
TECH TAKES
Cybersecurity in Engineering: Building a Secure Future from the Ground Up
In this episode of Tech Takes, host Louis Savard, C.Tech, explores the ever-evolving landscape of cybersecurity—a discipline that has rapidly transformed from an IT concern into a core strategic priority for engineers and professionals across every industry.
Joined by Tim McRae, CEO and Founder of Tailcraft Security, Louis examines the growing sophistication of cyber threats and the vital need to embed security into the engineering process from the very beginning. Together, they discuss how securing intellectual property, anticipating emerging threats, and designing with security in mind can protect both innovation and infrastructure.
Discover how cybersecurity is no longer optional—but a fundamental pillar of responsible engineering, ensuring systems are resilient, trustworthy, and future-ready.
Have a topic you’d like to discuss or comments about the episode? Reach us at techtakes@oacett.org.
David Terlizzi: 00:00.74 - 00:24.02
Tech Takes Podcast is brought to you by Niagara College's Walker Advanced Manufacturing Innovation Center. From day-to-day support in our quality department to long-range new product plans, WAMIC is your competitive advantage. Learn more at ncinnovation.ca slash WAMIC. That's ncinnovation.ca slash W-A-M-I-C.
Louis Savard: 00:35.38 - 02:53.93
Hello, and welcome to Tech Takes, the podcast where technology meets real-world impact. I'm your host, Louis Savard, and today we're diving into a topic that affects every one of us, cybersecurity. Whether you're designing infrastructure, building software, or just trying to keep your digital life intact, cybersecurity has become more than just a technical issue. It's a strategic one. Cybersecurity used to be seen as just an IT problem. But times have changed. Today, it's mission critical for every engineering and engineering technology professional, team, organization, and project, no matter the industry or field of practice. From blueprints and brief schematics to smart infrastructure and control systems, the data engineering professionals handle is more valuable than ever, and cyber criminals know it. That's why this episode is all about the new front lines of cyber threats and what it means to build with security baked in, not bolted on. We'll explore the big questions. What kinds of threats are hiding in your inbox or lurking in the cloud? How do you secure your intellectual property projects without slowing down innovation? And why is cybersecurity now as essential to design as structural integrity or performance? Joining us today is someone who knows this world inside and out, and even sideways. Tim McRae. He's the CEO and founder of Tailcraft Security and a global enterprise security risk management leader. Hang on to your hats here. Tim has held high-level security roles across the public and private sectors, from the Canadian Pacific Railway and CGI to the City of Calgary and the Government of Alberta, transforming how organizations think about and implement security. He's got the credentials to back it up, a Master of Science in Security and Risk Management from the University of Leicester and certifications like CISSP, CPP and CISA.
But more than that, Tim is passionate about helping businesses build smarter, more resilient security programs that align with their goals. Tim, welcome to the show.
Tim McRae: 02:54.53 - 02:58.07
Thanks Louis so much. I appreciate it. And it's great to see you again. So thank you for this. I appreciate it.
Louis Savard: 02:59.09 - 03:02.57
Yeah, it's been a year or two, so it's nice to rekindle, right?
Tim McRae: 03:02.63 - 03:05.717
A little bit of time. Yeah, it's been a little bit of time. Absolutely. That's right.
Louis Savard: 03:06.37 - 03:36.72
So we're certainly thrilled to have you here. I can't wait to chat about how companies, especially those in engineering and tech, can take a more strategic, proactive approach to cybersecurity. And I really want to emphasize proactive, and I'm sure we'll have comments later on on that bit, because I have my thoughts on that. So let's get started here. Absolutely. Let's start with a simple one. So what are the most common cyber threats targeting engineering firms and departments today? And why are engineering firms such an attractive target now?
Tim McRae: 03:37.60 - 05:10.06
Yeah, no, it's a really good question. And again, thanks for starting off with that one. We're seeing particularly from engineering firms, but this is, I think, consistent across all organizations. We're seeing this increase in ransomware and intellectual property theft. And it's because the information that engineering firms and other companies have, it has value. And if I can get something of value without putting an inordinate amount of effort into it, take that information and sell it to make value and make money. To me, that's worth the effort, worth the time and worth the risk of trying to break into an engineering firm to get that data, to get those plans, those blueprints, all of the information you talked about in the introduction. What if I can take that, monetize that and sell that? What if I can take that, ransom it and give it back to you for money? We're seeing that huge increase, you know, in the last, in the last five years, we've seen a substantial increase, but even just in this past year, we've seen about an 84% increase in ransomware attacks. So that almost 35% of all the attacks that were at least recorded from the internet were ransomware. That's phenomenal. We haven't seen these numbers. We've never seen this space before. This is something brand new for all of us in the cybersecurity world. And we're seeing more and more of it increase again and again, year over year. So engineering firms are no longer, you know, not part of this equation. They are being targeted for the information that they have regarding the projects they're working on, the clients that they have, or the data about the employees in your systems as well.
