Robert M. Lee

SANS fellow Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. In addition to being the CEO and founder of Dragos, Inc., which is a technology and services company for industrial control systems (ICS) and Operational Technology (OT) networks, Robert now serves as the SANS ICS Practice Lead. In this role, he is focused on expanding the reach of ICS security training and fostering industry partnerships to support critical infrastructure organizations. He is also a member of the World Economic Forum where he has spoken multiple times at the annual Davos conference and has testified numerous times to the U.S. Congress in both the House and Senate. Further demonstrating his commitment to service, Robert is a Lieutenant Colonel in the Army National Guard, leading OT cybersecurity and response efforts and serves on the board of directors of the International Society of Automation (ISA) and the National Cryptologic Foundation.

Throughout his career Robert has been the go-to expert on analyzing and responding to industrial cyber threats. In 2015 the attack on the Ukraine power grid was the first time in history a power system went down due to a cyberattack. Robert and a few others formed a specialized team to respond to and analyze the attack. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber-attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE as the first ever malware tailored to specifically disrupt electric grid operations. Since then, Robert and his team have been involved in most of the major industrial attacks including leading the OT response portion of the Colonial Pipeline ransomware attack.

More About Robert M.

Profile

That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions in places such as Cameroon. He joined the United States Air Force and became a cyberspace warfare operations officer tasked to the National Security Agency. In that role, he created and led a first of its kind mission identifying and analyzing states targeting ICS. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Today he is the author and instructor for SANS ICS515: ICS Visibility, Detection, and Response, the industry's first and only incident response and threat hunting class for ICS,FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training, and co-author on ICS310: ICS/OT Fundamentals. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."