Episode Transcript
[00:00:03] Speaker A: Hello and welcome to the Consulting Specifying Engineer podcast. I'm your host, Amara Rosgas, and in this episode we are talking about Cyber Informed Engineering.
The CAC podcast is about to turn three years old and I am excited to be here. Thank you for joining me today, Adam.
[00:00:24] Speaker B: Yeah, thank you so much for having me.
[00:00:28] Speaker A: And there is a lot of discussion about cyber Informed engineering and cybersecurity, so I thought I'd talk to an expert on the topic.
Adam Brody has four years of experience working on the electrical team at Canon Design.
Throughout this time he has had exposure to a broad list of topics ranging from basic design production work to understanding the importance of securing the operational technology network.
So, Adam, a lot to cover here. First things first. How is Cyber Informed Engineering and OT Security different from traditional IT cyber security?
[00:01:08] Speaker B: Yeah, that's a, that's a great question. And I think in the past they were very, very different.
They were really. There wasn't a whole lot of overlap at all. So they had very different, they had different goals, they use different kind of communication protocols.
They just worked in very different ways. You had different people working on kind of each area individually. So I guess to define it. So it, I think we're all familiar with is like, you know, information technology.
It's, it's more focused on like data preserving data, user data, you know, the integrity and security behind all of that.
OT or operational technology is more like, has more to do with like what engineers like, the equipment that engineers use. So it's like, you know, the controls and the monitoring of, you know, in my case it'd be like a piece of electrical equipment. So like a switch gear. We might have like a, a monitor on there that tells us, hey, this is energized and there's power still coming from, you know, a breaker or this, you know, or you know, the opposite. It'll say there's not power coming to this breaker and we want to communicate that.
So that's kind of OT versus it. But when it, when it comes to the security, like I said in the past, it was really no overlap. But as time has gone on and the technology behind OT and the monitoring of that equipment has evolved, there's been, I think, an increase in, in what has overlapped. So now OT is using more of kind of the similar protocols and the similar, similar functions of it. So going like using things like fiber optic, cabling, Ethernet communication, IP.
Wireless, you know, all the Bluetooth. All these communications are now showing up on, you know, installations of switch gears and mechanical equipment, air handling Units, different things like that. So as it's evolved, the priorities of both of them have still remained different, even though the communication and the kind of look of it has remained the same. So it, like I mentioned, is more focused with like user data and making sure that that stays confidential and the integrity behind that stays secure. Whereas OT is more concerned with like, you know, safety and fault tolerance and loss of equipment and like, you know, damaging the actual product that you're using. So if we, you know, in the case of electrical equipment, again, if part of the reason that we're monitoring a breaker is because we want to know kind of the health of that breaker. So if it's tripping a lot or like it's experiencing more current than it's supposed to, that's an issue. And it could lead to a damage of the breaker itself, a damage of the cabling, and also, you know, the safety of the people using it. So we, we want to keep an eye on those things for all of those reasons.
And that's another big difference between OT and it is that OT is very physical. So a lot of OT stuff we're monitoring and is in like kind of the physical world. It's physical data, whereas data is more, you know, oftentimes more zeros and ones and information OT is very physical. So it's like, you know, current, if I'm going to stick with electrical a lot probably during this whole conversation, but you know, current, voltage, things like that is a physical value that we're monitoring.
And oftentimes too, as it's evolved, control of OT has evolved as well. So you can adjust certain values using the components and the equipment on the OT network. So it's not just monitoring and communicating. Hey, this is the value at this point. Now it's also turned into kind of the control of it. So like maybe I want to turn off the breaker from kind of a different location.
So a lot of differences. I think, like I said, it's. As OT has continued to evolve and advance, I would say it's starting to look more like it and kind of sound more like it and definitely talk more like it. But the focus and the goal of each of them is very different.
[00:06:05] Speaker A: Okay, okay. And you touched on this a little bit. Adam. How has the growth of connected devices, remote access and cloud based monitoring changed the risk profile profile for electrical infrastructure?
