For the last episode of season 5, host Bryson Bort sat down with Andrew Ohrt, Resilience Director at West Yost Associates. A civil engineer specializing in water infrastructure, Andrew bridges the gap between traditional engineering and digital risk. Andrew walks us through the “invisible” nature of water systems, the impact of data centers on utility resilience, and how Cyber-Informed Engineering (CIE) protects our most essential resource.
How did a drive under a rebuilt bridge in Minneapolis pivot Andrew’s career toward critical infrastructure? Why did a single wastewater release shut down Waikiki Beach for an entire week? And what happens when a cybersecurity team finds a client’s PLC exposed on the open internet?
“To me, the integration of understanding cyber or digital risk in our critical infrastructure, the engineers picking that understanding up, building awareness, building skill sets, figuring out how to manage that risk, is one of the most important things that we’ve been working on,” he said.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Transcript
Andrew Ohrt: To me, the integration of understanding cyber or digital risk in our critical infrastructure, the engineers picking that understanding up, building awareness, building skill sets, figuring out how to manage that risk is one of the most important things that we’ve been working on.
Bryson Bort: What mistakes in life led you here? The quick bio, introduction.
Andrew: So most recently, probably one of my co-workers didn’t want to go to S4 one year because he had a family thing that he had a commitment to. And at that S4, I think it was maybe 2022, I met you, Bryson, so we’ve had the pleasure of getting to know each other since then. But you know, professionally, I came up in oil and gas, and after a decent amount of time there, was really looking to make a change. And one day, my family and I were living in Minneapolis, Minnesota at the time, and I was driving underneath the 35W bridge, that brand new, beautiful bridge. If you recall, that bridge fell into the Mississippi River maybe about 20 years ago. They rebuilt it really fast, and the new bridge is really amazing. So I’m driving under that and I’m looking up and I’m going, Wow, I really want to work in critical infrastructure protection. But the reality is that I really wanted to work in resilience, critical infrastructure resilience, and so literally, days later, I had my first opportunity to support a water utility with a vulnerability assessment. At the time that got me into contact with some colleagues who I work with at West Yost, Dan Groves and Joel Cox. Got to know them. They’re just really exceptional cyber people. They make it a lot of fun. And over the, you know, ensuing few years, I wound up going to work with them. And, you know, eventually we got to know Andy Bochman, who, at the time, was with Idaho National Laboratory, and then that relationship really blossomed. We started working on cyber-informed engineering, and it’s been a wonderful journey.
Bryson: For folks who don’t know, what is West Yost?
Andrew: So West Yost is a wastewater-only engineering company. So if you have, say, a source water, whether it’s groundwater or another freshwater, right, we start there, and we’ll do pretty much anything all the way to the receiving water of the wastewater plants, right? Which, again, this groundwater, surface water, all the engineering, design, programming, cybersecurity for those, of course, and we’re about 260 people now focused on the western US, but through our work with Idaho National Laboratory and some wonderful relationships we have around the country, we do work pretty much wherever it makes sense.
Bryson: So let’s talk water, right. Hopefully listeners of the podcast are familiar with the different sectors and critical infrastructure we’ve been talking about for years here, and one of the things that we’ve been really pushing on is the fact that not all critical infrastructure is the same priority. And a lot of folks get confused because the US government designated 16 sectors, and so it seems like each one of those is the same. And I like to point out that water is really the bottom of all of them. We can get by with alternative approaches to electricity. We can get by with alternative approaches around all of the others. Water is the one thing there’s no alternative for. It’s what cools, it’s what moves, it’s what goes; without it, the rest of this falls apart. So let’s start talking about that. How have you seen that in your career?
