← All talks

BSidesCharm 2026 - Keynote

BSides Charm 202642:3416 viewsPublished 2026-06Watch on YouTube ↗
Speakers
Tags
About this talk
Robert M. Lee reflects on a decade of operational technology security, tracing how OT threats have evolved from niche intelligence-agency concerns to militarized, scalable capabilities like PIPEDREAM. He argues that convergence of complex infrastructure, adversary interest in civilian targets, and financialized leadership at critical infrastructure operators has raised the stakes considerably. He closes with a call for building durable, mission-driven security companies and communities that can outlast the current moment.
Show original YouTube description
Robert M. Lee is CEO and co-founder of Dragos, the global leader in Operational Technology (OT) cybersecurity. The Dragos Platform protects critical infrastructure and industrial operations worldwide. For the World Economic Forum, Robert is a frequent speaker and serves on the cyber resilience subcommittees for Oil & Gas and Electricity. He is a SANS Fellow and on boards for the International Society of Automation and National Cryptologic Foundation. Robert was a U.S. Air Force Cyber Warfare Operations Officer tasked to NSA, and subsequently helped lead the investigation into the 2015 attack on Ukraine's power grid. He continues his public service as Lieutenant Colonel in the Army National Guard, designing and leading OT cybersecurity and response.
Show transcript [en]

folks. Uh, it's been a minute since I've been here. The last time I came to talk was I think 2017 or 2018. Uh and apparently it took him that long to get over it to invite me back. So hopefully this one doesn't suck. Uh and I'll try my best. But uh really I wanted to talk to you about uh a couple things today. OT threats for sure are going to be a component of it. And we'll stand over here now uh and and talk about OT cyber threat landscape and things like that. But really I want to take a different approach. I want to I want to have a talk that's really built a little bit

more on on a reflections kind of basis. 10 years is something special. Um, it's something special for this community and this conference, but it's also this month the 10 year anniversary at DRAOS. And so there's there's a thing about TI 10 that I'm going to celebrate. And I really want to talk to you about sort of where we've been uh especially in the OT space and what it means to you and then where I think we're going. And I think there's a lot of unease these days as I talk to folks whether it's politics or geopolitical or local security or international security or AI and mythos and all these things. uh there's a lot of like uncertainty and unease with

folks and I think one of the beautiful things about the bides community one of the things that I love about these kind of more community-like conferences is that community piece and we can come together as a community and kind of work through that unease but I'll give you my perspective on it and I'm going to try to walk over here again and see if this works. Look at that dialed in. Thank you. All right. So um OT for those of you that are unfamiliar with OT operations technology uh it's the critical part of critical infrastructure right and I think there's a lot of questions that I get from times of like is this device an OT device or is this

device an IT device or what is it and the classification really is built around what is it doing not the operating system there's a lot of Windows servers in an operations technology environment and I' I've seen that definition sort of morph over the years where even people are like it's X IoT see it and I'm like, "Stop it." Right? There's nothing in common between Alexa and a gas turbine. Like, knock that off. Um, but when we look at it, I think there's really I think you'll probably see me start using this more often. I think we'll start taking it back and say, "Well, it's XOT then. Well, it's we're we're extending OT, not the other way around." And when you look

at that, it's really around the control loop in the physical process. It's what are the digital components and all the things required to enact change in our physical world. Whether it's a valve uh opening up something, if it's a a slooh skate for a dam, if it's electric transmission substation, if it's the manufacturing we use for our pharmaceuticals and our food and beverage, um all of that stuff is a physical world. And it's really interesting to me how many folks over the years have viewed that as a niche. And I would just say there's a very large IT security bias to say, hey, the stuff that actually generates all the revenue and has all the actual impact on

society, that's the niche, but the server, that's the point. I'm like, okay, bold take. Um, but probably not one shared by most uh folks outside of infosac. And when we look at that world of OT, it's changed a lot in ways that we never intended, right? Like Mr. Edison never intended us to have automatic generation control capabilities at a transmission system operator activate a gas turbine system at a generator 100 miles away and immediately start putting it on the electric system because a market operator thought it was a nice time like a stock market. That's not how it was designed. Okay, but it's interesting now um with what all that complexity means not only for us um but for our

adversaries as well. So I'm going to I'm going to walk you down that journey, but I I also want to reflect again 10 years and tie the Drago story in here a little bit. not as a yay Draos and all that stuff. I'm not going to product pitch to you. Um, but I do think there's something special for all of us in this community to think about sort of bucking the trends. Like when I started Draos, uh, I did it out of Maryland. So, it's a Maryland based company. And I remember being told like just consistently that it was a stupid idea, but like everybody like every venture capitalist that I talked to, I went to San Hill Road, did

