
Thanks everybody for being here. I have a book full of notes from Josh's and uh Bryson's presentation this morning. So we'll try and attempt to continue to weave some of those themes in. And um anyways, appreciate being here. Thank you all for being here. Uh my name is Andrew Ohrt. I am with West Yost Associates, which is a uh engineering consulting firm, water wastewater only. Uh we've got about 250 people now based in California, although I live in northern Minnesota. If I go down the street a little bit and look, uh I can see Lake Superior off in the distance, which is 10% of the world's uh fresh surface water. And um anyways,
it's a pleasure to be here talking about cyber-informed engineering with you all with Ginger Wright.
>> Thank you all so much for coming this afternoon. Uh I'm Ginger Wright and my work is in cyber security for operational technology systems and my current passion which you will learn a lot about today and have an opportunity to learn even more is cyber-informed engineering and we'll talk about what that is as the story goes on. But essentially, it is a secret weapon in defending critical infrastructure that we can use more to make an adversary's action not work to avoid the worst impacts of a cyber attack. And I think that's something that we all want to know about, especially since this
morning Josh raised our awareness of some things that are pretty scary and concerning. And so we wanted to come back right after lunch and at least reassure people that there are solutions. There are ways that we can help our industries solidify their defenses and some of it uses engineering, not just fighting cyber with cyber.
>> So, uh, we did have a third panelist. His name is Dean Ford. Unfortunately, he had a a work emergency that he had to attend to. So, I just want to give him a shout out. He provided some slides. We'll go through those sorts of things. I'm curious. He gave a really excellent presentation at BSides Las Vegas last year. Were any of you two
>> last two years?
>> Last two years. Thank you. Were any of you present for that? Couple. Okay. Wonderful. So that's a little bit of background. I'm curious who here works in the water wastewater sector.
>> Anyone? Okay. Wonderful.
>> Who here is dependent upon the water wastewater system for your work?
>> Oh, that gentleman is not. [laughter]
>> Sorry. All right. [clears throat] And then uh who here has heard of cyber-informed engineering before? Couple of hands. Anybody practicing CIE? No. Okay. Well, the goal is that you can walk away from this with some ideas on how to apply CIE and then also uh maybe attend the trainings later today and tomorrow morning uh where we're going to
do a very detailed deep dive um before hours in each session. And um unfortunately there is a little scheduling overlap today. So Ginger will be hopping out midstream um from this panel discussion. So, what I would ask is that as Ginger says something, as I say something, if you've just got questions, just interrupt, please. Um, that's just going to make this much more uh interactive, and that's really the goal. So, with that, you know, I if you know Josh, uh you probably know that he's a big Avengers and and comic book hero fan. And so, he he said that the Avengers had assembled um to think big thoughts and do big things and and help
the country and the national security of the US. So I was thinking about like okay well what's my role like who do I you know think of myself as in that universe and I landed on Happy who if you know drives Tony Stark around for two reasons one I love cheeseburgers and two it's really my job to get the defenders of our infrastructure to go where they need to go to do whatever they're going to do so very similar in roles and uh there was also a lot of discussion earlier about how we don't have a cyber defense force so I used to get up in front of you know rooms like this and you know primarily water sector
people engineers operators IT OT you know all of the different roles and I would ask a question I'd say who here considers themselves to be defenders of their infrastructure and I would get two hands so let's pause here who here is defenders of our infrastructure in this room okay wonderful when I used to ask that question you know five six years ago get two people and turns out that you know the reason that they had that kind of hollowed look in their eyes was that they were from IT, right? And they were just getting hammered day in and day out. Now when I asked that question about a third to half the room raises their
hands, which is really wonderful because from my perspective and I think from a CIE perspective, our cyber defense force is the operators and the engineers and the IT staff and the OT staff and they really need to adopt this perspective and we're starting to in our sector. So, uh, those are, you know, kind of some some starting thoughts to bring us back to the, uh, the prior conversations. So, we've all relied on water at some point today. Um, we probably drank some water. We probably made a contribution to the wastewater system. And yes, I use that term very specifically. Um, a friend who helps uh, run the city of Sacramento, Department of Public Utilities, taught
me that. It's all a contribution. It's full of resources. Let's treat it accordingly. So if we think about where our water comes from, right? There's a watershed somewhere. When I go and I do risk and resilience assessments in the sector, the best days are the ones where I have to go into the coastal range of Oregon and look at the source water. Um drive through all of the national forest land, which most people never get a chance to go to. So those are the best days. But anyways, generally high elevation up in the Cascades, something like that. Um we have a natural reservoir of water. That water is then brought into a water treatment plant.
It's treated and it gets pumped out into a distribution system. In that distribution system, there are going to be pump stations to make sure the pressures are right because, you know, there's always changes in elevation. And of course, there are going to be water reservoirs to store water. Um, and this is going to include, you know, large reservoirs that are on the ground and also the water towers, right? And uh you know a funny joke from the the sector is it's funny how uh towns always name themselves after their water towers but a bunch. Yes. Thank you.
>> That was a joke grenade.
>> It was there we go. And [clears throat] then we have all these mains. You know
some large water mains can be uh 10 ft in diameter. That's really big right? Um, you think about the valving and this the design and the structural engineering that goes into those. We haven't even gotten to the control system yet. Um, it's really impressive, but most mains are probably in the uh, you know, 2 in to 48 in depending on their function and how many people they're serving. The water is conveyed to the hospitals to your homes. Um, and then of course we use it and we put it into the the wastewater system and it's conveyed away from us to a wastewater treatment plant where it's treated, made safe, and then discharged into uh a receiving water
body, whether that be groundwater or surface water. Now, we're going to be very focused on water today, but we don't want to lose sight of wastewater. And I'll bring that up a couple of different times in a couple of different ways, but um yeah, we just want to make sure
>> for yourself. I'd like to lose sight of wastewater. [laughter]
>> Fair enough. All right. So, [clears throat] we'll come back to this a little bit later. So, what we want to do is is kind of give a little bit of background. And this is very much based on the content that Dean provided based on his presentations the last two years. So where does water come from? We talked
about that a little bit already. Who or what uses water? What are some of the threats? And we're going to start from an all-hazards perspective. And then questions, questions, questions. Please don't hesitate. So some some of Dean's foundational principles, right? This idea that there's no accidents. Um certainly there are probably more failures of imagination than anything. Uh people are very much center to this. The executives have to be bought in, the engineers have to be thinking about it, the operators have to be aware and they all really have to be defenders. Um cyber can really be a wonderful unifying conversation especially within the context of CIE which we'll get to. Cyber of course is one of the many risks
that we manage. A lot of my clients convey water in seismically active zones. A good shake is going to be really hard on all of those linear assets, right? And um it's pretty hard to replace those costs a lot of money and takes a lot of time. And then of course I think probably just like every sector, Ginger, technology is outpacing our ability to maintain it and possibly secure it.
>> Everybody wants the benefits of technology, but very few of us are willing to pay the price.
>> So briefly, where is the Earth's water? Primarily in the oceans. Um there's a little bit in fresh water. When we think about fresh water, we've got uh about
two-thirds of it in the glaciers and ice caps, one-third of it in groundwater, and a little bit of uh surface and other freshwater sources. When we think about those surface and other freshwater surf sources because those are what we can easily use. Um a lot of that is in ground ice and permafrost about 20% in lakes. The aforementioned uh Lake Superior is a big one of those and then lots of other places, swamps, marshes, ponds, etc. So, um, we're very focused on the easy to get water because that's the least expensive. Now, of course, there are some desal plants or desalinization where they can take ocean water, treat it, and uh provide drinking water based on that. In the US, that's
not something we do much of. That's primarily in the Middle East and Israel. So, I think I've talked about this already, but it's a really nice slide kind of showing the the water cycle. So, of course, you know, water flows downhill. Um, and we get evaporation out of lakes and and oceans. Uh, wind car and uh the weather carries that upstream, creates snowpack, glaciers. Some of that water that melts goes into the ground, goes into um surface water bodies like streams, and I don't remember, Ginger, was it creeks or creeks? Probably depends on where you're from.
>> Creeks for me.
>> Okay. Creeks for me. All right. So, it does differ quite a bit from electricity and and uh Josh and
Bryson talked a little bit about the what the water sector really looks like. So, depending on how you define a water system, there's 151,000 water systems. Now, if we look dive into that number a little bit, there's going to be about 500 of those systems that serve 100,000 people or more. About 500 systems serve 50,000 to 100,000. And then about 9,000 systems serve 3,300 people to 50,000 people. Right? So we have this huge diversity of scale of operations. And you might be thinking 3,300 is kind of a weird number. Why would we pick that? That's going to represent about a thousand connections. So you say one connection is about 3.3 people on average. Now [clears throat] those systems serve
about 80,000% or sorry 80% of the population and we have 16,000 public water systems that serve about 75% of the population. Um water systems are very local. They are not widely connected. In the off chance that there is a connection, it's very rarely sized for anything other than a very uh limited emergency um support. And often times water systems do not like to test those connections which are usually you know there's two pipes coming in there are two valves and then potentially a third valve in the middle. Um they don't want to test it because it can change the direction of the flow of water which um can cause all sorts of sediment to flow in ways that it hasn't flowed
before and cause all sorts of issues. So um that's not something that's widely done or widely used even though in some cases those connections exist. Um the Bay Area is actually a really good example where there are lots of connections. They just aren't exercised or used. [clears throat] Um let's see. We do have to of course treat wastewater to prevent sanitary and uh you know pollution from getting into primarily our surface water bodies. So uh two quick stories on that. One is um if we have uh any Chappelle's Show fans from back in the day, of course there's the Charlie Murphy skit where he talks about the purifying waters of Lake Minnetonka, you know, in the one of the
Prince skits, right? So Lake Minnetonka is beautiful. If you ever have a chance to go, it's it's wonderful. However, um Met Council, which was which is the regional wastewater provider in the Minneapolis St. Paul area and the surrounding southern county area, they um had an operational mishap and they had to release a bunch of wastewater into Lake Minnetonka. It lost that sort of purifying status briefly and they had to just let nature kind of do its run its course. And the reason that they had to do that was is they couldn't convey water to the plant effectively. They had two options. One was to let the wastewater flow into the lake or two let
people's basement fill up with wastewater. So they chose the lake. That's a pretty bad day for a wastewater utility. Um, similar things have also happened in Hawaii along uh Waikiki Beach. So imagine you take your family to Waikiki, there's a wastewater release. Nobody can go in the water even in the ocean, right? So um, pretty bad days. It sounds pretty shitty, said Josh. So there we go. All right. [clears throat] Who's using it? Right. Residences, of course, we're using it. Uh the casinos using it as a commercial entity. Uh we use a lot of water for cooling and heating. One of the things that is really emerging is the concern around water resources and data centers. I
don't know if have you looked into this at all, Ginger?
