industrial ips – Waterfall Security Solutions

Demystifying Cyber Jobs – In the Energy Sector | Episode 112

Waterfall team — Thu, 19 Oct 2023 14:39:09 +0000

OT Insights CenterDemystifying Cyber Jobs – In the Energy Sector | Episode 112

Demystifying Cyber Jobs – In the Energy Sector | Episode 112

In this episode, Amanda Theel and Eddy Mullins of Argonne National Laboratory walk us through the thought-process that goes into the selection of hiring candidates for Cybersecurity jobs. Their main focus is for the Energy Sector, but most of the information carries over into most other industries.

Available on

https://api.spreaker.com/v2/episodes/56774929/download.mp3

About Amanda Theel and Eddy Mullins at Argonne National Labratory

Eddy Mullins is the Workforce Development Project Coordinator and Amanda Theel is the Group Leader for Workforce Development at Argonne National Labratory where she leads the cybersecurity workforce development effort for the Department of Energy (DOE) Office of Cybersecurity, Energy Security and Emergency Response (CESER) where she leads the CyberForce® Program that oversees several collegiate cybersecurity efforts. Additionally, she provides expertise to DOE, the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) as a lead analyst on cybersecurity methodology and cyber guidance.

“…you’re bringing so much value to, not just the company, but honestly at the end of the day, to the United States.”

Transcript of this podcast episode #112: Demystifying Cyber Jobs in the Energy Sector

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome. Everyone to the industrial security podcast. My name is Nate Nelson I’m here with Andrew Ginter the vice president of industrial security at waterfall security solutions who’s going to introduce the subject and guest of our show today Andrew has gone.

Andrew Ginter
I’m very well. Thank you Nate we have 2 guests today Amanda Thiel is the workforce development group lead at Argonne National Laboratory and Eddy Mullins is the project coordinator at Argonne National Laboratory and they’re going to be talking about jobs the the official title here is demystifying cyber jobs you know they’re focused on the energy sector but you know it seems to me that a lot of what they say applies to all industries. you know, especially you know since we’re talking about jobs and recruiting um and you know. People complain the the employers complain that nobody’s applying to ot cyber security job postings and the um you know the the people looking for jobs are complaining. There are no postings they can’t find them so in a sense. Both of these are the same problem and this is what Amanda and Eddy are going to be talking to us about.

Nathaniel Nelson
All right? then without further ado here is your interview with Amanda and Eddy

Andrew Ginter
Hello Amanda hello Eddy thank you for joining us before we get started. Could you maybe you know give our listeners a ah few words about yourselves and about the good work that you’re doing on the the cyber force project at Argonne National labs

Amanda / Eddy
Sure I’m Amanda feel I’m the workforce development group lead at argon national laboratory and I lead the cyber force program out of the office department of energy’s office of cyber security energy security and emergency response. And I’m Eddy Mullens I am the project coordinator at Argon national laboratory and um I work closely with Amanda. I assist in managing the Cyberforce program and the cyberforce program is the collegiate workforce development effort out of the department of energy that looks. At providing students that operational technology component of understanding how to get themselves into that energy sector job right? after they get out of college.

Andrew Ginter
Okay, so thanks for that. So you know in my understanding Cyber force is training you know, young folk to enter the the cyber security roles in the energy sector. and. You know you I heard you folks speak at at the energy set conference recently. you’ve been running into challenges getting your graduates placed. Can you can you talk about? Ah, you know some of these some of these challenges. What’s what are you running into here.

Amanda / Eddy
Sure so the cyber force program um hosts um a handful of competitions and exercises for collegiate students to kind of better prepare themselves with cyber security skills. And operational technology knowledge. But what we’ve come to really understand is that the terminology that a lot of these students learn at school in their colleges universities even in their quick programs that they take their boot camps. Don’t necessarily translate into the jobs that they’re looking at online and what I mean by that is the terminology that we would necessarily think in a traditional cybersecurity or cyber engineer that they’re looking for in a job. Doesn’t necessarily translate directly in a 1 to one when we get into the energy sector they use slightly different terminology and so these brand new people. Are you know students or folks that are looking to go into the um job market. They’re not fully under. Standing that. Um there’s a different vocabulary that’s out there and so trying to get them to really understand that they have to be look fully into a job description as well as understanding that. Um.

Amanda / Eddy
Their job role is not going to just be cyber when they get into an energy sector job. Yeah, and also one of the other things that we that we noticed you know is we looked at generation and and the way that the modern generation that’s getting into the workforce now the way they look At. The workforce is completely different than what if like a Gen X or a baby Boomer You know like the millennials of the Gen Z’s when they’re reading these job descriptions. There’s a lot more than just the totality of what it is that they’re going to be doing that they’re looking for is. You know they’re focusing so much on what is the general experience of and how does this job and the experience that it’s describing to me how does it fit into my life. You know like our our parents when they were in in the workforce. It was How do we fit to to the workforce Now. It’s kind of like how does the workforce fit for us So You know we’re seeing that. Some of these descriptions and the way that they’re written in the energy sector has been. They’ve been utilized for you know, quite some time. and they’re a little bit outdated to some of the modern tactics and the modern ideals that you know, ah. Current generation student would be looking for and and appealing to apply.

Andrew it seems to me that what you guys are talking about here. It’s ah it’s a common refrain maybe within industrial security but also in just about any line of work. You know. You go to school for all these years you learn Calculus and then you go out into the real world and you don’t know how to do your taxes. Is there anything unique about how we’re applying this to industrial security this problem.

Andrew Ginter
I don’t think so I mean I think it’s ah it’s ah it’s a widespread problem. The specific data points that Amanda and Eddy have are are in the energy sector That’s that’s what they do. But yeah I I see a lot of similarities across industries you know and it’s it’s not just across industries. It’s across. You know time I mean I’m coming up on the end of my career now but I remember you know before I started when I graduated high school I was going to do a sciences degree at the University Of Calgary I show up at the university and I know that to do a sciences degree. You’ve got to take first-year calculus and I had taken. High school calculus and the university had a program saying look if you’ve taken high school calculus you can do a challenge exam if you ace the challenge exam. You don’t have to do the first semester of University Calculus so you know I’m ah full of myself I I say you know I got an I got an a in high school calculus I should be able to do this. Show up for the challenge exam and you know they put the exam paper down in front of me and I don’t understand even 1 question your name goes here I understood that part the rest of it. No idea you know 5 minutes later studying these questions I get up I I hand the paper and I leave. I show up for ah for the the calculus course you know 2 lectures in I figure out that they’re teaching exactly the same thing that I learned in high school only they’re using a different notation and so I looked at these questions and didn’t understand one of them. So yeah, terminology Notation. You know this is stuff that you know what there’s there’s there’s gaps. You know. In this industry. There’s gaps in other industries. There’s gaps over time. This is I think this is a very common problem.

Okay, so you know that sounds like a couple of different problems. Can we can we hit terminology First can you give us some examples What what? you know? what are the what are the gaps that that students are seeing versus you know the the industry is is using.

Amanda / Eddy
Sure So in a lot of positions. We’ll say in the energy sector they tend to look a lot as in a generic post on either an operational security analyst or operational security. Um. Engineer and when they look at those things they tend to think of it as operational meaning less on the cyber side or it’s written more in a sense of um. It sounds like a help desk role rather than them actually working on the cyber side. and it tends to be well use word less flashy for them. So when we think through Cyber they’re looking for. Firewalls and they’re looking for the fact that they’re going to be building a secure backend um and part of that problem is and again it’s the knowledge that some of these students lack in just the general critical infrastructure field is that? um. Energy Sector specifically has been around for obviously so long that our our infrastructure has been there and it’s not changing So a lot of what we need. Security wise is understanding both and a physical type as well as the it that goes with it.

Amanda / Eddy
But it’s not just Cyber. It’s having a multi hatwearing person that understands both an I T infrastructure but also an operational infrastructure which is keeping the grid up and running but we can’t just. Keep the grid up and running by updating and putting updates in place or a firewall. and so they’re looking for those things of I’m going to be managing patching keeping the lights on for things and it’s not as clear as day. for these students and so when they don’t see that in a job posting or even a job title. It tends to be less clear for them if that’s actually what they’re going to be doing or not but when we talk to these organizations. That’s. Ultimately what they’d be doing on some portions of their job and other portions. We’d need them to really kind of help understand what’s the next thing look like for this company. What’s the next generation of energy look like in securing it and. Part of that is still trying to figure out what are we calling things. What are we doing and working through some of that.