the whole like Silicon Valley trip and sort of walked and and took the road and met all these investors. I took 123 venture capital meetings and every single one of them told me this was a really really stupid idea. Oh, t that's that's niche. Why didn't you want to sell to like Facebook instead? I'm like, all right. And uh how none of this was all that important to do? And I looked at it and said, "Okay, maybe it's a bad market. Maybe it's a stupid idea, but but it's important. It's it's important to all of us." Like my hometown in Alabama, Coleman, Alabama, doesn't get served by Southern Company, though they're a good company. It gets served

by Coleman Cooperative Electric. It's the small infrastructure. It's the local aspect. It's our communities. And the idea that our communities aren't worthy of protection, the idea that our communities are too small to matter. Um that that seems off. And so we we started Draos and and uh it it's been cool. Like we're the first first uh independent OT security company to be worth more than a billion dollars. That was fun. Um now we're a multi-billion dollar company and it's all out of Maryland. And I think that's neat, especially to this community that you can create companies here. You can be an entrepreneur. you can you can do something that matters. And all the Silicon Valley sort of discussions

eventually were like, "Well, you can't do that out of Maryland. You you need to be in the valley." Someone uh came to us for our series A and said, "We'll fund you, but you have to move to the valley." I'm like, "Why?" They're like, "Well, the engineering talent is here." I'm like, "Oh man, you haven't been to Baltimore. You like you haven't been to like DC. You haven't been to Fort me area." Like that's a cute statement. You you built a couple cloud companies or something, but like there's a lot of stuff happening out east coast. And uh I I think it's important for companies like Tennibal and Draos and the different ones that have come out of

Maryland to keep highlighting that the East Coast has got some amazing talent, amazing people. It's worthy of investment. And and so that's how I sort of marry that up with the OT idea. It's worthy of investment. It matters. And there's a lot of cool stuff happening there that people don't understand. So let's let's skip to the the changes in infrastructure that have taken place and what it means from a from a threat perspective. And then unfortunately with most of my talks it gets eventually to like death, destruction and war. So we'll get to that at the end. Um but but there's a there's a good hope thing in there too. So in the world of operations

technology we used to have very very heterogeneous disconnected kind of one-off infrastructure. And even when it became connected it was still heterogeneous. It was diverse. A carbon cracker in Dam Saudi Arabia had very little of anything to do with a water filtration system in Pittsburgh. the infrastructure, the original equipment manufacturers, the integrators, the physical process, the digital components, it was all different, very, very different. And what that meant is that when something went wrong, you turned to your people and said, "Hey, Lisa, what the hell happened?" And Lisa had worked there for 20 years. Her daddy worked there for 20 years or granddaddy worked there for 20 years. And Lisa knew the plant and Lisa could tell you,

"Here's what's going on in the plant. This is what went wrong. Let's recover this asset safely." Because a lot of people I think sometimes have the notion that operations technology they really care about availability. Not necessarily. Some industries do, some don't. It just it depends. Um but we really do care about knowing what the hell is happening in our infrastructure so that if we do need to recover it, we can do it safely and then we can understand how to bring up our asset or how to control and operate our asset in a safe way. So Lisa was our root cause analysis. Like Lisa was the person who called, Lisa could figure it out. We had

a very heterogeneous world. It also meant for the adversaries it was very very difficult to do attacks. There's a lot of hype in the community actually for first couple years at Draos most of my time was killing the hype in the media. They're like you're going to take down the power grid through a fishing email. I'm like that's not how physics works and there's not one power grid you know and so it was a whole whole thing pushing back on a lot of this stuff. Um but from an adversary perspective again very very difficult and I got my start in the community um serving in the Air Force tasked over the National Security Agency and I I built out the US

government's mission doing um intelligence and and response work for industrial control systems. Um but for a portion of my time they put me on the offense. That was also when I decided it was time for me to leave. They put me on the offense and uh we used to not call it offense. I think I I think at the time I would say that I did a lot of free unsolicited penetration testing of foreign government assets. Um, it was fun. And, uh, let me tell you my experience of what those offensive operations looked like, not with anything sensitive, but abstracted details. And, and give you an example of what the community on the offensive side

was going through. I'd have some joint forces commander walk in and say, "We're going to strike these targets in this sandy place." Right? Like, okay. And they'd look around the table and they'd go, "What capabilities do you all have?" They didn't care about cyber or air or tanks, whatever. there's what they want an effect. They're asking for like what can you do? They go around the room and they go around everybody and they finally get to Captain Lee and they're like what can you do cyber person? And I'm like, you know, at the time I had glasses. I think it was mostly for effect, but um I I had to push glasses up. I was like, well, from a cyber

capability, um if you give me 18 months, $30 million, and 13 people, I can develop you a capability for that target to be able to disrupt to the point of even doing physical destruction to take it down. They were like, cool. $30 million that's nothing in the military. Okay. 13 people. We got plenty of those. 18 months. What what what do you need 18 months for? I was like, well, researching the target, going to this, going to that, figuring this out. They're like building the infrastructure, mock labs, trying to have a range to do it. And they're like, subs up stop. You've done attacks before. Why can't you just do that stuff? I'm like, oh, it's different.