>> Um some of my peers have looked into it and I believe there will be a presentation on that tomorrow morning.
>> Ah wonderful. Ah thank you Emma. So everybody uh go to that presentation tomorrow. So, um I actually have done work for a utility in the national capital region that serves a lot of data centers and they um they actually had a mishap where a data center was about this close to shutting down for you know one of the big cloud service companies and it it [clears throat] caused them to hire me for a year full-time to help them figure out emergency management. It
was not cyber at all. It was just how do we communicate? How do we take all this data that we already have and get better? Um energy of course you there's a lot of places where you can't um generate energy without water public safety fire hydrants and sanitation um fire hydrants right that water doesn't need to be safe to drink right so there's always a little bit of tension in do we provide fire water if we can't provide safe drinking water healthcare which we'll talk a little bit about more food transportation and then recreation which we've touched on. All right. So, um, you know, this is a kind of a complex graphic of the source
and use of fresh water in the US in 2015. Um, about two-thirds of the water came from surface water. About a third came from groundwater. Um, in places like California where groundwater resources are dwindling, there's a huge movement to create new surface water based utilities. So, there's kind of a the the pendulum swings back and forth a little bit over the decades. And right now we're swinging towards surface water. And you can see, oops, not sure how that did that, but you can see that there's lots of uses for water. And of course, it was touched on this morning a little, the food, energy, and water nexus. That's a big um topic of conversation. And Emma will cover some
of that tomorrow. So Dean's, one of Dean's clients, I don't know who it was, but they do serve um nearly 800,000 people, provided this quote. So really wonderful quote about the importance of water and hospitals and that connection. So hospitals are the most critical customers that we serve. Even a few minutes without water is detrimental and prevents a major life safety threat. Our hospitals are some of the most significant water users in our system. ABC Health System is a as a whole is our largest customer by volume and revenue. Each hospital is also in the top 15 users monthly report. So that really illustrates the importance and the connection of hospitals and water. So if
we look at how a hospital is actually using that water. [snorts] So 42% um sanitary HVAC 23% all that heating and cooling. Interestingly medical processes 14% right. And my guess is that associated with this is there's probably a lot of on-site treatment systems to get that water chemistry just so and then we have laundry cafeteria and miscellaneous and unaccounted for um water usage. So that just gives a sense of how water is actually used by a hospital. Now interestingly this is from the Massachusetts uh water resources authority and um they are one of the larger utilities in the country. They actually serve the greater Boston area. So, domestic water use in gallons per day per person and the growth between 20
uh sorry 2000 and 2020. So, you can see um we're here in Nevada. So, there's a pretty high water use compared to other states. Um domestic water use here is uh between 101 and 125 gallons per day. And the population here is growing like crazy, 55% in those 20 years. So one of the things that um we you know are observing here if you you know take some time and look at this people are moving out of some of those northern states and going to some of the warmer states and western states and that's causing water stress in different ways. So [clears throat] some threats that we always have to be concerned about is you know concerns
around the quantity and quality of water. And we'll get into some of this when we talk about the cyber portion a little in a little bit. droughts, quality impacts, wildfires are rampant, of course, and those it just causes chaos for water quality. Um, physical threats, you know, contaminant inserted into supply. There was, I think, a 2013 uh CBS ran an episode of NCIS where the plot of the story was that um a bad actor injected some bad ethylbeth ethylmethyl bad stuff into uh the water system upstream of a military installation. And they were able to do this because they just connected a pump um up to, you know, the uh the backflow um in the basement of the house. There
was no valve protecting that backflow. And so they were able to pump it in. And AWWA, the American Water Works Association, which is really the premier industry organization, actually sent uh CBS a, you know, a letter saying, "Hey, this can't be replayed. You need to take this episode down." because it created such a detailed map on how somebody could take uh conduct this attack on a water system. Um aging assets of course uh everything's getting um you know quite aged but I will say that utilities are really doing a much better job of this than they were um 10 years ago and I was the American Society of Civil Engineers has a in infrastructure scorecard that
they issue every year and I want to say that in the water sector we've gone from like a D minus to a C minus in the last 10 to 15 years which doesn't sound like a lot but think about maybe uh if you were in high school and who brought home a C minus instead of a D minus to your parents. That'd feel pretty good, right? Right. So, as a sector, I feel pretty good. Yes.
>> Don't you think they're worried more about lead line replacements than cyber
>> Yes. into the mic. Don't you think they're more worried about lead pipe replacements than cyber security right now? That's where the money's going. So, we'll get into what they're most worried
about, but I would say that you are absolutely right. The money is flowing to lead line replacements and it's a huge concern. Um, especially when you get into, you know, schools that still have all that old plumbing and that sort of thing. Uh, natural hazards, of course, we always have to be worried about those. Now, one of the interesting things that is happening is the regionalization of water treatment um and water systems. So there's um oftentimes a large well-funded system with less well-funded smaller systems around it and um the big system buys the little system, right? And it's kind of funny, you know, if the water systems are mostly municipal, you wouldn't think that they would be um you know uh
acquired like that, but that absolutely does happen. It creates some unique challenges from a technology perspective, especially as you you know get multiple SCADA systems with different technologies, different levels of security, etc., and you have to combine all those. So that's a real challenge. State and local control, we have tons of regulations, same um at the federal level, but from a cyber perspective, there really is no federal uh we'll use the term Dean chose here, control on cyber pollution. Uh I'm not going to spend a lot of time at uh most of this, but you know, we have forever chemicals, PFOS, PFAS, uh storm water and climate change is a big deal. We're looking at people
at the aging workforce. I would say that a lot of my clients have have sort of gotten through the silver tsunami and they have uh the average age of their workforce has probably dropped about 10 years in the last 5 years which is a huge win for them. Um funding of course is always a challenge. Uh just to kind of touch upon chemical costs. So I think between 2019 and 2022 when um when I had the opportunity to present with the director of Minneapolis water she had said that the uh disinfectant costs had gone up four and a half times in three years. So that was really just you know over co um let's see so from a cyber and
operational technology perspective um you know there's lots of different things here but you know it's OT right if it works don't touch it I almost grabbed a a meme of an old network switch you know covered in about half an inch of dust and it's like it's still working don't do anything so um you know the good and and some of these do cut both ways for sure gravity is our And right once you get that water up to an elevation, you can leave it there and it'll drain out as people use it, but you have to take a lot of energy to get it up to that elevation often times. Um, our product uh production process is
relatively simple. It's relatively slow and it doesn't really go boom compared to other sectors. Uh, the distribution process can be relatively simple. Although I would say that if you had to sit in one of these control rooms and look at eight screens with some of them very focused on, you know, 20 um remote sites with changing pressures and everything, it does get fairly complicated. The government finally recognizes water is critical. Um for the emergency managers in the room, right, water didn't have its own emergency uh ESF. Um we were emergency support function. Thank you. we were actually buried under public works and we're finally getting out from that which is a really good thing because what does
public works mostly care about? Roads. Um regulatory agencies are definitely engaging and of course we're all of our technologies are converging. All right. So uh to get to an earlier question here, what do we in the sector really think about cyber security at this point? So every year on around June 1st, the American Water Works Association releases the State of the Water Industry report. Um really really um interesting data. They um they poll, you know, thousands of utilities um and the top issues facing water utilities are listed here. You got the top 18. Of course, money is the first one. Do we have enough money to do the things we need to do? But if you go down, number eight is
cyber security issues, right? So that is above droughts. It's above um a lot of other things that you would think that they'd be very concerned about. And this is a really substantial change over the last few years. So the text here is very small. Um I will just sort of explain this. So if we move from see right to left on this slide and I grabbed this out of the report, we start on the right with 2020 and we move on the left as we go left up to 2025. And what we find is that for the first three years 2020, 2021 and 2022, cyber security was not included in this list of top issues.
Then cyber pops up at the same level for 23 and 24 and now it continues to move up in 2025. Now, as we look at the different sizes, I kind of talked about how utilities um are are sized and there's different ways to do it. So out of the 2,000 that responded the the medium large system and very large systems this is their most important um priority right now is investing in cyber security. If we look at small systems it drops way down to seven and if we average it out across all of them it's second which is really wonderful. Now this is probably the most important thing that I take away from this sorry about that is that utilities
are saying hey what do we need to innovate around cyber security and from my perspective cyber-informed engineering actually provides a lot of that possibility now Josh presented this earlier this is a list of attacks and 12 of them are actually water wastewater utilities and Josh you mentioned earlier that you're surprised that this didn't stay classified yeah I am as well. So, briefly regulatory uh background, the Safe Drinking Water Act does now require cyber security assessments. Uh you have to do it every 5 years. More and more states are requiring them every year. Josh mentioned that there was earlier today that the sanitary surveys did have a cyber security component and Iowa, Missouri, and Arkansas a couple
along with AWWA and the National Rural Water Association did sue. And a big part of that was is that it didn't matter if you served 8 million people like New York City or 100 people like, you know, the trailer park down the street. They had to adhere to all of the same constraints and requirements. And that, you know, really just isn't an equitable approach. One of the things that's been proposed is the water risk and resilience organization, which is functionally a water NERC. So if I say NERC, does is everybody generally familiar with that? getting some nods. No. So, Ginger, do you mind doing a quick 30 seconds on NERC?