Andrew: If we think about the water sector in the United States, we divide utilities really based on population served. So if you think about any utility that serves over 100,000 people, there’s about 500 of those in the country. If they serve between 500 and 100,000 people, there’s about 500 of those as well. And then between 30 350,000 there’s about 8,000 to 9,000 of those. But in total, Bryson, we actually, you know, depending on how you kind of slice and dice it, you could say there’s over 100,000 water systems that serve people on a daily basis, plus we’ve got about 15 to 20,000 wastewater systems that serve people. So the overwhelming majority of those are very, very small systems. And I think what happens also is a lot of those systems are part of municipalities, small municipalities, and when you know you are running a municipality, you also are responsible for police, for fire, for all of those really immediate services that you offer your community, and water, you know, the pipes are buried. The facility is a ways off at the river. It’s not as visible. So I think people sometimes forget about it. Certainly take it for granted. I know that when I used to do a lot of work with Minneapolis Water, and I’d come home to my little kids, and I’d say, guys, I was where that water was made, right. And not everybody has that context. I’ve been very impressed with a lot of utilities and some of the outreach they’re doing with their communities and with their political leaders to try and bridge that gap of understanding that helps people understand why rates might go up, right, to pay for cybersecurity and many, many, many other things. So I think that there’s been a little bit of neglect over time. We might also be responsible for that. The systems and the pipes we’ve engineered over time, they last really, really long times, right?
And I think the reality is that you put something in the ground and it just keeps doing its thing, you kind of forget about it over time, until it breaks, right, and then, oh my gosh, you’ve got a lot of work to do. So we’re a little bit of a victim of our own success in that way as well. Now our Sector Risk Management Agency is the Environmental Protection Agency, and they’ve built some really excellent cyber capabilities over the last maybe five years, but compared to their other centers of excellence around air pollution, water pollution, managing all of those things, I would say cyber is still a ways behind, and I’m not sure that they’ll ever catch up. In the sense of the electric sector, with NERC CIP really driving cybersecurity adoption and that sort of thing, we don’t have the regulatory framework that drives that. Of course, we have the America’s Water Infrastructure Act, which drives all-hazards resilience assessments, emergency response planning. But cyber is only a portion of that.
Bryson: The EPA is the SRMA. In my experience, that mostly meant that the EPA was kind of the face, but CISA was really the legs behind it, because they had the cybersecurity professionals at the US government level. Will be able to do that. In 2026, CISA is now a fraction of itself, and I don’t think there’s been any change there. So where does that leave us as a country, with the situation from an SRMA level?
Andrew: It’s been really sad to see what’s happened to CISA. A lot of wonderful people. I’ve had the opportunity to work with a number of them over the years in different capacities, and I know that a lot of our clients rely on them for guidance, for threat intel, for all of those sorts of things that a government agency like CISA is really meant to provide. I will say that oftentimes the footprint has remained the same for CISA, based on my experience, but there’s fewer people in that footprint, so they were not really able to service water and wastewater utilities as much. Now they’ve done some really good things focusing on the sector. They have some good people still there, so that’s excellent. Now, if we’re looking at the EPA, as I mentioned, the EPA has staffed up, and they really are pushing technical assistance programs. But one of the challenges that we’ve actually run into is that the EPA staff really come from an IT background, and you know, when you’re bringing that perspective, you miss a lot of the engineering and operations things that can be done to advance resilience and cyber resilience. And so this was coming up on two years ago, I had the opportunity to participate in an event hosted by the Office of the Director of National Intelligence, and a lot of wonderful people there contributing to the conversation. I basically was like, hey, the fundamentals of cybersecurity are the fundamentals of good engineering and operations. Can you do things like operate without SCADA or your control system, right? How long can you do that? So, are your people trained? Are your systems engineered to do those things? Do you have things like cyber-physical protections?
