Burns & McDonnell Arm Launches Unique Cybersecurity Service For Critical Infrastructure

It may not have the impact of a Super Bowl play, but a new service from 1898 & Co., the consulting arm of Burns & McDonnell, the engineering, construction and architecture firm, is set to move the cybersecurity resiliency ball down the field.

Under the rubric “Managed Threat Protection & Response,” the company is offering a “proactive threat hunting and response capability” — a one-stop shop — for critical infrastructure companies, from electric to water utilities, to oil refineries and rigs, to pipelines. The new capability is an addition to its existing Managed Security Services (MSS) solution.

1898 & Co. clients will get around-the-clock, year-round monitoring of every possible vulnerability on their systems, with a focus on the harder-to-detect intrusions into the operational technology (OT) and industrial control systems (ICS) that are a critical part of the infrastructure and require special attention.

IT And OT ‘More Connected’

Gabriel Sanchez, manager of Security Operations Center (SOC) operations and incident response, told me that over the years, IT and OT have become more connected, increasing the vulnerability of operating systems as IT attackers find they can affect systems in sophisticated and harder-to-detect ways.

The vulnerability of OT and ICS is that they can often be made to malfunction without immediate detection. The textbook example of this was Stuxnet, the U.S. cyberattack on the uranium enrichment centrifuges in Iran. That attack left Iranian engineers flummoxed as they saw their centrifuges spin unaccountably out of control.

Sanchez gave, as an example, an electrical substation. To sabotage it, you once had to get in there physically, he said. Now it can be done by an IT professional with malice and skill.

The response to an IT threat and an OT threat can be different as well. As Mark Mattei, director of industrial cybersecurity for MSS, explained, with a computer attack, an IT attack, you want to halt that immediately. But with OT, that may not be the wisest thing you can do.

Consider: If the attack is in a limited part of a plant or a system, you don’t want to shut down the whole plant or system. If a substation were to have an OT intrusion, you wouldn’t want to shut down all of the grid. If one pump at a refinery were experiencing an ICS intrusion, you wouldn’t want to close down the whole plant.

Mitigating Damage To OT

Matt Morris, managing director of security and risk consulting, said the 1898 & Co. response to OT and ICS intrusions is, “What can we do to mitigate damage?”

Twenty-four-hour monitoring and instant proactive response are the keys to the company’s new service. 1898 & Co. has consulted for years on cybersecurity, and Burns & McDonnell has a unique depth of understanding of it, having built so much critical infrastructure. 1898 & Co. is working in environments it knows and has “playbooks” developed over time for identifying threats and approaches to mitigation.

For utilities, refineries and municipal systems, like sewage and water, as well as some other local government functions, the new cybersecurity package, including OT and ICS, offers peace of mind as well as economic savings.

Mattei explained, “We have a follow-the-sun model, 24/7, 365 days a year, including holidays.” He said for a company to install equivalent monitoring capacity, just the monitoring function would require an expense of about $12 million a year and rising. Staffing it — finding the talent — would be difficult, he added.

The company is building a SOC in Houston, starting with an initial complement of over 60 professionals. They chose Houston because it is central to much of the critical infrastructure, and because the talent pool is large.

Chris Underwood, vice president and general manager, said, “Managing security for ICS and OT for security is a rare capability for one reason: Critical infrastructure is a highly complex environment.

“Our consultants live and breathe critical infrastructure. We’ve worked in the industry and for the industry, so we have a deep understanding of its challenges.”