Like that site that we did before, wildly different than this site, and if you want me to be able to do this, I have to have the time for this specific target because in a heterogeneous world, it was all diverse. It was all different. And the military commander would be like, "Well, what happens if we change targets?" I'm like, "Start over." They're like, "Okay." They're like, "Well, what happens like once you finish, how often can we use the capability you develop?" And I'm like, "Against that target as often as you would like. Everyone else probably not." And they'd look around, they huh, deeply, obviously, visibly disappointed. And uh they'd look over to the pilot and

they'd be like, "What can you do?" And if I be like, "I can be sober in six hours and bomb it. Congratulations." Like at that point, the pilot wins. And and why do I point this out? Prior to 2021, every single disruptive or destructive attack you ever saw in OT was carried out by intelligence agencies, not non-state actors, not militaries. Militaries don't sit around and think that's like not what we're known for. But intelligence agencies can do stuff like that. Intelligence agencies are like, "Let's hack everything just in case somebody walks in and wants access." you know, they they forward plan these things and they've got interesting research labs and all sorts of fun stuff. So, everything prior to

2021, intelligence agencies and intelligence agencies don't like to really do title 10 type attacks of anywhere in the world. They really want to be spying and like, you know, watching and so sometimes they get tapped to do the offensive operations, but they don't like it. So, you don't see a lot of it happen. So, what does that mean? Means if you're in the broader infosc world, the broader community and you are dealing with low frequency, high consequence attacks, but in your enterprise IT networks, you've got high frequency, maybe low consequence, but high frequency every day. You're getting the fishing emails and the scams and everything else. You're dealing with it all the time. You're eventually going to stop thinking

about the stuff that you don't see anything happening with. And so the entirety of the cyber security community said let's focus on this enterprise IT stuff. And to executives and boards and CEOs and national policy leaders, enterprise IT came to mean and represent the enterprise. Although it did not. There was a lot of CEOs and policy leaders that I talked to that believe that their dashboards and KPIs and the green things they get for enterprise IT means all the substations and plants, but it does not. So all the investments of cyber security reasonably went to where the risk was. But that only exists in a heterogeneous world that's very diverse where militaries are not in the

discussion. And again all that changed happened a lot behind the scenes. It wasn't like magically 2021 we just like cut over. 2021 is when the adversaries figured it out. I'll come back to that. So what does our modern infrastructure look like now? Homogeneous. Cotus running under every PLC out there. program logic controller. Rockwell, Emerson, Yokagawa, major OEMs buying up other original equipment manufacturers, integrators becoming global integrators, standardization taking place, open distributed control system standards, open protocols, a lot of commonality, a lot of IT stuff got into OT. It's still OT because of that control loop and the physics and the physical process. Is a printer IT or OT? I don't know what's it doing printing off reports to the

substation. It's in the OT network. I'd still say it's not OT. printing off the labels that if it stops, I can't ship the product off the manufacturing line. The manufacturing line has to shut down. Sounds pretty OT to me. It's the context. But we now have all this stuff, digitization connectivity homogeneous cloud historians doing data analysis to forecast weather events. It's all homogeneous. What does that mean for us before the adversaries? It means that Lisa has no idea how that plant works anymore. All that stuff that she and her dad and her granddad worked on and grew up with, it's different now. It's complex systems of systems, massive automation packages, AMI infrastructure, connectivity everywhere that's creating a control

loop that's not just a subsystem. At best, your engineers and operators may understand a subsystem. They do not understand anymore all of it because it's very complex. They don't need to. They need to be able to specialize. Specialization happens in every field. So now they understand a component of what's operating but not the plant. Nobody does. Which means when something goes wrong, uh-oh, now you got to call a lot of people together and try to figure out what the hell is going on. And I will tell you, I've been involved in a lot of instant response cases over the last 12 to 18 months where fundamentally when the incident happens, they have no idea whether it's cyber or not. And

there's a lot of folks that are going, "Well, I'm going to run indicators of compromise against the human machine interface." I'm like, "That's not how these attacks happen." Most of the attacks that we see are adversaries that misoperate the equipment. I don't need an exploit or vulnerability or malware to open up a circuit breaker. That's a function in the HMI that the the operator has access to. Why why would I exploit something to give me exactly what I have access to? So yeah, exploits and vulnerabilities and malware and OT exist, but most the stuff we see is the misoperation using the natural the native functionality of the system of systems and that system to system focus