>> Sure. In the energy sector, NERC aids
the utility population to set and abide by a set of requirements for high and medium criticality assets and the asset owners agree to abide by those standards. NERC helps to enforce the agreement for that standard. Um and ultimately the policymaking body that controls all of this is an organization called FERC or a commission called FERC.
>> Thank you. So we would have an industry-led organization that's providing cyber and physical security standards and auditing of the application of those standards in the water sector. All right, let's get on to the main event. Ginger,
>> it is not here yet. Legislation has been introduced and we've been waiting for it to be passed for several years now.
>> EPA.
>> So the question is is would this WRRO uh organization report to the EPA? So the expectation is that um similarly to NERC and FERC which report to DOE as the sector risk management agency for energy that the WRRO would report to the EPA as the water wastewater sector sector risk management agency. Yes. All right. Okay. So I work for the Idaho National Laboratory. One of the things that we are privileged to do is security assessments on critical infrastructure. Many of those security assessments focus on the cyber security of that critical infrastructure. And as we looked across all kinds of asset owners from all of the 16 different sectors, we saw something missing in almost every
assessment that we did. The IT and the cyber teams were over here and they had policies and procedures for how they looked at the digital layer of that asset owner's infrastructure. The engineers and the operators were over here and they had policies and procedures for how they ran and controlled and designed the engineering and the physical part of that asset owner's infrastructure. But there were very few places where there was an admission that what happened on the digital side could affect the physical side. And inevitably the digital side just wanted to tell the physical side what to do. Here's what your password length is going to be. Here's how you're going to log in. Here's how your remote access policies
are going to work. But they never said, "Hey, you all run the plant 24 hours a day, seven days a week. What's the worst thing that could happen that we on the digital side of the world really ought to know about and that ought to motivate what we do?" We noticed that conversation was missing. And so we started to pull the thread of what would happen if we could get engineers more involved in assuring the the physical side of reliability from digital ad digital adversaries and digital adversary effects. What would that look like? What would an engineer need to know? Right now, according to ABET requirements, and ABET is a certification body that certifies universities to teach
engineering, we send an engineer to go take a cyber security class. Does anybody here know what they learn? [laughter]
>> In short, yes. They learn about adversary threats. They learn about the attack chain, but only from a digital standpoint. They learn about how protocols work and how protocols are taken advantage of. But nowhere, nowhere, nowhere do they learn how to apply engineering risk management to what would happen to my production capability if an adversary got hold of critical equipment. And of all the critical equipment that's part of my production capability, where could that adversary do the most damage? So that when I then reach out to these IT and cyber people, I'm having them focus on
the thing that my company needs the most. It's very very strange to have a group that is trying to protect a set of assets that they know very little about and that they don't ask the owners and arbiters of those assets, what do these things do anyway? How do they work? What is the the manager in charge of your thing care about the most? How can I help you achieve that mission? Instead, it's, hey, I've got a checklist of things on the cyber side that must be done for me to get out of here. So, can we just do my checklist? So, with this idea in mind, oh, do we have a question? Yeah, I was going to let you finish, but
since you asked, um, I work with with a with a water company and one of the and then I listened to a presentation to the WaterISAC group from the EPA and they sort of said they were in charge and then somebody asked them, well, what about CISA? Are do they like big-foot you or you know, how does that work? So my question is how many organizations are there out there that want to regulate a particular water district and how many organizations are out there that want to sort of help at the same time.
>> So the answer is different
>> and well and the answer is changing in time. So you are right. Um, a couple of
years ago, it was likely that there would be regulation at the EPA standpoint and at the CISA standpoint and maybe several other organizations involved with setting how an asset owner might comply with the regulation. What's the kind of compliance model? Does an asset owner set a risk-based approach and then demonstrate how they're achieving it? Um, as we move into this federal cycle, there seems to be less interest in the federal government driving very harsh regulatory standards. That doesn't mean it won't happen. And I certainly do not have a crystal ball to predict where regulation's going in this administration, but I perceive that there is going to be much more localized effort to help asset owners with
security needs, but much less force coming down from the federal kind of top if that helps.
>> Yes, they do. And so for >> repeat Uh the question was do states also regulate water utilities? I'd say absolutely. So the primacy agency which is going to be the one who has the most strict regulations can either be the EPA. So in a place like Idaho, you know, to some extent it's probably the EPA. Uh but if you go to California, they very much want to have primacy over whatever goes on in their states. So um their state. So they they will have the Cal EPA and uh the division of water resources I believe and DDW division of drinking water who are all sort of engaged in different ways. Um what I would say like a simple answer to your
question is is in five years there will be one federal entity that is responsible for cyber for all utilities and then every single state will probably have their own perspective to some extent and that can include um you know do an assessment every year. um hopefully that that um type of a requirement which currently exists in the state of Minnesota I believe Indiana, New York um also will come there will be some funding that comes with that but that's TBD a lot of times that money comes from the feds and it's not going to you know that funding is not going to be available for a while >> so that we have a question here uh or
did >> oh Okay, >> thanks. >> Josh, did you have a question or a comment? >> Okay, >> so with all of this in mind, the cyber threat environment getting more complicated, the technology environment getting more and more digital, and engineers getting not very much closer to being able to exercise good risk management over the kinds of assets they were deploying. We knew that something had to change. So the department of energy brought a group of actually a group sorry go back a group of experts together and these were asset owners. They were from um electrical utilities and other utilities universities um federal organizations. We tried to get the largest cross-section that we could of critical
infrastructure and we talked to them about this thing called cyberinformed engineering and got their advice on what would a strategy look like that would allow us to begin bringing engineers through their university training or their technical education into being a part of the cyber discussion. And there is a link to that strategy here. But one of the things the strategy makes clear is at the end when we have this cyberinformed engineering thing and it's cooked into a university degree so that no engineer engineering in today's modern world can graduate without having some ability to do risk management thinking about digital appliances. Doesn't mean they need to understand every bit or every byte that goes through it. It doesn't mean that they
have to be an expert on the protocol, but they do need to understand what could go wrong if an adversary had full control over it and how might they prevent that. That would look like engineers incorporating cyber security practices into their body of knowledge, including engineering minimum requirements and specifications for physical infrastructure systems that incorporate digital controls. So if you're working in infrastructure and you've got digital controls, the engineers have to come in and determine is this going to work effectively and what do we need to add more risk management and maybe even physical controls to okay >> sorry >> I'm just not water is new to me as a critical infrastructure. So, you might
have mentioned this in the beginning, but how do people's like wellwaters uh kind of factor into some of those things in terms of like who supports those? Like we're talking about the rural areas that have like their own things, but obviously there's probably a bunch of people that have their own wells and so like sitting with groundwater, well water, whatever that is, like is there a support system for those groups as well? And I'm sure that we're going to start seeing IoT into weird spaces as well like that. >> Oh yes. >> Yeah. So I actually I live in a fairly rural area. I have my own well and my own septic system. And so from that
perspective um both of those are governed by either the state or the county respectively. And um unfortunately um well for better or for worse right my well is only dependent upon power. It has a very very simple um controller. It's just like if the pressure goes down, the the pump turns on and once the pressure gets to a certain point, the pump turns off, right? There's no electronics beyond that um simple mechanism. Now, from a septic perspective, very much regulated by the county. They do inspections, all of that sort of thing. Septic systems are a large source of contaminants to the groundwater um aquifers. And it's in some places around the country, they have programs that are called uh septic
to sewer. sort of the, you know, the the alliteration that they use and that those are programs just to like close down those septics, install wastewater lines so everything goes to that plant and becomes a point discharge. >> But when we think about modernization in especially residential water systems, I work mostly with energy systems and there is a profit motive and an environmental motive for many people to install digital energy systems in their actual residence. For anyone who has a home water system, typically those are electromechanical, as Andrew pointed out, and there just isn't that profit motive unless you are the person who really wants to know everything that's in your groundwater at every time of the day to put a lot of
automation and technology in it. So, we're not seeing cyber creep into the residential water systems to the degree right now that we predict in the future or the the degree it has in energy, but we're certainly starting to see it in municipal water systems. Every organization is looking for automation to tell them how to do things better, faster, cheaper, more. Um, every organization is looking and and you even got a question this week about use of AI in water systems and especially at a distribution level. Everybody wants some autonomous thing to make it faster and easier for them to do the work they have to do.