Andrew Ginter
Okay, that makes sense. you also mentioned sort of generational challenges. It’s 1 thing to to look at a job posting and say yes, this is the kind of thing I’ve been trained for. but it’s it’s another thing to look at it and say this is what I’ve been trained for and yes, this is what I want to do um it it sounded like you were saying that sort of a lot of the postings that you see out. There are sort of recycling language from ten years ago and really are not appealing to the the young people that. You know the the posting is targeting. Can you talk about about that what you know what? what needs to be in these postings and you know is it just the postings or does. The nature of the job have to change somehow in order to to attract this generation of of workers.

Amanda / Eddy
Yeah I think it’s it’s it’s a little bit of both both not just the the language within the posting and you know also what is the experience that come with it I mean we all know like after 2020, you know and in the modern generation. 1 of the biggest things that you know they look for is flexibility. You know if you look at the baby boomers the gen x like telecommuting never existed. It. It wasn’t an expected um expectation of work where now it’s it’s almost a demanded expectation of work and and and it doesn’t have to do with just telecommuting. Or hybrid work is just the flexibility of hours of scheduling. You know we all we all grew up with the standard 9 to 5 that’s almost kind of going into the older generation where it doesn’t exist now you know the modern generation is looking to be flexible on how it is that. They can work what hours do they work best at and those are some of the things that are simply to add to to a job description that can already emphasize what the job experience would be like you know when they look at. As soon as they start seeing that 9 to 5 yeah like Amanda mentioned earlier it just it doesn’t sound sexy. It’s not appealing and when you talk about the energy sector. Automatically when you think of energy. You think the line workers the boots on ground were.

Amanda / Eddy
The sector in itself already doesn’t have those appealing factors that would be working for a Google and Amazon those big tech companies. So that’s how you you modernize the the positions and the descriptions to provide a little bit of emphasis on the the benefits of of life. We all know that. Working for the energy sector has its own benefits and sometimes the energy sector kind of fails to emphasize those benefits of the the consistency of work those kind of things so it’s a little bit of both when it comes to just the terminology as well as the flexibility of of what they’re looking for.

Amanda
And what we want to see is we’re not emphasizing that job posting should be unrealistic either. at the end of the day like we understand that there’s always going to be jobs that just there’s not much you can change in a job posting to make it sound any better. But when we start looking at the generational differences between each generation and how potentially 1 looks similar to another but then what are their differences you start to kind of notice just in the workforce alone. What does each generation really value and at the end of the day we look at job postings and they tend to be written a lot for the baby boomers those that they really they were wanting a job and it really didn’t I don’t want to say didn’t matter what the job was but they were very.

Amanda / Eddy
They wanted to get in the door. They preferred structured organization at the end of the day and so you see a lot of positions written that way when you look at the gen x they started to be more flexible and wanting to really be able to see the ability to change. as an opportunity grew and so being able to be able to see that ability to grow within an organization started to occur. But then you get to the millennials and again as Eddy pointed out when they started to join the workforce covid hit shortly in the mix of it. And work from home started but equally millennials tend to be very money driven. So at the end of the day when you do a job posting for them. They’re very wanting much wanting to know what is the dollar range that they’re going to be hired within. I’m again, not stating that that’s a good or a bad thing but they kind of have an expectation upfront of understanding where their lifestyle is um within their kind of domain and then you see gen z which is kind of on almost a polar opposite spectrum again not saying that they’re not interested in the dollar value. But they’re really more interested in understanding like how do they bring value to your company but also bring value to their life. They want to make a difference. and that’s a really hard way that you need to think how can I write our job description to show someone.

Amanda / Eddy
The value that they bring to a bigger picture at the end of the day and honestly the energy sector has probably 1 of the biggest areas that you could bring to the gen z of saying like you’re bringing so much value to not just this company but honestly to the end of the day to the United States when you come here and work with us and to Edie’s point like venership brings stability when we think right? just this last year you know we’ve had a lot of those big tech companies having quite a bit of layoffs and so when you think through energy sector companies the like you know you have more stability there. Ah, may not be as flashy of a salary but you have stability and you have something that brings value back to you of I’m actually bringing power electricity something back to either my own house or to people that I know.

Nathaniel Nelson
Yeah, so I am ah millennial technically. But I’m only a few years off of gen z and so I do feel the urge to defend them a bit here. Um I don’t think that what Amanda meant is that ah gen z is you know money hungry or whatever it. Gens z does put ah a focus on the salary numbers because I think that there’s more of an idea of worker empowerment. You know that you don’t just go and work for a company and take whatever they give you but you. You vet them to make sure that they’re going to give you the experience and the compensation that you deserve upfront.

Andrew Ginter
That’s right I mean you know I have a daughter who’s who’s a millennial and you know I might use the word practical um to me, you know it’s it’s not just saying I want to know how much money I’m going to get it’s it’s a bigger picture of and what does that mean for my life. Where am I going to live do I have to drive into work. You know what? how does? How is it affect you know, sort of the the big picture and to me it’s you know it’s more than than the generation with each generation to me. You’ve also got to look at well bluntly how old is the generation and. And what are they up to in a current posting I mean you know to me it’s I see the mistake here. The mistake is old guys like me put a job posting together that would appeal to me when I was fresh out of school. Yeah well a I’m the wrong generation b I’m not fresh out of school b. You know see ah a lot of these folk aren’t fresh out of school either I remember you know when I was a young man I bounced from job to job. The grass was always greener. and then I had my first child and the wife looks at me and says you’re done moving around and I’m going that’s for sure and i. Got me a job I settled down and I stayed there for 15 years Why because I had other fish to fry. Okay I had I had other priorities in life I had other ways to spend my energy if I had spare energy. It went into the kids it went into the the home it went into the family. Not you know, finding the the grasses being our next job so you know.

Andrew Ginter
There’s a lot of variables here. It’s not just the generation but you know where is that each generation at at their point in life in this kind of age group that that you’re trying to appeal to.

Nathaniel Nelson
Right? And of course the conditions that in in which people are looking for jobs now are quite different. You know I can imagine someone in say your position Andrew who’s been at the same company for 15 years or or longer than that and then they post a job for. Maybe the kind of entry level job that they started off with and they have a salary number associated with it that sounds quite good to them. But of course ah houses cost a lot more relative to average salaries these days than they did before and so what might seem like a lot to. Somebody of an older generation now to a younger generation. You know doesn’t quite go as far.

Andrew Ginter
Indeed so lot of variables to take into account.
Um, so that makes sense but you know I want to I want to push back on sort of I heard you use the word remote work saying that you know there’s ah, a generation of of young folks out there that entered the the workforce you know during or shortly before the pandemic that have become accustomed to remote work. Everyone’s expecting remote work. You know I have to push back on that if you are a pipe fitter in a you know a power plant and it’s your job to you know fix stuff that’s broken and you carry a toolkit around all day. This is not something you can do remotely. You know. Is it really true that there’s a whole generation of people out there expecting to do remote work and you know to me that just doesn’t seem possible. Can can you talk about that a bit more.

Amanda / Eddy
Sure So You know you’re right? That’s it’s definitely I think more what I think idie and I were mentioning was more definitely towards the tech field and I think it’s a benefit of tech to be able to be remote. most jobs require you to have your computer and internet line and you know you should be able off to the races most of us figured that one out again unfortunately during a time in which we didn’t really have many options. but to be at home. other unless your job was to be in the office which again not stating that some of these energy companies did require someone to still be in the um office. But the a lot of Ah. We’ll say entry level are folks looking to come into. Um the Job Market. They grew up in what was a remote environment whether that was school whether that was a remote job and so they see ah. Flexibility into them almost a negotiation factor of that ability to be able to work from home and so seeing the tech industry is one of those of the few and again I think everyone looks at that. Ah, it could be a systemic problem moving forward.

