“The fundamentals of cybersecurity are the fundamentals of good engineering and operations.” - Andrew Ohrt
For the last episode of season 5, host Bryson Bort sat down with Andrew Ohrt, Resilience Director at West Yost Associates. A civil engineer specializing in water infrastructure, Andrew bridges the gap between traditional engineering and digital risk. Andrew walks us through the "invisible" nature of water systems, the impact of data centers on utility resilience, and how Cyber-Informed Engineering (CIE) protects our most essential resource.
How did a drive under a rebuilt bridge in Minneapolis pivot Andrew’s career toward critical infrastructure? Why did a single wastewater release shut down Waikiki Beach for an entire week? And what happens when a cybersecurity team finds a client’s PLC exposed on the open internet?
“To me, the integration of understanding cyber or digital risk in our critical infrastructure, the engineers picking that understanding up, building awareness, building skill sets, figuring out how to manage that risk, is one of the most important things that we've been working on,” he said.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort, and this is Hack the Plant, season 5, brought to you by ICS Village and the Institute for Security and Technology. Electricity. Healthcare. The food we eat. Our water supply. We take these critical infrastructure systems for granted, but they're all becoming increasingly dependent on computers to function.
In Season 5, it’s more important than ever to ensure that our essential services are resilient to disruptions. This season, we’ll bring you insights on four of our most vital lifeline sectors - electricity, healthcare, food, and water. We know that our interconnectivity makes us vulnerable to our enemies – but what can we do about it?
We walk you through the world of hackers working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day. From the threat posed by Volt Typhoon to the aftershocks of the Change Healthcare data breach, it is clear: the time for action is now.
In my day job, I'm the CEO and founder of Scythe, a start-up building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy and co-founder with Tom Van Norman of ICS Village, a non-profit advancing awareness of industrial control system security.
I'm also an adjunct Senior Advisor at the Institute for Security and Technology, a 501c3 Think Tank dedicated to tackling technology-driven emerging security threats.
Subscribe wherever you find podcasts to get each episode when it drops.
Today, I’m joined by Andrew Ohrt, Resilience Director at West Yost. A civil engineer specializing in water infrastructure, Andrew bridges the gap between traditional engineering and digital risk.
I met Andrew a few years ago at S4, *the* conference for critical infrastructure security practitioners in the world. The ICS Village has been a conference partner for several years running the Capture the Flag competition or exhibitions on vulnerability management.
In this conversation, we explore the "invisible" nature of water systems, the impact of data centers on utility resilience, and how Cyber-Informed Engineering (CIE) protects our most essential resource.
Andrew: “and I basically was like, Hey, the fundamentals of cybersecurity are the fundamentals of good engineering and operations.
Can you do things like operate without SCADA, or your control system? How long can you do that? So are your people trained? Are your systems engineered to do those things? Do you have things like cyber-physical protections?”
Bryson: We discuss how the water sector is integrating hardwired engineering controls with cybersecurity to prevent cascading failures in critical infrastructure, and the importance of public trust.
How did a drive under a rebuilt bridge in Minneapolis pivot Andrew’s career toward critical infrastructure? Why did a single wastewater release shut down Waikiki Beach for an entire week? And what happens when a cybersecurity team finds a client’s PLC exposed on the open internet?
Join us for this and more on this episode of Hack the Plant.
Bryson: What mistakes in life led you here? The quick bio introduction.
Andrew: So most recently, probably one of my coworkers didn't wanna go to S4 one year because he had a family thing that he had a commitment to. And at that S4, I think it was maybe 2022, I met you, Bryson. So we've had the pleasure of getting to know each other since then.
But you know, professionally I came up in oil and gas and after a decent amount of time, I was really looking to make a change. And one day my family and I were living in Minneapolis, Minnesota at the time and I was driving underneath the 35W Bridge, that brand new beautiful. Um, if you recall, that bridge fell into the Mississippi River.
Maybe about 20 years ago, they rebuilt it really fast and the new bridge is really amazing. So I'm driving under that and I'm looking up and I'm going, wow, I really wanna work in critical infrastructure protection. But the reality was is that I really wanted to work in resilience and a critical infrastructure resilience.