Okay. How CIE works is we first leverage an engineer, not a cyber engineer, not a cyber safety engineer, but an engineer who has a context and a body of knowledge around a physical or process discipline. So whether it's space or whether it's agriculture or and software engineers um you really do matter but not for this part of the conversation specifically. We're looking for that that physical context area and discipline. We provide a framework that that engineer can use to engineer out the impact of a cyber attack. And if you don't believe that's possible, come to the training this afternoon and I will show you how we do that. Um, and hold me accountable. If I don't deliver on that
promise, let me know. We're focused on engineers and operators, not to make them a secondary or shadow IT or cyber staff, but to use the context they have to harness our cyber security protections to the most important systems and the most important functions of our organization. Because often our cyber teams are trying very hard to do a checklist of requirements across the whole system. They don't have time and they don't have the understanding to understand where to apply the most cyber security or where if a a requirement is implemented with laxity where it has less impact or more. And we're leveraging things that engineers already understand that are not usually part of our cyber discussion
that include functionality, safety, and reliability. Most engineers are conversant in these three things. It's how they make engineering decisions and it's how we help them make cyber decisions. So in this example, and Josh alluded to this earlier, if an adversary is breaking into a critical infrastructure asset, first they attack the digital domain. And the way that we can limit the probability of that attack being successful is to leverage what we think of as traditional cyber security. Absolutely. traffic controls, routing controls, segmentation, all of the things that cyber people do every day. However, ultimately, if those asset or if those adversaries are looking to attack the functions of that critical infrastructure, they are ultimately going to have to levy some sort of
effect on the physical infrastructure that runs it. either to diminish the amount of control, to diminish the the visibility of that asset, to take control away from the operator and do something else. And we certainly saw that in the Ukraine attacks of 2015. Um, I think everybody now has seen the YouTube video of the mouse moving and the operators looking, you know, distractedly, not knowing how to stop that. Um, those are exactly the things that an adversary would want to do to the physical equipment. And the way that we stop them is putting engineering in place. Engineering in place that limits the impact that the payload can have. Certainly, we don't want the adversary going loose in our networks and
wandering around until they find something. But if we have limited the worst that can happen, that traffic through the network is less concerning. And there's time for the IT and the cyber teams to figure that out and to fix it while we're ensuring that our operational technology is reliable and functioning as expected. Okay. Cyberinformed engineering has 12 principles and uh if you're thinking what I've been told already, I've been told too many. So I'm going to focus on just the two most important and we'll talk about what the rest do. If you come to the training this afternoon, you will get a deep dive in each of these 12 principles and a chance to actually play
with it and work with it in a real use case. So I always like it better when I'm applying something rather than having someone just bloviate with me. The most important principle of cyberinformed engineering is consequence focused design. We are looking at our system hopefully from the design phase forward and trying to design in those engineering controls that limit the potential that digital technology could do harm to our process. And if you're thinking, "Wait a minute, that might protect you not only from an adversary, but also from a user who did the wrong thing or a burp in the system that just sent the wrong packet." You bet. It will protect you from both. It has the
potential to protect you from AI that made a decision that would have a negative impact on the system. And these are all great side benefits, but we're talking about this for cyber security. And this consequence focused design is the question that the engineer understands. How do I understand what critical functions my system must ensure and the undesired consequences it must prevent? I taught a cyberinformed engineering class to a group of cyber professionals and they were cyber professionals in the power industry. So I asked them this question about an advanced distribution management system. What is the worst thing that could happen if cyber adversaries had total control? And they looked at each other and I'm really
sorry to tell you they didn't know. They didn't know. And then when we pulled someone who was an engineer, it was like, well, okay, you could kill somebody if you violated lockout tagout, and these are all industry words, in the right way. Um, if they didn't have their physical lockout tagout mechanism, you could reach through this digital system and cause someone to get hurt. Um you could also do a number of other things but it was critical for my understanding that the cyber people installing the system protecting this system had no idea what an adversary could do to that in terms of the process that their organization was running or safety reliability and performance. So that's
why this is our first question. Our second question also appropriate for an engineer is how do I implement controls to reduce the avenues for attack or the damage that could result. Understand this is not about perimeter defense. I hope the cyber team and the IT team can help us with perimeter defense. The engineer's job is to look at the process. What is being produced? What are the very important aspects of production and ensure that we've got the right protections that even if the digital layer goes completely haywire or is controlled by an adversary, we can manage the negative outputs that occur. The rest of these principles all help those engineers talk to the cyber teams
and think broadly about digital effects. So in reality there are two big principles and 10 small ones. So if you want to hit the other side of it um although one of the most important principles that is maybe it is a big principle is cyber security culture. What we are trying to do in cyberinformed engineering is to ensure that our culture for cyber security extends all the way through the organization from the engineers from the operators from the cyber security professionals so that we all have a similar understanding of the consequences that we're trying to prevent and the systems that we are trying to protect. That unified culture ensures that we're getting investments in the right place and making the right
decisions.
I kept looking backwards at one of the doctors in the room. Um, how many people have ever said, "How do I make the business care about cyber security?" Right? Pretty much everybody here. What if you flipped the script and said, "What does the business care about?" And then, "How do we help secure that?" I think it's not just the culture point you made. It's that you're meeting them on their turf in their love language at their level and you have handed on a silver platter how you can actually drive value instead of pushing a rope. But the second and we did this with the medical field. We said uh Hippocratic oath for connected medical devices.
>> Caregivers already care about their profession. We're just trying to support and enable that. But the last point I'll make and I almost asked earlier is on that chart where cyber security was rising. I think there's two hazards in that. It looks good at 50,000 foot level, but how much of that is a a NIST cyber security framework without application and prioritization or a CISA checklist of controls or an EPA version of the CISA checklist of controls and how much of it is maybe on data privacy like credit card numbers or billing information instead of things that can go boom. So, the reason I love this is we're not giving them new things to care
about. we're taking the things they already care about and making it safer. >> So, I agree with that. Um, one of the things that we often find, um, when we talk to asset owners who are interested in this idea is that when we look at the things that they've done to their systems from a safety perspective, they can already take credit for a lot of cyberinformed engineering. They've already made good decisions that control what bad things can happen in the system. And so what we're asking them to do is okay now think just a little bit more about how the digital technology works and let's build on that design work that you've already done. Um Andrew
participated in or developed a paper that helps to link cyberinformed engineering with your enterprise risk management. So if you work in an organization that has a mature risk management strategy, this helps you lead that conversation with the board or with your executives about how this practice will influence the bottom line and the things the company cares about. And so that's a resource that's available to you. And I'll note that I believe our training starts in eight minutes. So, should we do an interim Q&A right now for Ginger? >> All right. >> Well,
I was going to ask, is your training filled up already or is there any open slots? >> So, this afternoon's training has some gaps in it. Uh, tomorrow morning's was a little more full. When they talked to us about it, they said there were 22 folks there. So they will if you have not used Eventbrite and paid your $6.63 they're happy to help you process that even if you're standing in line. So even with eight minutes there's time to get in there. Um and I have Professor Kitty warming the room up with the slides so he'll get us started and then we'll we'll come over after that. >> Um great presentation. I have a question. Um it seems like one of the
most uh elementary or first steps into understanding this kind of a cyberinformed engineering consequence is to ask the engineers and other folks building these systems to uh report to you what they think the worst situations could be. And I would agree that's a very important first step. But it is also the case uh possibly that they don't know. And a kind of classic case was, you know, when we first started hacking cars, some researchers um fuzzed a a car and unlocked a mode where the brakes um the brake fluid could get drained. Right? So they the engineers had anticipated an adversary in the system had anticipated making sure that they didn't have any connection to the
brakes but did not account for this one edge case where if you entered that mode and then started your attack you would essentially disconnect the brakes. Right? So in what sense do we have the ability to trust humans to report what they think the consequences could be versus a more rigorous approach that would account for maybe all possibilities in a system because but if you ask a bunch of these folks they don't know and they even if they are very well versed in the system probably would not be able to report all the actual consequences. >> That is a really good point and CAN bus for the win. Uh love cars. Um, so the best of these conversations are the
engineer with someone who has a cyber bit who can talk about, hey, you think that that's what's going to happen. How do you know that that's what's going to happen? And what information is passed by this system and what guarantees that information didn't get in subverted before it got to the point where this next system acted on it? And you're right, a vanilla engineer may not have the fullness of imagination to think that through. That is one of the risks. And it I don't want to make this like Caddyshack where the engineer just goes no no no no no no no no because that's not exactly how this works. But getting the engineer first to not trust the
technology to start asking the question about wait a minute what is the data that comes to my system and makes this next process initiate what where did that data come from how have I verified that data how do I know that it hasn't been subverted by an adversary what do I have that would alert me these are all the questions that our framework helps them provide but most engineers are much better at the framework when they do it with a cyber person at their shoulder. >> And I will add to that and say that um the level of creativity that engineers and operators are willing to apply to you know thinking about the worst case
scenarios now is uh much greater than it was 10 years ago. And part of it is the requirement to do these risk and resilience assessments every 5 years. So they're having now regular conversations about what's the bad day. And so um for example um we probably did about 80 to 100 cyber risk and resilience assessments in 2020 and so far we've done about maybe 25 for this new round and um you know we would go in and we would talk to people about you manipulating the control system to cause physical damage and they'd be like no that can't be done. And uh as a really good example of sort of the change in perspective, about 3 or 4 months ago, we
were having another similar conversation with a large water utility. They um get water from a, you know, a good-sized river and they have some really important mains running under the river. And so we reviewed all the data and we said, "Hey, we think we can damage the mains under the river and that's going to be a really bad day." And they just looked at us and said, "Yeah, we think so, too." And just the fact that uh they didn't push back, that they were already there is such a huge conceptual leap for some people um in our sector. >> And I will add it would be ideal if asset owners buying and investing in critical equipment were allowed to look
inside it and actually had the right to inspect what they buy and to hire people to look at it and to know what it was. Um, that would be ideal because that's how that engineer and that cyber person could start really looking at what could possibly happen. In most commitment letters, whether it's a license or a purchase document, um, when you buy this critical equipment, you sign away the right to inspect. um because that you will lose either the support from your vendor or you will face legal liability if you take the thing apart and attempt to understand how it works other than functional testing which is usually allowed but often even that is controlled and that is one thing
standing in the way of getting really good engineering understanding of these systems as well as good cyber understanding >> and before we move on to the next question so um are there any professional engineers in the What kind of engineer are you? >> Electrical. Wonderful. So I'm a I'm also a licensed >> uh engineer and um if we look at the engineers' code of ethics, it starts with you have to hold paramount the health, safety and welfare of the public. And so if we are doing that right, we're willing to have some of those uh bad day type conversations. And it's been an evolution, right? >> Wait, what's number two? >> Oh, Ginger. Number two is that you may