Amanda / Eddy
And it could be a benefit dependent on where your organization is um that that is definitely something that we’ve noticed that um the younger generations look for and find as a means of want is their ability to work. From I won’t even say work from home but work from wherever they’re at some of them. It’s they want to be on vacation three hundred and sixty five days a year but work from wherever that places and some of them is they just really enjoy working from home rather than being in an office so they can work in. You know. Be at home and at ah Alaska but work for you know a company on the East Coast whatever makes most sense for them in a comfort environment. But I I agree with you that no not every industry and not every person you know, understands that that’s something that you know is available to them.

Eddy
I mean it’s kind of one of the appeals to come into the tech industry when you think you know the tech industry and you look at California and states you know those those big states. Automatically you you assume 2 things 1 flexibility and 2 you assume high salary and the flexibility especially with tele remotest. Will allow some companies to be able to gain talent outside the scope of their their availability. You know if you look at rural Arkansas and you need a cyber operator in a rural area if if you don’t have that flexibility you limit yourself on.

Amanda / Eddy
How far can somebody be from the office. Are you gonna is somebody gonna be willing to drive 2 hours to go into the office or if you allow the teleremote the hybrid option you can get talent within outside the scope of driving distance which allows you to to operate slightly more efficiently. so that’s this this one. That’s what I was referring to when it comes to the flexibility in in the tech industry. That’s kind of one of the benefits to it.

Nathaniel Nelson
On the subject of remote work I have some notion that there are jobs within an industrial setting that that can be done remotely. You know that is ah maybe a work at a sock or someone who’s. monitoring the plant through some internet connection which is a subject. We’ve talked about before but don’t you need most people to be on premises like what percentage of people are we talking about here with regards to who can be remote.

Andrew Ginter
Um, ah, the short answer is it depends there. There isn’t an an easy number that springs to mind. you know some of the the dimensions of the problem. one is is criticality. if we’re talking about. Ah, you know managing small wind farms or small solar farms. A lot of that’s done remotely. Ah why? Well because the worst case if you get something if you if you get something horribly wrong. What’s the worst that can happen. The the turbine turns off the power stops coming out of you know 3 of your windmills does that affect the grid. Not really is even affect your bottom line. Well it depends how big a utility you are if you only have three windmills. It’s a big deal if you have you know 700 nobody notices. So on the other hand. You know if you’ve got a a large power plant that is you know feeding ah hospitals. It’s feeding the military installations. It’s ah you know it’s a really important asset. You’ve got I don’t know a hydroelecttic dam driving it or you’ve got coal-fired power plant. You know, massive. Boilers and furnaces. There’s more of a push in the the sort of the network engineering world to ah make that not so accessible remotely because all remote access is is potentially ah a threat. Um.

Andrew Ginter
It has to do with the role as well as you pointed Out. There’s a lot of you know if if what you’re doing is is looking at stuff and drawing conclusions about it and sending sort of abstract information back into into decision makers like your your example was a good one. The outsourced security Operations Center These people. Generally don’t have. They’re not trained as incident responders. Okay, they don’t log into the system and start poking around on it. They’re not trained to touch the systems but they are trained to look at the alerts and you know look at circumstances and decide whether something merits. Ah, deeper investigation and then so it over the fence with a lot of information to the incident response Team. So The incident response team might have to fly out to site but you know or might be hosted at the site. but not necessarily the people doing the analysis. So yeah.

It’s a long fancy way of saying it depends.

Okay, so so you know that that all makes sense imagine though that we had a magic wand and we waved the magic wand and all of a sudden. The the job postings people were putting out were you know speaking to the aspects of the job that appeal the most to the you know the current generation of of entry level workers. and you know magically you know use the terminology that that resonated. You know with the entry level worker saying yes this is what I was trained on. This is what I’m I’m able to do if we fix those problems are we done.

Amanda / Eddy
No, unfortunately I don’t think so just yet what we’ve also tended to find and again I’m not nitpicking on the energy sector because I know that this is done in a lot of places but we found that there’s. a use of I’ll use the word conglomerate job postings. So what I mean by that is if I’m looking for a software engineer the job posting will be posted as a software engineer 1 2 3 or senior and while that seems. Very open to anyone to apply? it. The position itself is written for the senior level. So when you read through a job description like that. It comes very um. Unwelcoming to an entry level person looking to apply it doesn’t provide a very clear understanding of are you looking for multiple software engineers. Are you looking for 1 am I as an entry level person who’s applying going to be compared against potentially someone who is a senior level am I going to even have the ability to apply and when you look at the job descriptions. A lot of the preferred experience.

Amanda / Eddy
Is pretty hefty upfront because again, it’s written for a senior level and in talking to a lot of organizations. We’ve found that they do these in essence because it’s a budget and instead of writing out several positions. They pick whatever their max budget may be and the job postings are written to whatever their highest level person they can hire and then they have the discretion to hire people below that so it’s. It’s slightly concerning because if I see a software engineer senior and I’m an entry level person coming right out of college. My first thought is not to think I’m going to try to sell myself as a senior software engineer and if I don’t have contacts at that organization to even begin to ask the questions. Can I even apply for this is it more than 1 position. Do you think that there’s openings for others. It leaves it to be very unopen and unwelcoming even though at the beginning it looks like there’s these 4 potential areas that could. Phil for me. The other thing that we’ve noticed is that in these conglomerate positions sometimes just the lack of ensuring that it’s very clear and not just like grammatically looking that when we copy paste and change experience levels suggestions that we’re being.

Amanda / Eddy
Very mindful that those changes are occurring and just similarly looking at like a software engineer one some of the job postings we found were like they which to me would scream a very close to entry level person people were asking for like. 18 years of work or eighteen months of work experience which is you know a year and a half otherwise they’d take an internship experience but equally so then we need to make sure we’re providing those opportunities out to people in and the meantime.

Eddy
Yeah, and and one of the difficult thing is that you know we we understand a budget at limitations but you know a lot of these companies when they’re looking for secession planning when you write a position and you have multiple levels then competitively. You would think that. The company would take the person with the highest level of experience which is the least amount of training necessary for the person to be able to come in do the job like we always like to say you know, plug and play. But every time you look at the senior level you have individuals with 18-15 years plus of experience where. In the closer years the baby boomer generation the closer years to retirement and what occurs is that when you have these positions like that and all you continuously gain is high senior level members to your company which is good at that time you negate to have the secession planning.

Amanda / Eddy
Because you’re you’re missing out on those entry level positions that are lacking the training to get to senior level. So once you start having the large numbers of retirements and people start to leave. You have no one in the bottom to fill that position in the training. So what occurs is that as your seniors start to leave then you’re starting to. Alter the positions to bring in entry level where now you lack the senior experience to to produce that training to eventually repeat the cycle. So we noticed a lot that a lot of these these students. Because they automatically like a man that was mentioned they automatically presume they’re going to be competing against a senior coming off of college even at a high level of education a masters or a ph d as soon as they say experience required a lot of students look back and say is my education. My projects in school any competition. So is that experience or is experience mean days on the job and a lot of the times they have ah some experience but they sell themselves short knowing that I would possibly be competing with somebody who has 1015 years plus and companies lose a lot of modern innovative talent because of the way these conglomerate positions are being written.

Andrew Ginter
All right? So so you know thinking about this, let me ask you a hard question. we’re talking about people coming out of school or out of university into entry level positions but a lot of the. People I mean I I go to conferences I talk to people a lot of the people that I talk to a lot of people that I see in the ot security space. They they did not come out of school into ot security. They came out of school with you know, an engineering degree or you know some sort of technician certification. They worked 5 years and then looked around and said you know let me take the next step. Let me you know, get some skills in in a new field in addition to what I’ve been doing for the last five years or they come out of it. You know they go to school for it or even it cybersecurity. Ah, they get a few years experience maybe at a help desk maybe in ah you know a sock a security operations center and then they start you know, stepping out of their their sweet spot getting some some extra training getting some extra experience and moving into the ot security space. Um. You know none of these are entry level people. They’ve they’ve all started somewhere else. They have 5 years experience under the belt of some kind and now they’re moving into the ot space is there really such a thing as an entry level ot job.