And so literally days later, I had my first opportunity to support a water utility with vulnerability assessment at the time. That got me into contact with some colleagues who I worked with at West Yost, Dan Groves and Joel Cox. Got to know them. They're just really exceptional cyber people. They make it a lot of fun and over the, you know, ensuing few years,
I wound up going to work with them and you know, eventually we got to know Andy Bochman, who at the time was with Idaho National Laboratory, and then that relationship really blossomed. We started working on cyber-informed engineering and it's been a wonderful journey.
Bryson: For folks who don't know, what is West Yost?
Andrew: So West Yost is a wastewater only engineering company. So if you have a, a, say a source water, whether it's groundwater or another freshwater, right? We start there and we will do pretty much anything all the way to the receiving water of the wastewater plants, right? Which again, this groundwater surface water, all the engineering, design, programming, cyber
for those, of course, and we're about 260 people now focused on the Western US. But through our work with Idaho National Laboratory and some wonderful relationships we have around the country, we do work pretty much wherever it makes sense.
Bryson: So let's talk water, right? Hopefully, listeners of the podcast are familiar with the different sectors in critical infrastructure we've been talking about for years here.
And one of the things that we've been really pushing on is the fact that not all critical infrastructure is the same priority, but a lot of folks get confused because the US government designated 16 sectors. And so it seems like each one of those is the same. And I like to point out that water is really the bottom of all of that.
We can get by with alternative approaches to electricity. We can get by with alternative approaches around all of the water is the one thing there's no alternative for. It's what cools. It's what moves, it's what goes without it. The rest of this falls apart. So let's start talking about that. How have you seen that in your career?
Andrew: If we think about the water sector in the United States, we, we divvy utilities really based on population served. So if you think about any utility that serves over a hundred thousand people, there's about 500 of those in the country. If they serve between 500 and a hundred thousand people, there's about 500 of those as well.
And then between 3,300 and 50,000, there's about eight to 9,000 of those. But in total, Bryson, we actually, you know, depending on how you kind of slice and dice it, you could say there's over a hundred thousand water systems that serve people on a daily basis. Plus we've got about 15 to 20,000 wastewater systems that serve people.
So the overwhelming majority of those are very, very small systems. And I think what happens also is a lot of those systems are part of municipalities, small municipalities. And when you know you are running a municipality, you also are responsible for police, for fire, for all of those really immediate services that you offer your community and water, you know, the pipes are buried, the facilities a ways off at the river.
It's not as visible, so I think people sometimes forget about it. Certainly take it for granted. I know that when I used to do a lot of work with Minneapolis Water and I'd come home to, you know, my little kids and I'd say, guys, I was aware that water was made right? And, and not everybody has that context.
I've been very impressed with a lot of utilities and some of the outreach they're doing with their communities and with their political leaders to try and bridge that gap of understanding. That helps people understand why rates might go up, right? To pay for cybersecurity and many, many other things. So I think that there's been a little bit of neglect over time.
We might also be responsible for that. The systems and the, the pipes we've engineered over time, they last really, really long times, right? And I think the reality is, is that if you put something in the ground and it just keeps doing its thing, you kind of forget about it over time until it breaks. And then, oh my gosh, you've got a lot of work to do.
So we're a little bit of a victim of our own success in that way as well. Now our sector risk management agency is the Environmental Protection Agency, and they've built some really excellent cyber capabilities over the last maybe five years, but compared to their other centers of excellence around air pollution, water pollution, managing, all of those things, I would say cyber's still a ways behind.
And I'm not sure that they'll ever catch up in the sense of the electric sector with NERC really driving cybersecurity adoption and that sort of thing. We don't have the regulatory framework that drives that. Of course, we have the America's Water Infrastructure Act, which drives all hazards, resilience assessments, emergency response planning, but cyber's only a portion of that.
Bryson: The EPA is SRMA. In my experience, that mostly meant that the EPA was kind of the face, but CISA was really the legs behind it because they had the cybersecurity professionals at the US government level be able to do that. In 2025, CISA is now a fraction of itself, and I don't think there's been any, any change there.
So where does that leave us as a country with a situation from an SRMA level?
Andrew: It's been really sad to see what's happened to CISA. A lot of wonderful people. I've had the opportunity to work with a number of them over the years in different capacities, and I, I know that a lot of our clients rely on them for guidance, for threat intel, all of those sorts of things that a government agency like CISA is really meant to provide.
I will say that oftentimes the footprint has remained the same for CISA based on my experience, but there's fewer people in that footprint, so they're not really able to service water and wastewater utilities as much. Now they've done some really good things focusing on the sector. They have some good people still there, so that's excellent.