We have had the unfortunate experience of seeing a lot of design drawings where things like protective relays, now they’re starting to kind of fade away, and those equivalent quote, unquote controls are being pulled into the PLC programming, which, of course, if that PLC is accessible in any way to an adversary, yep, they may be able to make some changes to that, and you lose that physical protection. So one of the things that I have noticed, and you know, I’ve heard that EPA staff are now going out to utilities and saying, Hey, talk to us about how PLCs are wired up, and how do those actually control? What are the inputs? What are the outputs? And how can we provide guidance to the entire sector that says, Hey, do it this way to maintain these capabilities and capacities. And that’s a really, really fantastic evolution for them, because up until that point, they were very focused on secure remote access, network segmentation, which are all super important things, and you have to do those. Those are consensus controls now, but it’s a little bit harder for especially an executive leader or an engineer who’s been around for a few decades to really appreciate those types of controls, whereas some of the operations capabilities and the engineering controls they’ve been working with their whole lives, their whole careers, and they appreciate it in a different way.
Bryson: That’s really interesting, that we have that kind of cross-sector collaboration. I mean, I wouldn’t initially, the, I don’t think the average person looks at water and goes, you know, what they could learn from electric? And you mentioned earlier about how we don’t have something like NERC CIP, which is a, you know, very prescriptive regulatory requirement for electric, for the water sector. So what kinds of things have you seen them actually being able to learn? I mean, it’s a little more complicated than saying, Oh, well, that’s how you manage your PLC.
Andrew: When I think about what we’ve been learning from the electric sector, is we’ve seen, and let’s just say, Bryson, we’re maybe 15 to 20 years behind the electric sector from an integration of cybersecurity practices, mandatory cybersecurity practices, but then also some of the digitization of our devices and equipment that we actually deploy to service customers. What I think we’ve been able to do is you can’t really buy, like, a motor control center, you know, something that operates a large pump, without an Ethernet port anymore, right? And there’s an expectation that that Ethernet cable is going to be connected, and there’s going to be control over that Ethernet connection. In the electric sector, I think that’s been going on for a long time, but now we’ve actually been able to benefit from some of the stories we’ve heard and the concerns that those electric sector asset owners have about making that connection, and now we’re able to say, hey, clients, okay, maybe have that Ethernet connection for the blue-sky type days, but make sure you have just enough hardwired control that you can unplug that Ethernet cord and stay in business. So it’s elevated our awareness. We do see that when there are combined water and electric utilities, the water side of that house is doing amazing cybersecurity things simply because NERC CIP is applicable over here, and it’s usually the same people. So they’re doing the good things they have to here because they want to over here, because it’s the right thing to do. So I think that’s some of the things. We also are seeing a little bit of a trend towards regionalization in our sector. There are some systems that are very small, they’re underfunded. They’re kind of getting gobbled up by the larger, more well-funded utilities. And I think at the end of the day, this is probably a good thing for the end customer. It’s going to be about better water service, better maintenance, better water quality. That’s wonderful.
But whenever you get excessive centralization, kind of like, you know, let’s use the electric grid as a prime example of that, it does open up opportunities for some cascading impacts. And so I think we’ve, we’ve seen what happened in electric and we’re very cognizant of not creating a similar system.
Bryson: Is there also a mutual dependence and a trend of centralization that’s being driven by data centers, because we have an increasing use of artificial intelligence, which requires increasing compute. Increasing compute requires increasing electricity, and here we are.
Andrew: Yes, so there’s a data center that’s supposed to go in a couple miles from my house. The local community is not real happy about it, very consistent with a lot of communities around the country. I think that that phenomenon is going to be really disastrous for the water sector, in part because oftentimes the water utilities are the power utilities’ largest customers. I mean, on the order of a few percent of all the power produced goes to water and wastewater facilities. So if you start to think about demand charges, changes in rates associated with that, it’s going to drive those electric costs way up for those large users. Now we are seeing some wonderful innovation in the sector around, you know, using distributed energy resources, battery, solar, to offset some of those charges through capital infrastructure like that. That’s great. Now we are seeing also, of course, in certain parts of the country, the data centers do want to use water to do cooling and such. I have worked with a couple of utilities who are going to run into some problems with water service, because the data centers are very demanding and the contracts are very rigorous, and so they do focus on those data centers as very important customers. And if there’s any disruption in water service, it’s a really, really big deal. I will say that the outcome of those efforts has led to really, really improved emergency preparedness at those utilities. People really getting in line and saying, Hey, we’re going to do things like the National Incident Management System, Incident Command System, all of those things. So that’s, I think, really been a net positive, Bryson. Now there is certainly some codependence. I will say that the water sector has not widely adopted AI at all yet, and that’s something we’re very focused on, making sure that it’s done really well at the right scale.