Amanda / Eddy
That’s a really good question. so I it is one that’s like a definite one. That’s super hard to just jump right into and you definitely need the the mixture of talent I think what. At least it from my point of view and I I would presume Eddy’s as well is what we’re we’re looking to push back I think a bit on is wouldn’t it be great that instead of having and and again I’m not pushing back on just energy sector I think this happens quite a bit is. Organizations look to have someone else pay to build. Someone’s skill set up and then say I’d love for you to come work for us but instead of harvesting that talent as young, fresh green talent and saying. We’re going to build you and we want you to stay with us that provides a lot of people so much more hope that you have actual interest in having them grow and so whether or not I walking in the doors fresh out of college. No. 100 % anything about operational technology if you buddy me up with the right person in your organization whether that’s an informal or formal apprenticeship. Whether that’s an informal formal buddy system internship at the end of the day.

Amanda / Eddy
I’m going to be more loyal to that company because they see value in me of putting forth that time and effort to grow me for their organization and seeing the point of moving me through how they want things to be done by the time five years comes around again. Think people have happened to do it all the time they. Transfer organizations they move whatnot. But you’re starting to already start to see what you’re fixed in somewhat of your ways of how you see things done things and other ways and so we would love to shift the paradigm away from just saying well operational technology is you know. Bob who’s been doing it for 30 something years sooner or later Bob’s going to want to retire and who are we going to look for his protege and at what point in time. Do we start saying instead of looking for the person that’s been there for the last. 15 years that kind of knows what bob does when bob goes on vacation every once in a while. Why don’t we start looking at the younger talent that is interested in helping and start getting them involved. They’re interested and wanting to know equally they have a passion to understand how do these things break. and so instead of just saying we don’t have entry level if that answer is fully true which I agree with you to some you know, aspect on that operational technology side. You know that’s not something that we should be comfortable with actually going out and being able to say is that.

Amanda / Eddy
There’s no such thing as entry level because even 5 years of experience in an engineering program or I t and moving over and cross training to them move into ot technically you’re still a novice You’re not. You know you don’t know it all yet. But we just don’t want to call it entry because. 1 wants to take 5 years of experience and say now you’re an entry level again. so that’s my my push is you know hopefully that at some point you know we work to really start bringing in some of the younger talent and giving them that opportunity of using some of their. Very large brain capacities that they have to think outside of the box of how can we really secure some of our energy sector needs.

Eddy
Yeah, you know we’ve all heard the saying. It’s not always greener on the other side and like just like you were saying like. When you have somebody who has 5 years in a previous organization. They have a reference point and a standard of what it is that they want to do and how they want to be treated when they’re doing it. So. When you go from it. You have your 5 years of experience. You’re technically still kind of new now into the ot space and you realize this is not for me or I really like this but I don’t like the way this company does it. That’s when you start having large turnover rates and you start having a lot of.

Amanda / Eddy
People who come in do a year and then they want to pursue a higher salary so you spent 1 year training a person you made them a very good ot operator. Thank you very much now they went to another company to pursue another higher salary another experience when you. You take somebody who’s brand new and the only experiences they have is a college dorm and they’re willing to learn because they just spent four years five years learning they don’t have a reference of what another job should be. They don’t have a reference of how this job should be all they know is what you teach them and all they know is that I’m here to learn it. So. You’ll get more time and more effort and experience from this individual who’s really brand new green off of you know the academia side of the house who’s to gonna take the time to learn something than somebody who already can learn it quicker but ultimately say this is not for me I’m gonna go this different path. So. that’s why we’re kind of pushing to for companies to take the chance what we’ll call is take the chance and understand that it can be learned. It can be taught. It’s about taking the time to put them with the right mentorship and taking the. Effort to really get them to be what the company needs.

Andrew Ginter
Cool. Well you know this has been good I’ve I’ve learned stuff. you know before we let you go and well let me thank you first. Thank you both for for joining us before I let you go you know can you can you sum up for us what what should we take away from from these these questions and you know what. What are what are next steps if if we if we want to use the knowledge.

Amanda / Eddy
Sure so I hope that again we were obviously speaking to energy sector that’s who we work with the most um is that you know we really want to be able to bring together those open job positions that we know energy sector has and the. Amazing talent that we also bring from the cyber force program and the collegiate space and even those that have graduated from the program that are still seeking. You know new employment and be able to honestly marry the 2 bringing that talent to the energy sector and be prepared but how do we do that so that. Both sides are happy at the end of the day that both understand and are open to the ideas of what you know each are looking for and understanding really the expectations going forth. You know in future. You know people and work and things that we’re doing and then also really to just understand just from. Generationally and this is not just energy sector specific but all that you know we really need to stop and take a look at how are we? you know when we’re trying to recruit and you know write our positions for the next talent that we’re looking for. We really need to think through like what are the generations that we’re looking for interest. And each you know senior level position could be a very different group than someone when you’re looking for an entry level and we should be working to kind of ensure we’re being inclusive and and writing our positions so it makes.

Amanda / Eddy
The most appropriate sense to who we’re we’re writing it for so other than that I you know we’d love for people to we have the cyber force competition. That’s our main program out of the cyber force. that comes up here in November we would love for people to be able to participate. that’s our red blue exercise with collegiic students if those are interested. They can reach out on our website and that’s cyber force that energy dot gov and we’d love to hear and see people there as soon as possible.

Nathaniel Nelson
Andrew that was your interview with Amanda and Eddy do you have any final thoughts to take us out today.

Andrew Ginter
Yeah I mean the the big thing I got out of the interview was you know concrete ideas for for making job postings appealing to the generation that you’re recruiting, you know for the stage of life that that generation is in and this is something. You know it sounds to me like we have to you know consult with our hr people. These are people who study people not you know recycle a job posting that you know attracted us the old folk to the industry when we were that age many many decades ago. Um. More generally you know what I got was sort of a strong sense of of how important it is to hire young people succession planning you know the energy industry has to think long-term a lot of industries have to think long-term and I’m diverging a bit but you know succession planning can be tricky. That’s something that. Sort of deserves a whole episode if if we can find a guest but let me give you sort of ah just a taste I remember reading a report this was some years ago. it was a a manufacturing company. They brought in a couple of young engineers to replace. You know a technician who’d been with the company for forty odd years and was was approaching retirement and these engineers just couldn’t seem to keep up with the technician they they were together they were they were less productive than the technician was singly.

So they they they brought in ah, an an expert in operations analyst followed these people around for a couple of weeks came back with a report and said here’s what’s happening every time one of these engineers any time anybody goes to this technician and asks a question this person reaches behind his desk pulls on a clipboard with 79 scraps of paper on it.

Nathaniel Nelson
Yeah

Andrew Ginter
You know some of them yellow with age flips through you know answers the question and goes back to work get that clipboard copy it. These are your standard operating instructions. You can’t afford to have them hanging on a clipboard in 1 person’s office so you know. Making things work. Succession wise is is important. It can be difficult. Um and you know hiring young people fresh out of school can make them more loyal but you know in my opinion look even if if people jump around you know like I said in the first ten years of their of their. Career you know the grass is always greener. they bring you know people coming into an organization bring perspectives from outside the organization. you know if someone’s leaving our business. We might be miffed, but we’re probably hiring someone at that level in from another business. So. You know the energy industry has to think and does think sometimes as an industry not just as individual enterprises and as an industry you know we have to be about hiring and training and growing young people. This is something the industry has to do this is something that every utility. In the industry has to do and and here’s some concrete advice to you know, speed that process especially for the ah the the entry level folk.

Nathaniel Nelson
Okay, well thank you to Amanda and Eddy for elucidating that point for us and Andrew thank you as always for speaking with me this has been the industrial security podcast from waterfall. Thanks to everyone out there listening.

Andrew Ginter
It’s always a pleasure. Thank you Nate.

Nathaniel Nelson
Well thanks to Vlad Gabrie Anghel for speaking with you Andrew and Andrew is always thank you for speaking with me this has been the industrial security podcast from waterfall. Thanks to everyone out there listening.

Managing Risk with Digital Twins – What Do We Do Next? – Episode 144

October 20, 2025

IT & OT Relationship Management

October 20, 2025

Analyzing Recent NIS2 Regulations – OT security is changing

October 5, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Demystifying Cyber Jobs – In the Energy Sector | Episode 112 appeared first on Waterfall Security Solutions.

