and place thing, I think.
So I want to add to that really quick, right? Number one, I probably would never know what OT or IoT was until Joe put me in charge of doing NAC. So I did NAC and I was like pulling the, yeah, I had hair at one point, pulling the hair out of my head, trying to figure out how to get these devices on, how to micro-segment it, how to make sure they don't get on the network, how to whitelist these devices.
And here's the other thing- And by the way, it was punishment.
It was punishment. And you don't even know. You don't even know because I was dealing, I want to be very careful what I say. I was dealing with people who had no clue. And then the second thing I want to tell you is, I walked up to a couple of 8200 guys. I'm like, hey guys, if I wanted to compromise a centrifuge and spin it really fast, then spin it really slow, how would I do that? Because why are you asking me?
Yeah. Look, man, the physics wins at the end of the day. And I think, I think there was a desire to talk about OT. So let me, let me, uh, maybe simplify it real quick. OT really is just whatever computing and networking systems are around physics. That's really what it comes down to. Uh, there's all these wonderful things in the world of IT and they, they accelerate the company. If you want to advance the company and you want to take advantage of whatever buzzwords you want to use, like digital transformation or whatever, you're tapping in all the power that IT can provide. But let's not forget the reason the business is in business is the OT. The reason Pfizer exists is OT. The reason Southern Company exists is OT. The reason Dow Chemical exists is OT. OT is the physical process of the computing and networking around it. Sometimes it's a Windows system. Sometimes it's a purpose-built controller built in 1970. It's all those weird stuff, but it all relates to the physical process. And so what's interesting to me is IT security presents a lot of opportunity, but IT security going to the plant and telling them what they have to do is misunderstanding. The plant's the reason you're hired. Uh, the mission is the operations. Now the operations can't stick their head in the sand and go, we're going to connect to the cloud and do all these things and screw you guys. Nah, you gotta do both. Um, and both have value, but the operation side of the house is 100% the reason that my kids have lights and water. It's 100% the reason that I got an employee. It was actually, it was one of the best days. I got an employee that called up a customer to sell to them that made the insulin. he was taking talk and, uh, climate change drive their Buick with gas to the site to protest at the gas station. You know what I mean? Like, it's... I'm not, I'm not, I'm not taking a stance on that by the way. Climate change is real. I'm not, like... That's another discussion. 
But my whole point is the world runs because of industrial. We want to do it cleaner, we want to do it more efficient, we want to do it safer. The world runs because of industrial. Everybody outside of banks, and even banks have building automation, but that's just, you know, whatever. I got asked one time by venture capitalists, Dragos has done decently well, and we have raised, I don't know, 440 million or so for the company. And every investor was asking, what's the TAM of industrial? What's the total addressable market? And I'm like, I don't know, man. Physics, everything, like it's everything. And so if you take that lens of we are here because there's communities who depend on us, we are here because there's a mom and a pop and a kid and whatever else that need this shit to work, then everything becomes a little more crystal clear on how do we partner together to do it. And everything else usually is just weirdness between teams for almost no reason whatsoever.
Not only do you need it to work, we need to protect it, right? And it's funny because I wrote, when I did my master's, I did it on ethical warfare. And what people don't realize is that nation state that might be doing, or the threat actor that might be doing that attack, they're removed. It's almost like being a drone operator without the screen, right? They don't know, they know what they're doing, but they're removed. They're not on the ground, you know, charging a hill, and you don't always have that emotional state to it. And people don't realize how important it is to protect their technology. And I'll tell you this last thing, I interviewed once for a company and she said, well, what would you do to protect my manufacturing? I said, a lot, but beyond what you think, remove the labels from your equipment or cover them up, put cameras on, in addition to protecting it by micro-segmentation or access control lists or packet inspection. Don't think just the ordinary, think beyond that box, physical controls to the place. Because not only do you have to protect it from a network stance and cyber stance, but physical and other means. So people don't realize the, and you of all people definitely understand that, right? The gap that's there that people don't comprehend.
I think people wanna pretend, and I did too, by the way, that wanna pretend that there's good guys and bad guys in the world. And most people are good guys with nuance. And I'll tell you, I spent a long time, an embarrassingly long time believing that, where my time in the military and in the NSA, not only did I did sort of industrial control systems, but at the same time, I had other traditional mission sets, including counterterrorism and signals development and other things. And shit, like, talking as an American in Iraq and Afghanistan, I looked at it as, hey, that kid wanting to shoot at my guys? He probably watched his dad get drone strikes or some shit. There's balance. So let's not pretend evil and non-evil. There's just nuance of everybody comes up in their world, everybody comes up in their way of thinking, and there's nuance. And for a long time, I was like, there's no real evil in the world. I wanted to rationalize it. There's no real evil. It's just nuance. And then I watched, during the pandemic, certain state actors break into pharmaceutical clients of ours for not the purpose of stealing the vaccine. If you did, that's fine. People are like, that's bad. Don't get me wrong. I'll try to stop them. That's my job. But if China, Russia, Iran, whoever, North Korea is trying to use their intelligence services to steal the vaccine for their people, that's why their intelligence services exist. That's a good use of it. That's an economic thing. That's about money. But if that was the reason, it'd be okay. But what did we see them doing? Trying to manipulate the vaccine, trying to hurt people, not steal it, trying to hurt people. And I was like, motherfucker, there are evil people. Like you're just targeting civilians. This is not a discussion. And by the way, I was in the military. I love the military. Don't get me wrong. We had red, white, and blue. There's more symbols on my arms for each military unit I was in than I'd care to count. 