Louis Savard: 05:11.58 - 05:47.52
Now you just touched on something that I wanted to follow up on and you talked about the data that they have and the customers and the people they work for. So do you see engineering firms as potentially a vector or a stepping stone for those threat actors to get into? I'm in, I'm from the municipal world, right? So we have a paving company that's fixing potholes cause it's always the potholes, right? But do you see those threat actors going after that paving company knowing that they're working with a, let's say a large size municipality as a hope to kind of jump into those systems? Is that something that's happening? Absolutely.
Tim McRae: 05:47.54 - 07:17.26
And I mean, let's go back to remember the Home Depot hack, how they got in. It was through an HVAC vendor. So everybody who's part of your third party supply chain, everyone who's attached as a vendor, if I'm working through, let's say, let's take your example. And in your municipality, you've, uh, you know, you're working with and have had this one paving company for a decade. They've got access to your systems. They can see the job orders or the work comes through them. Invoices flow back and forth. Everything is electronic and it's lovely, except when the access you provide them, let's say someone mistakenly increases the access that you have from the paving company. Somebody gets into the paving company, follows the path and ends up in your municipality. Would you be able to see them? Can you find them? What access do they have? Can they alter the payroll for that particular company, the paving company? What if I increase and add a zero to my invoice to you? Would you notice? Would you pay? What if I change the accounting information so you sent it to a different bank? Or you altered the record so that now these employees are going to come on and do the work, but they're not employees with the paving company anymore. These are things we have to start worrying about. So that means the protection mechanisms I put in place for my municipality, I now have to make sure that I'm considering all of the third parties that attach to my municipality. And particularly those engineering firms that do larger projects for us, like water treatment or critical infrastructure, or let's say adjusting the lights and the braking systems for our light rail transit program. Those are the systems that we really have to start worrying about.
Louis Savard: 07:18.78 - 08:29.16
And that's another really, really good point because I think for most of our listeners that are not, I'm in this day in, day out, you know, so, so are you. Um, but for our listeners that are not, typically when you say ransomware, you know, they see the dollar sign, they go, ah, they're going to go after banks, big government, you know, municipality, hospitals, schools. They're not going to come after my hairdresser. They're not going to come after, you know, those small outfits typically that, and that's the mindset that we've, I think most people have had forever. Right. Which is really what has to change because those are the targets now. Right. And what I'm seeing from, from what I'm hearing from, from peers is that it's no longer a large attack to cripple your whole systems, but they will very much target pieces of your infrastructure. And you mentioned a critical infrastructure. Drinking water, if I can get ahold of that and cripple it to the point where now it's endangering life and safety, firefighting, drinking water, all of this sanitary, all of that. Now I've got something that someone will want to pay to get back. Right. So are you seeing those trends, like where they're targeting more of those critical rather than I got everything, pay me to get it back?
Tim McRae: 08:29.80 - 12:45.63
Yeah. And you bring up some really good points is if I, again, I try to occasionally put myself on the other side of the web and where would I try to monetize my efforts? Where would I try to get the biggest impact for the work that I'm doing? And you're right. Many years ago, I'm going to cripple the entire system. So I'm going to block up the entire system. I'm going to put it, lock it up in encryption and you're going to have to pay for all of it. But what we have seen these last few years is they've become far more pointed in the attacks. The folks on the dark web have gained incredible insight, particularly with artificial intelligence engines and help from other avenues where now they're able to craft far more meaningful attacks. And to your point, Louis, it's, it's a perfect example. If I can get in and I can totally encrypt your control system for water treatment, that has value, right? I, you know, I would be hard pressed to not want to talk to the people who've encrypted it so I can get that back. That becomes a concern, right? Is that there, we've already seen, especially in the U.S. where some of those, uh, we call them proof of concepts have already been launched and they worked, or they were launched and they were just held off from being successful. So we've already identified that the vector is there, the avenue is there, and the skillset is there. So from a, you know, from a bad guy's perspective, they really are starting to target specifically systems like that, that they know, I don't have to encrypt all the payroll system. I'm going to get more if I encrypt what you're putting in place for water treatment or sanitation. Or how about the light system or the braking system? Aren't those all anything that's attached to life safety or to ensuring the safe transport of, you know, people, products and services across the city? Those are the things that I'm going to worry about.
So those are the things that we need to start worrying about as well, is how can I ensure that I'm putting programs in place that can address those types of security requirements from the very beginning? You know, not to what you'd mentioned in the introduction where I'm bolting on the back end, because you and I both know that bolting stuff on is not structurally sound. It doesn't really work well. And more importantly, it means that if I had thought of only putting in these controls, when I first started the project, could I have saved myself some time and effort down the road? And my answer always is yes, about 10 times the effort. When I was at the provincial government and even some of the larger organizations I've been at, my favorite was, Tim, can you take a look at this project? And it would be, you know, Tim, we're launching it on Friday. Well, it's Thursday. So thanks for the day notice. I really appreciate that. But I used to joke with all of my teams that if you could come to me when you walk out of a bar with a napkin and a really good idea, stop. The second person you should talk to is our team. Because now we can actually take a look at this, try to understand what you're trying to do. And let's help you put in the right types of controls in place so that if I put the effort in now and, as if I'm designing a bridge, as if I'm designing a circuit board or putting into place a smart system for a building, what if I started looking at controls at the very beginning of that process as opposed to at the very end? What can I save for time and effort? Can I start baking in these requirements for security as we're designing these systems that we all rely on now? You know, I expect to have my air conditioning work in my home. I would be really upset if someone got into my house and took over my air conditioning. I'd be pretty ticked. Yeah. Especially today. Yeah. Especially for you folks out East. Holy smokes.