not practice engineering on any system you don't understand. >> Raise your hand if you feel real comfortable with that requirement right now. Me either. [laughter] >> All right, question. >> So maybe a good segue to that last point, but what's the Hollywood movie that you guys refer to and said this is actually the best one for the water industry? Like if we have to go like advocate to the public, if we have to go create a more uh uh more in-depth understanding of what actually is occurring, you know, there's all kinds of, you know, kind of crazy stories that we see in the in the Hollywood and everything else, but what's the one that you guys kind of refer back to or like
in terms of how it presents attacks to water? >> So that the NCIS episode is the one that really stands out to us. Um I think Bryson earlier brought up the August Cole and PW Singer book. Um but they uh they have another book called Burn In which is a I think actually a better book than Ghost Fleet. Super easy to read. I recommend everybody read it. It'll take you a couple hours. Um but what it does is it articulates um kind of a multifaceted attack on automation across some sectors where it's like you just sort of give a system a nudge get another system to react and then there's this cascading failure and um it's not
AI induced in the book but it's you know very plausibly could be done by AI and when I talk to utilities that's generally what I say hey go read this it's water specific and you know it's just a fun burn in. >> Yes, >> absolutely. Yep. >> Okay. Should we go into practicing CIE? >> I think we should. All right. So, let's talk a little bit about actually practicing CIE in the water wastewater sector. So, as Ginger mentioned, I do get to help her and the CIE team at INL develop resources. Um, one of the other things I do get to do is actually go with out and work with water wastewater utilities and do cyber informed
engineering. So you saw the 12 principles, right? And those are really well made. One of the challenges though is that we kind of have to um we have to boil this down to make the messaging just a little bit easier, right? So um three assumptions that we always start with is the systems are vulnerable, right? The the digital systems are. Our adversaries are well resourced with time, money, and expertise. And if we are targeted, we cannot stop them, right? They will get access. And this always this used to put people in a really bad spot mentally, but now they just kind of like, yeah, yeah, okay, we get it, right? And I I do want to just take make a note here is
that I have um maybe what would be an optimistic borderline naive view of our sector because I think of the utilities that I work with tend to be very forward thinking and so there is a certain amount of bias that I do have but it's also a really good set of examples on how any utility can move forward. All right. So in our water in our sector, you know, similar to every other sector or um industry, there's a way that we do engineering. So we have different milestones. We have uh the prelim preliminary 30%, 60% and 90%. And just to talk a little bit about what those that means. So at the preliminary stage,
you usually have a a PDR or preliminary design report. You might have some high-level schematics. Generally, you know, the the project has been budgeted. management has said, "Engineers, go forth." And the engineers say, "Okay, we're going to have a reservoir. It's going to be about this big. It's going to be located approximately here. There's going to be pipe going that way." Wonderful. At 30%, now you're starting to actually get process flow diagrams. You're starting to get uh specifications at least at the table of contents level. Now 60% is where the rubber really hits the road from a CIE perspective. Now if you've done your job really well and had the opportunity to do it at the
preliminary stage you can say hey we're going to do CIE in this project when you get to 60% now we're actually starting to have electrical mechanical and very high level control system drawings which is where a lot of the work is done. So we're going to have drawings you're going to have partial specifications. Uh has anybody here ever like created engineering drawings or written specifications? Thank you. Yes. All right. So, it's a it's a lot of work that goes into all of these and it's a you know there's a very rigorous system to do these. You're also starting to get estimates and schedules. 90% you continue to build this out and eventually you get to 100% and you know
in some places we call this issued for construction. Now, Ginger and I and a good chunk of the CIE team have been working on a project around CIE adoption. And one of the people that we interviewed for this um you know I was talking about how you know once you get to 90% you can really do good review and you can have lots of comments but his point was by the time you get to 90% most of the money is spent. So if you want to make changes you got to have change orders and this has been a little bit of a challenge for some of our clients. So um one of the things
that we have done is we have gone and we've essentially red-teamed designs from a CIE perspective and what we've done and is to create a a role of um you know really a commander type role. Now if you were in the military commander intent is going to be a very familiar term but the team that I work on none of us were in the military. Um so this was something kind of a new idea. Um, we actually got the opportunity to review a 60% and 90% um, water uh, treatment plant for a pretty good-sized utility in California. And, you know, when we started, we were just kind of engineers doing engineering review things. Like, it kind of turned
into a peer review. And it was a little unsatisfying if I'm going to be honest. So, what we did is we kind of got to 90% and we were like, you know, this just isn't working. And I said, "Okay, everybody, I am now the mission commander and you are the attack team and you are going to, you know, looking at the process flow diagram, you're going to attack here and you're going to attack here and you're going to attack here." And they said, "Okay." Right? And then all of a sudden, we had this organizational structure emerged and it became a really powerful way for us to communicate to the utility and the utility to communicate internally. And
since then, uh, this utility has actually included cyber informed engineering requirements in in all of their engineering RFPs that they've released, which is pretty amazing. So, in order to really do this review that I'm talking about, we have to have a certain type of skill set. So, um, you know, Josh didn't explicitly, uh, say that I could talk about my kids, but I'm going to because about a year and a half ago, I got a call from the principal at Bayiew Elementary School, and he said, "Uh, hi, Mr. Ort. Um, your son Anders was uh, caught hacking into his um, fellow students uh, reading accounts." And I said, "Really? Did he social engineer his way in?" And then the
principal goes, "What do you mean?" And I was like, "Oh, wait. I have to be the concerned father this time because I was actually in the process of doing a social engineering project for a client." And it turned out that he had just sort of gotten bored and he had just figured out sort of the this very simple algorithm for passwords and, you know, he finished his work and then he went to finish their work and by virtue of doing it, he was able to like go and buy little widgets in the program, right? That's all he wanted. But this was a, you know, a pretty bad day for for him and I was really proud. So um
you have to have that type of a mindset and that type of a skill set ready. You know that's uh the gentleman who asked about like you know how do you get to that worst day is it's like that level of creativity. And so you got to have the engineers right you you probably have that person in your life who's a little bit like my son who's willing to like just try things and mess stuff up and and go for it. Um the operators right day-to-day they know what's going on in the system. They in the water sector are also licensed and we have run into challenges where we do uh what we call day without SCADA exercises and
I'll get into that a little bit later but the operators actually push back on that sometimes because their licensure is on the line. IT and OT cyber security it's a wonderful time to really build some relationships there. uh communications and emergency management. I will say emergency managers love this stuff, right? Their whole lives are based around thinking about the worst day, right? They eat it up. Um targeting expertise. OSINT is extremely valuable. One of the things that I've gotten in the habit of doing is I'll go to an LLM and I'll just type, hey, what kind of PLC does utility X use? Right? And sometimes it tells me, sometimes it doesn't. Um but I always go and I always
report that. I actually at S4 um gave a similar presentation to this and I I you know told told people a story about it and this gentleman from the east coast came up and he said you know I went to Perplexity and I looked up what kind of PLC I used and it was right and I had to tell my IT manager to get on that right and that was a pretty bad day for him but of course and then you've got the people who know how to break stuff and really enjoy it because they also inject a lot of energy. Engineers, we can be a little stodgy at times, especially electrical engineers. I don't know where
he went, but I do like to pick on them. All right. So, who's really ready to go and adopt CIE? Now, I will say, and Ginger alluded to this earlier, is that every organization by virtue of doing engineering well, by doing operations well, is already doing CIE to some extent. And that's one of the ways that um you know CIE is easier to talk about with a broader audience than just cyber security because if we go in and we do a cyber security assessment and we're looking at this large group and we're saying oh your networks aren't segmented they're kind of like I mean I conceptually get it but I don't really know what that means. But if we go in
and we say, "Hey, are your operators able to operate without the control system?" They know what that means, right? And they always have an answer. That could have been last Tuesday, right? Because the SCADA system just doesn't work very well or it could have been 10 years ago or 20 years ago. So, um, you know, it's easy to build on those sorts of things when we have a certain level of organizational awareness, right? Leadership is very concerned. OT is outgrowing its protective cocoon which is something that we see a lot more of it's really important and when engineering is a little bit more resilience focused in general but also open to the cyber conversation because they recognize to
some extent that it is partially at least their problem and then of course IT and OT they have to get along right this is really really important now this is probably the most um impactful term um when I do presentations that that I introduce. Engineers for as long as engineers have been around have been very accustomed to this concept of a failure mode. And if you like look at a water pump, you know, especially um some of those at older utilities, these pumps can be a hundred years old very easily. I mean, they're just like huge chunks of steel. I mean, really impressive. And they've lasted that long because they were engineered to not catch on fire and not blow up
and, you know, not do all those sorts of things. And they've been really well maintained. So engineers understand failure modes and we understand uh you know how to prevent them in in many cases. What we haven't often done though is say hey there's somebody else on the other end of that wire that wants to intentionally make this system fail. So when you couple that idea of cyber enabled and failure mode, you start to really get engineers to perk up, right? Then they start to recognize some possibilities that perhaps they didn't before. >> Can I add one more idea? Yeah. So we're using the word failure here, but we have failed to define it. >> Often we think failure mode means the
system is off or rendered unusable. It it just no longer is available. For an engineer, a failure mode is a disruption in safety, reliability or functionality. If I mess with one of those three characteristics, that is a failure mode. So understand that a cyber enabled failure mode may make the system work faster, work better in some aspect so that it hastens on its way to burning out a pump or causing some other downstream aspect. So it's very important for us to understand what failure mode really means from an engineering context and that it's not just I made the pump go boom. It may be I made the pump run a lot faster and vibrate a lot more and that caused the
pipes to burst and now we have a real problem. >> Yes. Thank you. >> All right. So, I talked a little bit about engineering in the water sector and one thing I didn't do is I didn't give um context on sort of the volume of content at each one of these stages. So, preliminary design report we're talking order of magnitude 50 pages maybe 100. 30% design review, we're talking maybe 200 pages or so. 60% design review, um, you know, probably about 300, 350. Now, we really get into specs and we're probably talking over a thousand pretty easily. And then once you get to commissioning, right, that's a whole other story. That's uh tons and tons of
checklists and that sort of thing. Now, Ginger, I don't think I've actually told you this yet, but um we've been working on a CIE project for a water wastewater utility who is in the process of install uh you know, designing and soon to be commissioning a new treat um pump station for the water system. And what they have realized is that their engineer was um sort of in uh unintentionally delegating all of the responsibility for cyber security to the integrator which was you know another contractor and the the asset owner didn't really have any visibility on what the integrator was doing what kind of capabilities they were doing. So what the the asset owner actually asked us to
do was to write into the engineering specifications language around how they can operate this pump station without the control system and then also how will we actually protect this control system from misuse and this is a pretty big sea change I mean it's not a lot of text right this is less than a page of changes in a thousand-page document but very very impactful and from a commissioning perspective now that utility has to go and test the system without visibility of you know the normal um uh you know HMI or human machine interface views. Uh they have to test it with a lack of communications. They have to test it without you know access to the servers and then they have
to test it without the PLCs and we're going to see how that goes. That's usually where things get a little dicey for these utilities. So very exciting. All right. Do you want to start this one? >> I would love to start this one. >> Go for it. >> So, there's a classroom. Oh, go ahead. Ask your question. >> Totally. Okay.