[00:06:21] Speaker B: Yeah, so there's, I guess before we get into the risk of it, there is some good that comes from it. Obviously, like we're able to see more clearly what's happening in the kind of electrical infrastructure. And it's, it's a great selling point to be like, hey, you can always look at this. So where in the past, you know, you would have to go out to maybe like the location of the equipment, now you can remotely monitor it. So I can have like a computer in the electrical engineer's office and he'll have a software pulled up and he can see the current and the voltage and like all of the statuses of all the breakers. He can see the statuses of all the, you know, generators, transfer switches, and in a lot of cases too, there's, there's control in that. So you can push a button and you can turn something off, turn something on.
And there's a lot of pros to this.
It does, you know, obviously save time in going out. It saves time in, you know, training people to use it. When everything is so streamlined and connected, you only have to learn, you know, one software, one protocol, and that makes it a little easier on that end there. There is an inherent risk, though, that you take on with that. And that's really kind of the concern of cyber informed engineering is, you know, it's kind of the idea if, if I can remotely view, remotely control something, somebody else can too, you know, and it's, it's you, you take on that risk a bit where somebody could, you know, bad actors they call it in, like the cyber security world could get into your system. And, and now all of a sudden they have access to not only viewing, which is not, I mean, it's definitely a concern, but you definitely are worried whenever you start talking about control because they can shut off power, they can hold you at ransom. And I mean, when you start talking about the industries as it affects, like, obviously electrical infrastructure is everywhere, but you start talking about like healthcare or data centers are big on this right now. And you're talking either the life safety of people or you're talking about millions of dollars in revenue that you're losing.
So there's, there's this risk that you take on whenever you increase all. You take on these good things, but you increase the risk of kind of the vulnerability. And if someone were to get access, they could, you know, get in and really disrupt the physical aspect of the design.
And this kind of goes hand in hand with, I mean, electrically, everything becoming more electrical and being controlled more electrically. You can, you can, you know, there's almost a single point of failure where someone gets into your electrical, you know, infrastructure. They can hold, you know, your heating, your cooling, obviously all of the power to, like, convenience receptacles, your lighting, like, they can just shut you down completely. And that's a. And that's a pretty big risk that you take on. So there, I mean, you know, the different components that are being used typically come with some sort of security.
But at the same time, I think there's a level of understanding and concern that's not always present. Like when we start getting into designing these systems where it's. It's not really consideration that we're taking in. Whereas with it, obviously, we have lots of safeguards and guardrails up where I don't think that OT is necessarily there yet in every single industry.
So bit of a concern there. Like, we're like. Like I said, we're. We're modernizing these, these techniques, but we're bringing on inherent risks and inherent vulnerabilities as we're doing that.
[00:10:24] Speaker A: Yeah. And there are a lot of risks. So why should electrical engineers or MEP designers think about cybersecurity at the design stage rather than leaving it to it or anybody else?
[00:10:40] Speaker B: Yeah. So, I mean, it's always better to kind of get ahead of these things.
I think when you, when you make a design change, you know, paper and pencil, before you actually get out on site and get things installed, you can. You save the risk of, you know, reordering a part that you've already ordered or, you know, redesigning something. And that always brings on, like, cost. Right. So it saves you some time, it saves you cost and the long term.
But kind of like we were talking about before, it and OT are just very different priorities where your. It can be very secure. Right. Like, you have all the user data protected, but your OT can still have a lot of, you know, inherent vulnerabilities. And it's been. I get my experience that OT is something that needs to be viewed by MEP engineers and they need to be the ones who are. Who are looking at that because it is so much more integral to kind of their.
What they're doing and their workflow and their systems that they're designing. So I think they have an understanding of, like, what each individual component does. So it's. It's better to have the, you know, design happen at that level rather than waiting for it to be like, hey, you know, this component uses, you know, Ethernet.
This component has a WI fi. You can connect to this using WI fi.
Help us figure that out. It's more so like, we can get ahead of that and be like, okay, we're designing this where we know where this is going, we know the protocols that are using. We should be kind of monitoring this and understanding the vulnerabilities that we're taking on, on here.
But, and so kind of just getting ahead of it, kind of starting that conversation sooner rather than later.
So I, yeah, so I guess the cost is a big influence there.