is between system one, system two or system three physical impact which means it's not host logs and what has the information security community done since we looked away from OT and said let's look at enterprise IT we went massively host which was smart because if you're dealing with threats targeting your enterprise IT environ You care about your data, care about personal data and credit cards and all these things. And there's product security is really important for host security and edr and patching and passwords and all this. You take a very host maybe eventually we get to the network kind of view just generally makes sense. But in the world of OT, if we're systems of

systems, I don't actually care about any one host. I could physically set your Russian operator down at the engineer workstation in most substations and they still wouldn't know how to make the lights blink. The point isn't the system. It's the understanding of how the systems of systems works together. And so that means a lot of that data is network data. It's transient. Was the command sent? Yes or no? I don't know. Were you collecting the data ahead of it being sent? If not, it's gone. I've been involved in some uh incident response cases that we can't name, but you would be able to point to in the media, very large national events where governments and others have come out and said it's

not cyber. It's not a cyber attack. And the reason they've said that is we're usually advising them to say that because they don't have the data to prove it one way or the other. There's a lot of things happen that we just simply don't know because they're not collecting the right data sets ahead of time. That's a homogeneous world, a systems of systems world. The inability to do root cause analysis unless you prepare really well ahead of time. Mapping out what data am I going to need? Getting the executives together to go cool, we're going to get sued because we're an infrastructure. Everybody uses us. Everyone likes us. Everyone hates us. It's like you're the protester that

goes to the gas site to like protest. Still uses your gas to drive there. It's adorable. So like we are basically hated in the infrastructure community by all the people that leverage it. Okay. So you're going to get sued in your incident. Um you are going to have shareholders discussions. You're going to have an SEC AK filing if you're public. You got to figure out the data to have operations get back up and running. And security is going to want to understand some things too. You got a set of probably 20 questions that are going to need to get answered. And unless people are thinking about that ahead of time and figuring out what data

maps to each one of these questions, they're not collecting it and we get into a place going, I don't know what happened. I don't know. That sucks. That's making every government around the world very uncomfortable. For some reason, I get to talk to a lot of heads of state and various people around the world and they're all thinking OT and they're all very uncomfortable with the reality that somebody could lose their life on their soil and we wouldn't know if it was an attack from somebody or not. That's not a place most governments are going to be comfortable staying long. And I expect we'll see a much different regulatory view in the future if this doesn't get solved very quickly.

But let's come back to the adversary. So what does the adversary do in this world of root cause analysis being difficult and homogeneous systems and commonality and all that stuff? They scale their operations. They get to a place that same conversation like I'm back in the military now. It's weird conversation. I got a phone call like as a quick aside. It was like hey uh when you back in the military I'm like that's adorable. I got the tattoos got the t-shirt. not doing it again. Um, and uh, they're like, "No." And it was like the the powers that me may be without naming them um, obviously, but anyways, cars at me were like, "No, no, we want you back." I'm

like, "For what?" They're like, "We think we probably will actually go to war with China uh, sometime 2020, 27, 2030." And their game plan is almost exclusively to hit OT, energy, food supply chains, etc. to scare the public and keep us out of the war. And uh, we have no actual national response plan. Like most government agencies are like, "Call me, call me, call me." It's like FBI says, "Call me for instant response and help." Scissor says, "Call me." You know, National Guard sometimes, "Call me." At the end of the day, it's like a bad Carly Red Jetson song, and nobody knows what you're actually going to get in response. So, they're like, "Hey, can

you come back and like build it out from a National Guard perspective and and and so forth? You've been complaining about this for like 15 years. Why don't you come and fix it?" I like, "That's fair." And I was like, "Okay. Um, I'll do that." And they're like, "Cool. You're the exo down at the brigade." I'm like, "Sorry, what now?" They're like, "You're the exo at the the brigade level exo." And I'm like, "Exo? What? What the is an exo? And what's a what's a brigade?" And they're like I was like, "I was air force." They're like, "Well, congratulations. You're army down." I'm like, "Okay, cool." Um, so now I'm a lieutenant colonel down in the army

guard, uh, where my nights and weekends job is figuring out how to not have China kill a bunch of people, which is fun. Um, that's spare cycles. That's good, right? Anyway, so adversary perspective though, I don't do anything offense. That was part of the deal with me going back. I was like, I'm not touching that. Like Draos is a global company. I want to kick everybody out of infrastructure that's not invited. US, Israel, China, Russia, Iran. If you're not invited in civilian infrastructure, get out. There's no good guys or bad guys. They're just That's what we call them when you target civilians. And I'd like to kick the out. So I can't be involved in the offensive

side. So I only do that disclaimer to say I'm happy to tell you what it's going to look like anyways, but I'm not involved in. So what is that conversation now that Captain Lee took before that Colonel Lee would have to take now? That conversation when the joint forces commander goes around and this is every military in the world has the same kind of thing. Joint forces commander goes around the room and says, "What do you got? What can you do?" Now that person in charge of the cyber offensive side says, "Hey, 18 months ago, we built a capability for your target." And they go, "Well, you didn't know what my target was." Well, if it's

OT, this works. Like, what do you mean works? Everything from unmanned aerero vehicle servo motors to water pumps to electric substation, if it's generally modern infrastructure, lasts 15 years, this thing can operate and work on it. Okay. Well, what's the risk of using this capability? like is it a one-time capability? We use it and they patch this or whatever. Like no, no, no. It's using the native functionality built into these systems. It works forever. You're like, so you've built me a forever capability that works on almost any target and it can do destruction. It's like, well, if physics allows it, you can't violate the laws of physics. This isn't the energy policy of the US.