So I work in rail, light rail specifically and one of the biggest challenges that we have is there are so many vendor managed environments to where like you mentioned before and some of those things like that ability to actually see and understand the technology that you're purchasing is kind of like a real problem in some of those areas. And so in that same way of you know let's say you have a PLC that goes down or some other type of device do is that is there a correlary cor moving on uh in terms of like that there's that vendor management component or is the water system basically cut off and there isn't as much connected there
or you have to fight vendors to be able to manage and and operate that technology. >> I think everybody has that same issue. >> Okay. Um I will say you mentioned rail. So there was some very salacious vulnerability information published I think two weeks ago about a head of train end of train protocol uh that's used for connecting trains and moving them around. And the idea was that someone with a communications device wireless radio I'm sure none of you have any of that. um could broadcast that protocol and potentially man-in-the-middle that particular protocol. And not only was it vulnerable, it was known to be vulnerable and had been reported ages and ages ago. So that was when the cyber
people reported that vulnerability, it was reported as if the physical part of the train didn't exist. And it was the vulnerability of this protocol that was the key thing to look at. As we started having conversations with train experts around this protocol, there are other things that are on the train, physical protections, engineering protections that protect that train even if that digital layer is subverted. And that was one of the examples that we cheered about where we're able to say, "Hey, yeah, there is this critical vulnerability and it does exist in the digital layer, but because the engineering and operational layer was somewhat aware of it and was concerned about it for other reasons, that's a
very high-intensity safety operation for any train yard. There are engineering controls that ensure that that the impact of that vulnerability is not going to be met. So that was at least a win on the train side that we had. So in the classroom that's doing the training, they're going to do a deep dive with cyber-informed engineering and we wanted to give you at least a taste of what they're going to do. So I'm going to have you leave your ordinary work, whatever it is, and come join me at the municipal water station. I've hired you all. Thank you so much for saying yes. Um your paycheck is coming. It will have a lot of zeros in it. A really a lot of
zeros. Um your job Yeah, no other numbers, but a lot of zeros. You can tell your parents, I got a job at BSides and I'm making a lot of zeros. Um, so we have these water booster pump stations. They are dotted out across the city. Um, as Andrew said, they keep the pressure in the system at the right level for the environmental conditions and our systems, and they ensure that if a subscriber pulls a tap or operates the system, they get the water they expect in the right amount. They also discourage because of the pressure in the system the growth of biologic agents that would make our water undesirable and potentially poisonous. So we got a grant from the
state and we're so excited we right now we maintain these booster pump stations by driving to them. We have two engineers in the truck and they go from pump station to pump station and they reset the pumps to be right for that day or that week and then the next week they're doing it again. The good news is they do a lot of physical work in that booster pump station when they're there. The bad news is that's really expensive for us and we'd like our engineers planning other growths in the water system that we'd like to do and focusing on making the system overall better. So, we got a grant from the city. We are
going to install cloud-based monitoring and control on our water booster pump stations. Who here is excited and wants to be part of this project? Okay, I got a couple of people tentatively like maybe maybe just I'm with all the zeros I'm not going to write that on my resume and it's totally okay. So, when we look at this cloud-based monitoring and control, our focus is on the pumps. There's a lot of other systems in the water booster pump station, but we wanted to just put control on the pumps right now and we'll grow this if it works. So, with the pump applying cyber-informed engineering, what's the worst that an adversary could do to one of those pumps through this
cloud-based monitoring and control system if they had the magic keys to the kingdom? What's something they could do? Come on, anybody in the audience? >> Shut off the pumps. Okay, that's great answer. And what would happen if someone shut off the pumps? >> No. the water pressure in this area would would fail and then we would have to kind of raise pressure in other parts of the system and we would have to send our engineers in a truck and they would have to get the system going again and they think it would take about two hours to restore somebody who cut the pumps off. Okay. What's something else someone could do? >> Yes, >> they can over pressure the system.
>> Okay. They can turn the pumps on and make the pump do more than it's supposed to do. So over pressure the system. Yes, they can do that. The good news is we have some protections in the system that allow us actually to operate safely in an over pressure zone for a while. We have a bladder system that will contain some of that. And so again, our engineers think they can get out in a truck and repair that in the amount of time before damage is incurred, >> assuming the alarm is not also compromised. >> Fair enough. >> And that only happens to one station. >> Yes. And we do have some contractors that we can put in trucks, but yes, once
they if they do all of them, we are a little bit strained. Okay, I've got somebody in the back. >> Okay, the good news is this. The the suggestion was that someone could take over our chemical doping system and affect how much chemical we're sending in. We are not going to put that under cloud control right now. We want to try out this software first. And the other control we have in place that we did look at is we have a pretty narrow pipe that allows the chlorine and other chemicals to go into the system. So even if you turn the system up to 11, very little material would flow through the pipe at any one time. So we're we're not
automating it, but we think we'd be okay. Maybe maybe >> you brick the pumps. >> Can I brick them? Well, if I could turn the pumps off or I could turn the pumps on, what else could I do? Okay. Yes, I can turn them on and off and on and off and on and off. And if I can do that, what happens when I turn an electrical system on, especially something that rotates? >> Say that again. >> It uses a lot of power. And when it uses a lot of power, does it stay at the same temperature? No. It heats up that inrush of current causes an inrush of temperature. And if I cause that inrush of current to come
and to come and to come, would it feel like Las Vegas inside that pump? [laughter] It would. It would not be able to release all of that temperature because it uses convection. And so eventually the heat in that pump would get to a point where I am degrading the insulation around that pump. And that is assuming that it is so well anchored and so well engineered that the actual on and off activity of the water flow isn't damaging it. But just from an inrush current, I can on and off and on and off and damage the pump. So that's a pretty bad consequence. So, we went back to the engineering team and they said that that would take if you
damaged the pump, especially if you damaged the housing around it, made it hard to just do a flat replacement, that could be as much as 18 months. Back in the back.
So creating a vacuum. The good news is this large pressure tank right here has a bladder system in it. And so it is designed to absorb some of the fast pressure changes that our system has. And we think we can ride out what an attacker could do using this particular pump given its power compared to the the tank. So we think we're okay in that. So, this on-and-off thing, if I can focus you in on that, the engineers have said 18-month outage, potential meeting the mayor and having to say boil water order, potential EPA involvement. They're really concerned about that. That could be a really, really bad day for our engineers and operators. So, the
cyber team, of course, has lots of ideas for how they would like to change that. But one engineer raised their hand and said, "There's this thing called a time delay relay." And I know it's kind of silly. It looks like a kitchen timer. And when I have a time delay relay, I can only issue commands once per timing window. So let's say we set it for five minutes. I can turn the pump on and five minutes later will open again for a command and it will accept the off. And so my adversary who's trying to ram that pump ultimately gets on and then we get to some hysteresis and then off again. How much do you think they cost?