I can't imagine what you're going through, but can you imagine HVAC systems as an example? If it's a smart system, it means someone can access it remotely across the internet to your building. You can see where I'm getting a little worried now. What have I got for controls in place to make sure that the solution that I've architected, the environment I've tried to create is going to be the same from the day I launched the building to the first big heat wave of 2025? How do we know? What if it changed? Would I have to send everybody home? Like what's the, what's the parameters? What's the risk? What am I willing to accept as I start designing these systems for buildings or for municipalities or for water treatment? I think that's where we have to start getting our friends in engineering to start working with us to design these programs and start looking at how can I create a foundation of security as opposed to this idea of bolting it on at the back end.
Louis Savard: 12:47.36 - 13:41.21
Absolutely. Right. The foundational pieces are so critical to, I mean, to anything you do, bridge building included, um, at the end of the day, change management is a, is a beast and people don't like change. So if you're, if you're putting something in place and then two years on the road saying, hey, by the way, we now have to put these controls in place, you're getting an immense amount of pushback, whereas if you do it from the start it's just part of the day-to-day. We're already used to this, we're not changing anything, we're just, maybe we're tweaking, but we're not changing anymore, right? I want to come back to, in your, in your answer to the first question you mentioned an 84 percent increase. I mentioned that most of the people, you know, still think of ransomware as big banks, big government. Where do you see the increases happening? You know, is it various, various organizations or is it very pigeonholed to a specific sort of subcategory of organizations?
Tim McRae: 13:41.77 - 15:35.66
No, we're actually seeing a broader spectrum of companies that are being targeted. And you made a really good point. They're not just going after the large companies anymore. They're going after all types of companies. And one of the areas we're seeing is small, medium business being targeted as well, because they can't afford folks like me or you to help protect their systems. And they're relying on potentially, you know, information that they receive from people within the company or they can't afford, you know, some of the bigger consulting firms or they don't have somebody monitoring their systems. So they don't have the same types of security or security programs as larger firms do. So those folks are getting targeted and successfully targeted because unfortunately, if there's information that they need to, you know, sustain their business or operate every day, if it's being taken as a ransom, if it's being held, you know, for ransom by somebody else, many times these organizations will pay because they need to get that information back. You know, it's, that's when we started asking questions, you know, like how, how great is your recovery program? Have you tested it? Does it work? Have you tested it? Does it work? Right. I keep asking those questions. When's the last time your program was tested? And when I asked this of some small, medium businesses, they don't have those programs in place because they either can't afford it or they didn't focus on the requirement for it. Unfortunately, after a breach occurs, that's the worst time to start looking at planning. That's where I am really trying in my company and helping folks that I know is can we get to those answers before something happens? Can I be preventive in my approach as opposed to always reactive? I'm, you know, I joke, I'm really tired of putting up the yellow tape after stuff has happened. I kind of want to, I don't want to see that anymore.
I want to be able to help, you know, firms establish and create a program that they can live with, but deals with risks that they face every day. Regardless of whether you're two people or 200,000 people, it doesn't matter. You still need to identify what are the risks and how can I protect against those risks.
Louis Savard: 15:37.12 - 17:01.42
Absolutely. And, and one, you mentioned, you know, test it, does it work and then test it again? And does it work and test it again? Right. I had that question. I posed that question to, to a peer. And cause we talked about air gap backups and, you know, in case events or where things like that. And I asked them, have you tested, have you actually like sort of redeployed your environment into another environment to make sure your backups are working? And he kind of looked puzzled. I said, well, how do you know it's working? And he showed me the invoice that said paid. Right. And we, we're paying for the service, it has to work. I mean, they wouldn't sell me something that doesn't work. Right. But, but that's not the point, right. Cause on our side, we're also facing a resource crunch where time is, time is, is limited. We may not have the right resources that should be in place. Whenever you're doing a whole restore activity, it can't just be the IT team. It has to be your senior management. In a municipal world, you know, council may have to be involved so they can see what the process is so that they understand when we say, hey, we need some support here because of ABC, they have an idea of what's happening, right? So it's, those are critical, critical, critical questions. But for you, Tim, we've talked about increases and government and hospitals and small to medium businesses. How about we scare our listeners a little bit and share with us maybe a real world example of an engineering firm or engineering sector that got hit and what the impacts were.