Talking to a water utility a few days ago, and one of their business services leaders was like, hey, our data is our data. We’re never sending it to the cloud. I said, Amen, right? That’s great. But I think at the same time, their operations staff are kind of looking around, going, Hey, it’d be really nice to have an AI assistant, in part because, if you think about, like, the institutional knowledge within the people, right, hundreds and hundreds of years of experience. But then there’s also all the manuals. And it’s not like a bookshelf of manuals, it’s a hallway of bookshelves of manuals. And if you could pull in that relevant information and feed it into an engine, and really put that engine and that AI next to the operator who’s responsible, because the AI will likely never, maybe in our lifetimes, be licensed to operate that water system. It’s always going to be a person, which is really important. I think that’s really helpful. And then there is a demand from the operations staff to at least play around with some of these technologies, which is really good. So of course, there’s then the additional dependence of electric and water. Now, with the advent of the public safety power shutoffs in California, we have seen an amazing number of investments in backup power solutions, primarily diesel generators at this point, but also the DER systems that I mentioned a little bit ago, between rounds of risk and resilience assessments required by the Safe Drinking Water Act. The first one was in 20/22, one was in 2025, I mean massive investments. I personally have seen tens of millions of dollars of investment, and we don’t work with that many utilities, right? We’re a relatively small company, so I think the reality is that we’re grabbing that dependence and controlling it. Now the power companies do also need water, and we’re responsible for providing a lot of that water for cooling, steam generation, all of that.
So the idea of being able to cause cascading impacts in our critical infrastructure systems is something that I think is not well characterized. You know, potentially in a classified situation it is. I don’t have access to that, but we kind of use professional judgment, I would say. And I think having some models and that sort of thing would be really helpful to understand how these systems connect, how we can break those connections, reduce the single points of failure and get a little bit better.
Bryson: I have to admit, I did not expect artificial intelligence to come up as a topic here in water. I’m not surprised; you commented earlier that you felt like the water industry is about 15 years to 20 years behind the electric industry, and I can remember five years ago, the debate in electric about how the cloud was or was not going to be a part of things, and then we started to see the cloud become a part of things. And the first thing that I think it’s important to note is what that means, right? This wasn’t like everything suddenly gets connected to the cloud and your bulk electric system is now in AWS. But why wouldn’t I find a way to move my operational data into a data historian in the cloud? It’s cheaper, it’s easier to store, it’s easier to access. It’s not something that compromises the integrity of the operation. And now I can have multiple people, especially if I’m a larger organization, being able to access, manipulate the same data. And we see this time and time again today, where artificial intelligence is being driven by operational need. It’s not a security question, it’s a function question. And you gave a really great insight, because my follow-up question was going to be like, what’s the use case? And the use case is, hey, we have all of these things that help assist an operator, right? Assistive tools to help an operator in context, that’s incredibly valuable, that’s going to make it safer, that’s going to make it faster. I mean, everything is better with this approach. And so now you have the, Okay, we’re going to do this now. How do we secure it? And it’s always going to go that way. And I agree that we’re not, again, same kind of thing we’re talking about in electric, we’re not talking about AI running things, we’re talking about AI supporting things on the line. So the follow-up that I wanted to have is, you mentioned wastewater. I think a lot of folks don’t realize, right? We just think water.
There’s actually different kinds of water, and different water has different purposes and different meanings. Can you go through that?