“We Need Smarter Ways of Building Data Centers” | Episode 111

Waterfall team — Wed, 20 Sep 2023 11:12:53 +0000

OT Insights Center“We Need Smarter Ways of Building Data Centers” | Episode 111

“We Need Smarter Ways of Building Data Centers” | Episode 111

In this episode, Vlad-Gabriel Anghel of Data Center Dynamics Academy walks us through the industrial OT aspects of data centers, a very recent addition to the growing list of critical infrastructures, and digs into industrial / OT security needs and solutions for the space.

Available on

https://api.spreaker.com/v2/episodes/56675115/download.mp3

About Vlad-Gabriel Anghel:

Vlad-Gabriel Anghel is Global Head of Product at DCD>Academy which is helping the entire industry design, build, and operate better data centers across the globe

Vlad Gabriel is a tinkerer at heart and a problem solver by trade, with a deep passion for all things tech, especially computer networks and distributed systems.

“…our needs as a society that is run on digital services are only going to increase. Therefore, we’re going to need more data centers. We need to get smarter at building them, in more efficient and sustainable ways.”

Transcript of this podcast episode #111: We Need Smarter Ways of Building Data Centers

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the industrial security podcast. My name is Nate Nelson I’m here with Andrew Ginter the vice president of industrial security at Waterfall Security Solutions who’s going to discuss the subject and guest of today’s show Andrew how are you?

Andrew Ginter

I’m very well. Thank you Nate our guest today is About Vlad-Gabriel Anghel. He is the global product manager at Data Center Dynamics Academy or DCD Academy for short. It’s a bit of a mouthful you know, but what he’s going to be talking about is industrial cybersecurity at. Data centers and you know data centers are about more than just protecting the information I mean obviously ah, that’s very important, but it’s also all about physical operations and you know electric power and cooling Vlad develops educational programs that are focused on data centers and. Industrial cybersecurity is a very important topic in the data center space.

Andrew Ginter
Hello Vlad and welcome to the show. before we get started. Can you say a few words about your background and about the good work that you’re doing at data center dynamics.

Vlad Gabriel Anghel
Of course, Andrew first of all thanks thanks for having me on v I’m the global product manager at Data Center dynamics is training arm which is known as DCD Academy um I’ve been around the digital infrastructure industry for about a decade now. And I don’t think that will change anytime soon as I essentially have a deep passion for pretty much everything digital infrastructure and especially data centers. Um I’m a thinker by heart and a problem solver by trade. And as well as that during my high school years I was I became a Cisco certified network associate both in routing and switching and in security. So naturally I now. Put my efforts together to ensure that the next generation of data center professionals are equipped with the knowledge required to run these complex technical facilities. So yeah, in a nutshell that’s me.

Andrew Ginter
Thanks for that. you know our topic today is data centers and and we’ve never had anybody on from the world of data centers. can you you know sort of give us the big picture. What What’s a data center look like physically um and you know what are what are you know. What are the operating priorities I mean at a power plant. Everybody’s worried about safety first you know what’s it. What’s it like working in a data center.

Vlad Gabriel Anghel
Right? I mean ah, as I said it’s ah previously I always whenever whenever I get into this this type of discussion I always I always say what is a data center could be It’s the simplest question but has the most complicated answer in short, it’s a technical facility where a business stores. Processes and disseminates his data now this can look on the outside. They essentially kind of look the same they are warehouses you wouldn’t even be able to figure out that there are that’s a computing warehouse or to say. there are multiple types of date centers. We’re not, we’re not going to cover all of them but they vary based on the business that ah that is using them. right now. because of the advent of the cloud and because because of the avent of internet of things. 5 g and now ai one of the main things that and we’re seeing within the industry is the hyperscale segment. So the cloud providers with essential a cloud services provider. Essentially they do not. They’re not able to to keep up. They’re not able to bring bring these facilities bring these facilities around quick enough and when you add that that when you add into the mix that there is a talent shortage in this industry. The problem becomes quite quite big. one of the main things that the data center always needs to ah.

Vlad Gabriel Anghel
Needs to do is what what we internally within within the industry call needs to be available so availability is paramount when a data center goes down or when the I t load that that data center supports go down. There are a number of repercussions first and foremost there can be contractual repercussions. So definitely a financial. It will take a financial hit and as well as that there can be reputational repercussions. let’s take for example, a classic example of a bank. If the Bank’s Data Center goes down. You’re not going to be able to check your account balance or you might miss a payment that you need to do for your mortgage for example and so on and so forth. So a data center going down has a massive massive impact. on both as I said the reputational and the financial financial outcome of of a business.

Andrew Ginter
That is the picture I have of a data center of you know racks of computers inside and and you know a warehouse-looking thing outside but you know this is the industrial security podcast. Can you talk about? you know what’s on the inside. Um,, there’s obviously computers. But there’s also Infrastructure. What’s what’s that infrastructure look like what’s the automation. On the on the infrastructure side look like and and what are the security concerns.

Vlad Gabriel Anghel
Certainly um I mean to begin with every single data center is going to have um to let what we call spaces within within the industry right? every data center is going to be split into the white space and the great space. Great space. The white space. Is essentially what you can see as the I t room is essentially the place where you store your servers your switches your networking gear and everything in between um and the gray space is everything that keeps this that keeps the white space alive sort to say. I always have an analogy when when presenting this to to some students you need to look as ah, the white space as the brain and the gray space as pretty much everything else in terms of lungs stomach heart and everything else that allows the brain to function when it comes to um. When it comes to what’s what’s inside the gray space because as you said we’re talking industrial security within within the Grayspace. You’ve got the power distribution system. Ah you also have the environmental control system or the koing system simply because um and obviously all the other like control systems and softwares. these are usually managed through through skada instance. Um and because we’ve got because as I said as I said previously hyper scalers for example, but not just that like pretty much every sector within this market cannot build them fast enough. you now end up with.

Vlad Gabriel Anghel
Facility managers that previously were tasked with managing one facility are now tasked with managing 5 or more facilities now in order to be able to do this because you can’t be in the same place 5 times. Um the the whole gray space and the whole equipment within the gray space. It’s. Is now connected to the internet now again as there’s this separation between white space and gray space. So is the separations of the professionals working within these spaces. Ah, you’ll always you’ll almost always find I professionals within the white space that are aware of cybersecurity in general and understand what the what the surface. what what what? the risks are when connecting a device to the internet whereas on the operational technology side or on in. Or within within the gray space. that is not the kind that is not common knowledge so you do risk of having pretty much your whole your whole if if not taken care of. You’ve got your whole ah your whole gray space or your the whole infrastructure that keeps the white space alive. Prone to the same type of attack vectors that you can find within the it space. a classic example, we all know it and I’m sure it’s been talked previously in in in previous episodes. The Stuxnet.

Vlad Gabriel Anghel
Ah, Stuxnet incident was exactly was exactly up was a worm that essentially buried into ah Zimon’s plc and then had a knock-on effect on everything else that those those controls were well controlling for lack of a better word. so the same the same. The same thing can can easily happen within a data center and as we mentioned previously. You do not mention the d work or downtime.

Andrew Ginter
That’s right – in a lot of Jurisdictions data centers and you know similar facilities are considered critical information infrastructure and so when there’s reliability issues at these facilities. It’s not just you know. Financial concerns and contractual concerns. A lot of the time. The government is looking over your shoulder breathing down your neck because this is critical infrastructure when when this kind of infrastructure drops. It’s not just a business that suffers. It is society that suffers it is commerce that suffers. It is you know government that suffers.

Nathaniel Nelson
Yeah, although it occurs to me when you say that that in the Microsoft case the attackers were going after information. It seems like what you’re talking about has more to do with reliability. Of these data centers now I have some vague understanding that there are plenty of data centers out there with huge amounts of competing resources where maybe even if one does go down the load can be transferred but to another or to 3 or 4 others. Is that not the case.

Andrew Ginter
I think generally it is and you know this is this is reaching sort of the borders of of my you know my knowledge here but I do understand that in some jurisdictions certainly the United States I think I think europe as well. Um. In some jurisdictions. you’re not allowed to move customer data out of the country or out of the jurisdiction in the case of the the european union and so that would tend to reduce. The the number of data centers that could serve as your backups for those critical functions. now again I don’t know which jurisdictions in the world have these rules I don’t I don’t track this but you know hypothetically if you had a smaller jurisdiction. They only had. 2 or 3 or 4 data centers in. Let’s say the country and one of them fails. You’ve lost 25% of your processing capacity. You don’t have as many options for some of those critical functions because of the law.