That's completely divorced, but anyways. So, you can't violate the laws of physics, but if the physical environment will allow an explosion, yes. but we can at least do disruption at all of it. And they go, "What does it cost?" I go, "Oh, it costs like $30 million," which is like a credit card swipe for for militaries. And they go, "Okay, well, yeah, that sounds like a great option." That happened in 2021. That that capability was called Pipe Dream. It was a a government in the world. You couldn't like really guess and be wrong in this, but there's a government in the world that wanted to prepare uh to go to war with the United States and NATO.

Hint hint. Anyways, uh they wanted to prepare for for going to war with the United States and NATO. They built a capability called pipe dream that was their wartime capability. They picked out a bunch of targets across the US and other locations. They haven't done it yet, but through the magic of intelligent sharing work, um Draos and an undisclosed third party collaborated together to identify and analyze the capability prior to its employment. Lawyer speak. Anyways, um and so when that capability was talked about and like published on, um it's available for people to learn about, but there's no patching it or fixing it. It's the can you detect and respond and deal with this thing. And uh that thing works. And

guess what? When it was identified, every government around the world is like, I want one of those. Par is a thing in international relations. If Pakistan has a capability, India wants one. If China has a capability, the United States has one. If Iran has it, Israel wants it. And it's international parody. You want what your peers have in terms of capability, which creates a little bit of an arms race. And so all this discussion of, oh, we can actually target OT now, and it's not as expensive to do. It's not as specialized knowledge, and it's scalable. Congratulations. You're no longer in the world of intelligence agencies only. You've now entered the domain of militaries. And guess what militaries

don't do very well? They don't shut up. Even the guy that like killed Osama bin L was like, I'm gonna write a book. And I was like, God bless. And so militaries tend to talk about their capabilities or run national exercises and release capabilities idiotically on the virus total where people my team pick it up and go, I think this is what they're going to use in Taiwan. And all this type of stuff takes place and as a result, it starts proliferating to non-state actors. And if you think there's deterrence with governments, I I don't buy that. to be a deterrent, you have to have a credible threat and a red line. And on everything

cyber, when our adversaries were like, what do you do if we hack you? Like, I don't know, but we'll tell you when we do it. Like, what's the level of hacking that you care about? I don't know, but we'll tell you when you see it. Like, you can't have deterrence in that world. So, governments have long figured out that attacking infrastructure, going after Ukraine, going after wherever else, like, they can do it. So, I don't think there's as much deterrence as you think, but there's like none with non-state actors. And so we are seeing non-state actors now where state actors who were involved in OT operations. We see them very clearly sharing infrastructure and sharing knowledge

with non-state actors. We were tracking one group that for a while was like hacking internet facing HMIs and like writing like Israel sucks on them and stuff and it was like hey this this is not very nice but it's not like scary. They were doing that and within like a month they had like a pause in operations and came back with like PLC level implants, lateral logic manipulation, physical process manipulation, like stuff that you don't learn in a month, stuff that they got to knock on the door and they're like here's your new capability package. Non-state actors share with everybody. All right. And so you are getting to a point where those low frequency high

consequence events are now starting to become more more and more frequent. Like we took like seven instant response cases in like a week um this past month when the Iran stuff kicked off. Like they're becoming a lot more public like a lot more frequent than people realized. But two themes commonly happen or I should sorry three themes commonly happen. Number one, most of the cases still don't get in the public for good reason. Number two, a lot of the cases don't get diagnosed correctly. So cyber is never even considered as a part of the component of it. And number three, when they do, sometimes the instant response team that comes in looks at it and goes, "Oh, it's a Windows server.