But why did I leave the U.S. military? Cause we started doing some shady shit and, and it wasn't like of our own accord, but it was, Hey, let's go. Hey, Captain Lee, how do you do X, Y, and Z against a site? Like, why are we targeting that site? Well, that site serves power to an integrated air defense system. And then we need to take down, like, then just take down the integrated air defense system. No, no, no, we're gonna take down that power site here. I'm like, but off that power site is also that local community. But it's a valid military target. I'm like, no, that's civilian infrastructure. No, that's a valid military target. I'm like, no, you can walk across the unit, walk across the base, find a pilot. He'll sober up in six hours and you can drop a bomb on the IADS. You don't need a cyber anything. And so, you know, I think most people lose the nuance here of thinking we're just the good guys. There is a, a desire by every state out there, including us. And I don't say every state, I'm sure the Vatican isn't like thinking about it, but most states- But you don't know that for sure.
No, no.
The Illuminati aren't in charge, but anyway. But there are a wide variety of state actors who go, but we're the good guys. So that's okay, but this isn't. And I usually come down the side of civilian infrastructure ought to be off limits. If I'm in uniform, shoot me. If they're in uniform, shoot them. We know what we signed up for. We chose to sign up for it. This isn't a draft. Civilian infrastructure, stay out. So one of the reasons I got out was I'd like to protect civilian infrastructure. Because again, my kids deserve to grow up in a world with safe lights, water, manufactured goods, et cetera. And if you can't side with civilians, I don't know what side you're on.
And it's, Rob, it's exactly, you know, when I wrote that paper, I was saying to myself, what people don't understand, even, and I'm going to guess, even the people attacking whatever, whatever nation state they are, whatever, they don't realize the cascading effect of what happens. You turn off the electric, food spoils, you know, medical equipment doesn't work. Then you have sanitation issues. Then people start getting sick. And then it goes cascading exponentially into a world of hate. People are going to die by the thousands and tens of thousands and hundreds of thousands. If we ever lose our electric grid, we're going to have some serious issues that I don't even want to think about how bad it will be.
There's a lot of, yeah, there's a lot of truth in what you just said. I don't like when people are, and I'm not saying you're doing this, I'm using what you just said to launch off. There's a lot of people that want to fear monger, buy my product, do my services because the world is going to end. And I usually tell people the threat is worse than you realize, but not as bad as you want to imagine. You know, there, there's some stupid stuff out there. You don't need to freak out about, you know, I had a talk one time with Ted Koppel and what's the guy Tom Siebel about EMP is hitting the electric system. I was like, guys, stop. That's not the issue. But at the same time, There's a lot of very head in the sand. Life is okay. Like life is a lot more fragile than you realize. Um, let's take a look at Australia. Australia has been doing some good stuff. There's a port operator. Won't name them, but you can Google it. And there's a port operator that was hit there. Uh, they're good people. I've gotten to sit down with them, talk to them quite a bit. And when they got hit with ransomware and they had to stop their port operations, people thought the Australian news ran stories about, oh, now we won't get our Christmas presents and stuff on time, like Christmas presents. What about the insulin coming in on that ship and the kids depending on that? And so there was almost a pharmaceutical shortage and they averted it by like a week. And people don't realize like how close it was to people dying off the pharmaceuticals, not getting into the country, not your Christmas presents, you know? And so I think the industrial world is often discounted and, and very often yelled at, but very often people don't realize just how dependent they are on it. I mean, operation technology is awesome data centers. You know, we, we work with a very large company. 
You could name, everyone on the planet could name, and they operate a lot of data centers and shipping fulfillment centers around the And I asked them about risk management on their shipping facilities because we're protecting a bunch of them. I said, okay, on your shipment fulfillment facilities, how many do you care about? And they're like, one to five, we don't care. We can lose any five and we're okay. Like what happens on six? And they're like, oh, on six, the amount of medicine that is shipped through our popular service stops being allowed to deliver within the time that people need it. And we estimate it to be somewhere on the order of a hundred thousand deaths. Yeah. I'm like, oh, OK. All right. So six is the number.
So Rob's thinking about this, right? And now by no means am I saying what happened in Baltimore had anything to do with cybersecurity.
Oh, God, it did not.
No, no, no. But what I'm saying to you is Maryland.
Yeah. Crazy. Yeah.
But what I'm saying to you is think about all the people now that are impacted by the collapse of that bridge. The amount of stuff that comes to Baltimore is supposed to be one of the most major ports in the country.
It's the ninth most popular port. The supply chain is now absolutely backed up. Yes, exactly. And people. And it was through. Well, I'm not even going to opine on it. But either way, I will say, and I know you're not taking this angle, but I do feel I need to say it. The amount of people that wanted to add a cyber angle to it ought to be ashamed of themselves. There's nothing to support that. A bridge is not built to survive a loaded ship hitting it head on. You know, but it's insane to me. Then people are like, oh, the infrastructure was bad. I'm like, well, no, no, no. And there's been the Joes and a couple of the people in the world that come out. John, there is cyber and otherwise. And others being like, was there a cyber angle? I was like, stop, dude.
Like, there's no nothing is even remotely out there. But my angle was not about cyber. It was about the impact of the supply chain because of what happened to that bridge. And people don't realize whether it's a natural disaster, whether it's a collapse of a bridge because of infrastructure wasn't built correctly, whether it's a boat hitting into it. This is no different from the issue is if electric grid collapses, it's a cascading effect that causes medical issues. It causes food, fees, famine, you know, everything.