Tim McRae: 17:02.12 - 18:51.94
Sure. I mean, so I did a little research before I came on, so I wanted to make sure I had some data points for you. So there's two we can talk about really quickly. The first one happened in 2020 with WSP Global and it was the United Kingdom operation and they were hit with a cyber attack. And it actually took out some of their internal systems and it caused some temporary service disruption. And what it was is a cloud-based file sharing application and project access done remotely is what caused it. That's what opened up the avenue into WSP in the UK office. So that was, um, expensive, uh, and it had to be repaired, but it was a weak point that was identified in their structure. And they did go through a process of redesigning their systems, but that was back in 2020. There's a more recent one in 2023 with Sargent and Lundy in the United States. And they, the LockBit ransomware group had targeted them and were successful in ransoming their environment. So sensitive project files and a lot of employee data was exfiltrated out of the organization. And that's as recent as 2023. And how they did it was that it was, again, I'm looking at how can I protect information that's in a cloud-based environment? Am I mixing different types of data? Am I classifying my information correctly? Do I have the right types of controls? Because if not, and you are targeted by LockBit or other groups, and they're able to get to it, can I see just the information that's public? Can I see project data? Can I see employee data? And unfortunately, in this particular instance, they could see all the data. Not a great place to be. And those are two examples that I found really quickly on just engineering firms that have been targeted and were unfortunately successfully breached by the bad guys.
Louis Savard: 18:53.31 - 19:15.95
So Tim, you touched on a really good point about properly classifying your data. And I think for a lot of people, that's a very pretty folder structure sometimes with different colors and proper nomenclature, but it is much more than that. Right. So could you dive a little bit into that and what other practices organizations could follow to protect their data? No, it's a really good question.
Tim McRae: 19:16.01 - 22:23.71
And it's one that we work with often whenever we start helping an organization design its security program, because data is fun, you know, fundamental to how we are successful every day. We need data to make business decisions, risk decisions. We need information to pay our people, to pay our contractors, but it all starts off with this idea that. When you're designing your data structure, you have, no, you have systems of record and systems of engagement and then systems of insight. But what I like to look at is the data that your team needs. Let's take a look at your engineering team in your municipality that they need every day to be successful. And I'm going to store it somewhere. And I have a pretty file structure. That's awesome, but that's the first step only. Now it's who needs access to that information? What do they need to do to that information? Is that information classified as confidential, like that would actually cause harm to the municipality if it was released? Is it public where it could go on the website and nobody really would care? Is it internal where it would be kind of embarrassing if it was sent outside of our organization, but it's not going to cripple any of our systems or give away confidential data? We try to keep it as simple when we start talking to people and ask them, how do you store it? How often do you access it? Who needs access to it? And then the concept that tends to screw people up is who owns it and who's the custodian. And the owner of the data is not always the person that manages the data. In many organizations, custodians are the IT team, but the owners of the data may be the business unit. It could be the engineers that are out in the field with their iPads submitting their observations on a bridge that's being reviewed for retrofit. They could be the owner of the data, but IT is managing the systems on their behalf. 
So that means when you're working with the data in your organization and try to understand what to do with the information, this needs to be a collective approach. It can't just be your team putting it in a lovely, pretty folder and hoping for the best. No, you need to sit down with your operations team, with your IT team, as well as your security team, and try to understand the flow of the data, who should have access to it, and what type of access is allowed to each piece of information, and more importantly, how do we protect the systems for you? That takes time, that takes effort, and it takes more time than just setting up, you know, a nice file folder structure. But by taking that type of care and attention to your data when you first start collecting it, using it for business decisions, and then using it to support your reports to your clients, from an engineering perspective, that's where you start seeing huge value in developing a security program based on a collective approach, based on the risk to the information that you have, and understanding what type of information do you have inside your organization. It all takes time, but if you spend the time this way, now you're going to start seeing the benefits of it as soon as you start getting access to bigger projects, to more employees, and then you start, you know, dealing with some of the potential security controls that you have to have in place and that you can grow over time as well.
Louis Savard: 22:25.09 - 22:37.78
And it's such a, such good words. I mean, it's, it's music to my ears, right? It's, it's invest the time now to do it properly because once it's, once it's too late, it's too late. There's no, there's no going back. Too late is too late.
Tim McRae: 22:38.40 - 23:31.86
Exactly. And I mean, and this is one of the things that, you know, I wanted to ask your audience as well, as when you're designing your programs, like when you're designing, let's say a system, when you're building out a brand new bridge, when you're building on a, you know, an HVAC system for, you know, a company. Have you tested it from a security perspective? Have you done a risk assessment against it? If not, why not? Why would you not start looking at that type of approach and, you know, start looking at using security as part of this concept of secure by design? What if you started looking at employing the security team as you're beginning your project, as you start working through the different phases of your project and as you close out your project? That way, you know, to your, to your point earlier, wouldn't it be great to have this information started sooner than later? And what if I can start focusing on the types of controls I should be putting into place for this project, as opposed to, you know, rushing in a mad hurry at the end of a project to put them all in place.