>> 20 bucks and we can put them on as part of a regular maintenance in the water booster pump station. So should I do some monitoring on the system through the SOC to make sure that people are not issuing commands at the rapid rate? >> Yeah, I should do that. And potentially I should drop some commands if it's just looking like there's no way this is what should happen. I should probably talk to an engineer before I set that system up. Anybody with me on that? Yeah. Okay. But would a $20 time delay relay? That means that even if the adversary blows past my monitoring, my SOC is asleep, they've all gone home for Christmas, the
adversary gets in there and says, "Okay, on and off and on and off and on and off, and my system goes on, off." And then within the two-hour window, the engineers are there, they take it off the system. Um, and we did do engineering analysis and even if they did this to all the systems with a time delay relay, we can keep things going until they take everything offline and can run it manually. So, I will admit this is a kind of a happy movie story. We picked an example that works, but this is an example of how cyber-informed engineering works and how it can work with cyber security. And we wanted to at least give you the taste
of thinking through that. So, thank you for coming to the water booster pump station with me. You all get a raise double your salary. >> Twice as many zeros. >> Yes. >> I I Yeah. Yep. >> Um, when you go to owner-operators and you're working with them to incorporate cyber-informed engineering, does it cost a lot of money? Does it cost extra? And I asked this because, as you know from our secure by design work, right? The question is, how much is this going to cost and who's going to pay for it? And then of course our answer is always like well let's look at all the costs that everyone is is paying right not just uh the manufacturers but you
know what are the costs that the uh customers of software are bearing right uh both left and right of boom so I'm just curious as I am drawing parallels here the questions that you've received on this and how you're answering them >> so I will say we get that too we get this is gonna slow us down this is gonna cost money or it's going to be extra design work that we have to do or this is one of my favorites. We're past the design phase. We couldn't possibly implement this now. Okay. Um and what we find as we work with people is that typically if we can get the culture of the team working
well, it actually doesn't take them a lot longer to include this in the hazard analysis that they do or the risk planning that we do. Now, we are developing some tools that help people who have uh on the engineering side, we often think about hazard analysis, and it's typically they have tools that are used for safety. And so, we're trying to find some ways to add these consequence-based ideas into their ordinary hazard analysis that allow them while they're under the hood, while they're thinking about safety and reliability, they can just add this cyber security risk in. But we are getting that. What are you finding as you work with asset owners? >> So, everybody asks that question. Um,
[clears throat] especially even internally at West Yoast, we get that question because we have to competitively bid for projects. And so, we're saying, hey, if we have, if we're automatically going to do this and it costs more, then we're going to win less. Um, so that's a big concern across the, you know, the spectrum of project delivery. What we're finding though is, you know, applying the 80/20 rule, like that first 80% is really pretty inexpensive. you know, it's a little bit of additional engineering review. Um, and um, that provides a ton of protection, especially in the two principles that Ginger highlighted earlier on consequence focused design and engineered controls. Um, you do wind up needing to re-engineer some things,
but um, I'm also a big advocate of, you know, using common sense, right? you you have to like we're not going to go and redesign systems out of you know just applying CIE unfortunately but uh there are lots of good things and you know we've got a little bit of time left today and we can get into some of those and some of the things we've heard from early CIE adopters but I I would say that the cost compared to the capital cost of implementing these is you know less than 1% I mean it's small >> uh just a add on that like when we talk about a the water hammer the way to absorb a
water hammer there's a couple ways to do so you know the pressure sensor arrestor concept of an analog pressure sensor that shuts down the pump like a circuit breaker would for electrical surge in the house it's like 2,000 or 10,000 depending on who you're talking to for the pressure zone but what we're also saying is if you have 10 pressure zones you don't have to do this everywhere like what's the highest consequence failure for downtime it's the hospital one. So if we bring a level of ruthless prioritization and/or downstream stakeholder analysis as to what's the highest cost of failure, it's not every leg of the pumps and the pressure zones. It's just the ones that
the town decides it's worth a little bit of insurance on. Then we can maybe prove it's a high value thing and then it's net new. Every new greenfield power water plant might say that was a worthwhile investment. So we have to maybe pilot this narrowly and then see where we can put it in going forward. >> Yeah. And to that point, so I mean this was probably eight, 10 years ago, a utility had decided to kind of do something like this on their own without the terms of CIE or anything. And what they had realized is that some of their most important uh influent mains were in really poor condition. And so they started to get concerned about over
pressure, water hammer, blowing these mains out, causing damage. And I I would say that to replace these mains in total was was probably at the time a high eight to low nine figure type of investment. Um you get into all kinds of property rights issues when you try and do these things. I mean it's really a quagmire. And so what they had done in that situation is exactly what Josh was talking about, right? You get these um pressure sensors and they shut the pump down if you know if anything occurs to drive that pressure up. And you know the the important thing is to wire it correctly, right? You don't wire it into the PLC. You wire it directly into the
controller for the pump and um in right directly into the motor, excuse me. And that provides that input and that way a networked adversary cannot access it. >> I think there was a question over there. Yeah. >> Yes. Um so I know when I've dealt with municipals, they've been small and they're run by not the town but a board of commissioners. >> Yes. And so a lot of them drive cost benefit, meaning we're going to lower the cost and it'll be to our benefit because we'll get elected again for another term. And they kick all the projects down the line regardless of the fact that doing it now given time value of money etc etc. Does it ever have any
benefit to create a worst-case scenario in order to drive CIE or or really I mean I guess any any change but in this case to really change the way they're they're looking at this. >> Do you mind if I talk about Idaho >> please? >> Okay. Um I've got to leave for the training so this will be my last part but before I left um I've got an alternative idea for you. So um sometimes we can create a worst-case scenario but let's face it how many of us have seen a whole lot of FUD and how much of us are becoming a little bit resistant to FUD. Uh fear, uncertainty and doubt does drive action but
sometimes it drives action without reasoning being engaged. So we had a wonderful experience in the state of Idaho. The state environmental organization had was doing a call for their yearly grants and loans for municipal water entry entities or anyone else who wanted to put an update in their water system. And they put 20 points of the scoring of this grant towards that utility having something with cyber-informed engineering as a part of their endeavor. And they're starting to define some rules about what they meant, what that meant. But each asset owner was encouraged, even if you don't do everything, if you try to employ cyber-informed engineering, we will then be more likely to accept your proposal.
I loved what that meant from the state organization as kind of the owner and the responder of worst resort to a municipal water problem. they were putting their money where their mouth was and they were encouraging asset owners to develop a mature strategy towards engineering cyber resilient solutions. Um it may not be the only way to do this but I am so excited about the way that's working and I hope that it pays out. >> Yeah, it's really exceptional. Um and Idaho Idaho Department of Environmental Quality will be putting out some guidance for water systems um on C applying CIE which is going to be a really amazing resource. Uh Ginger and I have seen an early draft of it and it's
fantastic. Um one of the other things that we've done to your point is um when we do these exercises we always invite the executives and we put them in the middle, right? They don't play, but they observe. And when they get the chance to observe and hear the back and forth and see the challenges, um, it really drives home the challenge that their staff are faced with. Um, you don't, you know, do the first exercise that way, right? You let the engineers and the operators kind of build up, you know, some knowledge and so that they can demonstrate to their leadership everything they knew and so know and some of the challenges that they have.
But it's a really good way to do it. >> Andrew, I'm going to duck out. Thank you for bringing this home. >> Thank you.
>> And I'll be over there soon. >> Might have to grab one. >> Yeah, the camera guy. Um, so I've never had the privilege of running security operations in a municipality or critical infrastructure. I'd like to, but I just do business, you know. So uh but I have a lot of friends who are operators at uh at independent energy stations. And so I hear from their point of view the operator way of thinking where if if I if I fail at generating power, I'm not going to worry about what the state's going to do or anything else. It's that I have a contract with someone else that will fine me a bajillion dollars if I
don't generate this power. And that's their underlying principle of pretty much everything. Um but from a cyber perspective, they pretty much have no input. So I'm wondering if you see the future of operators um having an interface with the security operations center to where they actually the operators start thinking cyber rather than the IT guys and the operators two different worlds. Where do you where do you see the intersection? >> Yeah. So one of the things that uh we've been working on is um a paper on how early adopters of CIE are picking it up and running with it. And so we've talked a little bit about how you can apply CIE to new infrastructure that's in
design, right? Of course, that's where you want to do it. But let's just be honest, we've I don't know untold trillions of dollars of existing infrastructure that we need to modify in a cost-effective and meaningful way. And so what the early adopters told us is that if we're looking at the different CIE principles, there are a couple that you prioritize for existing infrastructure. One of those is going to be planned resilience, right? To some extent, this could be just really great emergency preparedness. And it and it that's certainly part of it, but it's also going to be, hey, under a focused cyber attack, what are we actually going to do? And uh the other one here is
active defense, right? How do you know what's going on in your system? What do you actually do? How do you consume threat intel and make changes? And what we think that those two principles actually give us and give operators like your friends is the opportunity to really kind of take CIE and run with it in their own way building on all the good operations that they're already doing. Now in the water sector, right, it's relatively rare that there are contractual obligations to the extent to what you described, but what we do have is state regulations, right? and we do care what the state says because they will authorize you know continued operations and that sort of thing. So um
you know if you have existing infrastructure existing systems and organizations right focusing on those and those can be some of the lower um cost type things that uh an entity can do to adopt CIE. So that's what we say and if you go to the um CIE implementation guide there's I think shoot it's like 1,200 questions right and and the the guide isn't meant to tell you how to go and do CIE it's to get you thinking about how to do CIE and if you think about it so there's 12 um principles I think there's seven engineering life cycle stages so you divide 1200 by 12 by seven and you wind up with 14 questions on average per
principle per life cycle stage. And so it's really a great, you know, way to start adopting CIE and picking it up. Um, if you go to the training and, you know, we'll get into that. It's way too much to talk about here. So, does that answer your question? >> Good.