Now, if we're looking at the EPA, as I've mentioned, the EPA has staffed up and they really are pushing technical assistance programs. But one of the challenges that we've actually run into is that the EPA staff really come from an IT background, and you know, when you're bringing that perspective, you miss a lot of the engineering and operations things that can be done to advance resilience and cyber resilience.
And so, this was coming up on two years ago. I had the opportunity to participate in an event hosted by the Office of the Director of National Intelligence, and a lot of wonderful people there contributing to the conversation, and I basically was like, Hey, the fundamentals of cybersecurity are the fundamentals of good engineering and operations.
Can you do things like operate without SCADA or your control system? How long can you do that? So are your people trained? Are your systems engineered to do those things? Do you have things like cyber-physical protections? We have had the unfortunate experience of seeing a lot of design drawings where things like protective relay.
Bryson: Jumping in here to provide a few definitions. The Office of the Director of National Intelligence, or ODNI, is the head of the US Intelligence Community responsible for integrating foreign, military, and domestic intelligence. Later, you’ll hear Andrew mention Distributed Energy Resources. DER are small generation units that live on the user side of your energy meter, so you probably have one in your house!
Andrew: Now they're starting to kind of fade away, and those equivalent quote unquote controls are being pulled into the PLC programming, which of course if that PLC is accessible in any way to an adversary, yeah, they may be able to make some changes to that. And you lose that physical protection. So one of the things that I have noticed, and you know, I've heard that EPA staff are now going out to utilities and saying, Hey, talk to us about how PLCs are wired up.
And how do those actually control? What are the inputs, what are the outputs and how does, can we provide guidance to the entire sector that says, Hey, do it this way, to maintain these capabilities and capacities. And that's a really, really fantastic evolution for them because up until that point, they were very focused on secure remote access network segmentation, which are all super important things.
And you have to do those, those are consensus controls now, but it's a little bit harder for especially an executive leader or an engineer who's been around for a few decades to really, um, appreciate those types of controls. Whereas some of the operations capabilities and the engineering controls, they've been working with that their whole lives, their whole careers, and they appreciate it in a different way.
Bryson: That's really interesting that we have that kind of cross sector collaboration. I mean, I wouldn't initially the, I don't think the average person looks at water and goes, you know, what? They could learn from electric. And you mentioned earlier about how we don't have something like NERC CIP, which is a, you know, very prescriptive regulatory requirement for electric, for the water sector.
So what kinds of things have you seen them actually being able to learn? I mean, it's a little more complicated than saying, oh, well that's how you manage your PLC.
Andrew: When I think about what we've been learning from the electric sector is we've seen, I I, and let's just say Bryson, we're maybe 15 to 20 years behind the electric sector from a integration of, of cybersecurity practices, uh, mandatory cybersecurity practices, but then also, you know, some of the digitization of our devices and equipment that we actually deploy to service customers.
What I think we've been able to do is you can't really buy like a motor control center. You know, something that operates a large pump without an ethernet port anymore. Right? And there's an expectation that that ethernet cable is going to be connected and there's going to be control over that ethernet connection.
In the electric sector, I think that's been going on for a long time, but now we've actually been able to benefit from some of the stories we've heard and the concerns that those electric sector asset owners have about making that connection and now we're able to say, Hey, clients. Okay. Maybe have that ethernet connection for the blue sky type days, but make sure you have just enough hardwired control that you can unplug that ethernet cord and stay in business.
So it's elevated our awareness. We do see that when there are combined water and electric utilities, the, the water side of that house is doing amazing cybersecurity things simply because NERC CIP is applicable over here and it's usually the same people. So they're doing the good things. They have to here.
Because they want to over here 'cause it's the right thing to do. So I think that's some of the things. We also are seeing a little bit of a trend towards regionalization in our sector. There are some systems that are very small. They're underfunded, they're kind of getting gobbled up by the larger, more well funded utilities.
And I think at the end of the day, this is probably a good thing for the end customer. It's gonna be about better water service, better maintenance, better water quality. That's wonderful. But whenever you get excessive centralization, kind of like, you know, let's use the electric grid as a prime example of that.
It does open up opportunities for some cascading impacts, and so I think we've, we've seen what happened in electric and we're very cognizant of not creating a similar system.