Louis Savard: 23:31.88 - 24:21.74
Okay. That's such a great point. About security controls. I want to loop back to a comment you made earlier on, and you said that sometimes you'll try and put yourself on the other side of the web. The world that we live in, meaning myself and yourself, you know, is it always feels like we're one or two steps behind, right? We're, we're putting up the fences to something that we saw happen somewhere else. So we're going to defend ourselves against that. Not really knowing essentially if we're a target for one and for two, if we are, what are we being targeted by or what are we being targeted for? So. What does being on the other side of the web mean and how can that potential information be valuable to, to, to the engineering firms?
Tim McRae: 24:22.24 - 27:27.59
Yeah, good question. So I've always been a big proponent of trying to understand, you know, it's like a chess match, trying to understand who your opponent is and what are some of the drivers behind behavior, because that tends to change how I'm going to consider the different types of controls I want to put into place as well. But if I have access to good intelligence from the dark web, that's going to help shape the program that I have. And that's something that I would recommend that firms take a look at and try to understand. Can you get a better perspective of how you're being viewed by a potential cyber criminal? Because that should change your perspective on one. No longer do we get a chance to just say, I'm too small to be a target. That's not accurate anymore. It just means that you may have been assessed, but they're not going to spend the time and effort yet to look at your environment. And the second one is, I don't have anything of value. Well, that's incorrect as well. Information has value. Many times when cyber criminals do attack smaller firms or mid-sized firms, they're doing it to collect the information for a future event, not for a current event, but for something that they're planning in the future. So how I try to work with clients and, you know, I've talked about this. What if we start at the beginning? So I build my program based on this principle that the security program is there to enable the business. So my goal in security is to ensure that the business has a better than 50% chance every day to be successful. I would love it to be a hundred percent. Would we all? Yeah, I think we're all there. I want to make sure that I understand one, why my business exists and what the business is trying to do every day. Then I want to understand what are the assets that the business needs to have in place every day to be successful. And if I can identify what those assets are, I'm going to work through the process of now let's look at the risks.
And if I can do a, you know, team sessions where I sit in a big room with a whiteboard, you know, and my crayons and team members from across the company and ask the questions, what if. And that's what we're going to go through is a series of what if questions. What if this isn't available? What if this happens? And as we work through that, we also come up with potential opportunities to reduce that risk. Well, now we could try to put this into place or let's put this into place. Let's try this. At the end of all of it, we come back to the executives with our recommendations to here's the assets we have, the risks that we've identified, and here's the mitigation strategies we want to put in place to reduce the risk and help the business be successful every day. I think that, that process, that understanding of from business all the way through the life cycle, back up to business. If all firms, engineering and others could start embracing that as an approach, I think we're far further along because now it's a risk-based business approach and it applies secure by design principles. And what I love about this too is now it's design thinking, right? Because this becomes this process of from idea through to prototypes through to launch into production. And engineering firms are very familiar with this concept of design thinking. This is now an opportunity to apply that same discipline to building a security program for your engineering firm.
Louis Savard: 27:29.23 - 27:56.95
Fantastic. So now you've got the attention of the people, you're designing the program, you're designing the protocol. Now you have to decide on what platform you're going to use, right? Google, Microsoft, Amazon. What questions should engineering firms or technology professionals as a whole, what questions should they be asking themselves when they are now faced with, okay, now we have to select a platform. What do you need to look for?
Tim McRae: 27:57.45 - 29:58.61
Yeah. And that's always daunting for some companies, right? They'll, they look at these big, big cloud providers, like Jesus, where do I start from here? And it's, let's go back to basics. I want to store information in your environment. Awesome. I can do it on my laptop, but it doesn't, you know, it's not very practical, really safe as long as they turn my laptop off, but it doesn't work very well. So how I've always considered this and provided this to others is, look, take a look at the providers that you're considering. Then start asking from a business perspective, how accessible is it? Can I get to it from around or across the globe? Invariably, that answer is always yes. Terrific. Now, is there a limitation to the types of information I can put in there? That's going to help make some different decisions. Can I restrict access to who can see the information? Can I restrict it based on geography, based on role, based on time of day, based on the company that you work for, based on the relationships that we've established? Are you a third party service provider, an employee, a contractor, a full-time, a part-time? Can I start looking at and validating your access to that information every time you log in, every time you gain access to a new document, or every time you request access to a document that you don't have rights or privilege to? Walk me through the process of what zero trust would look like within this environment. Meaning, every time I go to look at a document, even if I looked at it two minutes ago, are you still going to ask me to authenticate myself to make sure it's still Tim who wants to access this sensitive document that's going to help rebuild an elevator structure inside an office tower downtown in your municipality? Those are types of questions you can start to ask your vendors and you can start looking at solutions that can really help protect all that foundational information you need to be successful every day. 