it's an IT incident like nope that's a skater system and so they're getting mislabeled as well and it's really throwing off the understanding of how frequent some of these things are are doing and getting but they are a lot more frequent and they are going to become more and more frequent as more actors have more scalable capabilities it's just the the laws of infosc all the time that there's still people in the community going it OT it's all T it's like oh god or why would we even focus on that we've segmented it away like okay so here's is where we're going. And that logic is not going to keep you safe. And let me let me say

this. I I love this community. I spend a lot of time teaching. By the way, I'm just curious. How many of you have ever taken one of my classes? Just a couple. Yeah, there's a couple of you in here. Good. Good. Good. Um I love teaching. I love being in this community. I love everything about it. Like I really really do. I'm really getting to that maybe it's just you get old, but I'm getting to the point where I'm like I'm tired of that part of it. And what I mean by that part of it is the I I don't believe in the industrial threats or I don't believe this or I don't believe that. And it's like it's

not religion. You can assess but you don't believe or not believe. And I and I find it really interesting as I I sit on a set of data and insights and we're tracking like 27 groups around the world that are targeting OT. And I'll still get people like I don't believe this a real thing. And I'm like okay. Um I just go back I think it was Dracula 2000 was the movie. I don't know very tangenty. Anyway, Drag 2000 and it was like this vampire. The guy was above him with like a crucifix and he's like laughing the vampire and he's like, "Haha, I don't believe in God." And then he like pushes a button and a knife comes out. He's

like, "Don't worry, he believes in you." And like stabs him and like that's very like OT threats. Okay, there's a lot of a lot of people with the it's not going to happen to me. And it's like you do know that's the one thing you don't get a vote on, right? Whether or not you're relevant to the adversary or whether or not you're a good target to the adversary is the only thing you don't control. everything else, how you design it, how you train your people, your infrastructure, where you do business, the security controls you use, you control the whole playing field. The offense does not have the upper hand. The defense has the upper hand. Whether

or not you use it is dependent upon you, but but you've got it. The only thing you don't get a vote on is if you're if you're a good target. And so, here's where we're going and where I'm getting really concerned. And this is not even with like Iran and China in the discussion yet. I I've been involved in some of the mythos stuff and circles and interesting dialogues and all this and and I think a lot of the AI stuff is a bit hyped but not too hyped. What I mean by that is the like are we going to see AI models that just start creating OT malware and deploying and self-hacking and bringing

down utilities and data centers and ports and stuff all around the world and like I don't I don't see anything that says that right now. I see that when you have good data and good analyst AI is an enabler. I see that when you have shitty analyst and shitty data, it's still shitty. And AI doesn't make it a whole lot less shitty. And so I don't buy into and I don't have any information at this point in time that would suggest that we're going to see like AI models get out and just start hacking the world. At least on OT. I don't know about it. I don't really care about the IT side of the house. Sorry. Like good luck.

Anyways, but on the on the OT side of the house, I don't see any indications of that whatsoever. What I do see though is on the product security vulnerability side and all that that the perimeter is about to get blasted and if you took a I'm going to just put firewalls and segmentation and I'm good now with security I think you're kind of screwed very quickly and it's going to be a whole lot more can you actually empower smart humans maybe with AI or not as well with tools capabilities and knowledge to be able to do detection response and be resilient still do prevention where you can but we all talked in the community like you should

prevent what you can't but you should definitely get to detection response like those days are now here and it is required and what I worried about is to roll out an OT security program to go and actually get into the plants of whatever capability you're going to use to scale up your workforce to change the cultures and mindsets internally to get the collaboration required to then go and actually learn to do detection response and hunting and instant response and all that stuff for most that's like a fiveyear journey and there's a a lot of people in the community that are just now thinking like, oh, I should start that journey. I'm going 5year inflection window here

is really bad for where we're at currently. And so I do think we're going to see some pretty nasty things within the next couple of years. And it deeply bothers me. And I don't know how to fix time. We can we can fix some things of like let's go quickly on this, that, and the other. But even if you're moving quickly, some are at best in a two or threeyear event window. And so having those conversations in your company right now if you have OT or out in the community as you go and evangelize and so forth, there's got to be the we are going to start putting these things in place, but how do we just batten down

the hatches right now anyways of some of the things we're doing? And hey, we actually haven't connected everything up to the cloud yet. Like is now the right time? And like these are some very interesting questions to be having inside of an event window because here's where we're going to start going very quickly. Going back to the AI thing, I'm not concerned about AI hacking the world, but I do think that we're going to see a lot of AI in operations in the control loops. So, let's go back to the discussion of us, not the adversary. When you look at operations, all these companies are getting pressed hard. the electric utilities. If you look at the energy bills, actually most

electric utility bills are slower in rise than the actual inflation rates, but they're still getting beat up because the prices are rising and people are having a hard time. So, they're doing anything and everything that they can to figure out how do I run this complex energy system and keep the bills low? How do I not put capex back on the rate base and so forth? And that's a lot of automation and AI is pretty interesting sounding for that. We're seeing right now agentic AI be rolled out at wind farms and solar farms and battery farms and stuff already. And it will not be long before it is in a substation. It will not be long before

it's in control centers. I've got mining customers that are already rolling out agentic AI in like self-driving caterpillar vehicles and so forth around big heavy mines, stuff that if you get wrong can kill people. That complexity just made Lisa's job about a thousand times harder. So the ability of AI to hack the world, forget it. Our embracing of it in our infrastructure is going to add complexity and the difficulty of getting root cause analysis to the point that people are going to die and we will not know why. So let that sit in for a second. I know I told you I'm going to get to the place where I'm not the the happy speaker, but