Andrew: So we have drinking water, right? You go to your kitchen, you turn on the tap, you fill up a cup and you drink it. That has been treated to very rigid standards. The states often have their own standards. But of course, the EPA has the Safe Drinking Water Act, and a lot of that water is exceedingly high quality around the country. So that’s drinking water. Now you’ve got stormwater, so it rains, you see the runoff going down the street, it goes into a catch basin and then off into a surface water body, usually. That stormwater, sometimes stormwater will go into wastewater plants. Depends on how the collection system was designed and what the local regulations require. Now from a wastewater perspective, so you drink that water, you have to go use the restroom, so you flush the toilet, and where does that water go? Right? So it goes into pipes, which go into lift stations. They’re called that because oftentimes we rely on gravity flow to go from houses whenever possible, because pumping water is really, really energy intensive and expensive. So as much as we can, we rely on gravity. Sometimes we have to pump it up to get to a higher elevation, and then it flows down. Now that results in wastewater plants being right on the coasts, right on the river, and oftentimes, you know, there can be some real flooding risk at those locations. So this wastewater comes in, there’s some different processes. You have a little bit different goals, when you think about it. And the end goal is to discharge that treated wastewater into the environment. Now, oftentimes these are being distributed into rivers, lakes, maybe the ocean. For example, off of Waikiki Beach, there was a wastewater release there, untreated, and it shut Waikiki down for about a week. This happened, I know, maybe about eight to 10 years ago. So a lot of the wastewater treatment is more about getting the water to be safe so people can recreate in it, so we can have healthy ecosystems.
And if you don’t treat it really well, you wind up with a lot of just like, really bad quality environmental conditions. People get sick really easily, and you don’t want that. So I guess Bryson does that kind of help paint the picture?
Bryson: Yep, back to the government. You talked about the Environmental Protection Agency and the technical assistance programs. You talked about a conversation or exercise that you did with ODNI, obviously, within the bounds which you are comfortable with sharing what exactly are going on with those programs. And what did you learn from the encounter with ODNI?
Andrew: I learned that there were a lot of people who are very concerned about this, and they’re very interested in it. So what I took away is that there was a strong political will to go and make resources, to fund resources, to fund people going out into these systems to help create a more cybersecurity environment for these wastewater utilities all across the country.
Bryson: What is the EPA doing with the technical assistance programs? That was the one that you had said, there’s a lot of IT people coming into it. Again, talking to electric, a lot of the primary driver on these things is it’s an IT program. I’m coming from the office of the CISO, where they’re going, Hey, these assets now have a cybersecurity risk, and the OT engineers are not trained on the cybersecurity aspect of that risk. They’re trained on the automation and function of those devices for their purposes. And so you have these IT folks coming in, and it’s like a cultural clash. There’s a vocabulary difference. There’s different values. I mean, even if you work at the same company, you’re still different people, and there’s a lot of that kind of conflict.
Andrew: So what we see mostly is technical assistance with cybersecurity assessments. So the EPA has some resources. They do emphasize what I tend to call, and I mentioned this earlier, consensus controls. So it’s going to be, get your stuff off the internet, have secure remote access, do those sorts of things. So the EPA and some of the state primacy agencies do offer those types of assessments. But what I’ve noticed with all government agencies that I’ve come in contact with is that they can’t recommend a certain device or manufacturer. So while they might say, hey, you need a new firewall, this small utility is looking around being like, what, I know that, but like, where do I go to get one? What does it need to do? And that’s where the government sort of has a line in the sand, in my experience, where they can’t make recommendations beyond that. And I think that that’s the real challenge, because most of these utilities rely on either engineering companies or integrators, and many of these integrators are very small organizations, to develop, install and maintain the control system, so that third party is already there. So the utility tends to turn to the integrator and say, Hey, what do we do about this? And the integrator says, I’ve got it. We have observed a real lack of cybersecurity talent in integrators all over the country. There was a wonderful post about this on LinkedIn. I can’t remember the gentleman’s name, but he characterized it really well. It’s like, hey, integrators, you got to get on the cybersecurity train. You have to learn how to secure these systems, how to communicate with your clients, emphasize the importance. What we find is that once the clients know about it, they understand their fiduciary responsibility to take action. We do have concerns about how these actions are actually taken. We recently worked with a utility, and my colleague was a couple thousand miles away, and he just went to Shodan and searched for a specific PLC.