Because even though you're looking at a third party to manage that information, ultimately that accountability for the information lies with you, the engineering firm, not the SaaS provider. You still have to be accountable for the information you collect on behalf of your clients.
Louis Savard: 30:00.26 - 30:59.49
Absolutely. Accountability is key and it lends it also some kind of transparency as well, where you can very clearly say we are doing everything right. So if God forbid, something does happen, you can come back and sleep at night saying we did everything that we could. It's not that we didn't do it. It's just, they just got the best of us. Right. And that happens every day. You bet. Now, I want to touch on dark web for a second. And the reason I want to do that is I want to clarify to our listeners that dark web is not the incognito mode in Google Chrome that makes your stuff black. It's not dark theme on Windows. It's a real space. And it's a real scary space at times. How, how can firms like yours or other professionals in the cyber world leverage this dark web to the benefit of organizations like municipalities and engineering firms and technology professionals?
Tim McRae: 31:00.85 - 33:48.49
Great question and a frightening one at the same time. It is the time that I have spent on the other side of the web and being an observer only. So I wasn't, you know, not active in doing anything other than seeing the results of some, some amazingly talented individuals over the years, finding intelligence information. It is a frightening space on the other side of the web. And it's because it is organized on the one thing that drives what they do best, which is commerce. What drives the dark web is value and money and what can be sold and what can be traded and what can be used as leverage to gain more income, more Bitcoin, et cetera. So entire marketplaces exist on the sale of credentials. There are terms that are used across to, you know, designate what people do, whether it's an initial access broker or someone who's actually helping plan an attack. They have project management teams that actually will help you design your cyber attack on a target for a percentage of the profit you're making off of that attack. It is well structured. It is, they have well-defined hierarchies within it. There's opportunities to prove yourself so you can move from one level within the dark web to another in that hierarchy, in that underground. And the resources that they've been able to commit to some of the projects that they have are truly impressive. Like they are truly impressive. They, you know, when they have their own AI engines behind the scenes on the dark web to help craft a far better email than we saw even three years ago. It's amazing how adaptive the dark web is, how it embraces the use of technology. And more importantly, it still relies on humans to click on a link, to open up an email and launch an attack because humans will still do that. Humans are still going to click on things. I mean, I did my thesis for my master's on this idea that will we ever get to the point where technology and training will stop humans from clicking on links? 
Yeah, you could have saved yourself the 154 page read and just said, you know, no, it's, and it's because it's because we, especially, you know, depending on the, how you're being targeted, people want to help. They want to give, they want to provide information. They, they want to win something free. They want to get something for nothing. And it's those different types of appeals that have been honed over decades of work on the dark web. And it still works. And now they're changing their approach for the next generation. Now they're changing their approach for those who want to be, you know, in a different space. They're a different age bracket than me. They have different roles and positions, but they're learning and they're changing and they're adapting. So this is why, you know, when I talked about ransomware going up like 84% since 2024, yeah, it's because they're being, they're still being successful in the attacks that they launched.
Louis Savard: 33:50.15 - 34:17.92
That's, that's, that's incredible. Is there, out of all of that, is there information to be gleaned, um, to be more proactive from an organizational standpoint, engineering firms, technology organization, um, or various, is there information from all of that that can be gleaned and, and, uh, used to, I'm going to say protect yourself, but to truly be proactive and, and very much less reactive.
Tim McRae: 34:18.73 - 39:02.91
Yeah. I mean, those are all good questions to ask. And I think something particularly for the audience here from an engineering perspective, what if you started looking at security the same as your discipline and create security as part of this engineering discipline where you would start aligning the work that you do from a risk-based perspective instead of an afterthought? That would be fantastic. What if I started looking at throughout the process of designing a solution from an engineering perspective, I'm going to incorporate a cybersecurity and physical security perspective so that I can assess my solution or what I'm creating for my client and assess it for risks in advance of giving it to the client. What if I started looking at security within an engineering firm as part of a system, right? 'Cause engineering firms are fantastic for this because they do systems thinking. So I look at if I'm designing a system of a system, that's terrific. But what if I create security as part of that system thinking so that when I'm, you know, here's a good example. I'm, I'm offering or creating an HVAC solution for an office tower in one of your municipalities. And I'm using, but I'm, but I'm using a smart control system so I can get to it remotely if I have to update any one of the sensors or, or swap out any of the firmware. What if in that process, I bring in the security team to start understanding how can I protect this system within a system so that we don't become the weak link inside that building cybersecurity posture? I think that that'd be super cool if we could start looking at that. And I think this secure by design or design thinking iterative approach, what if we started bringing the humans into this as well? You and I have both seen this right throughout our careers where the human is still going to do something. 
