Burns & McDonnell - September 2022

MANAGING RISK AND BUILDING CYBER RESILIENCE

DIGITAL REPORT 2022


WHEN IT COMES TO GOVERNANCE, RISK MANAGEMENT, CYBER SECURITY AND REGULATORY REQUIREMENTS, BURNS & MCDONNELL OFFERS AN UNRIVALLED RANGE OF SERVICES ACROSS THE US AND GLOBALLY

Burns & McDonnell is an architectural engineering firm that services all critical infrastructure sectors within the US and internationally.


“The primary focus is developing solutions around people, technology and process,” said Jerome Farquharson, Senior Managing Director, Governance, Risk, Cybersecurity and Compliance.

A record-breaking year of growth in 2021 saw it record US $5.7bn in sales, support nearly 17,000 projects and grow by nearly 650 employees, consolidating its strong position among the nation’s leading design and construction firms. Such comprehensive growth helped the firm secure eighth spot on the 2022 annual survey of Top 500 Design Firms by Engineering News-Record magazine, the firm’s fifth top 10 ranking. Much of the firm’s work divides between providing utility and critical infrastructure clients with industry frameworks, addressing regulatory concerns and providing risk management. That means focusing on governance from a corporate perspective, and cybersecurity across their enterprise – particularly concentrating on operational technologies (OT).

JEROME FARQUHARSON SENIOR MANAGING DIRECTOR, BURNS & MCDONNELL

Farquharson described his role as multifunctional, managing a business line within the transmission and distribution division.

“We have ‘backbench strength’, with team members who have operated from the utility and cyber sides, which provides us with the breadth and depth especially in Operational Technology networks.”

It’s telling that one of the first banners you see on the company’s website is ‘100% Employee-Owned’, reflecting its rich history and culture. Today, as an employee-owned company, every employee is invested in ensuring the success of all projects, believes Farquharson, ensuring commercial continuity in the modern age.

“What sets us apart is we have designed and built many systems, possess strong institutional knowledge, and can blend that with governance, risk management, cybersecurity and regulatory requirements. We can start from day one from that perspective,” added Farquharson.


EXECUTIVE BIO

JEROME FARQUHARSON
TITLE: SENIOR MANAGING DIRECTOR
INDUSTRY: CYBERSECURITY
LOCATION: GREATER ST. LOUIS, UNITED STATES

Jerome is the senior managing director of the Governance, Risk, Cybersecurity & Compliance practice at Burns & McDonnell. He leads with a multidisciplined background in cyber and physical security, information systems, and business advisory consulting. Jerome has provided technology-oriented advisement for numerous Fortune 500 companies across the nation and possesses cross-industry expertise. He possesses a unique blend of technical, business, and project management skills to effectively provide value to diverse client and industry verticals. Jerome is an innovative technology Executive and Consultant with an entrepreneurial flair and a multi-disciplinary background encompassing highly complex areas such as cyber security, physical security, infrastructure protection, regulatory compliance, strategic business advisory, and information systems management. As the leader of Governance, Risk, Cybersecurity, and Compliance practice, Jerome has the unique ability to leverage both a technical and consulting background to take a 360-degree approach to the deployment of technology solutions to manage risk and drive profitability in highly competitive markets. He has presented educational papers at numerous industry conferences and forums to address transmission and generation operational compliance issues. He has performed numerous compliance audits for large investor-owned utilities to determine the level of regulatory exposure and define mitigation strategies to minimise penalties. Jerome is actively involved with several NERC and cybersecurity subcommittees, and regional Information Systems Audit and Control Associations. His initiatives have helped define security, regulatory compliance, and utility technology solutions for critical infrastructure organisations such as electric utilities, government facilities, and process industries.
Noted as an astute corporate strategist and catalyst for change as a passionate advocate for the application of technology solutions to predict and mitigate external threats as an integral aspect of the organisational risk management framework.


THE USER ACCESS PLATFORM FOR REMOTE OPERATIONS AND OPERATIONAL TECHNOLOGY

XONA enables frictionless user access that’s purpose-built for operational technology (OT) and other critical infrastructure systems.

Technology agnostic and configured in minutes, XONA’s proprietary protocol isolation and zero-trust architecture immediately eliminates common attack vectors, while giving authorized users seamless and secure control of operational technology from any location or device.


XONA: SECURING REMOTE ASSETS FOR BURNS & MCDONNELL

Bill Moore, founder and CEO of Xona, discusses an evolving partnership

Bill Moore founded Xona Systems in 2017. Having worked for over 20 years on IT, OT, networking and security operations, he identified an unaddressed vulnerability in the control rooms of power plants and distributed assets of all kinds. “There needed to be a way of remotely operating in a much more secure and compliant way,” he says.

Xona’s flagship Critical System Gateway (CSG) was a perfect fit with global engineering and construction firm Burns & McDonnell. “The pandemic underlined the difficulty of getting to remote sites to provision new control systems and the like: Burns & McDonnell needed to be able to do more with fewer people. We can give them a secure way to operate those systems without going to sites of that nature.”