Bryson: Is there also a mutual dependence and a trend of centralization that's being driven by data centers? Because we have an increasing use of artificial intelligence, which requires increasing compute.
Increasing compute requires increasing electricity, and here we are.
Andrew: So there's a, a data center that's supposed to go in a couple miles from my house. The local community is not real happy about it. Very consistent with a lot of communities around the country. I think that that phenomenon is going to be really disastrous for the water sector in part because oftentimes the water utilities are the power utilities' largest customers, right?
I mean, on the order of a few percent of all the power produced goes to water and wastewater facilities. So if you start to think about demand charges, changes in rates associated with that, it's gonna drive those electric costs way up for those large users. Now we are seeing some wonderful innovation
in the sector around, you know, using, uh, Distributed Energy Resources, battery, solar, offset some of those charges through capital infrastructure like that. That's great. Now we are seeing also, of course, in certain parts of the country, the data centers do want to use water to do cooling and such. I have worked with a couple of utilities who have kinda run into some problems with water service because the data centers are very demanding and the contracts are very rigorous, and so they do focus on those data centers as very important customers.
And if there's any disruption in water service, it's a really, really big deal. I will say that the outcome of those efforts have led to really, really improved emergency preparedness at those utilities. People really getting in line and saying, Hey, we're gonna do things like the national incident management system, incident command system, all of those things.
So that's, I think, really been a net positive.
Bryson: You mentioned wastewater. I think a lot of folks don't realize, right? We just think water. There's actually different kinds of water and different water has different purposes and different meanings. Can you go through that?
Andrew: So we have drinking water, right? You go to your kitchen, you turn on the tap, you pull up a cup and you drink it. That has been treated to very rigid standards. The states often have their own standards, but of course the EPA has the Safe Drinking Water Act, and a lot of that water is exceedingly high quality around the country.
So that's drinking water. Now you've got storm water. So it rains. You see the, the runoff going down the street, goes into a catch basin and then off into a surface water body. Usually that storm water, sometimes storm water will go into wastewater plants. Depends on how the collection system was designed and what the local regulations require.
Now from a wastewater perspective, so you drink that water, you have to go use the restroom. So you flush the toilet, and where does that water go? Right. So it goes into pipes, which goes into lift stations. They're called, because oftentimes we rely on gravity flow to go from houses whenever possible.
'Cause pumping water is really, really energy intensive and expensive. So as much as we can, we rely on gravity. Sometimes we have to pump it up to get to a higher elevation, and then it flows down. Now, that results in wastewater plants being right on the coasts, right on the river. And oftentimes, you know, there can be some real flooding risk at those locations.
So this, this wastewater comes in. There's some different processes. You have a little bit different goals when you think about it. And the end goal is to discharge that treated wastewater in the environment. Now, oftentimes these are being distributed into rivers, lakes, maybe the ocean. For example, off of Waikiki Beach, there was a wastewater release there untreated and it shut Waikiki down for about a week.
This happened, I dunno, maybe about eight to 10 years ago. So a lot of the wastewater treatment is more about getting the water to be safe so people can recreate in it. So we can have healthy ecosystems. And if you don't treat it really well, you wind up with a lot of just like really bad quality environmental conditions.
People get sick really easily and you don't want that. So I guess Bryson, does that kind of help paint the picture?
Bryson: Yep.
Andrew: Bryson, now, there is a, certainly some codependence. I will say that while the water sector has not widely adopted AI at all yet, and that's something we're very focused on, uh, making sure that it's done really well at the right scale. Talking to a water utility a few days ago and one of their business services leaders was like, Hey, our data is our data.
We're never sending it to the cloud. And I said, Amen. Right. That's great. But I think at the same time, their operation staff are kinda looking around going, Hey, it'd be really nice to have an AI assistant, in part because if you think about like the institutional knowledge within the people, right?
Hundreds and hundreds of years of experience. But then there's also all of the manuals, and it's not like a bookshelf of manuals, it's a hallway of bookshelves, of manuals. And if you could pull in that relevant information and feed it in to an engine and really put that engine and that, that AI next to the operator who's responsible.
Because AI will likely never be, maybe in our lifetimes, Bryson, will never be licensed to operate that water system. It's always gonna be a person, which is really important. I think that's really helpful. And then, uh, there is a demand from the operations staff to at least play around with some of these technologies, which is really good.