Well, what amazed me was, it's got, it's over 10 years ago now when we had Hurricane Sandy hit in the New York area. I mean, you know, certainly it was inconvenient to have power out. My house was out for like two weeks, whatever, you know, spotty everywhere. But what amazed me was how, like when the electricity stopped flowing and like the, uh, you know, the trucks stopped running and you couldn't get gas and, you know, food wasn't coming in and everything. It was like, within days, we're like, are we going third world here? Like the supermarket shelves are empty. Uh, you know, the gas lines, I mean, after a day or two, it happened so fast.
They're like, do you have like a bunker? You, you live in this world. Yeah. Bunker. And like, for what? I was like, every, every person, if they're financially able to should have two weeks of food and water storage. Okay. And they're like, but what about a month? I'm like a month. They're like, if the power is out for a month and the banks are out for a month, I'm like, you're eating your neighbor's dog. Like there's no bunker at that. You don't want to live in that world. Like it's gone. And we did this war game back when I was on the government side, we did this war game in a certain country that again, a big ally of ours. We looked at like, if we took down just the water utility industry across the country, how long would the country last without being recoverable? So how long would you go before that country was wiped from history? And it was like 33 days. It was like 33 days after dysentery, everyone always talks power, but like the water industry, dysentery and yellow fever, everything sort of sets in. And for about 33 days, it wasn't recoverable anymore. It would just be like a national park that people talked about in history.
Yeah, I study, you know, ancient history. I'm like a Roman history, not in other things. And it's like, you know, water is life. Water is the key. When at least one set of barbarians came to Rome, they were smart enough to figure out they went after the aqueducts and they were toast.
We massively abuse our water industry in the United States. And it's it's a really key infrastructure.
So think of it.
Yeah.
So think of this. I was stuck in Florida for Hurricane Irene. No planes were flying. I'm driving up and I start running out of gas and I get to a gas station. I'm like, I need gas. Like, oh, electricity's out. So I can't get gas. Thankfully, I went to the restroom and somebody said, oh, and I had almost no gas. He says, drive about maybe five, 10 more miles up. The gas stations are open. I pulled in as my car was dying and I got gas. But just the fact electricity's out caused an issue because I couldn't get gas from a gas pump.
Yeah, pumps don't work. It's hyper-connected. So what most Americans need to understand is your infrastructure asset owners and operators do an amazing amount of work that will never be public to keep things reliable. What we also need to understand is we are going through a transformation digitally, with connectivity and moving to homogeneous infrastructure versus heterogeneous, and codependence on software stacks that are ubiquitous and so forth, that the attack surface is also exploding. And so both can be true. The asset owners and operators have done an amazing job, and the landscape is changing so fast. We've got to layer in security to be able to do something about where we're going. And that somehow is a nuanced topic to be able to capture in policy circles and similar. And so you talked about Davos and Senate and everything else. You know, most of my time is spent running my company. We got 500-something folks doing operations around the world. But a good portion of my time is spent with policymakers around the world going, you keep talking critical infrastructure, but do you realize that 95% of all the things you've ever done went to the non-revenue generating portion of critical infrastructure, which is IT. And IT is important. Not saying it's not. It's honestly been underutilized and underserved. But in addition to enterprise IT is the enterprise, which is all the plants and all the substations, all the manufacturing sites, et cetera. And all we've ever done for most of them is try to segment them off and have a firewall. And now that we're connecting up and getting digital transformation, Industry 4.0 or whatever you want to call it, that stuff is not segmented anymore. And you probably want to do more than just try to prevent attacks from happening.
Well, let me ask you this, you know, in the, uh, in the IT world, again, we talk about critical infrastructure, banks and things, whatever, but really, until recently, a lot of it hasn't been, you know, life and death. And really, one of the reasons we have so many security problems is there aren't, you know, standards, there aren't protections built in, there isn't a huge regulatory framework, even though we complain about it all the time. But compared to like the real physical infrastructure side, I mean, you can't. There ain't a lot of startups in the water industry who say we're going to build fast and break things. There are rules, there's engineering. I mean, are you seeing that being applied to the
to the control systems there too, or is that something that needs more help? It's well intentioned, but there's gotta be a balance. And I'm not a regulatory person in the sense that I generally feel that regulation and security are not only not the same thing, but usually are opposite of each other. But you gotta have regulation for some of these industries. So some industries have a centralization of big companies that can influence the rest of the industry. And it works really well. Some markets, there's no big companies. So let's, let's take IoT as an example. If you're an IoT manufacturer, you think about time to market and your cost of goods. And so if I can reduce the cost because customers are buying on price, and if I can reduce the time to market, I'm doing that. And if I don't, I may go out of business. And so security presents a barrier. You're going to tell me I need to pay more for this product and slow down my time to market. You'll kill the company. We're done. And so in an IoT market, there's no central players. There's no ability to influence. It's anybody that pops in. Regulation makes a lot of sense. Hey, if you want to sell into the market, you got to do X, Y, and Z. You got to be this tall to ride the ride. Then you can sell your products in the market. It actually can make sense. In the electric industry, we have a lot of regulation, but there's less than a hundred investor-owned utilities, less than 20 or 30 large public power companies. You can get a bunch of them together. They have the Electricity Subsector Coordinating Council, and you can go talk to them and say, here's what you want to do. And they'll agree with you. And they'll say, let's go do it without regulation. You can influence that center mass. In the middle, you got the water industry. You got about 55,000 plus, 100-ish, but really about 55,000 water utilities of any decent size. That's hard to go talk to each one of them.
