Ian Bramson of Black & Veatch discusses the importance of prioritizing core operational continuity in critical infrastructure environments
Black & Veatch has been home to innovative minds for more than a century. The company is at the forefront of critical human infrastructure, delivering full engineering, procurement and construction projects as well as the upfront advisory and ongoing operations services that keep critical infrastructure flowing smoothly. As employee-owners, the team is deeply committed to solving the world’s infrastructure challenges today, tomorrow and always.
“My career has been somewhat eclectic,” begins Ian Bramson, Vice President of Global Industrial Cybersecurity at Black & Veatch. “It’s not your typical cybersecurity or operational technology (OT) career path, having started out at Coca-Cola in Santiago, Chile, with one of the bottling partners. I ran my own company a couple of times and worked for different consulting agencies, at one time in the intelligence community. I ventured into cybersecurity when I was at Booz Allen Hamilton. While my expertise wasn’t necessarily technical, I did have an aptitude for advising senior executives at Fortune 500 companies how to mature and develop their cybersecurity programs, and that’s how I got into the sector.
“I went on to work for Siemens, heading global sales for the cybersecurity solutions team, working with senior executives in the energy market to develop strategic cybersecurity solutions for their OT challenges. My next move was to ABS Group. As you can probably tell, a common thread for me is a love of being at the forefront of new and emerging technology. OT is about protecting not only critical infrastructure, but also prioritizing safety, reliability and availability. It’s been a different path, but combining all those different experiences has been a critical factor for my current role.”
Changing landscape
Today, Bramson leads the commercialization and operations for global industrial cybersecurity across Black & Veatch’s vertical and geographic markets. He heads the OT cybersecurity practice, developing and delivering solutions across critical infrastructure. As a thought leader in the industrial cybersecurity space, he works with the public and private sectors to drive innovation and awareness for industrial cybersecurity.
While Black & Veatch has provided cybersecurity services for more than 15 years from within different functions of the company, Bramson was hired to formally establish a cybersecurity team in February 2024.
“The company made this important move because the industrial space, more than ever, needs to pay more attention to OT security,” he said. “What distinguishes Black & Veatch in this sector is that we are a global expert in critical infrastructure, having designed and built it for more than a century. The company understands the sector’s idiosyncrasies, so we know best how to better secure it.
“In OT cyberspace, things are getting much more connected with the increased use of automation, enhanced digitalization and remote delivery,” he added.
Alongside these enhanced capabilities however, threats have also been evolving. The Colonial Pipeline Company ransomware attack, for example, was a seminal event, afflicting computerized equipment managing the pipeline and halting operations to contain the attack. While it was an IT-originated attack, it had disproportionate OT consequences. It was the largest cyberattack on an oil infrastructure target in U.S. history, serving as not only as a warning bell for the good guys but also a dinner bell for the bad guys, jumpstarting an increase in attacks on critical infrastructure.
“While ransomware attacks are still prevalent, I always warn our customers to be vigilant concerning the next thing, whether that’s supply chain attacks, third-party attacks or malware from third parties infiltrating systems,” Bramson said. “As connectivity increases, the cybersecurity landscape changes, and new technologies often have inherent vulnerabilities. While smart technology brings greater visibility, connection and control, from an adversary’s perspective it’s a question of how that technology can be manipulated. Cybersecurity tools incorporate AI to detect anomalies. Similarly, adversaries are using AI to scan complex networks and establish weak security as well as generate deepfakes.”
Cyber challenges
Cyberattacks on industrial operations are raising the stakes and reshaping how companies are managing risk. Today, critical infrastructure organizations face a new reality: cybersecurity impacts operations’ safety, continuity, liability and national security. With rapidly evolving cyber threats to industrial systems, bolted-on solutions and reactive measures aren’t enough. Embedding cybersecurity into every stage – from planning, design, build and operations through to decommissioning – helps enable long-term success.
It’s crucial to keep operations secure, maximize efficiencies and control costs with comprehensive support throughout the OT asset lifecycle with cyber asset lifecycle management (CALM) services. Building cyber protection in from the start optimizes performance, safeguards investments, boosts stakeholder confidence and drives operational safety. Proactive cybersecurity isn’t just smart; it’s essential for maintaining critical infrastructure’s safety, maximizing efficiencies and staying ahead of potential risks. Resilience is built through collaboration and supporting organizations to be better prepared for the cyber challenges they are facing now and in the future.
“The renewable energy sector, for example,” Bramson continues, “is experiencing an influx of new technology like any other critical infrastructure. It tends to be spread out geographically, which requires remote connectivity from a management perspective and considerable investment. If renewable energy is important to us, it’s also going to be important to the bad guys, thereby posing an inevitable security risk.
“Of course, while there will always be an element of risk associated with insider activity, generally, it’s accidental rather than malicious,” he added. “User awareness has improved dramatically, but there will always be emerging threats to existing knowledge. When you consider critical infrastructure and the engineering mindset of predictability and repeatability, the cyber realm is naturally at odds with that; a disparity that is further compounded by the operational volatility of consistent threat from active adversaries.
“Rather than speculating about the next big threat, I tend to go back to basics and encourage clients to understand their strengths and weaknesses, to be aware of what needs protection and where vulnerabilities lie, as well as to reinforce the importance of training for awareness and prevention,” Bramson elaborates. Cybersecurity is as much a safety issue as any other for this sector. It may not always have been considered so, but it is becoming increasingly apparent.”
Indeed, as a leader in the global engineering, procurement, construction (EPC) and consulting industry, Black & Veatch is revolutionizing industrial cybersecurity by advancing it to the forefront of new construction or major modernization projects. The company’s holistic portfolio of services enables organizations to plan and design cyber protection during the engineering phase, ensuring that it’s strategically built into the new infrastructure.
Business imperative
This unique proposition is based on the premise that built-in cyber protection is significantly more effective than when bolted on later. This approach bridges the gap that organizations in critical infrastructure typically face by making cybersecurity an integral part of the complete EPC process. In this manner, organizations are elevating cybersecurity to its proper role of protecting critical infrastructure.
“With legacy assets and processes,” Bramson continues, “it’s not always straightforward, but the fact of the matter is that the sector is only becoming increasingly more connected, and therefore, will continue to demand greater cyber resilience. When systems in critical infrastructure don’t perform as expected, the outcomes can be catastrophic.”
To Bramson, ‘cybersecurity is intrinsic to operational resilience and should be at the frontline of the sector.’
“It’s a dynamic and exciting sector and one of the reasons why I decided to join Black & Veatch,” he said. “In today’s cybersecurity landscape, our clients have recognized that protecting their operations and their customers’ data and information from cyberattacks is no longer an option – it’s a business imperative and one in which I’m proud to play a part.”