So of course there's then the additional dependence of electric and water. Now with the advent of the public safety power shutoffs in California, we have seen an amazing number of investments in backup power solutions. Primarily diesel generators at this point, but also the DER systems that I mentioned a little bit ago.
Between rounds of risk and resilience assessments required by the Safe Drinking Water Act, the first one was in 2020, second one was in 2025, I mean, massive investments. I personally have seen tens of millions of dollars of investment, and we don't work with that many utilities, right? We're a relatively small company, so I think the reality is is that we're grabbing that dependence and controlling it.
Now, the power companies do also need water, and we're responsible for providing a lot of that water for cooling, steam generation, all of that. So the idea of being able to cause cascading impacts in our critical infrastructure systems is something that I think is not well characterized. You know, potentially in a classified situation it is.
I don't have access to that, but we kind of use professional judgment, I would say, and I, I think having some models and that sort of thing would be really helpful to understand how these systems connect, how we can break those connections, reduce the single points of failure, and get a little bit better.
Bryson: I have to admit, I did not expect artificial intelligence to come up as a topic here in water, but I'm not surprised. You commented earlier that you felt like the water industry is about 15 years to 20 years behind the electric industry, and I can remember five years ago the debate in electric about how the cloud was or was not going to be a part of things.
Then we started to see the cloud become a part of things. And the first thing that I think it's important to note is what that means, right? This wasn't like everything suddenly gets connected to the cloud and your bulk electric system is now in AWS, but why wouldn't I find a way to move my operational data into a data historian in the cloud?
It's cheaper, it's easier to store, it's easier to access. It's not something that compromises the integrity of the operation. And now I can have multiple people, especially if I'm a larger organization, being able to access, manipulate the same data. And we see this time and time again today where artificial intelligence is being driven by operational need.
It's not a security question, it's a function question. And you gave a really great insight. 'cause my follow up question was gonna be like, what's the use case? And the use case is, Hey, we have all of these things that help assist an operator, right? Assistive tools to help an operator in context that's incredibly valuable.
That's gonna make it safer, that's gonna make it faster. I mean, everything is better with this approach. And so now you have the, okay, we're going to do this. Now, how do we secure it? And it's always gonna go that way. And I agree that we're not, again, same kind of thing. We're talking about electric, we're not talking about AI running things.
We're talking about AI supporting things on the line. So follow up that I wanted to have is,
Bryson: Back to the government. You talked about the Environmental Protection Agency and the technical assistance programs. You talked about a conversation or exercise that you did with ODNI, obviously within the bounds which you're comfortable with sharing.
What exactly is going on with those programs and what did you learn from the encounter with ODNI?
Andrew: I learned that there were a lot of people who were very concerned about this and they're very interested in it. So what I took away is that there was a, a strong political will to go and make resources to fund resources to fund people going out into these systems to help create a more cyber-secured environment for these wastewater utilities all across the country.
Bryson: What is the EPA doing with the technical assistance programs? That was the one that you had said that was, there was a lot of IT people coming into it. Again, talking to electric, that's a lot of the primary driver on these things is it's an IT program coming from the office of the CISO where they're going, Hey, these assets now have a cybersecurity risk, and the OT engineers
are not trained on the cybersecurity aspect of that risk. They're trained on the automation and function of those devices for their purposes. And so you have these IT folks coming in and it's like a cultural clash. There's a vocabulary difference, there's a different values. I mean, even if you work at the same company, you're still different people and there's a lot of that kind of conflict.
Andrew: So what we see mostly is technical assistance with cybersecurity assessments. So the EPA has some, some resources. They do emphasize what I, I tend to call, and I mentioned this earlier, consensus controls. So it's gonna be get your stuff off the internet, have secure remote access, do those sorts of things.
So the EPA and some of the state primacy agencies do offer those types of assessments. But what I've noticed with all government agencies that I've come in contact with is that you know, they can't recommend a certain device or manufacturer. So while they might say, Hey, you need a new firewall, this small utility's looking around and being like, what?
I know that, but like, where do I go to get one? What does it need to do? And that's where the government sort of has a line in the sand in my experience, where they can't make recommendations beyond that. And I think that that's the real challenge because most of these utilities rely on either engineering companies or integrators.
And many of these integrators are very small organizations to develop, install, and maintain the control system. So that third party is already there. So the utility tends to turn to the integrator and say, Hey, what do I do about this? And the integrator says, I've got it. We have observed a real lack of cybersecurity talent in integrators all over the country.