Zero trust cybersecurity is a key advantage of Xona’s CSG. “Burns & McDonnell has been forward-thinking and a leader in how construction firms operate. We have talked to them in depth about cybersecurity and how to protect their assets, and immediately they understood the benefits right away: we were on the same page!”

The partnership with Burns & McDonnell is evolving all the time, Moore emphasises.

“We’re always looking to improve our platform. We’re going to be launching our next generation this year. We integrate with the best security information management (SIM) and multi-factor authentication providers, and we’ve worked to make that more flexible and enterprise-ready.

“Looking forward, we see an opportunity to expand the amount of analytics we can garner from how users interact and operate technology. We’re excited to be working with Burns & McDonnell and looking forward to a bright future bringing security and safety to enterprises and all the people they serve throughout the world.”

Year founded: 1898
Number of employees: 10,000+
Employee owned: 100%
Global offices: 60+

“On average, most utilities do not have enough visibility into their operational network to detect any type of compromise in less than 50 days or under – we have to bring that down much faster,” he said.


The biggest challenge was the change in how systems communicated, from internal to industrial internet, and that has brought greater risks.

“The integration between IT and OT has become greater, leading to more direct access. From a business and national security perspective, it is important to understand the risks for utilities.”


Within cybersecurity and governance, the energy industry is changing and so are the threats. But the industry needs to work faster, especially as power stations can affect lives.

Tackling the rise in cybersecurity threats

“The knowledge and attacks are becoming more sophisticated, so our ability to detect must be much faster. We have to share information and be much more proactive, and create a balanced approach – being able to provide solutions across the board.


“Over the last 10-15 years there has been a lot more maturity around cybersecurity – we’re not there yet, but we’ve come a long way and that’s driven innovation.”

The SigmaFlow Compliance Platform is a purpose-built, comprehensive compliance evidence collection, management and reporting solution that solves the challenges of NERC compliance for entities of all sizes.

IPKeys Cyber Partners is a leading provider of cybersecurity and compliance solutions for critical infrastructure protection (CIP) in North America.

NEXT GENERATION CYBERSECURITY AND COMPLIANCE

Securing Grids & Smart Cities

IPKeys Cyber Partners Leverages SigmaFlow to Secure Critical Infrastructure

Louis Riendeau, VP SigmaFlow Operations and Product Management at IPKeys Cyber Partners, discusses cybersecurity in the energy sector.

In conversation with IPKeys’ VP of SigmaFlow Operations and Product Management, Louis Riendeau, we discuss the evolving landscape of energy and how it intersects with cybersecurity and regulation.

Critical infrastructure is increasingly interconnected and automated. As regulations expand, companies face an increasing burden to maintain a strong cybersecurity footing and prove compliance. For this reason, firms like Burns & McDonnell require the support and partnership of firms like IPKeys Cyber Partners, a cybersecurity and compliance solutions provider.

Evolving Threats, Requirements and Solutions In Energy

IPKeys provides cybersecurity and integrity services to clients as varied as the DoD and local municipalities. They also support some of our most critical infrastructure: energy providers.

“Our customers face a number of threats, from ransomware attacks to nation-state sponsored threats,” says Riendeau. “Not only do they have to defend against these threats, but they also need to prove they’re compliant with a complex set of regulations.”

SigmaFlow, the flagship product of IPKeys Cyber Partners, meets those needs.

“The SigmaFlow compliance platform gives our customers visibility and control over their security and compliance programs in one interface. IPKeys heavily invested in our products and brought additional cybersecurity expertise to the platform.”

Increasing Diversity and Expanding Regulations

Industry experts expect current regulatory frameworks to expand and include more and smaller providers, additional industries, and additional measures. Energy providers are already seeking tools to secure their systems and help them achieve and demonstrate compliance with regulatory frameworks like NERC CIP. When asked about the near future of regulation, Riendeau states: “Cybersecurity threats are growing and our energy grid is becoming more diverse. That’s why the work we’re doing to extend our technology to support these systems, and the regulatory requirements that are likely to follow, is so critical at this moment.”


“What we learnt from the last couple of years is the rise in exponential threats such as malware, where you have actors siphoning off over gigabytes of data, and the constant threats from ransomware and malware are increasingly becoming more sophisticated. So, it’s critical to understand who’s in your network.

“If the system can’t be restored quickly or the risk quickly assessed then it means the longer the bad actors are in your system, the more they learn your systems, siphon information, install multiple backdoors and lodge multiple attacks,” he said.

He said it is seeing significant potential around automation and inclusion of IIoT.

He wants to “set the standard” for secure user access in OT globally.

“My responsibility is leadership for our zero-trust user access platform for OT and critical infrastructure, providing very secure platforms for the cyber-physical world,” said Moore.

