Date: 2022-09-01

Burns & McDonnell is an architectural engineering firm which services all critical infrastructure sectors within the US and internationally.

A record-breaking year of growth in 2021 saw it record $5.7bn in sales, support nearly 17,000 projects and grow by nearly 650 employees, consolidating its strong position among the nation’s leading design and construction firms.

Such comprehensive growth helped the firm secure eighth spot on the 2022 annual survey of Top 500 Design Firms by Engineering News-Record magazine, the firm’s fifth top 10 ranking.

Much of the firm’s work divides between providing utility and critical infrastructure clients with industry frameworks, addressing regulatory concerns and providing risk management.

That means focusing on governance from a corporate perspective, and cybersecurity across their enterprise – particularly concentrating on operational technologies (OT).

“The primary focus is developing solutions around people, technology and process,” said Jerome Farquharson, Senior Managing Director, Governance, Risk, Cybersecurity and Compliance.

It’s telling that one of the first banners you see on the company’s website is ‘100% Employee-Owned’, reflecting its rich history and culture.

Today, as an employee-owned company, every employee is invested in ensuring the success of all projects, believes Farquharson, ensuring commercial continuity in the modern age.

Farquharson describes his role as multi-functional, managing a business line within the transmission and distribution division.

“What sets us apart is we have designed and built many systems, possess strong institutional knowledge, and can blend that with governance, risk management, cybersecurity and regulatory requirements. We can start from day one from that perspective,” added Farquharson.

“We have ‘backbench strength’, with team members who have operated from the utility and cyber sides, which provides us with the breadth and depth especially in Operational Technology networks.”





Tackling the rise in cybersecurity threats

Within cybersecurity and governance, the energy industry is changing and so are the threats. But the industry needs to work faster, especially as power stations can affect lives.

“On average, most utilities do not have enough visibility into their operational network to detect any type of compromise in less than 50 days or under – we have to bring that down much faster,” he said.

“The knowledge and attacks are becoming more sophisticated, so our ability to detect must be much faster. We have to share information and be much more proactive, and create a balanced approach – being able to provide solutions across the board.

“Over the last 10-15 years there has been a lot more maturity around cybersecurity – we’re not there yet, but we’ve come a long way and that’s driven innovation.”

The biggest challenge was the change in how systems communicated, from internal to industrial internet, and that has brought greater risks.

“The integration between IT and OT has become greater, leading to more direct access. From a business and national security perspective, it is important to understand the risks for utilities.”

As we become more interconnected, our risk increases as exposure increases, and subsequently more controls are needed.

“Data is considered a new currency,” he adds. “What we learnt from the last couple of years is the rise in exponential threats such as malware, where you have actors siphoning off over gigabytes of data, and the constant threats from ransomware and malware are increasingly becoming more sophisticated. So, it’s critical to understand who’s in your network.

“When you look at the future of critical infrastructure there are two key developments: firstly, the integration of Artificial Intelligence to analyse data and understand data much more quickly, and synthesise that data to present patterns faster. Secondly, in the industry today, there is a lot of work on predictive analysis – marrying that with cyber and AI is key to integrating security by design.”

Describing a fictional yet plausible scenario, he said a control room operator would start to see systems slow down or lose control access. At this stage, the operator would have to assess whether it was a normal outage or an attack.

“If the system can’t be restored quickly or the risk quickly assessed then it means the longer the bad actors are in your system, the more they learn your systems, siphon information, install multiple backdoors and lodge multiple attacks,” he said.





Strong partnerships with Xona Systems and IPKeys Power Partners

Jumping on the call are Bill Moore, Founder and CEO of Xona Systems, and Trey Kirkpatrick, VP of NERC Implementation and Consulting at IPKeys Cyber Partners.

“My responsibility is leadership for our zero-trust user access platform for OT and critical infrastructure, providing very secure platforms for the cyber-physical world,” said Moore.

He wants to “set the standard” for secure user access in OT globally. “We have installations in 30 countries today and would like to get up to 100 across energy, oil & gas, manufacturing, transportation and government market segments – that’s our vision,” he said.

He said it is seeing significant potential around automation and inclusion of IIoT.

“It’s provided the capability for us to look at the way we provide a solution, to make it more flexible and adaptable. We see there is OT only user access and then there’s the IT-OT convergence, which makes it a much more interesting landscape. We’re looking at providing our customers a secure and flexible platform that can address operational requirements across diverse network architectures.”

The singular goal of IPKeys’ SigmaFlow platform is to make it easier for customers to manage their NERC compliance programs.

“SigmaFlow is a software platform focused strictly on NERC compliance that our customers use for all the NERC standards,” said Kirkpatrick.

“We help our customers meet all requirements, and ensure all standards are tracked through our software so that they can ensure that audits go well and using our new products like SigmaFlow Beacon to monitor baseline configuration.”

“We’re always looking at our systems and making recommendations to customers on how they can improve their security. Some of the products we’re coming out with – the baseline monitoring and patch management – are vital for the entire country.”

“These partnerships are invaluable for the development of our solution, and without them, our customers suffer. Bringing in the talent of Burns & McDonnell, you see the benefit and we hope to share that with other customers throughout North America.”





Electrification, renewable energy and AI data changes

As the utility industry continues to embrace decarbonisation and electrification, Burns & McDonnell will continue to help utilities understand complexities and implement renewable energy solutions.

“If you look at the whole idea of electrification, it really looks like The Jetsons, but it’s a lot of fun, it’s really exciting.”

Coupled with the increasing emphasis on wind and solar is the development of smart cities, incorporating greater use of AI and data analytics within the Operational Technology (OT) networks.

“I see that all as a major shift. There is a lot of discussion integrating cybersecurity into the critical infrastructure design process. Security by Design also is going to be a key development.”

Burns & McDonnell recently announced it is supporting Buckeye Partners, L.P. as the EPC contractor for a new 164-MW solar energy project in Hill County, Texas, between Waco and Dallas, part of Buckeye’s energy transition strategy, and bringing additional solar generation capacity to its portfolio.

Kirkpatrick agrees the future is definitely with renewables.

“There’s a big offshore build out on the east coast and utilities have to keep up with that, and growth in microgrids,” he said.

“It means the requirements and regulations are going to continue to change, and it’s important we keep up with that on the software side and serve our customers.”