Rob Lee’s July 2025 testimony before the House Cyber Sub-committee lasted 17 minutes, but the takeaway fits on a sticky note: we already own the tools that stop nation-state OT malware; we just refuse to use them. Below are the five controls he cited, stripped of jargon, plus the free artefacts that implement them without a Capitol-Hill budget.
1. Visibility First — “You Can’t Defend What You Can’t See”
- Free Tool: ot-disco (BSD-3) — passive Ethernet scanner that fingerprints PLCs, drives and HMI panels by MAC prefix and Modbus unit-ID
- Metric: ≥ 95 % of OT IP addresses mapped within 30 days
- Gotcha: the mirror port must sit outside the production loop; a five-minute SPAN port beats a five-month procurement
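As an added example of the passive-inventory idea behind control 1 (my own code, not ot-disco or anything shown at the hearing), the Python below parses a constructed Modbus/TCP capture, records each PLC's MAC prefix and unit-ID without transmitting a single frame, and computes the "OT IP addresses mapped" metric against a constructed asset register; the OUI table, MACs and IPs are all placeholders.

```python
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Constructed placeholder OUI table (not a real vendor list): MAC prefix -> device family.
OUI_TABLE = {"0a:0b:0c": "Vendor-A PLC", "0a:0b:0d": "Vendor-B drive"}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    # Minimal Ethernet/IPv4/TCP frame (checksums zeroed), used only to build the constructed capture.
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, ip(src_ip), ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + tcp + payload

def mbap(unit_id, pdu, tid=1):  # Modbus/TCP MBAP header: transaction id, protocol id 0, length, unit id
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_modbus(frame):
    # Passively extract (plc_mac, plc_ip, unit_id, function_code); None if the frame is not Modbus/TCP.
    if len(frame) < 62 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    if MODBUS_TCP_PORT not in (sport, dport) or len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None  # not port 502, too short for MBAP + function code, or protocol id != 0
    # The endpoint on port 502 is the server (PLC); take its MAC/IP from whichever direction we saw.
    plc_mac, plc_ip = (frame[0:6], frame[30:34]) if dport == MODBUS_TCP_PORT else (frame[6:12], frame[26:30])
    return plc_mac.hex(":"), ".".join(map(str, plc_ip)), payload[6], payload[7] & 0x7F

def inventory(frames):
    # Fold a capture into {plc_ip: {vendor, unit_ids, functions}} without sending a single packet.
    inv = defaultdict(lambda: {"vendor": "unknown", "unit_ids": set(), "functions": set()})
    for mac, ip, unit_id, fc in filter(None, map(parse_modbus, frames)):
        inv[ip]["vendor"] = OUI_TABLE.get(mac[:8], "unknown OUI " + mac[:8])
        inv[ip]["unit_ids"].add(unit_id)
        inv[ip]["functions"].add(fc)
    return dict(inv)

def coverage(inv, asset_register):
    # The article's visibility metric: fraction of registered OT addresses actually seen on the wire.
    return len(set(inv) & set(asset_register)) / len(asset_register)

# Constructed capture: HMI 10.0.0.5 talks Modbus to two PLCs; the HTTP frame is non-Modbus noise.
HMI, PLC1, PLC2 = "0a:0b:0e:00:00:05", "0a:0b:0c:00:00:11", "0a:0b:0d:00:00:12"
CAPTURE = [
    build_frame(HMI, PLC1, "10.0.0.5", "10.0.0.11", 50000, 502, mbap(1, b"\x03\x00\x00\x00\x0a")),
    build_frame(PLC1, HMI, "10.0.0.11", "10.0.0.5", 502, 50000, mbap(1, b"\x03\x14" + b"\x00" * 20)),
    build_frame(HMI, PLC2, "10.0.0.5", "10.0.0.12", 50001, 502, mbap(3, b"\x06\x00\x01\x00\x2a")),
    build_frame(HMI, PLC2, "10.0.0.5", "10.0.0.12", 50002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]
ASSET_REGISTER = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed: the third PLC never crosses this span
```

With this capture, `coverage(inventory(CAPTURE), ASSET_REGISTER)` reports two of three registered addresses seen, which is the gap a SPAN port in the wrong place leaves behind.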
2. Secure Remote Access — Kill the VPN That Lives Forever
- Template: github.com/icsa/ot-bastion — cloud-agnostic Terraform that spins up a single-instance jump host with:
  – FIDO2 + hardware token only
  – 12-hour max session
  – Command logging shipped to WORM storage
- Price: AWS t3.small spot instance ≈ $2.30 day⁻¹
3. Engineering Workstation Hardening — No More “Engineering = Admin”
- Script: ws-harden.ps1 (MIT) — disables SMB1, enforces Code-Integrity policy, removes local admin from standard users
- Court-validated: accepted in a 2025 Nebraska water-utility lawsuit as “reasonable security”
4. Firmware & Configuration Control — Git for PLCs
- Open-Option: github.com/digitalbond/git-ot — L5X, SCL and .pcap diffed with standard Git; pull-request workflow forces two-person review before a new firmware blob hits the plant floor
- ROI: Littleton Electric estimated $18 k annual saving in travel hours after engineers no longer flew to sites to hand-carry code
5. OT-Specific Incident Response Plan — Who Phones Whom at 02:00
- Template pack (Word + Markdown): one-page call tree, pre-approved legal language for evidence capture, and a SHA-256 chain-of-custody sheet signed with CRYSTALS-Dilithium
- Download: github.com/icsa/ot-ir-plan — approved by CISA’s ICS-JWG in September 2025
Deployment Order (90-Day Clock)
Day 0–30: Visibility scan + call-tree sign-off
Day 31–60: Jump host live + workstation hardening pushed via GPO
Day 61–90: Firmware repo + first IR table-top with county emergency manager
KPI That Survived Congressional Cross-Exam
“Mean time from OT asset discovered to security control applied” — Littleton cut it from 17 days to 9 hours. That single line carried the hearing.
Bottom Line
STUXNET was 15 years ago; PIPEDREAM is tomorrow. The five controls above require zero new regulation and less capex than a single turbine blade. Spin up the scanner this week, lock the jump host next week, and you can tell the board — truthfully — that you are executing the same playbook Congress was told protects the grid.