It's hard to get a central mass, but you don't need to do regulation like the IoT market. But you might want to say, you guys form a council, figure out what you want to do, and we'll hold you accountable to that inside of our requirements. And so each industry kind of takes a different stance. And so I guess to go back to your question, do I think the manufacturers, the OEMs, the original equipment manufacturers are putting in products that are making us more secure? No, the answer is no. Some great people at those companies, but the answer is no. But could we say beyond the standards, here's the ride to ride, and here's what it means to have a more secure product? Yeah, I think you could, and it would make some impact. But remember, and I'll stop here, but remember, most of the industrial attacks we're worried about are not about product security, which is like an IT mindset. Not bad, by the way, but it is an IT mindset. Most of the concerns we have are about misoperation. If I can open up a circuit breaker to energize or de-energize a substation, so can an adversary. So that living on the land style attacks in IT is the game in OT. Oh, okay.
That's interesting because you see, we think like IT people, you know, it's like, and there's more living off the land and everything, but you know, vulnerable, well,
You walk into a pipeline and you go, oh my God, it's vulnerable. And I go, who cares? And they go, no, no, no, no, it's Windows XP. And I'm like, again, who cares? And that freaks people out at first. They're like, no, but it's Windows XP, it's vulnerable. I'm like, but what can you do with it? What outcome can you achieve? I'm not saying it's a good thing, let's be real, but what's the issue? If I get on an engineering workstation and I know how to reprogram a controller and runtime operations to over pressurize a valve, And I don't need a vulnerability to do that. I just need knowledge of the industrial process. And so that's scarier than the vulnerability on the Windows system.
So there's three things I'm gonna add to that. One, like living off the land, people don't realize the DRACs of the world on the machine with the sub-Linux. People don't do anything to patch it. They're patching everything on the computer, but they're not patching the DRAC. Two, from an IoT standpoint, everything is almost proprietary, right? Like when you buy, when you have a Windows machine, even like a Macintosh or Apple, you can get an EDR installed and it's mass produced. There's no mass produced for your TV or anything else. Cause it's like a little Linux embedded thing. And nobody's really making security for that. And no one's updating. How, when's the last time somebody updated their car as they're driving? Oh, let me go update my firmware on my car. Who's doing that? Nobody. So then your car's taken over and you wonder why, assuming that somebody really did that. But, or somebody's looking at your TV or your camera on your TV. Who's updating the firmware to a higher level security? And then the last thing about these utility companies, it is so hard to find the right people and pay the right people to maintain that. I am like, like I was going to Joe. Joe's like, Adam, they're not going to pay for it. I'm like, Joe, we work for an organization, we should get packet inspection. He's like, Adam, they're not going to pay 2.5 million for packet inspection. But we'll see people in, we'll see people in the stream. And then, you know, the other thing I tell people also is, watch Joe flip out, PSIM. So people don't integrate their physical security with their IT stuff. Physical security integration management. I'm sorry, physical integration, physical security integration with your actual IT stuff. People don't have that and they don't know a single source. Why is the person VPNing in when they swipe their card? And maybe you think I'm crazy, but I think these integrations can help a little bit.
Well, of course they can. And so I think all the discussions are always what's the return on investment relative, right? And so there's not a bad idea out there. There's not a bad idea out there in security. Great. It's all great ideas. Let's just start there. All great. What's the one that's going to return the most value for what I'm putting into it? And maybe I got the opportunity to do two, maybe three. I don't have opportunities to do 20 critical controls. I don't have an opportunity to do all of NIST cybersecurity framework.
And risk versus reward, right?
Yeah. What's the one to three things I'm doing? And I gotta tell you, it's hard when you're an executive at an infrastructure company, because you hear from the FBI on every field office that's in your service territory about the two or three things you should do. You hear from the DOE, the two or three things you should do. You hear from the CISA, the two or three things you should do. You hear from the NRC if you have nuclear, about two or three things you should do. You hear from TSA if you have pipelines, two or three things you should do. You hear from every vendor out there, the two or three things you should do. And you get it all together and you hear 50, 60 things that are disjointed and you go, I don't know what to do. We're hit below.
We see that in IT too, but everyone's got a different opinion when you've got multiple orders. But something that there's a bit of a consensus on, like in IT, the modern thought is like, okay, when we had Ryan Westman on talking about stuff, some of the basics is like, look, if you had to boil it down to two or three things, what should you be doing? You got to be careful with the You got to get your vulnerabilities under control. You got to get your endpoints under control, protected, and you got to monitor. Okay, you do that, you got a decent security program. Basically, more or less, in the IT world. One in three of those would be good in OT. I was going to say, what would you say to focus on in OT? Not necessarily one of them.
I mean, what would you say? I mean, I've taught at SANS for 10 years now, outside of my role at Dragos. And my students always come to the same question. Rob, we're learning all this cool stuff. What are a couple of things? So Tim Conway and I sat down and did this exercise. Tim Conway is a beautiful human being over at SANS Institute. He was a grid operator for 20 years running electric operations and then did security. I get all the publicity, but Tim is the brains. And, uh, and what Tim and I did is we said, look, we got bias. Everyone's got bias. We all walk in with bias about what we think is good. And how many times we've heard that's a good control or bad control. And it's like, it's not an ethics discussion. It's what control is relevant to what we're trying to do. So what we did is we sat down and looked at every single industrial security attack that's ever happened. Um, all that we had access to, my data from Dragos, his data, our personal cases, everything that we could find. And we said, what security controls from an OT perspective were useful in all of them. Not that you couldn't find some useful ones in one-offs, but what were the security controls useful in all of them? Because those would be odd.