There was a wonderful post about this on LinkedIn. I can't remember the gentleman's name, but he characterized it really well. It's like, Hey, integrators, you've gotta get on the cybersecurity train. You have to learn how to secure these systems, how to communicate with your clients, emphasize the importance.
What we find is that once the clients know about it, they understand their fiduciary responsibility to take action. We do have concerns about how these actions are actually taken. We recently worked with a utility that my colleague was a couple thousand miles away, and he just went to Shodan, searched up for a, a specific PLC.
Sure enough, he found. The integrator gave a little bit of a surprising response to that, and from us, from our perspective as cybersecurity leaders in the water sector, holy cow, we can't imagine ever putting a client's PLC out on the internet, and we were shocked. Now, I expect that that PLC is no longer available via an internet connection.
I hope that's the case. I hope in a year I get to go back and start to ask some of those questions, but we'll see.
Bryson: You talked about fiduciary responsibility, and this is where there's a bit of a perverse incentive in the system because if you discover a problem, you're now liable for the problem and so you're incentivized not to find the problems.
But that contrasts also, I dunno, complemented by the challenge of a constrained rate base. The end of the day, the money for the operations go to what citizens pay for water in their community, which is regulated and nobody wants to pay more for it. So how are you helping these clients who find these problems but may not necessarily be able to have the capital or the resources to resolve them?
Andrew: I wanna start this part of the discussion by acknowledging that I have a certain bias based on the clients that I work with. Because if a client is working with me, they already have an understanding of the importance of cybersecurity, the services we offer, and how that relates to them providing continuous service to their customers.
So what we find is that the planning cycles in our sector are longer because they're public agencies. The planning horizon can be a year, can be two years, can be even longer than that. Once you get into the planning cycle though, stuff can get done and it's really amazing. So once you're in the planning cycle and there's a will, like things really get done, Bryson, and they, they do a great job.
I will say that I observe people coming in from outside the sector and they say like, I'm gonna have to wait 18 to 24 months to make a sale. And we're like, yeah, that's just the startup cost here. And then they don't really stick around, right? 'Cause they can go to a private company who can cut them a PO next week and off they go.
So there's a little bit of just patience that's required because of the public nature of most of the organizations that we work with. Now, there's a lot of utilities who are in financial straits and the federal government really hasn't come through for those agencies, in my opinion, like the federal government has come through for smaller electric utilities.
Now, again, I'm an outsider to the electric space, but I think that that's a real issue. I will say that oftentimes that those smaller systems tend to be a little bit simpler. They tend to have really good operations staff still because all those operators are still licensed and really well trained with lots of experience.
So while. Some of the cybersecurity controls may not be in place. Some of the really great operational controls are, which is very positive.
Bryson: What are, obviously, you talk about consensus controls being probably still the baseline challenges that most of these places are still working with. What are some other common issues that you see?
Andrew: At West Yost, we helped the American Water Works Association develop the cybersecurity resources back starting in 2019. We've done a number of updates since then, so there's the technical controls. We also see some organizational challenges: oftentimes there isn't a person who knows that they're responsible for cybersecurity of their OT system.
So part of the education is turning to the director of operations or the superintendent of operations and saying, Hey, the OT system's your responsibility, right? They go, yep. Say cybersecurity of that system is also your problem, right? And they're like, no, that's IT's problem. And then IT says, we don't play in OT.
Right. That, that's yours. So I, I think that there's a disconnect and we're trying to really bridge that with a lot of the conversations we have. So finding that person, making sure they know they're responsible, helping them build awareness, understand what questions to ask, you know, their internal resources and their external resources to drive those improvements.
Part of it is training. So I will say that engineers in our sector, you know, and I'm looking mostly at civil engineers and I have a degree in civil engineering, so I'm looking in the mirror just a little bit here. We're a little bit behind. Starting, what, in the seventies, there was this really big awareness that, you know, earthquakes were gonna be a big thing.
Especially if you think of the Cascadia Zone earthquake, which, you know, is estimated to be like a 9.0, I mean, massive. Right. Something big like that comes along. And engineers, we have to adapt. We have to say, okay, well we have to design our systems to perform differently, to have different standards of reliability.