Nathaniel Nelson
Yeah, you know it occurs to me. right now I’m gonna start over it actually reminds me of a a conversation that I was having with some folks at ah, a major software company software as a service provider.

Nathaniel Nelson
We’re talking about Black Friday when everybody is on the internet all at once that whole weekend and it’s sort of like just there’s so much less, resource to go around so they have to solve this massive problem of How do we use the same amount of infrastructure to serve this many people and they were talking about especially because you know these senders can become overloaded and can cause one of them to go down what happens in the worst case scenario you don’t want everybody’s shopping websites to go down all at once and just the sheer. Magnitude of the logistical challenge involved was impressive and intimidating so I get the sense that there isn’t a ton of unused infrastructure available even in the cases where you don’t have those regulations in place.

Andrew Ginter
And that’s certainly true. You know when you know in Black Friday you know certain days or times of the of the day or times of the year where yeah, even if you have a lot of data centers around. There may not be that much spare capacity again. Critical. Information infrastructure is sort of the the message here. It has an impact on the business operating the infrastructure but it also has an impact on society so you know this is this is the new reality.

Nathaniel Nelson
I’m just glad that the Cloud is up right now because our podcasting software uses that for backup files. So thanks to everybody out there doing doing vlads work

Andrew Ginter
Yes, indeed.

Andrew Ginter
Okay, so so you know preventing outages reliability is King but you said you know we’re connecting these things to the internet you’ve got remote teams can we talk about the data what data is moving out to the to the it networks what data is moving out to the internet what are people looking at remotely what are people using remotely why? Why do any of this.

Vlad Gabriel Anghel
That’s a great question and well in a nutshell I would say it’s it’s essentially remote management and ensuring that all the all the operator like ensuring that the facility is within normal operating parameters I’ll give an example. Ah, most of most of outages that happen within our industry are usually related to a power failure but that power failure can happen in many ways it can happen because of human error it can happen because a static transfer switch or an automatic transfer switch failed to. To switch from the utility to the backup generators at our own site. It can be loads of things. when and again we’re talking about mechanical and electrical systems mechanical systems will always be prone to failure. most most data centers right now are still being cold using air. that air obviously needs to be ah needs to be funneled through to the actual servers at a particular temperature and on the particular humidity level should the humidity level surpass the normal operating normal operating operating parameters. You can either get a short circuit on on the board or. Many other things small errors that you would not even be able to assign to I don’t know something like like an old operating system failure or anything like that if 1 thing 1 thing you will always find within a data center is an uninterruptable power supply.

Vlad Gabriel Anghel
The power that comes from the grid. Ah for for a data center while good to have it. It’s it’s not reliable enough and it’s not clean enough in order to feed it directly to a server or a switch for example. So all data centers will connect their utility to the uninterruptable power supply the uninterruptable power supply is essentially a big set of batteries that turns the Ac current that comes in from the grid into Dc current that can be. Eaten up directly by ah by the servers and the switches therefore because as I said there is a skill also skills shortage within within the industry. you do not have enough people to place them across all your facilities to ensure real-time monitoring therefore. 1 of the data that passes through um as as as as you as you pointed it out most of it is going to be related to remote management and again depending on the flavor of data center that is going to be different a collocation data center is going to have totally different requirements to a hyperscale data center. In terms of what needs to be managed and what doesn’t need to be managed. So I would say like in a nutshell to sum up ah most of this data is facility operating parameters and as soon as something goes auri.

Vlad Gabriel Anghel
Someone is able to see it and act upon it before the actual load is lost.

Andrew Ginter
So I’m not sure I understand here. you know you you said you’re you’re looking at this stuff. The the goal is uptime. you’re looking at indicators of you know, potential problems especially with the power supply. Into the future how far into the future. Can you see I mean if there’s a lightning strike and and ah a transformer blows Out. We’re talking near Instantaneous. What what kind of visibility? Do you have into that.

Vlad Gabriel Anghel
Right? It’s not necessarily about utmost the utmost visibility on pretty much everything in in the in the example that you’ve described you might have you might have outside of the gray space. For example, you might have. data being pulled into from a weather station if you’re able to see that the storm is going to come and you know that the utility grid you’re connected to is not that reliable your switching mechanism your power switching gear. For example, will. Detect that there has been a loss of load on the utility and then it’s going to switch that over to the onsite backup generator which is usually diesel. Obviously there are other other other fuels and the industry is is exploring that massively right now. But yeah, um. Another example in here would be. You’re you’re interested in those status changes more more like um if you know that you’re running on the generator for the next 7 hours then you can think about do I have enough fuel to run that generator for 7 hours in order to not lose the load what happens if. That generator fails do I have another generator that I can switch switch the load to and so on and so forth when it comes to the cooling side of things. For example, you’re always interested to keep on to keep the operating parameters in terms of humidity temperature and stuff like that. Ah.

Vlad Gabriel Anghel
Within within quite close ranges in in the in the white space. if humidity drops because your humidifier essentially died and you weren’t notified. Ah you you like the the actual facility manager didn’t receive an honor of that hey. In data hole one. The humidifier is no longer firing. Um that overtime can lead essentially to static discharges that might actually fry the motherboard of a server and you don’t know like in a caucas. Ah, environment. For example, that server is owned by another company that essentially relies on you to keep it alive for them to be able to do business so I would say that’s that that’s kind of it. In the sense that you’re interested in those status changes. You’re interested to get as much data fed into as possible. both from the both from the infrastructure side of things. The server side the the whitespace side of things and as well as that everything else that you can, you can get your hands on as I said there are a lot of data centers that. Are directly directly tied into weather stations so that they are aware of pressure changes coming in the next two weeks wind speeds and so on and so forth. There are other data centers. For example, that might have onsite power generation like a wind turbine and they could technically.

Vlad Gabriel Anghel
Make a conscious decision knowing that hey we’re going to have wind speeds of I don’t know thirteen thirty kilometers per hour next week that essentially means that we can disconnect from the utility and run on ah wind power for x amount of time and we’re going to save x amount of um. X amount of dollars at the end of the day.

Andrew Ginter
Okay, so you know this has been interesting. Thank you for that. coming back to to industrial cybersecurity. you know to me sort of the the Cyber Threat. We worry about you know if if everything’s connected. Well then everything’s exposed. The bad guys can. In principle get in and you know turn off power flows you know interrupt the the operation of the of the the Data Center. so let’s let’s swing back to industrial cybersecurity. How how are we preventing that. What’s the yeah, you know you teach people how to do ot security for for data centers. What do you teach them.

Vlad Gabriel Anghel
I mean essentially I’ve always always said this the answer to this is Education Education education um the the contractors that are going to work within the contractors or engineers that are going to work within within the gray space because they do not have this. Um. This it mindset sort to say or this cyber security mindset. They’re not even aware that that that that might be an issue. Ah so therefore it’s it’s classic stuff. Really It’s stuff like have you checked what the remote login for that particular piece of equipment that you just installed is. Have you changed the default remote login or you haven’t it’s still admin and 1 to 3 4 okay, if for example, you bring a new piece. A new generator in and you do not cover that particular attack attack vector what. You can just imagine someone is even like again and and threats can come in from both directions. They can come in from the inside from a disgruntled employee for example or they can come in from the outside. Um. when it comes to when it comes to as I said like my previous previous example, you just got got the new piece new new generator in but no one changed the um no one changed the default default remote access ah credentials someone could possibly go in put it in maintenance mode.

Vlad Gabriel Anghel
Then something happens to the utility this power switching mechanism tries to switch the utility ah tries to switch the energy from the utility from the utility grid to the onsite power generation and the generators in maintenance mode. So it’s not going to accept the load and you just lost the load.

Vlad Gabriel Anghel
There’s ah end again. It’s like ostensibly ah these professionals are the ones working within within the operational operation operational technology side within the data center. They essentially just need to be aware that hey there’s a play thought off surface. Um.