But what if we start thinking about it and try to ask the why and then try to come up with solutions so that we can reduce the impact of a human clicking on something? And, you know, that means to your point earlier, I really should test this more often. I really need to make sure that I've classified my information. What if, what if I actually make sure that I back up my file folder that looks so pretty and I test it once a month just to make sure I can still get to it. Or, you know, what we talked about just earlier, what if I made sure that Tim could only see this file folder from the legal file, but he doesn't get a chance to see the file folders for HR. And we're going to test that, right? We're going to test that every month to make sure that Tim hasn't gone and tried to change that. Or I'm going to look for IDs and go, Hey, wait a second. How did Louie's ID get attached to the HR system? He's not supposed to be there. How did that happen? What if we just did stuff like that and started asking the human questions, wait a minute, why is Tim still accessing this, but somebody isn't, I don't understand this. Can I, let's walk through that. It doesn't take much to do that. And a couple of the things that we should really focus on, you know, particularly within engineering firms, because you do so much of this already, this concept of documentation and understanding lifecycle. You document and create some amazing documentation for your clients. I've received so much of it over my career when we were designing new buildings and I was part of a security team or when I was working in the provincial or municipal government and we would receive engineering diagrams on different facilities that we were helping design from a security perspective. Holy smokes, you guys do a fantastic job of documenting solutions that are going to be in place for years if it's a bridge, a water treatment plant, braking systems for LRTs. 
But what if you also documented the security program in the same way? What we're asking for is to be treated in the same discipline that you folks do when you're designing your solutions for clients. Can you bake the security solution in and follow the same approach from a documentation and from a lifecycle perspective as well? Great examples, we just talked about it where I have a smart, you know, a smart enabled HVAC system, but did you take into account how often you're going to have that patch and update? When do you have to change operating systems? How do I narrow down so that just Tim can gain access to this instead of Tim and his company? How can I create it so that I know where I have gone in that HVAC system to update it and upgrade it? Have we looked at that? Can we put those controls in place? How hard is it to track Tim's progress in the system when I'm doing a review of all the different sensors and I have to patch five of them? Can you make sure I patch just five or did I do ten? Or did it create a backdoor so I can get to it when I get home tonight? Those are the things we need to start looking at because the systems that are being put into place today by engineering firms, particularly those that blend physical and cyber, I have a physical control in the field on an IP based environment. Those are the places that the bad guys are going to first, right? Because we've proven over time that a particular critical infrastructure and in some of these other, you know, siloed industries that I can get to it because we haven't changed that control in 20 plus years. If I can get to it and I can alter it, that's not a good thing, right?
Louis Savard: 39:03.03 - 39:06.83
That's not a good thing. It's, it's, it needs a Windows 95 to run. I'm sorry.
Tim McRae: 39:06.89 - 40:09.53
Oh my God. I heard. And do you know my favorite was well, but Tim it's Windows NT. No one, no one knows it's there. Oh, for God's sake, stop. Are you kidding me? Like it's just. And we spent tens of thousands projecting this one. And don't get me wrong. I get why they needed it, but honest to God, guys, are you kidding me? You can't hard, like we used to have fights all the time with other, you know, other parts of particularly when I was in the government. Well, Tim, we can't, we can't upgrade the PDF version of the Adobe because it costs money. Are you kidding? So they would hard code in the requirements for Adobe. Oh my God, stop. This is just, guys, there's a better way to do this. And you're right. It's just that I need, I need Windows 7 on this. No, no, you don't. This is that whole concept of how do I life cycle out old equipment and old operating systems and bring in new. We have to have that capability. And it's not that, you know, other industries are at fault as well. That's a politically correct way of putting it. But since we're talking to engineers, folks, you can plan this into the life cycle of the devices that you put out in the field. I promise. Right. And we're here to help. You just have to ask. Right.
Louis Savard: 40:10.30 - 40:50.62
Yeah, absolutely. Now I've got, I've got one final question for you, Tim. And I think, I think we have the answer already, but we'll ask it anyway. We talked about secure by design over and over and over here. And we talked about engineering projects and bridges and all this fun stuff. And you touched on the HVAC, but so let's, let's dive in that for the final question. As smart infrastructure is becoming more and more prevalent, like it's, nothing is not smart connected anymore, like my toaster is, right? Like it, nothing is not smart connected anymore. How critical is it to embed that secure by design or that security chat right at the design level?
Tim McRae: 40:51.81 - 44:28.28
Oh, I mean, this is, so again, I go back to that 10 to one ratio. If you come out of your, you know, your design session with an amazing opportunity and a path forward and a system that you're going to design, and it's going to be a smart enabled system, this is terrific. So as soon as you get out of that room or. It would be lovely if you had us in the room, but as soon as you get out of that room with that napkin and a pen, bring us in. That's where you, you first need to bring in security at the very beginning, that first iteration of what that design needs to be. Because what we want to be able to do is sit down with you and go, okay, great. This is a smart enabled toaster. Well, let's use that example. That means that, so you're attached to your Wi-Fi network. You have an ID and a password and it attaches to your Wi-Fi in your home. Awesome. Is it a default ID and password? And can I figure it out somewhere along the way? What's the security controls on your Wi-Fi environment? Do you have guests? Is it on your guest network? Can I see it if I park outside of your house? Can I get to it if I drive by your home? What if I can get from your Wi-Fi to your toaster or from your toaster to your Wi-Fi and then your Wi-Fi network to your laptop and from your laptop to your banking and from your banking to start transferring money? That's where it starts. So what if we sat down in that room with you when you decided that you wanted to create a smart enabled system, that you wanted to have a connected system that's available remotely. Terrific. What restrictions can we put into place? What access should I have? What roles should I have? For God's sake, could you just swap out the default ID and password? That'd be awesome as a start, right? Like. I don't know, but I remember, and I shouldn't pick on Nortel, but I can 'cause they're not around anymore. Could you just change admin one, two, three, four. That was the password on every switch ever. 