Describing a fictional yet plausible scenario, he said a control room operator would start to see systems slow down or lose control access. At this stage, the operator would have to assess whether it was a normal outage or an attack.

As we become more interconnected, our risks increase as exposure increases, and subsequently more controls are needed. “Data is considered a new currency,” he added.

“SigmaFlow is a software platform focused strictly on NERC compliance that our customers use for all the NERC standards,” said Kirkpatrick.


“When you look at the future of critical infrastructure there are two key developments: firstly, the integration of Artificial Intelligence to analyse data and understand data much more quickly, and synthesise that data to present patterns faster; secondly, in the industry today, there is a lot of work on predictive analysis – marrying that with cyber and AI is key integrating security by design.”

Strong partnerships with Xona Systems and IPKeys Power Partners

Jumping on the call are Bill Moore, Founder and CEO of Xona Systems, and Trey Kirkpatrick, VP of NERC Implementation and Consulting at IPKeys Cyber Partners.

“It’s provided the capability for us to look at the way we provide a solution, to make it more flexible and adaptable. We see there is OT only user access and then there’s the IT-OT convergence, which makes it a much more interesting landscape. We’re looking at providing our customers a secure and flexible platform that can address operational requirements across diverse network architectures.”

The singular goal of IPKeys’ SigmaFlow platform is to make it easier for customers to manage their NERC compliance programs.


“We have installations in 30 countries today and would like to get up to 100 across energy, oil & gas, manufacturing, transportation and government market segments – that’s our vision,” he said.

“We help our customers meet all requirements, and ensure all standards are tracked through our software so that they can ensure that audits go well and using our new products like SigmaFlow Beacon to monitor baseline configuration.”

“We’re always looking at systems and making recommendations to our customers on how they can improve their security. Some of the products we’re coming out with the baseline monitoring and patch management are vital for the entire country.”

“These partnerships are invaluable for the development of our solution, and without them, our customers suffer. Bringing in the talent of Burns & McDonnell, you see the benefit and we hope to share that with other customers throughout North America.”

EXECUTIVE BIO

TREY KIRKPATRICK
TITLE: VP, NERC IMPLEMENTATION AND CONSULTING SERVICES
COMPANY: IPKEYS CYBER PARTNERS
INDUSTRY: COMPUTER AND NETWORK SECURITY
LOCATION: MAINE, UNITED STATES

Trey has over 30 years in the energy industry. He has experience with operations, engineering and maintenance with nuclear power, transmission, distribution and renewable generation. Trey is responsible for the NERC Implementations and Consulting services at IPKeys Cyber Partners and the SigmaFlow Compliance Manager software. Trey holds a BS in Engineering from Texas A&M University.

EXECUTIVE BIO

BILL MOORE
TITLE: CEO AND FOUNDER
COMPANY: XONA
INDUSTRY: COMPUTER AND NETWORK SECURITY
LOCATION: MARYLAND, UNITED STATES

Bill Moore is the CEO and Founder, XONA, providers of a unique “zero-trust” user access control and analytics platform especially tailored for Operational Technology (OT).

With over 20 years’ cybersecurity experience, Bill has worked with public and private organisation leaders to provide better visibility and control over their networks and data to reduce enterprise cyber risks.

Moore has recently been working closely with power, oil and gas, and manufacturing customers as well as Industrial Control System (ICS) cybersecurity technology companies to find more efficient ways to reduce operational costs and cyber risks simultaneously.

Electrification, renewable energy and AI data changes

As the utility industry continues to embrace decarbonisation and electrification, Burns & McDonnell will continue to help utilities understand complexities and implement renewable energy solutions.


IMPORTANCE OF NEXT GENERATION TRAINING

One of the biggest challenges facing the utility industry workforce is training and imparting the knowledge, according to Farquharson.

“There is a great opportunity for youngsters coming out of school to apply their talents at these institutions. We have to continue to support them and understand it’s not a ‘start up’ but important for career development and to keep the grid up and running,” he said.


Coupled with the increasing emphasis on wind and solar is the development of smart cities, incorporating greater use of AI and data analytics within the Operational Technology (OT) networks.

“I see that all as a major shift. There is a lot of discussion integrating cybersecurity into the critical infrastructure design process. Security by Design also is going to be a key development.”

“If you look at the whole idea of electrification, it really looks like The Jetsons, but it’s a lot of fun, it’s really exciting.”

Burns & McDonnell recently announced it is supporting Buckeye Partners, L.P. as the EPC contractor for a new 164-MW solar energy project in Hill County, Texas, between Waco and Dallas, part of Buckeye’s energy transition strategy, and bringing additional solar generation capacity to its portfolio.

Kirkpatrick agrees the future is definitely with renewables.

“There’s a big offshore build out on the east coast and utilities have to keep up with that, and growth in microgrids,” he said.

“It means the requirements and regulations are going to continue to change, and it’s important we keep up with that on the software side and serve our customers.”