The bang for your buck, you know, where's that?
Yep, where's the bang for your buck? And it ended up being five. And so we published SANS ICS five critical controls. These are the five controls that have worked every single time in every industrial attack we've ever seen. And there are not only companies, but countries picking it up, like Australia is using it now in the ACSC, for like, when they go do assessments across critical infrastructure, they go use the five critical controls. And to me, that's how you move the needle. Because if you come in with here's NIST cybersecurity framework, or here's 62443, or here's CPGs, or here's whatever, it's too much for anybody to consume outside of maybe the Fortune 50. And so for everybody else, it's here's five things. Here's a strategy. Here's why we did it. Here's the math that you can check if you want to go down this path. And we've seen that return a lot of value for folks. And I would just say, from an OT perspective, the easiest way to define the five versus what you're talking about is an IT, and this is hand-waving, okay? But in IT, you deal with systems and data. How do I protect the system? How do I protect the data? I want endpoint protection on the system. I want vulnerability management on the system. If somebody gets on and escalates privileges and steals off the system, it's a bad day. How do I protect the data? Encryption at rest, encryption in transit, DLP, et cetera, et cetera. How do I protect the data? In the world of OT, we care about systems of systems and physics. I don't really care that the engineering workstation is vulnerable. Go compromise it. Now make the lights blink. I don't know that you can. But if you know how to access the engineering workstation, System 1, in such a way to modify the logic on System 2 in the correct way, in such a way that causes a valve to open, a pressure relief valve not to close, or a circuit breaker to open when it shouldn't. System 1 impacting System 2 with a physical consequence of System 3, that's a bad day. 
And so we care less about systems and data and more about systems and systems and physics, which implies not only industrial knowledge, but it's actually more network. Usually in an IT environment, you do endpoints, and then if you have spare resources, you do the network. In OT, it's do the network, because that systems the systems. If you got spare resources, do the endpoints. And then that's a big hand wave, but that's kind of the way to think about it.
Okay, so when we in IT, traditional cyber talk about living off the land, because you mentioned it before, too, you know, we talked about, okay, you send the phishing email to someone, and then you're on their machine. And you're like, Okay, now I'm going to do that. I'm going to use some tools and I'm going to try to get on a domain control and I'm going to try to get, you know, domain credentials and I'm going to try to go and see if I can get into this application and find a way, you know, we call that moving around, living off the land and through IT systems. It's almost sounding to me from what you were saying that the concept in OT of living off the land is still getting movement, but it's a little bit different in what you're doing.
Yeah, but it's the same and. It's the same and. This is going to sound really arrogant OT stuff, and it's not meant to be, but OT is everything that is an IT plus. Plus. The stuff that you bring in expertise from IT is not irrelevant, but you got to learn what that plus is before you apply it. And so all the things you just mentioned, but domain controllers, we've got domain controllers, we've got domain controllers in the plant. It's got DCS, distributed control system access. So we're the domain controllers relevant. That PowerShell movement that we're talking about and the lateral movement or Cobalt Strike getting dropped in. Cool. Relevant. But then there's an effect. Yeah. Before we care.
Yeah.
And so like talk about living on the land, there might be domain controller down to engineering workstation. Then what's the engineering workstation living on the land. It's using the Siemens TIA engineering workstation portal to program a controller that has from program from run mode to program mode. And now I need to know what to do, but I can't just go throw code at it. I got to know what the physical profile is to then be able to do the logic correctly to go like, you can't just go in and be like, open a circuit breaker. Like. what register are you talking to and what part of the physical process and what does it mean? And so like a lot of these like DEF CON presentations and stuff are like, I own this PLC and we're like, nobody fucking cares. But when it's, hey, I own this PLC with the knowledge of how this environment runs. So I know how to manipulate this register and what value to give it to cause a physical consequence. I don't care if it had a vulnerability or not, that's scary.
So you need to know IT. You need to know about the extra infrastructure, whether it's a PLC or the control station. So you have to do a lot of reconnaissance in order if you don't, like what commands do I type? AC-7-whatever it is. You have to know the nomenclature for that program, that language to control those things.
Yes. Yes. And it's, and it's specific to that site. Usually now we're getting into a class of capabilities that are not site specific, which is scary. And so not enough time to go into it here, but there's a capability called PIPEDREAM, PIPEDREAM. We covered it at Dragos, people go research it. It's the first cross industry capability. And that one's scary where essentially. This software, first of all, we have protocols like Modbus TCP, and so like that, and OPC. And it knows how to use those. Okay, great. But then it also knows how to use Codesys. Codesys is a software framework that has been embedded into like every PLC these days.
Oh, wow.
And so instead of knowing this Siemens controller versus this Emerson controller, if you just know that version of Codesys, you can just do it. And so that's what makes it scary. You can just be this ubiquitous kind of technology, but you still got to know, oh, register two is a servo motor. And if I switch it to a 20, that doesn't do anything, but a 50 in this context allows me to, and then you, you hit on it with this centrifuge. P-1 centrifuges at Natanz. If I wanted to manipulate the P-1 centrifuges to cause physical destruction, I needed to know physics of that environment, not cyber. And if I knew as an example that I could take it down to, let's say 47 Hertz, and then pipe it up to 1410 Hertz, and then maybe I dropped it down to 1210 Hertz, and did that in a certain cycle every day over the course of three months that it would cause a physical degradation of the, of the centrifuge to where it exploded out of its canister. That'd be pretty cool. But knowing this programming language or the cyber component of it would never solve it.
Yeah.
