A Year Later: Black & Veatch’s Industrial Cyber Practice


A year ago, Ian Bramson — with deep experience solving the business challenges of cybersecurity, risk management and digital transformation — was brought in as vice president of Black & Veatch’s new global industrial cybersecurity practice. In this question-and-answer session, we sat down with Bramson to discuss the crucial need for industrial cybersecurity, the relentless threats and what he’s learned in his role.

What have you learned over the past year in your role?

We developed our industrial cybersecurity practice to meet the needs of clients and to manage the rising risks to their operations. Increasing threats such as AI-enabled attacks and risk factors, including the push for digitalization, are driving the need to build in cyber from the beginning. This is why we are starting to embed cybersecurity into new construction and major modifications as part of an end-to-end solution that helps us protect client operations throughout the lifecycle of an asset. We call it Cyber Asset Lifecycle Management (CALM).

Operational technology (OT) cybersecurity comes down to two basic things — safety and uptime. We call it “consequence-driven cybersecurity”, and it focuses on managing our client’s top risks. That was the push behind developing this in the beginning, and it’s still our focus.  

We've done that in numerous ways. We help our clients figure out what's needed now and what’s next — the most common questions we’ve heard. We do a lot of assessment, planning and requirement-setting, depending on where they are on their cyber journey. It's usually that consultative approach that says, “What do I do about this now and how do I make a risk-prioritized plan? How do I get the resources and authorities I need to go build a program? And how do I make sure I have the visibility and control over my OT assets to keep them safe and running?” We usually start there with lots of our clients, whether they're doing a new build or doing brownfield ongoing operations. 

And then we fold into the “can you help us build?” That's when we come with the secure-by-design cyber — we're engineering it in or we're doing the in-construction phase. Or if you're on the other side of the equation and your operations already are going, we'll help you actually implement it and stand up your program from a programmatic level. Then there’s the operational piece in which we do managed services and security operations centers.

We've learned our clients have got new kinds of technologies such as AI or machine learning (ML), increasing the impact and abilities of threats. And, of course, digitalization is happening — meaning more connections, more attack surface, more ways the “bad guys can do bad stuff.” This threat environment is always changing and always growing, and we need to make sure you get ahead of it. It's not a set-it-and-forget-it scenario. You have to stay on top of it and keep evolving to stay ahead. You can't be passive. 

Why should enterprises pay attention to industrial cyber? 

Bad guys are trying to blow stuff up and shut things down and they’re targeting critical infrastructure — our clients. They're trying to have what we call cyber physical or real-world impacts. Clients need to up their cyber game for the safety and uptime of their operations — site safety, environmental safety, public safety, operations continuity, national security and economic stability. Our clients need to have control over their critical infrastructure systems at all times.  

 

What advice can you give to anybody interested in upping their cyber game? 

They need to first understand some of the basic questions to answer. Do you know what you need to protect? Do you know what holes you have? Can you see if someone's in there and can you get them out? Those are some of the core questions people get overwhelmed by, especially now with the integration of smart technologies, AI and cloud-based systems into OT assets. Boil it down to the basic questions you need to be asking and you can start building core foundations. The second thing is you need to build this in from the beginning and not just wait until you’re in operation. You need to look at the full lifecycle across everything you're doing, so start early. And third, you need to go with someone who knows what they're doing. A lot of our clients aren’t sure what to do next and turn to us as a trusted advisor. 
 