we're going to get consequences where we're talking loss of human life, not credit card theft. And I'm so grateful the people working in the financial services protect my credit card, but I got four kids now. And I'm thinking the world they're going into is a little bit weird. And that's without all the politics. Okay, that's just infrastructure management. And I got asked recently at a board level uh at a board meeting and I didn't realize it was recorded. Um it was just always interesting when it was a public uh power company. Um I don't think anybody in the world has ever had to wonder my opinion, but recording it and putting it out there is another one. And I got

asked the question like what's the number one risk that you see to the energy sector? They were thinking cyber and OT and all this. I was like honestly it's that at a lot of the companies I see there's so much financial pressures mining manufacturing electric whatever. And there's money to be made that private equity investors and others are getting involved and the CEOs aren't coming from the ops floor anymore. They're CFOs and they're investment bankers. And as I look around this boardroom, there's not one person here that's ever been in the substation. And I think you're going to then start authorizing projects and programs and investments without understanding the context of your business. And that

scares me. And it scares me for what it means for our infrastructure. It doesn't mean you can't be a CFO and be a good CEO. Like I I've got one at a power company is fantastic, but he spent like 20 years in the industry to then make that journey. And so it was okay. I don't care your background as long as you spent the time to understand the business that you operate. And so the convergence of massive complexity inside of systems and systems, the convergence of adversaries who are and are happy to target infrastructure, the convergence of the ability to cause physical impact in that world, all built on the basis that you may not even know

what took place. You don't know what plan to activate. It gets a little dicey. And then we bring in, oh yeah, we might go to war. That's that's an interesting convergence of events. So, let me take it back to maybe trying to bring us out of this as I end this. So, where's that 10-year remembrance thing and what I want to talk about at the beginning about like Draos and Beach and Besides all this? Here's here's what it is and here's why it matters. Here's why this audience matters. April 2016, I started Draos. 10 years this year, my company employees have heard me start talking a little bit differently. And I explicitly have been telling them

for the first time ever at Draos, I feel like we're not going to just like die. Like bankruptcy, what a startup, you're always like, where's the next thing and let's go and like I got to raise capital, whatever. I'm to a point now if I never raise another dollar of capital, I can run the company profitably and be okay. When that comes off your your back, you're like, oh, things are okay. We went through all of our drama at Draos at various points in history, and it feels like good right now. And and I'm looking around my team, I'm like, this is working. and it feels good. And what that meant was for the first time in 10 years, I had the

opportunity to start sitting back and thinking more instead of reacting and start thinking about what does the future hold? And so a lot of my employees will have heard me talk about this and I think it's just as relevant to OT security. I think it's just as relevant to this community, which is how do we build a 100red-year company? How do we build something that outlasts us? Because I see a very interesting market and very interesting mission moment. I see a lot of our competitors who are good people by the way. Like if you're in OT security, I don't care if we compete. Like welcome to the party, pal. Thanks for being here, okay? But if

you're in OT security, most of those companies are selling off to like OEMs or taking debt rounds or like struggling or let's sell to an IT player who's just going to cannibalize us for IT use cases. And so there's not a lot of competitors left in this space. And then I look at the mission moment of all the changing infrastructure and the threats and and all the things that are going on and countries explicitly saying, including ours, that targeting OT and targeting energy infrastructure and targeting things like that is okay somehow. And I go, there's a market and a mission moment to get this right. There's a responsibility, not a yay us, but a responsibility.

And I've started to have to think about what does it mean to be a hundred-year company. Early on in my career, I was like, I'll take venture capital and I'll IPO and exit the venture capitalist. and that'll bring stability. And then you actually start looking at the IPO markets and how that actually takes place and everything else. You're like, actually, you're not guaranteed to stick around for 100 years just cuz you go public. That that's not the vehicle either. And so I had to think about like what vehicles, what structure, how to do it financially, what what makes sense to get us around for 100 years. And then I realized that was the easier part of the

problem. And we'll have to make some changes and do some things and that's great, but that's the easier part of the problem. It was I'm going to die. Everybody in my team that I'm very excited about that I'm like, man, we're nailing this and we're doing good. They're all going to die. It's the only thing you're guaranteed, right? Again, I'm I'm going to pull this out. Don't worry. Hold on. All right. We're all going to die. I can't trust in anybody on my team now to be here in a 100 years. So the thing that I'm built and that I love and I think is very missiondriven and we we have like programs like community