But also just like getting it into the understanding of the, you know, mechanical electrical engineers that this, you know, is a vulnerability in their design is always good to get on, on paper first, of course.
[00:13:06] Speaker A: What gives this structure, what standards or framework or guidance documents do you recommend that electrical engineers become familiar with for this topic?
[00:13:17] Speaker B: Yeah, so there's actually a lot that's out there right now and it's, it's something that's kind of.
There are more things I think being developed all the time.
If you just Google Cyber informed Engineering, a bunch of different websites pull up. I know one that I've looked into quite a bit is the US Department of Energy has a kind of page on it and they link out to different resources and they kind of describe like, what is it, why is it important?
Different things like that.
Another really helpful resource that I've used is a document published by the National Institute of Standards and Technology or the nist.
They have a document for the Guide to Operational Technology.
And that goes over a lot of stuff that I've talked about in this like, you know, difference between OT and IT good, you know, why do you need an OT secure network, you know, how to set that up, what are the goal, what the goals of it should be, things like that. So highly recommend any, you know, really any company who's interested in this. But to look into that and you know, try to figure out what that process is going to look for them, look like for them.
And then also Canon Design has actually published a couple of white papers, so I'll plug that. So if you look those up you can find it. But we're publishing some more information about kind of the what, what the security of this network looks like in the MEP world.
[00:14:54] Speaker A: So if you could give one takeaway to MEP engineers who are new to this topic of cyber informed engineering.
What's that one takeaway?
[00:15:05] Speaker B: Yeah, so I think at this point where like most of the industry is at is we just need to start having these conversations and informing ourselves of this topic. I just, I think that's kind of the state that it's in right now.
I, I don't think that it's taken over, you know, industry wide. I think it's kind of more fresh and new. There are definitely some industries where it's very important and very, like, they are heavily focusing on this, for sure.
So I think it would be to the benefit of all MEP to just start getting informed, start looking into those resources that I talked about, start understanding where big vulnerabilities are. So some really big vulnerabilities, like wireless communication. So, you know, it's.
Again, it's kind of the idea where if I can access it, someone else can too. And there are, you know, securities and all that, but those securities can be gotten through. So whenever you have something that's wireless, it's.
That's a big vulnerability, especially, you know, that that makes it so that you can get access to something from outside of the building even. And it's pretty easy to find out where our equipment is because we take up massive amounts of space. And, you know, mechanical equipment, they have louvers on the walls, and electrical equipment has giant conduit coming into it. So just kind of understanding how our design as engineers, where there are things that we. We do as we're integrating these new communication technologies, does, I guess, increase the vulnerability, increase the risk, and understanding that and kind of starting that conversation with the rest of the design teams, starting that conversation with vendors as they're bringing up these, like, new technologies and just being like, okay, so what's the security around this? What is the vulnerabilities to this? What risks am I taking on?
I think that's probably the best step forward as of right now. And then start to try and think about, yeah, creating secure OT security on your projects.
[00:17:21] Speaker A: All right, well, Adam, it sounds like you are balancing a lot.
What is it like balancing being a parent and an engineer and dealing with all of this?
[00:17:32] Speaker B: Yeah, it's.
It's a blast. First and foremost, I. I've. I've definitely enjoyed it. I have a. A very young daughter.
I wish that there was more overlap in the expertise. I wish any of the stuff that I talked about helped at all with parenting, but unfortunately, it doesn't.
I.
You know, it's. It's two very different worlds that. That you live in. A funny thing is, I went through all of college, first couple years of working without drinking coffee, so I made it to all my, you know, early morning STEM classes without any coffee. But then I had a kid, and now I need coffee. So the sleep deprivation is real. But.
But all in all, it's good.
[00:18:29] Speaker A: Oh, yeah. Well, I appreciate it, Adam. Thank you so much for the insights.
[00:18:36] Speaker B: Yeah, no problem. Thank you.
[00:18:39] Speaker A: Excellent. Well, this is where we need to wrap things up. There have been a lot of questions about cyber informed engineering, so for more information on the topic please visit Consulting specifying engineer at www.csemag.com, and don't forget to check in regularly for new podcasts. Thank you for joining us and we'll be back again soon. Bye Bye.