Vlad Gabriel Anghel
Surface areas of attack. just knowing which ones are going to be immediately available to someone can essentially just just just make just make a total total world of difference. Another thing that we we we strongly strongly enforce him in in our series of eo when it comes to when it comes to cybersecurity is if something like this. if if you realize that hey this is this is a this is a surface area of attack that no one has thought thought through. Raise it up with your manager, go go hire ensure that it is put in a standard operating procedure when installing a new generator ensure that to come back to my previous example, the default um remote access credentials are changed and they’re changed to something that fits with. The Cyber security policy for example of or the password policy if you want um of of the business.

Andrew Ginter
So What strikes me here is that this all sounds very familiar. you know patching Passwords remote access Systems. You know don’t be silly. Don’t leave a default password on the remote access system. and. You know in a sense. Maybe it’s not surprising. It sounds a lot like what I see in other you know standards and regulations like NERC CIP. NERC CIP is you know North American Critical Infrastructure protection for the power grid. Ah, it’s all about ensuring reliability not of the data center but of the power grid. so yeah, very familiar focused on Reliability begs the question if this is critical industrial, not critical, industrial critical information infrastructure. are there regulations in the space are the regulations coming in the space and and this is what I asked Vlad next.

Andrew Ginter
And can we can we talk about regulations I mean other industries the tsa just came down with you know, new rules for for petrochemical pipelines Nine weeks after the colonial incident similar rules just came out from the tsa for rail systems. you know, passenger rail systems um there’s you know been regulations for the power grid in North America forever ah there’s nistu now over in Europe you know is any of this affecting data centers are there are there are there cybersecurity regulations for data centers.

Vlad Gabriel Anghel
They definitely are I’ll say I will say that I mean 1 of our cyber our old cyber security track ah came was born of a need in. Ah, for example in in the Us. if you’re part of the state of New York since 2018 if you have a facility that houses any sort of financial information. The engineers working within that facility are required to demonstrate cyber security training and refreshers every six months. That’s just 1 example when it comes to when it comes to regulations in general um regulations have got ah have gotten kind of like how sha buh this have gone have kicked into gears specifically after the covid pandemic um during the pandemic data center technicians were essentially classified as essential workers and that was kind of the very first time when data centers came to the fore in in the public public mind. they were they were the things that essentially allowed us to continue working working in the conditions like from home and working remotely and keeping in touch with people when we couldn’t physically do that therefore after every after thus settled um a lot of people started realizing? Oh my god.

Vlad Gabriel Anghel
These facilities use a lot of power um without everyone actually thinking I also use a lot of digital services So regulations are now regulations are now coming to the fore in the sense that trying to essentially.

Vlad Gabriel Anghel
From the design stage enforce a sustainable and energy efficient design for legacy data centers. They will be required soon within the European Union. For example, they will be required to share and make. Public The the power usage efficiency of a one of the ah several several metrics actually one of which is power usage efficiency which essentially calculates how much power you need to run the facility versus how much power you need to run just the I T load. The closer. You are to 1 of a Pu E the more efficient you are obviously that doesn’t apply to every single type of Data center because if you are to implement liquid cooling in your data center your Pe is going to go up there but you’re still going to use less resources. So There’s this like. The regulation the regulation landscape in a wake I I feel like Regulators are still trying to map their way through um through the industry but when it comes to cybersec Security Cyber Security regulation Beyond everything that’s already out there when it comes I don’t know to like. Payment processing systems Pc idss and so on and so forth for data centers. There’s all that and then there’s another level and the level that will that level will be dictated by the type of data that you house and store as I started.

Vlad Gabriel Anghel
when I when I asked them this question in New York for example they life simple this is gonna be the law going forward. We need people to be aware that cyber security is something that needs to be of paramount importance front and center into every professional’s mind. Regardless if they work in a mission critical capacity or not now. As time went on other states in the us have also essentially just copied this particular law and we’re seeing it. We’re seeing it spread out as well.

Andrew Ginter
So The regulations are are changing. but you know data Centers. You know, unlike many other kinds of of sort of very conservative industrial processes. Data centers are way out on the bleeding edge of. Almost everything. what else is happening in the Data Center space. What what new is coming down the pipe here.

Vlad Gabriel Anghel
That’s that that again of a very good question and if we go back to to my to my to my introduction is it this. What’s happening is the reason that I’m not going to change industries anytime soon. Because right now we as as as I mentioned previously with the advent of Ai. we need to. We need to find more smarter ways of ah smarter ways of building data centers and more efficient and sustainable ways of building data centers. 1 of the main gripes everyone has with the data center facility is the amount of power they use. Um that is not to say that they are. There aren’t data centers out there. For example that are completely independent of the grid or even better using renewable renewable. Ah, renewable power sources created their own microgroup microgrid that feeds back surplus energy into the grid. We right now we’ve got we’ve got people testing the idea of having small nuclear reactors on site to completely. Um. Disconnect from the utility and not not even rely on the utility per se um we were seeing. We’re seeing more innovative ways of um of handling your cooling system for example, oil and gas oil and gas is a massive massive use user of.

Vlad Gabriel Anghel
Supercomputing and when we’re talking about super computerers. We currently the way we the way we approach supercomp computerers is hey we just put a bunch of computers together and ask them to do the same thing now for better or for worse that is a data center. when it comes to um. Highly intensive processing tasks such as the determining determining the depth and the type of material and the design of an oil. Well for example or where on particular oil oil. Lake or oil field is when it comes to when it comes to going deep underground. These are highly highly intensive tasks and because they are highly intensive tasks. They will require graphical processing units because they require graphical processing units the temperatures that you need to work with go. Go through the roof because a gpu is essentially geared to all to work in normal operating conditions of around ° when you get when you have thousands of these. It becomes a problem. Um air can only can only work. Up to I would say um around 20 kilos per rack if that but then if we look at liquid or dielectric fluids. They can handle much more.

Vlad Gabriel Anghel
So what happened what happened with because within dcd we also have within within the center dynamics. We also have an award series where pretty much everyone from from the industry submits submits their latest and greatest designs and one that really caught my eye was a single phase. Immerstion cooling data center which was built in Texas but it was built by ah by an australian company. Essentially what they did. They took your classic rack that hosts. Um your servers and switches put it on the side and effectively created an immersion top. They filled that immersion tub with dielectric fluid in a closed loop system that diaelectric and and then the servers and well because they they only did it for the servers. The servers were dunked horizontally ah, vertically sorry, not horizontally they go horizontally in a normal rack. Servers were tonked vertically. With absolutely nothing on them. So all the the casing was out the fans were out and the processor was in direct contact with the diaelectric fluid being in direct contact with the direct dielectric fluid. It was able to call it at the much with with much greater efficiencies using way. Way less ah energy in order to achieve those efficiencies. So that’s the thing. It’s like we are in a moment of I would say extreme innovation simply because every single data center professional looks ahead and realizes that.

Vlad Gabriel Anghel
This is not going to change anytime soon. Simply like our need of as a society of digital services is only going to increase therefore we’re only going to need more data centers. We just need to get smarter at building them in a more efficient and sustainable way. So I’d say that’s. The the main thing going forward with with data centers. Everyone is looking for a paradigm shift in how to build and operate in the most efficient and sustainable way possible.

Andrew Ginter
So you know earlier in the in the episode Vlad was you know I asked him about safety and reliability and and he you know focused in on reliability right? away as sort of the the big priority here. But when we’re talking about. Nuclear generators on site. You know I have to wonder if if you know safety isn’t going to isn’t going to come back into the equation in a big way in the future. you know I worked in not a data center I mean I worked in a the University Data Center full of supercomputers this was thirty years ago back then ah there were safety concerns in the data center I mean obviously when you have large amounts of power. You’ve just got to be careful with what you touch that you you don’t get fried. That’s a safety concern. but you know in some of these data centers and I don’t know if this is still the case but back in the day. Ah, some of the data centers did not have oxygen atmospheres if you were in there when the fire suppressive atmosphere was pumped into it. You’d you’d asphyxiate you had you know you had to have safety training just to set foot in these wretched places because. You know most of the time they were filled with ah an atmosphere that had no oxygen so no fires could start so you didn’t want to be in there when when the oxygen or when the when the atmosphere changed. so you know again, what? what struck me about about the automation and the the cyber security concerns here you know is that.

Andrew Ginter
They seem very familiar and it sounds like in the future might even become you know, even more familiar as as ah, these designs you know, move more towards a ah space where there are additional safety concerns on top of. The the you know the the top of mind reliability concerns that that all critical infrastructures have.