And now a lot of the systems in seismically active places, they're putting pipes in, they're building buildings that are seismically resilient. A similar situation occurred in the eighties when health and safety became much more important, and I remember being on my grandpa's old farm and he just had this old flywheel.
There were no guards on that. He also only had nine and a half fingers and all of those sorts of things, right? Like we just didn't think about health and safety. Engineers, we now have to design and implement systems in a much more safe way so that our operators who are really, you know, kind of the end customer of the engineer can go about their day and then go home and have a lot, you know, fewer health and safety concerns.
To me, the integration of understanding cyber or digital risk in our critical infrastructure, the engineers picking that understanding up, building awareness, building skill sets, figuring out how to manage that risk, is one of the most important things that we've been working on. And my colleague Dan Groves and I actually wrote a book called, uh, Resilience Through Cyber-Informed Engineering: An Engineering and Operations Approach to Cybersecurity, to help the engineers and the operators in these organizations understand their role and understand that they can really do amazing things.
Two, having a cybersecurity organization. Part of writing that book, though it's not terribly technical. If you look at a lot of the, the cyber informed engineering resources, they're quite big. They can be very technical in, in certain ways. We wrote this book so that, uh, a leader and executive in one of these organizations who is probably a civil engineer, who may be an operator, they can pick it up and they can say, oh, this makes sense to me.
I understand this perspective on cybersecurity and oh my gosh, I have one of those types of assets I need to go and do things about this, and it's been really helpful. I think, um, we've gotten some wonderful feedback from operations leaders around the country. They just want to have excellent operation staff.
So they want people who are super into what they're doing. They know what all of the data means, how to collect the data in a manual way. They can sort of intuit what the systems are doing beyond what the SCADA screens are telling them, and it's really helped reinforce their perspective for them.
That's been some really good feedback we've gotten. The engineers can be a little stodgy. We're still kind of breaking down some of those barriers, but it's coming along and even at some of the utilities that we work with, we're seeing pretty significant turnover in the engineering staff. One utility I work with, you know, when I started working with them 10 years ago, I mean the average age of the engineer there was probably 55.
Now that average age, I mean it could be in the low thirties. So one of the excellent things about this new generation that's coming on is they understand digital, they understand cyber a little bit more, and I, I think we'll get a little more uptake in this generation of engineers coming up than maybe we, uh, have experienced so far.
Bryson: You wrote a book on consequence informed engineering. You talked about how you've worked with Andy Bochman at Idaho National Labs, who have been, uh, the champions for consequence informed engineering. Is that something that speaks specifically to you because of the civil engineering background? Is that something that you also see as a natural conduit for engagement with these kinds of engineers who run these water plants because that's what their background is as well?
Andrew: Spoke 2018 right before I had met Andy is that I was really struggling to grasp sort of my role as primarily a civil engineer at the time, much less of a cybersecurity professional. My role in making, helping my clients make their systems resilient to cyber attacks and really what the nature of those cyber attacks could be.
And so when we got to know Andy and we got to know some of the other staff from Idaho National Laboratory, it really clarified to me that, hey, we can take an engineering approach to building cyber resilience. It's not just about the firewalls. You have to do all that stuff, but once it kind of came into my more, a realm that I'm a little more comfortable in, which is pipes and pumps and treatment processes, it really kind of opened up a certain level of understanding and appreciation that I previously didn't have.
Now as we've gone on and we've worked with Ginger Wright, especially at the lab, who leads the CIE program, the applicability of cyber informed engineering and consequence driven cyber informed engineering, it's really amazing to see these things come to life. We were really pleased to be able to publish our book, have it become a sector specific resource in the pantheon of CIE resources that are available and, like I mentioned, seeing it be helpful around the country.
Now, there's still a lot going on when it comes to cyber informed engineering. We, we do act as a contractor to the lab. One of the things that we've been working on for a while is, is helping people understand how they can adopt these practices.
Bryson: Those who attended Critical Effect last year will remember Ginger’s presentation on performing cyber consequence analysis for critical infrastructure operators. If you missed it, you can watch the full talk on ICS Village’s YouTube!
Andrew: And so when we sat down and we thought about it, we said, okay, well there's all sorts of different types of organizations, whether it's an integrator, an engineer, the asset owner, the cybersecurity vendor. Said, okay, that's good. And then we said, well, there's all sorts of people in different roles, right?