>> Yeah. >> Okay. So, I do want to come back to this. We've got about 20 minutes left, but before I do this, are there any lingering questions or topics that we haven't touched on? Um, anything, you know, you were expecting that that we haven't provided yet. Josh, it's given away a little bit of tomorrow's talk, but um, Emma and Manish are going to do AI data centers are both a threat and a fix. >> And a threat and a fix. Um power generation requires water, data centers require water. Um so when we're looking at how fragile the interdependency are right now between water, no water, no hospital, for example, most of our strategies we've been
discussing aren't factoring in that we're building a hell of a lot of AI data centers with really high capacity needs and we're not making more water. So since we may not get a chance to ask you that tomorrow morning in advance of their talk, do have you been thinking about how we might better ruggedize or fortify or think through the continuity of operations for water supply for AI data centers, etc., etc. Like is that stretching your brain too far or is that something you can anticipate in prime? It it is something that um just starting to think about in part. Um my friend and colleague Andy Bachmann is very focused on that topic and um he every day sends me stuff to
read and watch on it. I can't say that I've worked on it specifically outside of that example from about eight years ago where that utility did have a data center um run out of water and they had to take a lot of action to demonstrate to their customer that they that was not going to happen again. Right? So when I said earlier that it's rare that we have contractual obser uh obligations when it comes to data centers, I was totally wrong. I misspoke. Um there are [clears throat] significant contractual obligations in those situations. And you know, you might think also like why doesn't the data center just drill a well and suck water out of the ground,
right? Well, I was actually uh doing some work for the city of Carlsbad, California, right? One of just the most beautiful places on the planet. um they've tried to drill wells and I'll say they as you know private entities and and public entities in that area and there's just isn't groundwater. It's just solid rock. Uh I personally had to drill a well at my house. It was 350 ft deep just to get enough for a single household. I can't imagine how deep that and how wide that well would have to be in order to you know provide a data center with a reliable backup water source. So it's expensive. Also water quality can be a real issue. Please.
>> And I almost wonder like we've seen this before a little bit when Bitcoin was all the boom and everybody and their mother was like, "Oh my god, Bitcoin like let's string together 10 different video cards and then all of a sudden there were heating and cooling issues." Like the same type of thing from a draw. And so is there a correlary I still can't say that word. I keep trying to to really see how that might in some way obviously the AI thing is going to be much bigger but could we use like the Bitcoin mining thing as a anagram? >> Yeah, certainly a different word. >> I'm sure we could. Yes. >> Yeah. So, I think that this will become
a much greater topic um just as you know source water stressors you know continue to pose problems for our industry. Josh, anything you want to add on that? Are we good? >> Yeah. Okay. Well, attend tomorrow.
>> I don't have a great answer for that. And and part of the reason is is that I think a lot of those um Bitcoin mining operations popped up in places where the energy rates were very very favorable to that sort of thing. And I don't, you know, I do a lot of my work in California, which was not um conducive to that. >> Um, not so much a question for you, just I've been listening to the feedback on and off um and had some hallway feedback as well. Um, if you were here for the opening remarks with the the couple draft videos we did, there's a you know, uh, Ginger brought up FUD, right? Fear,
uncertainty, and doubt. And one of the things we we said last year when we opened this track, but we maybe failed to remind people this year is this is a very tough set of topics because just because it's scary doesn't mean it isn't true. So there's there's equal and opposite sins that we could commit, right? Um I I feel like the more consequential something is, the more forthright we have to be, which means you never exaggerate it and you never coddle people or downplay it. And the problem we had, we we've leveraged FUD for so long in the vendor community that we've lost all our credibility. And when you cry wolf all the time, when there
are actually wolves at the door, no one's going to believe us. So, this is part of our hazard for this particular project is several people this morning thought some of the videos were not scary enough and some of them thought they were way too scary. And we've had Congress people tell us, you need to make these scarier. So there probably isn't a single right answer for how scary they are other than uh we may have to make a lot of stakeholder specific videos. So the water hammer video has been very effective with professional engineers who helped us understand that the hospital video has been very helpful with uh clinical staff. Neither one of them is very appropriate for our
neighbors. Right? So one of the open invitations it wasn't rhetorical. We actually want feedback on how to best strike a balance between truly scary things that also empower realistic action. So, we can talk about a really terrifying water hammer if the fix is $2,000 or $10,000, but we have to deliver it as a package deal. And even though this room is mostly technical talent and we like to break things and take them apart and put them back together, we're gonna have to learn some storytelling and persuasive speech because if we just say, "Oh, it's fine. You'll be fine. Don't worry about it." Then we're not going to get the corrective action we need. If we sound
too scary, we're going to polarize people or paralyze people. So, uh, I'm not saying it's easy, but if you find yourself feeling that this is FUD, suffer, you know, tolerate that discomfort just for a day or two here and simmer with it because it might reveal a new fresh idea or angle. But I'd love your take maybe on how do we balance saying something scary without it sounding like FUD. >> Yeah. So, and to go back to that um water sector industry report that I showed, the utilities are already concerned about this and it's what I found is that more people are looking for a solution than they are skeptical of the problem or they've shut down
because the problem is too big. I've gone into a lot of places where the engineers or former operators are really, you know, they're the executive leadership. So, when you start using terms around engineering and operations, they understand it, right? As Josh would say, it's their love language and we're just putting cyber on top of that. And so it's been a much more constructive set of conversations than it is if we talk about cyber security, right? And um I think that that's one of the reasons that CIE is really a big part of the solution to the, you know, larger scale national security issues around cyber security. Please >> to piggyback on the idea about storytelling and the earlier point on
how municipalities operate as someone who isn't deep in the weeds on various uh critical infrastructure specific things cuz that's just not my day-to-day job. Um but I am a person who cares about the water that serves my house and I live in a municipality. To what extent do you see success or do you wish people would try this more to just show up at those meetings where the conversations are happening where the budget discussions are happening? >> That's a good question. So how much can a member of the public who's not a trusted entity go and really push for cyber security? I mean so most utilities either have a governing board if they're a special district or the
city council is generally responsible. So, I would actually just start by talking to your council person. And I would also, you know, most water wastewater utilities also understand that they service the public. They're taking the public's money and they're doing good with it. And so, they want to engage with you because they want to educate you. Uh I have a utility that um because of, you know, just making sure that reading standards are relatively low on any of their public facing information, they actually get a lot of phone calls from people are like, "How do you disinfect the water?" like what is the treatment process? And sometimes they just say just come to the
plant. Let's walk around. And they do wonderful outreach like that. So, please engage with your utility. My guess is they're going to enjoy it. They love what they do day in and day out for the most part. And you know, if you're not getting what you want, call your council member. And it may actually be beneficial to them for you to call your council member. We'll probably save this on uh Wednesday morning, but part of the reason for these 12 pilots as aggressively as we can is we're going to part of the output of that is we're going to try to give scripts to each of you that you can go ask at your town
planning meeting, your city council meeting, your council person. So like you don't have to like write a bespoke one yourself. We'll give you proven questions that can drive the tenant outcome. >> All right, we have just a few minutes left here. So, I did want to just kind of make one point. So, we did talk a little bit about Oldsmar earlier. Whatever happened, I've heard a different story than what Bryson shared. Doesn't really matter. One of the things that happens in our sector is that um the public perception can be impacted very easily if there's a water issue in Florida and my parents are in Minnesota. So very specifically the hack in Oldsmar was reported. CNN picked it up, right?
They ran with it. My parents, my elderly parents in Minnesota called me and said, "Andrew, we heard about the hack. Is the water safe to drink?" And I said, "You live in Minnesota. The water systems are not connected. Yes, you're good." They're like, "Okay, thankfully." And, you know, frankly, the fact that they were like watching the news and asking those types of questions is really good. But, you know, we do struggle with perception in um in a land of plastic, you know, water bottles and all of those sorts of things that are relatively easy solutions. Municipal water is oftentimes higher quality and, you know, just better in general and certainly less expensive, like much less expensive. So,
you know, there's um you know, that incident of course people are aware of. There's also Aliquippa, Pennsylvania, um Muleshoe, Texas, um Abernathy, Texas. Do those names ring a bell? Yeah, maybe. Okay. So, when it comes to the incidents in Texas, there's a wonderful Wired article about it. I don't have the link, but if you just say, you know, water system hack wired into your favorite search engine, please do that. Really, really excellent. Um and then if you are curious about the Aliquippa incident. So the Cyber Av3ngers actually you know they were targeting Israeli-made uh PLCs. Aliquippa had one. It was targeted and compromised and you know the municipality had to do what they had
to do which meant you know shut off the automation at that pump station and do things manually. And it was a pain for a while right until they were able to get up and going again. But you know overall you the operations and maintenance people have responded really really well. So I think that uh Josh at one point had said you know if you want to test out your meme game go for it. You all have made it this far so let's go. All right before I do that was a teaser. I wrote a book with my colleague Dan Groves. I wish Ginger was here. She's read the book and she gave it two thumbs
up. Um the reason she gave it two thumbs up was because it's very much for the uh you know sort of water utility every person. We wrote a bunch of case studies really and some of those I've shared with you today. What we want is that somebody can pick that book up and they can say oh yeah I've got one of those. Here's a story about it. Right? And it's very accessible. It's not super technical but we're just trying to get CIE out there in the sector. So, uh, it's published through AWWA. Please go ahead and pick one up. All right. So, Alice in Wonderland is the theme. So, here's a little bit of an overture.
Um, maybe a little naive. If everybody minded their own business, the world would go around a great deal faster than it does, right? If we minded our own business, we wouldn't be having these conversations. We'd just be focused on making the best water and wastewater systems we could without necessarily a concern about securing them. Now this is very naive. I understand that. So what we want to do is redefine expectations. Of course, John Bean is a good place to start. We do not we want to get to a place where we don't, you know, design a system without cyberinformed engineering, right? It should be in everything that we do. And really the goal of this is one of my
favorites, right? To be undisruptible, right? They've got us surrounded. Those poor bastards, they spent all of that time and money and effort and energy trying to get in to our systems to try and compromise us, but they can't actually do it, right? Because we used physics and we used good engineering and we used good operations to prevent any of the consequences that they were really seeking. So, it just becomes a shoulder shrug, right? That's what we really want. So with that, that's the extent of my meme game. So thank you and I'm happy to stick around for any questions. Um Ginger and I'll be around and then I'm curious, is anybody planning to
attend the training today or tomorrow? Wonderful. Okay, great. We'll get to do a deep dive. Thanks everybody.