But if I knew that and then knew how to do it through cyber, that's world ending.
That's that's the physics. And that was if I look, you would know more than I would. But I know if I understand correctly, it was do it really slow.
Really fast and really slow. They're really fast. Yep. And if you know that environment, some environments can handle that. Some environments, I can go open up every valve possible to cause an overpressure, over pressurization event, and I got a safety system that just won't allow it to happen and it's okay. But in some environments I hit certain, it's, I got to know the code of the environment. You know, I got to know if I hit A, B, C, D, E, F, this will violate the physical profile. But if I don't know that, I can punch crap into a system all day long and maybe it's allowed digitally, but it may not be allowed physically.
So, Rob, I need a movie review from you. Die Hard.
Yeah, yeah. Not, not possible, but not possible in the way they articulated it. But articulated policymakers' concerns. I mean, look, there's a lot of different movies out there, Black Hat, all the rest of them. And like- Oh, Black Hat was great. I liked it though. There's always this nuance, and I hate to be that guy, but we are that people on OT. There's always this nuance where like, that's not possible. And like, but could you kill a lot of people? Oh yeah, you could kill a lot of people. You gotta do this instead. So it's almost like we're talking out both sides of our mouth. But like the way, you know, Ted Koppel as an example, wrote a book called Lights Out. And I, to this day, the technical side of me would be like, that's stupid. It can't work like that. And then like a congressman would be like, but could you achieve the same outcome another way? I'm like, oh yeah, you could totally kill a lot of people. And it's- It's theatrical lib- It's theatrical liberty taken in the movies. Yeah, it's usually not the outcome. But yeah, it's usually not the outcome. It's the way they choose to get there. Like, oh God, you could not do that. And we get caught up in the details sometimes. And yeah.
Okay, so let me ask this. I'm going to bring in a different movie. So I think this, if I get it, this could be the movie, Star Trek II: The Wrath of Khan, showing my age, when like, they hacked through the console, they can whatever. And then but actually, it's before they do that. But you know, they said, they knew exactly where to hit us. You can get in but you have to know where to hit them.
Star Trek, Star Wars, Jurassic Park. Yeah, those would be the better one. Jurassic Park, oh yeah. Jurassic Park, they had one IT guy monitoring everything that locked him out of the systems and they were able to physically control the gates and everything. Great, Jurassic Park. Star Wars, everyone says that the blast port where Luke shot with the X-Wing, oh, that doesn't make any sense. a lot of
faster than light travel, but they don't have drive encryption.
Let's also be real on two fronts. One, there's a lot of civilians and contractors that died on the Death Star. The rebels are terrorists. Okay. Second of all... Oh, come on.
That's from Clerks. You see that movie? Come on.
Right, okay. First of all, very much in line with that, of like the Jedi take kids when they're young in front of their parents by like buying them, like, turn it, all right, right. A little, little cultish. I, I remember fighting fucking jihadists. It's similar. But, um, when you look at, you can't understand why Anakin would be like totally screwed up in the head. Yeah, a little bit. But, uh, but also the piece to your, your point, when you look at like complex systems. If you, if you are able to study any complex system long enough, you will find a flaw. And if you do that long enough, you will find that flaw to be digitally done, or it may not be on design, but later on do upgrades. It may become digitally vulnerable. And that is what we're experiencing all across industrial of there's really safe systems and they were designed safely and you could not do anything to them to hurt people. But then we decided to stick an IP address on it to make it more accessible. And we're like, Oh, now you can.
But how many of these, these, these situations are really layer seven, right? Really at the layer eight, I'm sorry, layer eight at that keyboard level where somebody social engineered or opened up the wrong, the wrong, um, the wrong firewall rule, or the wrong container, or didn't put the right password on it, or... I mean, some of these are layer eight, right?
Yeah, there's a lot of it. Like, I mean, I don't know how many, and this was, I'm stealing this quote from Austin, one of our pentesters, but... but there's a lot of like temporary any-any rules, and there's nothing, there's nothing more permanent in the universe than a temporary any-any rule. Yes. And so yeah, so there's a lot of that out there. But even if you got rid of all that, the adversaries we're seeing are finding they're not doing anything creative. They're not sophisticated. It's the vulnerability comes out. They know you're going to take at least 30 days to patch it. They can reverse it to find the exploit within a day or two. And they go target the VPN concentrator. That's a good question.
How many of them were zero days?
Not, I mean, now visibility is always an issue, right? But from our collection, not many. And look, I was on the offensive side doing stuff against other people's infrastructure. And there was no point in my day dealing with HR and training and everything else and every commander that wanted a briefing. There was no point in my day that was like, How do I look fancy in the Kaspersky report? Like that was not my requirement. My requirement was get the job done, move on to the other 30 missions you have. And so what is fancy? It's an operational risk. If I look really good and fancy and you catch me, you're calling in a big time IR firm. But if I look basic as shit and you happen to catch me, you're like, ah, some stupid criminal actor, move on. And so you never want to be more advanced than necessary from an operational risk perspective. So a lot of the adversaries don't need to do the cool, interesting thing people think about. They just do the fundamentals and they're winning.
Yep. Keep it simple. Yep. Absolutely. There's something else I want to ask about. We're talking about getting in and knowing what to do. And then Adam was talking a little bit about reconnaissance. I want to ask, say someone, you know, gets in, they pop whatever, they get into the, you know, plant, whatever it is. And let's assume that they, you know, they don't just get the plans off, you know, off IT systems, whatever. Is there a way to do reconnaissance to learn what those key circuit breakers are, what those key things are? Can someone, once they're in, figure out what they need to do?