defense program where any utility in North America under 100 million in revenue gets all of our software our training everything for free forever which is about 97% of all the utilities. How do I know the next CEO is not going to come in and go I don't that's a small medium market we could we could make some money on that instead of just doing mission. So the harder part is not the vehicle or the capital structure or what allows the entity to exist. You should think about those things, but it's I like this team. I trust this team, but none of them are going to be here in 100 years. How do I make sure that team

understands what we're doing? And that to me came back to culture. It came back to values. It came back to mission. It came back to how you treat people. It came back to how you reward and incentivize the treatment of others. It was all of that stuff. And I think without going on a Drago tangent, I think that's as relevant to y'all and in this community and you hit your 10 years of B-size charm. Congratulations. Is there a B-size charm 100? Why not? But what would it be? What would the components of this community be investing in and codifying now to make sure that we've got a vibrant infosc community that we've got a bunch of

people who give a 90 plus years from now? And and I think a lot of us should think a little bit more about that. And and I'll give you a statement that's going to sound inherently political. And trust me, no one can ever figure out what I am. Like the Democrats will have me like testify in Congress because I think I'm one of theirs. The Republicans will have me testify in front of Congress because I think I'm one of theirs. And I just feel like the ins and Lord of the Rings of like nobody cares about me, so I care about nobody. Like it's just like one of those like I'm not anybody. I just want my kids to

be safe and so I'll help anybody and I'll support either side of it. But here's my damn near political statement somehow. If in a hundred years we don't think about our neighbors, if in a hundred years we're not thinking about our community, in a 100 years our shared infrastructure that we all depend upon and take value of that we're not treating it well, planet, everything else too in that, but I'll stick to OT. I don't think that's what any of us would envision that looking like. No matter what your view is today of the political strife or geopolitical strife, whatever, they're all dead in 100 years. Don't worry. You don't worry about it. Okay. Could be dead soon. Who knows? So,

like a lot of this is a what does it mean in 100 years? I have nobody to hate in 100 years because I don't know them. I don't I don't know what they've done. I just know a couple values and commonalities that I'd like to be in place for them for our descendants or not. And and and again, here's the political statement. And I'm going to bring this back to like an American thing. I don't know. Now that I'm back in the military, I feel like a little bit more like I'm allowed to embrace the the American piece. even the word global company. I'm like, "Yeah, America." Uh, and here's my like American pride statement. I go

around the world and am embraced in different countries because I've always been the I do not care about the politics. I'm here to protect infrastructure. Let's do that with a community building mindset. And generally speaking, most countries around the world love that. When I go to Singapore, they would make me a Singaporean citizen tomorrow. I know various ministers there and so forth. They've asked me to move there. They love me. They think I'm additive to the community. I love them. They're beautiful, beautiful, beautiful souls. They'd have me there as a citizen tomorrow. I'll never be Singaporean. My wife is German. My kids are German. I have a house in Germany. I pay taxes. I can move there. They love me. I was

stationed there years ago. I'm one of the members of the community. I'm never going to be German. Saudi Arabia. I've got like two brothers in life. Tim Conway and Dr. Sad. Dr. Sad and I go way back. And the Saudi culture and community has embraced me for a long, long time on the shared values of community and infrastructure. Forget your politics. On infrastructure and community and kids, we always were aligned. And I can move there tomorrow, they'd set me up in a nice villa. They'd celebrate the moment. They'd give me citizenship. I walk in sometimes the airport in Saudi. Saudis are great. Walk in, they'll see me, oh, and they'd move me through the express lane. Difficult

now that I lost the beard, but it but it used to. And they would embrace me in a heartbeat. But I will never be Saudi. But the thing I think about a lot with America that at its core, one of the most beautiful things that we have is anybody in the world can come here and be American. Not a citizen, but American. And if that bothers you on some political spectrum, I'm telling you, you're off. Okay? I don't want I don't know your views in life and you don't know mine. But if that one doesn't resonate with you, you're just wrong in the societal view of history. And when I think about building a hundredyear

company, a 100red-year community, a 100redyear thing that should exist, the I don't know who you are or who you're going to be, but I love you already, and I need to think about how to take care of you already. And we should start with protecting civilians and infrastructure and realizing that OT is not the same thing as it, and having an understanding that our shared infrastructure is worthy of protection. And it all comes back down to values. And it all comes back down to mutual respect. And when you can nail that and you can codify that as a culture, you are going to do wonderful immeasurable things. And people are going to try to hurt you and hurt your

kids and we'll have the wartime discussions and all those things. But we will get through it and we'll do it as a community as we always have. whether it's AI disruptions or geopolitical conflict, it will work when we go back to the core fundamentals. And so as you go throughout your rest of your BIDS conference and this beautiful thing that we have in terms of a community and you think about what that means to you, take the opportunity to meet someone you don't know. Take the opportunity to be the ships in the night passing by and think about what would I want to be leaving for a hundred years and embrace that for the rest of your conference.

And thank you so very much for allowing me to spend some time with you.

[ feedback ]