Sure enough, he found it. The integrator gave a little bit of a surprising response to that. And from us, from our perspective as cybersecurity leaders in the water sector, holy cow, we can’t imagine ever putting a client’s PLC out on the internet. And we were shocked. Now I expect that that PLC is no longer available via an internet connection. I hope that’s the case. I hope in a year, I get to go back and start to ask some of those questions, but we’ll see.
Bryson: You talked about fiduciary responsibility. This is where there’s a bit of a perverse incentive in the system, because if you discover a problem, you’re now liable for the problem, and so you’re incentivized not to find the problems. But that contrasts, also, I don’t know, is complemented by the challenge of a constrained rate base. At the end of the day, the money for the operations comes from what citizens pay for water in their community, which is regulated, and nobody wants to pay more for it. So how are you helping these clients who find these problems but may not necessarily have the capital or the resources to resolve them?
Andrew: I want to start this part of the discussion by acknowledging that I have a certain bias based on the clients that I work with, because if a client is working with me, they already have an understanding of the importance of cybersecurity, the services we offer, and how that relates to them providing continuous service to their customers. So what we find is that the planning cycles in our sector are longer because they are public agencies. The planning horizon can be a year, can be two years, can be even longer than that. Once you get into the planning cycle, though, stuff can get done, and it’s really amazing. So once you’re in the planning cycle, and there’s a will, like, things really get done, Bryson, and then they do a great job. I will say that I observe people coming in from outside the sector, and they say, like, I’m gonna have to wait 18 to 24 months to make a sale. And we’re like, yeah, that’s just the startup cost here. And then they don’t really stick around, right? Because they can go to a private company, you can cut them a PO next week, then off they go. So there’s a little bit of just patience that’s required because of the public nature of most of the organizations that we work with. Now, there’s a lot of utilities who are in financial straits, and the federal government really hasn’t come through for those agencies, in my opinion, like the federal government has come through for smaller electric utilities. Now, again, I’m an outsider to the electric space, but I think that that’s a real issue. I will say that oftentimes those smaller systems tend to be a little bit simpler. They tend to have really good operations staff still, because all those operators are still licensed and really well trained with lots of experience. So while some of the cybersecurity controls may not be in place, some of the really great operational controls are, which is very positive.
Bryson: What are, obviously you talk about consensus controls being probably still the baseline challenge that most of these places are still working with. What are some other common issues that you see?
Andrew: At West Yost, we helped the American Water Works Association develop the cybersecurity resources starting back in 2019, and we’ve done a number of updates since then. So there’s the technical controls. We also see some organizational challenges, as oftentimes there isn’t a person who knows that they’re responsible for cybersecurity of their OT system. So part of the education is turning to the director of operations or the superintendent of operations, and saying, hey, the OT system is your responsibility, right? They go, yep. You say cybersecurity of that system is also your problem, right? Now, like, no, that’s IT’s problem. And then IT says, we don’t play in OT, right? That’s yours. So I think that there’s a disconnect, and we’re trying to really bridge that with a lot of the conversations we have. So finding that person, making sure they know they’re responsible, helping them build awareness, understand what questions to ask, you know, their internal resources and their external resources, drive those improvements. Part of it is training. So I will say that engineers in our sector, you know, and I’m looking mostly at civil engineers, and I have a degree in civil engineering, so I’m looking in the mirror just a little bit here, we’re a little bit behind. Starting in the 70s, there was this really big awareness that, you know, earthquakes were going to be a big thing, especially if you think of the Cascadia zone earthquake, which is estimated to be like a 9.0. I mean, massive, right? Something big like that comes along, and engineers, we have to adapt. We have to say, Okay, well, we have to design our systems to perform differently, to have different standards of reliability. And now, a lot of the systems in seismically active places, they’re putting pipes in, they’re building buildings that are seismically resilient. A similar situation occurred in the 80s when health and safety became much more important.