And we see a lot of this actually. And so when the U.S. government comes out, then sometimes they're overhyped. But they go, oh, a state actor broke in. We're very concerned about what they're doing. It's usually not, they're going to do something tomorrow. It's usually they're still in the type of data useful to do attacks. And that may take a while. And so in an industrial environment, if I see somebody coming in and selling passwords or whatever, I'm like, okay, whatever. Maybe it's impactful, maybe it's not, but usually not. But if I see somebody coming in and taking screenshots of the human machine interface about how it's logically constructed, if I see people stealing the engineering diagrams of how the integrator physically set it up, if I see them stealing the data historian about the set points that have historically been done in that environment, I look at that and go, not a lot of intellectual property value there. They know what they're doing and there's still an information that can help them design an attack. So that's the kind of stuff we look for. And so there is a set of engineering data. Most of it is in your environment. Some of it is in your integrators environment that when taken and combined together is reconnaissance that someone can use to design an attack that would cause physical consequence if the environment allows physical consequence.
This is absolutely fascinating. I gotta tell you. I knew OT was different, but this is really, really intense.
And look, there's a lot of things that people should get excited about their life. And IT security is also cool and interesting, but I gotta tell you, OT is fun. But you gotta be ready for it in the sense that IT, you're gonna work high frequency, low impact. You're gonna deal with a lot of shit. Not necessarily one of them is going to bring down the country, but it's gonna be cool stuff. A lot of it, a lot of experience.
It's a niche and a niche and a niche.
Yeah, but OT tends to be lower frequency, not low, but it's lower frequency, high impact. You know, I've taken a couple of cases that are now in books and movies, but I only took a couple of those cases. A good IT incident responder is taking cases every month, you know, and so it's, it's, low frequency, high impact. And so you got to know what you want to sign. I've had IR folks that joined Dragos going, I want to do incident response in industrial. I'm like, cool. And then after like six months, quit going, there's not enough cases here. We're like, this is a lot of industrial cases. And they're like, but we're taking one every month. My last firm, we took five cases a month. I'm like, how many people do you want to take down the power grid? Well, that's old school before ransomware. Yeah, before ransomware. But that's the thing. But also, if you're in IT, sometimes you can get mundane of like, this is the 30th ransomware case I've seen. They're doing the exact same thing, you know, dropper, Cobalt Strike, whatever else. It's like, yeah, it happens. But anyways, it's different. So I don't want to paint it like it's just this rosy field of, you know, join. But OT to me is a lot of fun. It just makes you think differently.
You bring up an interesting point, right? You know, you want to learn IR, you go, do you do like the OPSEC or the Offensive Security CERT or you do try hack me. But if you want to do OT, you got to really dig down deep, download manuals and stuff like that.
OT security is a specialization, dude. And so I know this is like not. I don't know, I feel like anti community when I say this next statement. And I've built my career on SANS and teaching and welcoming people in this community. But OT security is not for starters, period, in my opinion. If you played a video game, it has skill trees, you always go do your fundamentals and then you specialize. And it's the same thing. Go fundamentals in engineering, go fundamentals in IT security, go fundamentals in something. and then specialize in OT security and bring in your skill set. I don't think OT security is a place to start just by volume of stuff you deal with. It's a specialization on top of skill sets, and it's different. And some of your skills will be useful. Some of them won't. But don't pretend we're starting Star Wars Galaxies. You want to go be a creature handler up front or some shit like it's go specialize.
So I'm going to I'm going to say I think you're wrong about one part. I think it's a specialization and a specialization. I mean, not only do you have to know the basics and fundamentals, but then you really need to know a little, a lot about IR, and then you need to know a lot about OT, and then you need to know a lot about that specific industry that you're working on, whether it's gas or electric, because they all have different equipment. So it's really, you're becoming like, you're layering a level of specialization.
Yes. No, absolutely. I get called all the time to go to, I got this morning, I got asked to come and keynote this conference. And it's looked interesting. Thousands of people would have been cool. And I asked them what they want me to talk about. And they're like AI. And I'm like, it's not me, dude. And they're like, what? No, you're a cybersecurity expert. I'm like, I don't know what that means. They're like, no, you're, you're renowned cybersecurity expert. I'm like, no, I know industrial security. And even that is broad. What I mean by that is I know electric mining data center, pharma, water, you know, maybe some oil and gas, cybersecurity. I've never been in certain paper mills before. Like, you know, like it's subset of a subset to your point. And I think the days of pretending that people are cybersecurity experts, like died with like Bruce Schneier, you know, type skill sets. And what I mean by that is if you were coming up in the eighties and nineties, you were a cybersecurity expert. If you're coming up now at a college, whatever else, in 2024, you can't be a cybersecurity expert. The field is too broad. You can be application security expert. You can be an AWS cloud expert versus a Rackspace cloud expert. But if you want to say that OT is just a security skill set, it's like, man, no.
It's still too broad. And it's, look, in this industry, I don't know if you know May Kemper. She has her own podcast and she does other ones. I did her podcast, was it today? Yes, I don't remember. But we were talking about, and I said, you know, May, we in this industry are very self-deprecating. We put ourselves down constantly. But the reason why we really do that is because we really know how, you know, like, let me give you an analogy. I did martial arts. I was a white belt. I learned some stuff. I became a green belt or blue belt, whatever. And I thought I knew freaking everything. And then when I became a black belt, I realized I know shit. I am, I know nothing.