Andrew Ginter
Well, that’s quite the vision for the future of Data centers. It’s It’s obviously a field that’s evolving very quickly. but you know coming back to Cyber security on on the security issue for data centers. What What are the main takeaways. What? what? What should we? What should we be thinking about. For the the industrial side of the Data center.

Vlad Gabriel Anghel
yeah I mean it’s the way the way that I see it. it’s it’s quite quite simple as it’s part of um as data centers are part of of the mission critical. It’s it’s a mission critical industry downtime can downtime needs to be avoided at all costs. so I would say first and foremost is the old adage that we like in this industry is Education Education Education make your professionals make your engineers aware of the fact that this is is even a possibility most of them are not going to be aware. You will protect your id it equipment or your yspace you will protect it from cybersecurity point of view in as as best as you can simply because you’re going to have the people that are able to understand this landscape whereas in the gray space you the the professionals working in there have a totally different background. And therefore are not even aware of that this this this is a possibility so I would say yeah just Education Education education always always ensure that they know this is a possibility they understand the repercussions of this and as well as that. Know what to report if something goes already if something looks odd, they know how to report it up and as I said previously ensure that if an event happens or if something if a particular if a particular cyber security incident has taken place.

Vlad Gabriel Anghel
That the steps to avoid that are embedded into the standard operating procedure of um of that particular facility. And yeah I mean if you’re more curious about the world of data centers just visit our website Data Center at our dot com. that’s where you’re gonna find in-dep features on pretty much every every every subject the subject matter within the industry. That’s where you’re gonna find video interviews. That’s where you’re gonna find the training division which I’m responsible for um and yeah. The world of data centers is a wonderful thing and I wish more people would be aware of it.

Nathaniel Nelson
Andrew clearly education is important in this space. But I’m wondering if there are any other takeaways that you got from this episode.

Andrew Ginter
Yeah, well you know the thing that struck me is that a lot of these systems. A lot of the the concerns about cybersecurity. They’re very familiar to anybody you know involved in any other kind of of industrial cybersec security operation.

In particular with the you know the fact that this is is ah critical industrial or sorry of the critical informational infrastructure and you know there’s such a focus on Reliability I’m I’m reminded of the the Nersip standards. which are also very focused on Reliability. You know some of the measures he talked about. You know teaching people about seemed seemed familiar. There. and unlike you know the the power industry where you know power uses is is increasing a couple of percent per year worldwide. It’s sort of it’s a mature industry unlike that the data center industry strikes me as still in its Infancy. Um. I mean for I don’t know what what is it now 50 years. We’ve been everything has had more and more computers in it. Data centers have sprung up with more and more computers in them more and more data centers. This is a growth Industry. We’re going to continue automating Business. We’re going to continue automating everything. There’s always going to be more computers. There’s always going to be more data centers is what it sounds like and the field needs expertise and experienced Professionals. So yes, we need Education. I’m wondering if there isn’t an opportunity here for industrial cybersecurity people from other industries. For example, the power industry the power sector where it’s you know a mature industry I Wonder if there’s an an opportunity for some of these professionals to switch fields and to make an impact in a growth industry.

Andrew Ginter
It’s always a pleasure. Thank you Nate.

Nathaniel Nelson
Well thanks to Vlad Gabrie Anghel for speaking with you Andrew and Andrew is always thank you for speaking with me this has been the industrial security podcast from waterfall. Thanks to everyone out there listening.

Doing the Math – Remote Access at Wind Farms

September 22, 2025

I don’t sign s**t – Episode 143

September 10, 2025

Secure Industrial Remote Access Solutions

August 28, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post “We Need Smarter Ways of Building Data Centers” | Episode 111 appeared first on Waterfall Security Solutions.

Active Defense in OT – How to Make it Work | Episode 110

Waterfall team — Mon, 07 Aug 2023 12:02:50 +0000

OT Insights CenterActive Defense in OT – How to Make it Work | Episode 110

Active Defense in OT – How to Make it Work | Episode 110

In this episode, Youssef Jad, the CTO and Co-Founder of CyVault tells us about their Active Defense which provides "intrusion prevention" deep into industrial networks, something that has long been considered as not feasible.

Waterfall team

August 7, 2023

Available on

https://api.spreaker.com/v2/episodes/56334516/download.mp3

About Youssef Jad

Youssef Jad is the CTO and Co-founder at CyVault where he leads the Cyber Defense operations and novel R&D products. Youssef has over 20 years of experience in IT/OT/ICS/CPS/xIoX/Blockchain cyber defense, keynote speaker, consultant to Fortune 10 compagnies, and boasts impressive accomplishments such as a turnkey cyber solution for the US-Gov/DHS/FBI, offensive initiatives for cyber military units, SME for ICS4ICS, and lead of the global “WannaCry v2 Ransomware” task force.

Active Defense in OT – How to Make it Work

“…common wisdom is that you simply cannot do IPS deep into industrial networks. CyVault proves this common wisdom is outdated…”

Please note that there isn’t a transcript for this episode. Here are some of the highlights from this week’s podcast:

In this episode we look at how network Intrusion Detection Prevention Systems (IPS) can work in OT / industrial environments. An IPS is an IDS with extra functionality. A network IDS looks at each packet in the network or network connection and decides if the packet or stream of packets looks suspicious. If the IDS recognizes what looks like an attack in progress, the IDS an alert – usually to a SEIM to log the event.

An Intrusion Prevention System (IPS) does same thing – and if the attack seems serious enough, the IPS will take actions to interrupt the attack in progress. For example, some IPS systems that watch copies of network traffic on mirror ports will send TCP Reset (RST) packets back into the mirror port, targeting the TCP connection that is being used to propagate the attack. These packets cause the TCP connection to close, interrupting the flow of attack information.

While this seems fairly straightforward for IT networks, the risk of false alarm is a problem historically on OT networks. A false alarm risks shutting down essential communications and causing entire plants into costly unplanned shut-downs as a result.

Youssef Jad digs into the CyVault Dome product that addresses this issue to bring about active defense – IPS – on industrial networks. How can this be done safely? CyVault has tested attack interruption actions with industrial vendors and industrial equipment. The Dome product interrupts attacks in progress only when an engineering study has proven that such interruptions are safe – that they pose no threat to industrial operations. And the system can use old-school TCP RST packets, or more modern methods of interrupting attacks, involving interactions with the hosts and endpoints involved in the attack connections.

And if attacks are ever detected on systems or connections where outright interruption has not been proven safe, the IDS component of the solution still raises high-priority alerts. In this case, CyVault also works closely with engineering teams at the site to walk them through the investigative and restorative procedures involved in diagnosing what’s going on and fixing it.

Again – common wisdom is that you simply cannot do IPS deep into industrial networks. CyVault proves this common wisdom is outdated.

Listen in to get the full scoop.

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Active Defense in OT – How to Make it Work | Episode 110 appeared first on Waterfall Security Solutions.

industrial ips – Waterfall Security Solutions

Demystifying Cyber Jobs – In the Energy Sector | Episode 112

Demystifying Cyber Jobs – In the Energy Sector | Episode 112

Available on

About Amanda Theel and Eddy Mullins at Argonne National Labratory

Share

Transcript of this podcast episode #112: Demystifying Cyber Jobs in the Energy Sector

Trending posts

Managing Risk with Digital Twins – What Do We Do Next? – Episode 144

IT & OT Relationship Management

Analyzing Recent NIS2 Regulations – OT security is changing

Stay up to date

Tags

“We Need Smarter Ways of Building Data Centers” | Episode 111

“We Need Smarter Ways of Building Data Centers” | Episode 111

Available on

About Vlad-Gabriel Anghel:

Share

Transcript of this podcast episode #111: We Need Smarter Ways of Building Data Centers

Trending posts

Doing the Math – Remote Access at Wind Farms

I don’t sign s**t – Episode 143

Secure Industrial Remote Access Solutions

Stay up to date

Tags

Active Defense in OT – How to Make it Work | Episode 110

Active Defense in OT – How to Make it Work | Episode 110

Waterfall team

Available on

About Youssef Jad

Active Defense in OT – How to Make it Work

Share

Trending posts

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

SCADA Security Fundamentals

Stay up to date

Tags