I remember being on my grandpa’s old farm, and he just had this old flywheel. There were no guards on that. He also only had nine and a half fingers and all of those sorts of things, right? Like we just didn’t think about health and safety. Engineers, we now have to design and implement systems in a much more safe way so that our operators, who are really kind of the end customer of the engineer, can go about their day and then go home and have a lot fewer health and safety concerns. To me, the integration of understanding cyber or digital risk in our critical infrastructure, the engineers picking that understanding up, building awareness, building skill sets, figuring out how to manage that risk is one of the most important things that we’ve been working on. And my colleague Dan Groves and I actually wrote a book called Resilience through Cyber-Informed Engineering: An Engineering and Operations Approach to Cybersecurity, to help the engineers and the operators in these organizations understand their role and understand that they can really do amazing things toward having a cyber-secure organization. Part of writing that book, though, it’s not terribly technical. If you look at a lot of the cyber-informed engineering resources, they’re quite big. They can be very technical in certain ways. We wrote this book so that a leader, an executive in one of these organizations who is probably a civil engineer, who may be an operator, they can pick it up and they can say, Oh, this makes sense to me. I understand this perspective on cybersecurity, and oh my gosh, I have one of those types of assets. I need to go and do things about this. And it’s been really helpful. I think we’ve gotten some wonderful feedback from operations leaders around the country. They just want to have excellent operations staff. So they want people who are super into what they’re doing. They know what all of the data means, how to collect the data in a manual way.
They can sort of intuit what the systems are doing beyond what the SCADA screens are telling them, and it’s really helped reinforce their perspective. For them, that’s been some really good feedback we’ve gotten. The engineers can be a little stodgy. We’re still kind of breaking down some of those barriers, but it’s coming along. And even at some of the utilities that we work with, we’re seeing pretty significant turnover in the engineering staff. One utility I work with, when I started working with them 10 years ago, I mean, the average age of the engineer there was probably 55. Now that average age, I mean, it could be in the low 30s. So one of the excellent things about this new generation that’s coming on is they understand digital, they understand cyber a little bit more, and I think we’ll get a little more uptake in this generation of engineers coming up than maybe we have experienced so far.
Bryson: You wrote a book on consequence informed engineering. You talked about how you’ve worked with Andy Bochman at Idaho National Labs, who have been the champions for consequence informed engineering. Is that something that speaks specifically to you because of the civil engineering background? Is that something that you also see as a natural conduit for engagement with these kinds of engineers who run these water plants, because that’s what their background is as well?
Andrew: About 2018, right before I had met Andy, I was really struggling to grasp sort of my role, as primarily a civil engineer at the time, much less of a cybersecurity professional, my role in helping my clients make their systems resilient to cyber attacks, and really what the nature of those cyber attacks could be. And so when we got to know Andy, and we got to know some of the other staff from Idaho National Laboratory, it really clarified to me that, hey, we can take an engineering approach to building cyber resilience. It’s not just about the firewalls; you have to do all that stuff, but once it kind of came into more of a realm that I’m a little more comfortable in, which is pipes and pumps and treatment processes, it really kind of opened up a certain level of understanding and appreciation that I previously didn’t have. Now, as we’ve gone on, and we’ve worked with Ginger Wright especially at the lab, who leads the CIE program, the applicability of cyber informed engineering and consequence driven cyber informed engineering, it’s really amazing to see these things come to life. We were really pleased to be able to publish our book, have it become a sector specific resource in the pantheon of CIE resources that are available, and, like I mentioned, seeing it be helpful around the country. Now, there’s still a lot going on when it comes to cyber informed engineering. We do act as a contractor to the lab. One of the things that we’ve been working on for a while is helping people understand how they can adopt these practices. And so when we sat down and we thought about it, we said, okay, well, there’s all sorts of different types of organizations, whether it’s an integrator or an engineer, the asset owner, the cybersecurity vendor. We said, okay, that’s good. And then we said, well, there’s all sorts of people in different roles. There’s the executives, the engineers, the operators, the cybersecurity professionals. 