There's the executives, the engineers, the operators, the cybersecurity professionals. And so we said, okay, we're gonna go talk to these people. And so we went out and we, we interviewed a number of people, had some wonderful conversations, and I was blown away by what people are doing across sectors out in the world, in the wild.
And we figured out that depending on where people are in their organization, what their professional responsibilities are, they're gonna have a different perspective. And so what we were able to do was to create what we called adoption pathways, which is like, okay, if you're at the top, of course, right?
You get to set the rules. You tell people that we're gonna do CIE, they say, yes, boss. No, you do have to fund it. Of course, that's one thing. But we also saw a lot of really cool grassroots implementations of cyber informed engineering. One of the, the things that really kind of changed my perspective is we were at a conference, Ginger and I were facilitating a conversation, and this young cybersecurity professional, very much a, a, a traditional like, you know, network engineer, very focused on securing the control systems for Fortune 100 companies, right.
So his job in those giant companies was very, very narrow. But he said, look, I have to go and do CIE. I know about I gotta go do this now to help my customers. And so he picked out the little chunk of CIE that was sort of within his span of control, and he went off and he did it. And he turned a bunch of stuff around in ways that we would've never thought, but it was really helpful.
Because as an engineer who has done engineering for a long time now, he really changed my mind and I said, okay, the cybersecurity professionals can, can take this. They can put their spin on it and they can adopt it and go, and then they can kind of become that change in their organization they really wanna see.
So that's one thing we've developed. Now, of course, the adoption pathways, it's really about how you get started. We're also in the process of developing a capability maturity model. So you've begun adoption, where do you go from here? Right. And I think that that should be out in the next couple of months.
I'm very excited for that to be out and do the conference circuit and be able to talk about that at various places. We have a, a mutual friend in, uh, Josh Corman, who runs UnDisruptable27. So he's very keyed into this. You know, his thing is no water, no hospitals, which is very much true. And he's got his program that he's running to make sure that our hospitals and our water systems and all of the, the interconnectedness, right, it's resilient in the face of whatever's coming down the pike in 2027.
So people definitely should go check out UnDisruptable27 in your favorite search engine.
Bryson: They are a partner with this podcast.
Bryson: For any of our listeners who might be unfamiliar, Josh Corman is the Executive in Residence for Public Safety and Security at the Institute for Security and Technology, who are our partners in this podcast. UnDisruptable27’s mission has directly influenced our decision to focus on four vital lifeline sectors of electricity, healthcare, food, and water this season. We’re working together on Critical Effect ‘26, set for June 17th and 18th in Washington, D.C.
Andrew: Amazing.
Bryson: If you could wave a magic non interconnected wand, what would you change?
Andrew: The other day I had some windshield time and I was thinking about 2027 and the expectation that there could be some disruptions in our world.
And I started thinking about unconventional warfare. Now I'm an engineer. I was never in the military. My research on unconventional warfare is, you know, razor thin. But I do understand that the intent is to be subversive. If I were to wave my magic wand, I would increase the trust level that the public has in their utilities, in their water and wastewater utilities, where those utilities are doing really excellent work.
Because I think in my relatively uninformed perspective on this is that one of the great ways to inoculate yourself against some of these unconventional warfare tactics is to establish trust in advance, uh, of any type of action by your adversary. Of course, trust in, in our current world is a pretty tough thing oftentimes, but I'm gonna counsel all of my clients moving forward that they need to have really excellent public outreach.
They need to engage, they need to give tours. They need to do those things to build and not maximize the trust that they can between now and 2027 and beyond.
Bryson: You've waved your magic wand. Now, looking into your crystal ball, which looks suspiciously like an HMI, what is one good and one bad thing that you think will happen?
Andrew: One good thing. So I think there's gonna be a little bit of a bifurcation. And the, the good part of that bifurcation is that the leading utilities, the big ones, the ones that are well-funded, they're gonna take some things like cyber informed engineering, very safety, reliability, and performance centric cybersecurity.
And they're gonna implement it in the big systems. They are going to be able to be much more resilient to cyber disruptions and other disruptions. Now, the downside of that is that systems that are less well funded, maybe they're served by engineers that are less informed, right, less capable, they're gonna continue to bear this cyber risk in some really unfortunate ways.
Those engineers are not going to be building systems that are as resilient. They're not gonna be managing that risk as effectively. So I think that's the one good thing and that's the bad thing, and I think that that's gonna become very apparent over the next five years.