And this is Dunning-, Dunning-Kruger effect or whatever, but, but it's absolutely right. It's absolutely right. The more you, that's what I, I've never, never called myself an expert on shit. And, and here's my arrogance. If there's a list out there of like the top five cybersecurity experts of ICS, I bet you I'm on that list. You know, I bet you I am. I wouldn't put myself on the list. Because I know people like Tim Conway. And Tim Conway is not gonna be publicly on that list. But if I got some weird ass questions about how digital relays work at a substation in a certain operating environment, I'm calling Tim, because I don't know what the fuck I'm talking about. And so it's just, the more you learn, the more you realize you don't know shit. And so I think it's spot on.
Well, it's interesting too. It's funny, like you said, you have Yeah, 500 people. Where in the world did you find 500 people? Or how many? Yeah, you got to do this. They just don't exist.
Yeah, I, there was probably, let's say there was, and I'm just making up numbers here. Let's say there was 100 people in the ICS security community at one point that were really the experts. I probably hired 50 of them out the gate. Like we centralized and monopolized the talent early on. And then we said, go build courses internally, built a thing called Dragos Academy of this training, this documentation, this whatever. We built our tech. We're a technology company. It was how do I codify the knowledge in the platform? People come on to us and be like, do you use AI? And I'm like, yes, actual intelligence. We codify their expertise into this. And so like our whole thing is how do we build tech and training to where I can take an 18 year old at a high school and turn them into an OT security analyst within six months? That's the goal. This idea of hiring these purple colored unicorns with stripes and stars on her ass is silly.
You ever see Boiler Room?
Yeah, yeah, yeah.
Anybody, like, we're hiring anybody. Anybody have a Series 7? I have a Series 7. Get the fuck out. Why? Because we don't hire, we build them. And that's the point I think you're making, right? I'm not saying that you wouldn't hire somebody who knew it, but your specialty, like there are certain things you can't learn, right? In school. And it's kind of like, we say the same thing about some of the, you know, when you work for a nation state, there's skills you're never going to learn unless you do it in a nation state. It's kind of the same thing with your company. You're never going to get that education anywhere else but your company, or if you did it, some other company similar to that. And I'd be willing to bet you there's very few companies. I don't know any other companies that do it, but I'm sure there are.
We have competitors on any one aspect of what we do. But not all of them. We don't have a single competitor that does tech, services and intel. And so if you want to do tech, services and intel ICS specific, you're coming to Dragos. And so to your point, where are we taking from? Asset owner, operator community? No, thank you. I'm not stealing from our customers. Bad blood in a small community. Don't do that. And so for us it's 100% build them. I want people that got curiosity. I want people that got some level of expertise of something else they want to bring to the party. And when we put our recruiters, I don't look for people with ICS experience anymore. Uh, we put up recruiters for my executive team now, you know, CRO, CMO, CFO, all these others. And the first thing they want to say is, oh, we want to find somebody with industrial experience, right? I'm like, no, I want you to find somebody that's scaled by 100 million. Yeah. Find all these skill sets. I was like, I don't want them to have whatever you think industrial is. Cause then I got to de-educate them to then teach them what we know. Bring me a blank sheet of paper on industrial, but bring me with the experience on these other things. We know industrial enough to teach them the rest. And I think, you know, a lot of companies talk about that, but they got to, they got to actually put that into real practice. And I see companies on stage saying, we build, and then you go to their HR system, and for the job sites, and it's like, we want a new analyst with three years of experience and a SANS cert. And like, that's not a new analyst. Or we want a seven-year incident responder who also has five years of malware reverse engineering with also four years of threat intelligence experience. We want to pay them $55,000 a year. Like, good luck. And then we go, there's 300,000 jobs unfilled. I'm like, you got 280,000 jobs that are unfillable.
It's like a LinkedIn when they say, I want somebody with 15 years cybersecurity experience for a junior role.
Yeah. Yeah. Or I want someone with five years experience in this technology that's three years old.
Yes. Yeah. Well, that's a whole other discussion.
Yeah. We're going on a rant, but this is what you get for a security cocktail hour. That's great, especially towards the end.
Stuff's getting spicy. But no, but we are kind of at the end of our time. We've gone for a while. This has been absolutely fascinating. I really didn't know much about it, but- Oh, you tell all your guests that they're pretty.
But look, I appreciate hanging out with you guys. And look, for people that are interested in industrial security, the water's warm, come on in, but don't have illusions of grandeur. It's hard work, but industrial is fun. OT is fun, but spend time, take all your expertise, value it, but put it in the corner for a second, walk into the plant and go, how is it made here? What are you trying to do? What's the mission of this site? Then pull from your tool chest of how can I help you? But if you come in with, here's the playbook, I guarantee you're going to fail. And if you can take that mindset of like, if you, if you find somebody to sit down and watch the TV show How It's Made, I think it's on the Discovery Channel, whatever it is, and their face lights up, hire that kid. You know, that, that's the industrial world. You'll be fine.
I'll tell you this Rob, I wanted to say what Joe said. This has been fascinating. And not because we tell everyone they're pretty. There are a lot of different pretty people. But this is the first time I think we've ever touched on this subject at this level. And it is fascinating. How many people can I go to to really find out this information? And I'm being very transparent here. So thank you very much. I've learned a lot. And you kind of made me a little bit more interested than I was before. So thank you.
That's awesome. Well, Joe, Adam, I appreciate you inviting me on, and good luck on it all. And for everyone else, like and subscribe and show your content makers that you love them.
Thank you. Awesome. All right. Thanks, Rob. Adam, always fun with you. All right. Thanks everyone for listening.