And so we said, okay, we’re going to go talk to these people. And so we went out and we interviewed a number of people. Had some wonderful conversations, and I was blown away by what people are doing across sectors, out in the world, in the wild. And we figured out that depending on where people are in their organization, what their professional responsibilities are, they’re going to have a different perspective. And so what we were able to do was to create what we called adoption pathways, which is like, okay, if you’re at the top, of course, right, you get to set the rules. You tell people that we’re going to do CIE, they say, yes, boss. Now, you do have to fund it, of course. That’s one thing. But we also saw a lot of really cool grassroots implementations of cyber informed engineering. One of the things that really kind of changed my perspective is we were at a conference, Ginger and I were facilitating a conversation, and this young cybersecurity professional, very much a traditional network engineer, very focused on securing the control systems for Fortune 100 companies, right? So his job in those giant companies was very, very narrow, but he said, look, I have to go and do CIE. I know about it. I’ve got to go do this now to help my customers. And so he picked out the little chunk of CIE that was sort of within his span of control, and he went off and he did it. And he turned a bunch of stuff around in ways that we would never have thought. But it was really helpful, because as an engineer who has done engineering for a long time now, he really changed my mind. And I said, okay, the cybersecurity professionals can take this, they can put their spin on it, and they can adopt it and go, and then they can kind of become that change in their organization that they really want to see. So that’s one thing we’ve developed. Now, of course, the adoption pathways, it’s really about how you get started. 
We’re also in the process of developing a capability maturity model. So you’ve begun adoption. Where do you go from here? Right? And I think that that should be out in the next couple of months. I’m very excited for that to be out and to do the conference circuit and be able to talk about that at various places. We have a mutual friend in Josh Corman, who runs UnDisruptable27, so he’s very keyed into this. You know, his thing is no water, no hospitals, which is very much true. And he’s got his program that he’s running to make sure that our hospitals and our water systems and all of the interconnectedness, right, it’s resilient in the face of whatever’s coming down the pike in 2027. So people definitely should go check out UnDisruptable27 in your favorite search engine.
Bryson: They are a partner with this podcast.
Andrew: Amazing.
Bryson: All right, if you could wave a magic, not interconnected wand, what would you change?
Andrew: The other day, I had some windshield time, and I was thinking about 2027 and the expectation that there could be some disruptions in our world, and I started thinking about unconventional warfare. Now, I’m an engineer. I was never in the military. My research on unconventional warfare is, you know, razor thin, but I do understand that the intent is to be subversive. With that, if I were to wave my magic wand, I would increase the trust level that the public has in their utilities, in their water and wastewater utilities, where those utilities are doing really excellent work. Because I think, in my relatively uninformed perspective on this, one of the great ways to inoculate yourself against some of these unconventional warfare tactics is to establish trust in advance of any type of action by your adversary. Of course, trust in our current world is a pretty tough thing oftentimes, but I’m going to counsel all of my clients moving forward that they need to have really excellent public outreach. They need to engage, they need to give tours. They need to do those things to build and maximize the trust that they can between now and 2027 and beyond.
Bryson: You’ve waved your magic wand now looking into your crystal ball, which looks suspiciously like an HMI. What is one good and one bad thing that you think will happen?
Andrew: One good thing? So I think there’s going to be a little bit of a bifurcation. And the good part of that bifurcation is that the leading utilities, the big ones, the ones that are well funded, they’re going to take some things like cyber informed engineering, very safety-, reliability- and performance-centric cybersecurity, and they’re going to implement it in the big systems. They are going to be able to be much more resilient to cyber disruptions and other disruptions. Now, the downside of that is that the systems that are less well funded, maybe they’re served by engineers that are less informed, right, less capable, they’re going to continue to bear this cyber risk in some really unfortunate ways. Those engineers are not going to be building systems that are as resilient. They’re not going to be managing that risk as effectively. So I think that’s the one good thing, and that’s the bad thing, and I think that that’s going to become very apparent over the next five years.
