Defense is Doable: Robert M. Lee’s Congressional Testimony on Securing America’s Critical Infrastructure

The path to defense doesn’t require specialized tools or massive budgets; it requires focus, visibility, and implementing a few foundational security controls.

Authored by SANS Institute

Fifteen years ago, STUXNET proved that malicious code could damage physical systems. What was once speculation became a reality: operational technology (OT) and industrial control systems (ICS) were vulnerable to cyberattacks, and by extension, so was national infrastructure.

Fast forward to July 22, 2025, and that threat has not only grown; it has matured and gone global. But in his testimony before the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection, Dragos CEO and SANS Fellow Robert M. Lee delivered a clear message: “Defense is doable.”

Lee’s testimony was urgent and real but not alarmist. Instead, it was a roadmap for what we’ve learned, what we’re facing, and how we can protect the systems that keep our society running with the tools we already have.

The Evolution of Threats: From STUXNET to PIPEDREAM

In his remarks, Lee outlined how threats have shifted since STUXNET in 2010. Back then, STUXNET was unique; now it’s the blueprint. Lee noted, “STUXNET was very targeted. PIPEDREAM can be used against everything from unmanned aerial vehicles to water systems to power systems.”

Dragos now tracks over 25 state and non-state groups targeting OT environments. Nine ICS malware families have emerged, including PIPEDREAM, a toolkit built for use across multiple industries. Unlike STUXNET, which was custom-built for a single purpose, PIPEDREAM signals a new generation of cyber weapons.

Even more concerning, Lee warned, is the growing overlap between nation-state actors and cybercriminals. Tools once limited to governments are now being shared or sold, increasing the likelihood of high-consequence attacks. “Let me be blunt,” Lee said. “We are not prepared for a major attack on our critical infrastructure. We know that such an attack would be part of any major conflict with an adversary.”

Why Defense Is Still Within Reach

Despite these threats, Lee was optimistic. The path to defense doesn’t require specialized tools or massive budgets; it requires focus, visibility, and implementing a few foundational security controls. “We know what needs to be done, and we know it can be done,” Lee said.

He shared the example of Littleton Electric Light and Water Department in Massachusetts. After receiving intelligence from the FBI and installing Dragos’ OT visibility platform, Littleton discovered and removed an intrusion tied to VOLT TYPHOON. Without that visibility, the intrusion would have gone unnoticed. “They were able to do this because they had visibility in their OT networks, and they were proactive in their security,” said Lee. “Most companies don't do this.”

The lesson: when operators can see what's happening in their OT environments, they can stop threats before they escalate.

And visibility is just the beginning. Drawing from years of incident response and threat intelligence, Lee pointed to a proven set of defenses, the SANS Institute’s Five ICS Cybersecurity Critical Controls: “SANS Institute, the leading cybersecurity provider, analyzed every industrial cyberattack that’s ever taken place and asked a basic question: What security controls actually worked? It was five. We know exactly what those five are, and how to implement them.”

Recommendations for Moving Forward

Lee didn’t just highlight problems; he offered a framework for improving OT security.

Prioritize OT, Not Just IT

Most cybersecurity spending still focuses on IT despite OT systems powering the physical functions of critical infrastructure. These systems run for decades, demand precision, and require specific strategies. Treating them like IT is ineffective and dangerous. “If you look at regulation standards and everything else, it's not five,” Lee said, referring to the five proven OT security controls. Lee also shared the concerning fact that, “About 95% of all cyber spend goes to enterprise IT, and about 5% to OT. That is where your national security is, your environments, your local communities.”

The Federal Government Should Speak with One Voice

Conflicting guidance from multiple agencies leads to confusion. Lee called for the federal government to speak with one voice, providing clear threat scenarios and defined outcomes. “Too many agencies are sending too many messages, many of which are overlapping and often contradictory to our industry,” he explained. “We have to tell the industry, ‘Here's the threat. Here's what success looks like.’”

He added, “Right now, it is extremely confusing for asset owners and operators to determine who is going to help them, and most importantly, what the actual guidance is that they should follow.”

Support, Don’t Duplicate, the Private Sector

Lee cautioned against wasting federal funds recreating tools that already exist in the private sector. He warned that many operators today still wouldn't be able to detect something like STUXNET, even 15 years later, not because the tools don’t exist, but because they haven’t been implemented. “We already have the tools to detect advanced threats,” he said. “Federal efforts to replicate them just waste money and slow adoption. Fund deployment, not reinvention.”

He added, “Government tools have consistently underperformed in comparison to private sector tools, and at a higher cost to taxpayers.”

Develop and Strengthen Public-Private Partnerships

The discovery of PIPEDREAM was the result of collaboration between Dragos, the NSA, CISA, and E-ISAC, which identified the malware before it was deployed. “We uncovered PIPEDREAM in coordination with the NSA and an undisclosed third party,” he said. “We ended up coordinating with CISA and the electric ISAC, and that allowed us to warn operators before the adversary was even allowed to deploy it.”

He continued, “Broad, unfocused information sharing efforts do not work. Targeted, focused coordination does.” Lee also emphasized the importance of two-way collaboration: “A lot of asset owners and operators feel that it’s a one-way communication into government with no expectation of what comes out of it.”

Hold Vendors Accountable

Lee called for enforceable cybersecurity standards for all vendors selling to critical infrastructure environments, including providers like Dragos. “All the focus is placed on asset owners and operators and not the vendors,” he noted. “Asset operators and their vendor community should share responsibility for meeting basic security requirements.”

He added candidly, “As a CEO of Dragos, I'm surprised that I have the amount of flexibility I do to make willfully poor security choices to increase my margins… I'm surprised by the ability of CEOs to make that decision.”

Create a National OT/ICS Incident Response Plan

Right now, OT operators don’t know whom to call during an incident, or what support they’ll receive. “Most operators simply don't know who to turn to call after an incident or what they'll get in response,” he said. “Responses differ across state lines, and there's no basic credentialing for who shows up and what they can do.”

Speaking about the Colonial Pipeline incident, he added: “I led the OT portion of the incident response… I witnessed a lot of turf wars between FBI and CISA. It needs to be very clean, or no asset owner or operator will want to work with them.”

Final Words: Let’s Get Out of Our Own Way

Rob Lee’s testimony made one thing clear: we’re not ready for a large-scale cyberattack targeting US critical infrastructure. But it was also a call to action. “We have the tools,” Lee said. “We have the people. We have the knowledge. We just need to execute.”

The threats may be evolving, but so are we. And Lee reminds us: “We know what needs to be done. And it’s time to stop standing in our own way.”

Watch Rob Lee’s full congressional testimony to hear his insights firsthand.

And explore SANS Institute’s Five ICS Cybersecurity Critical Controls to learn how your organization can take actionable steps to secure critical infrastructure.