Jesus, you guys, like you weren't even original. Like we knew as soon as we logged in, I just did my one, two, three, four. And there we go. Local admin access to every switch everywhere. And I'm like, oh my God. Don't do that. There's better ways to do this and work with your security team or work with folks like me at Tailcraft and other companies as well. We can sit down with you and start taking away what is considered these default, very basic approaches to security, but designing a program that works far better for the environment that you want this thing to operate within. So let's say we graduate from a toaster now to an HVAC system that's smart and enabled for an entire building in downtown in your municipality. Awesome. So we are going to do the same thing. Is it a company or multiple companies? Do I have access to all of the controls in the building or just a few? How am I going to gain access to it? Do I have to be on site? Can I do it remotely? My laptop, the company's laptop, municipality's network, how do I get there? Work my way in, what can I do when I get into the system? How do I back up the system so that I know if something happens, I can replace a board, a controller, the entire system, the firmware. If something gets ransomed, smoked, damaged, burnt, et cetera, can I come up with an approach that I can test a shutdown of the system and bring back up if I need to? How resilient is that program going to be if I got to bounce back better after a massive failure or power outage or flood, et cetera? These are all things that we can actually help design the controls to be put into place to, you know, protect the environment, to ensure that Tim and only Tim is gaining access to this elevator control because he's authorized to do that. And we prove that by identifying his credentials and validating his access every time he logs in. 
So instead of just the default password of admin1234, I have multi-factor authentication proving that it's me and a callback mechanism to ensure that it is still me on the device that I have typically used in the past. There's lots of opportunities to work through these different security scenarios. We just want the opportunity to do that with you.
Louis Savard: 44:29.95 - 45:16.05
Absolutely. Absolutely. So, so for our listeners, uh, if you have one thing to take away from what Tim just said, is if you have a connected toaster, be careful, it becomes a very expensive toaster deck sandwich. Right. It can get very expensive. No, but, but, but in all, but in all, in all fairness, though, that's so it's, that's exactly it. Right. Default passwords are just that, default passwords, right? They're meant to be changed. Uh, and one thing that I try to tell, uh, most of our users and our departments through my team is we're not here to tell, you know, we're, we're here to tell you not this way, right? We're here to help you walk through the path of here's how we do it properly. Let's do it together. Rather than us having to jump in and respond to an oops down the road. Right.
Tim McRae: 45:16.83 - 46:16.33
Yeah. And I agree. And I think that's, that's probably the best way to describe where security needs to move to over the next five to 10 years is we're no longer the group that says, no, we just, we, we have lost that right a long time ago to put up our hand and say, no, you can't do this. But what we've become now is just that. What if we give you a different path? What if we show you a way to reduce the risk and you're still able to be successful every day in the work that you need to do? Can we look at that path instead? And that's the approach that we're trying to get as many security professionals as we can through Tailcraft is to teach people this idea that our job now is to enable the business. And to develop a program that's based on business, not on technology, not on an enforcement mechanism, but it's based on the role that business plays or your municipal government or the organizations that you work for and your clients. But it's based on this concept of understanding the business, understanding the risks, what are the assets and kind of come up with a strategy to reduce the risk. But as a collective, not as an individual, that has to be now as a collective approach.
Louis Savard: 46:17.27 - 46:49.79
Absolutely. Absolutely. Well, folks. There you have it. You've heard it from the expert. We're not here to say no. We're here to work with you. And now more than ever is the appropriate time for engineering firms and technology professionals to really put the secure by design at the front end and think about security from the get-go, not from phase 1A, 1B, from phase zero. So Tim, thank you so much for the insight. Thank you so much for your time. It was a pleasure reconnecting and having this chat.
Tim McRae: 46:50.70 - 46:54.68
Thank you, sir. I appreciate it. It's been great to chat with you and I hope the audience enjoys the session as well.
Louis Savard: 46:55.50 - 47:34.39
I know this is like in my wheelhouse and I was smiling the whole time, even though this is an audio podcast, I hope you folks can feel my smile as much as you can feel Tim's passion for this, but this was very, very appreciated. And folks, remember, if you want to provide any type of feedback, or if you have any ideas for any future podcast topics, please send us an email at techtakes@oacett.org. That's techtakes, T-E-C-H-T-A-K-E-S, at oacett, O-A-C-E-T-T, dot org. And until next time, bye for now.