Episode Transcript
[00:00:00] Speaker A: I'm Dave Rubenstein, the CEO of Opti RTC and you're listening to the Water Values Podcast.
[00:00:06] Speaker B: The Water Values Podcast is sponsored by the following market leading companies and organizations by Xylem, Let's Solve Water by the American Waterworks Association. Dedicated to the world's most important Resource by Black and Veatch Building a World of Difference by Advanced Drainage Systems Our Reason is water by 1898 and CO possibilities powered by experience by Woodard and Curran High Quality consulting, Engineering science and Operations Services and by Innovation and Stewardship for a sustainable tomorrow. This is session 284.
Welcome to the Water Values Podcast.
[00:00:57] Speaker C: This is the podcast dedicated to water utilities, resources, treatment, reuse and all things water.
[00:01:03] Speaker B: Now here's your host, Dave McGimpsey.
Hello and welcome to another session of the Water Values Podcast. As my daughter Sarah said, my name is Dave McGimpsey and thank you so much for joining me and thank you for your support over the last nearly 12 years. Yes, we're almost 12 years old.
We have a great show for you today that addresses Reece Tisdale's sleeper issue for 2026, cybersecurity. And we address it in a fun and constructive way with 1898 and co's Victor Atkins. Victor frames the issue against the upcoming World cup soccer, I mean, football matches scheduled to take place soon in North America, predominantly in the US and he does a phenomenal job. You're going to learn a lot because I sure did.
And for our Bluefield on Tap segment this month, Reece Tisdale gives us a fresh perspective on water and data centers. But before we get to today's conversations, we always say thank you to our awesome sponsors at the top of every show. And we have Fantastic sponsors for 2026. We have Xylem, the American Waterworks Association, Black and Veatch, Advanced Drainage Systems, 1898 Co, Woodard Curran and and Entera. That, my friends, is a terrific collection of impactful companies that have affirmatively decided to support water industry thought leadership and education.
And I thank you all. And I'd like you, the listener, to please do me a favor. If you work for or with any of the sponsors, please thank your boss or thank your contact at the sponsor firm and let them know that you appreciate their leadership in the industry through the sponsorship.
That simple little note of thanks goes a long way, believe me.
And as long as you're letting the sponsors know you appreciate their support of water industry thought leadership and education, why not leave a rating and review on Apple podcasts or whatever other Podcast directory you access the podcast on. It'd be greatly appreciated and will help others find out about the podcast. And also please don't forget to subscribe to the podcast. Yes, the all important subscription.
That way you won't ever miss an episode. Before we head on to the interview with Victor, we've got a Bluefield on Tap segment with Bluefield Research's Rhys Tisdale. So take it away, guys.
Reece, welcome to the Water Values podcast and another Bluefield on Tap segment. How you doing today?
[00:03:29] Speaker A: I'm pretty good. You know, when we just got on, you asked me how 26 is going so far and I, there was a long pause. I'm not sure and I'm not going to lie as I look to my right outside the window, there is a pile of snow in my driveway that is stacked up to the basketball rim to the very top. So we're saying 10ft, 10 foot pile of snow. So I suppose it's okay.
[00:03:53] Speaker B: Yeah, I, I shoveled my driveway and I had a couple of people scold me for saying, didn't you know that males over 45 years old, that's one of the leading causes of a heart attack?
[00:04:03] Speaker A: Well, there's no doubt about that. But it's, you know, I keep telling myself it's good exercise so I just do it.
[00:04:09] Speaker B: Yeah, I just said, hey, I monitored my pulse and my pulse never got more than 142.
Well, so lot going on in the water sector, as always, good problem to have. What's rising to the top of your stack this.
[00:04:25] Speaker A: Well, before I jump into my conversation, one thing I want to do, and I mean partly because of introductions, because of you, I want to give a big thanks to Denton's and the Keystone Policy Center. I was on a webcast yesterday for the Denton Smart Cities and Connected Communities Think Tank Virtual roundtable with Damian George and Jennifer Morrissey from Denton. So I thought that was a great conversation we had yesterday. So shout out to Denton's thank you, thank you.
[00:04:53] Speaker B: We appreciate you participating. That was a great panel.
[00:04:56] Speaker A: Yeah, it was super fun and great to get to know people better. So if anybody's interested, also shout out to the Keystone Policy center.
They were on as well and contributed. So but the topic of the day in water, and I know we've talked about this in various forms, but it feels like the worm has turned a little bit, at least as far as the type of questions we're getting. And I don't know if you want to call it pushback, but Bluefield's done a fair amount of analysis on data centers and water usage.
But what we have not done today and we're about to release is really to look, you know, not just data centers on site or direct water usage, we're looking also at the power sector as well. And how much water does the power sector use? And that really, when you combine the two on site and off site, the power, the electric power plant, that's really where you get significant volumes of water. And there's just a lot of questions about who's responsible, what does it mean, and so on and so forth. So just to maybe briefly put in perspective, when you look at the data center water impact, out of the hundred percent on site and off site, the power sector makes up 72% of the total. So that's really where the push is happening. And as a result, there's going to be a lot of changes and they're already happening on the power side of the equation.
[00:06:29] Speaker B: Can you, can you dive into that a little more?
Power sector and its water usage? It's not. I wouldn't call the power sector's usage consumptive, would you? I mean, it's. They return a lot of that one.
[00:06:43] Speaker A: Yeah, they do. It's. Yeah. So I mean, I think that's a really good point. Right. There's a lot of usage. They're drawing from rivers, lakes, for cooling purposes, thermal power, and so their usage is much, is much higher than consumptive. Right. I think one of the things is just as far as like water withdrawals, when you look at the US Water power sector withdrawals have actually been declining. The power sector has been becoming increasingly more efficient over the last decade, let's say. So it's declined about 3 to 4%. As far as water withdrawals are concerned.
What's happening with data centers, they're reversing that trend because the power demand is up and, and they're partly the trend is slowing, partly because some coal plants that were going to be retired are going to stay online, some gas plants as well, with new tech. I think you had a great podcast and I brought this up before. It's Patrick Reagan who now is at Salinas. I believe you had a really good podcast. I don't remember what episode number it was talking about the power sector's water usage.
But it has been changing over time with, with natural gas and renewables for that matter, coming online.
And so that's really what I think the, maybe the bigger concern is. And it's all happening so fast. Right. That's the other challenge is Is when we look at this big tech and data centers, they're moving at a far different pace or faster pace than municipal infrastructure. Municipal infrastructure never planned for anything like this in their design and cap.
The power plants didn't either. And they move at a battleship group pace rather than a Ferrari pace.
[00:08:33] Speaker B: In terms of forecast for what water consumption looks like in the future, are you, are you seeing technological innovation help with cooling at those thermonuclear, you know, those thermogeneration plants, or how do you see the water usage shaping up in the future?
[00:08:51] Speaker A: Yeah, I think, look, the data centers themselves are becoming more efficient. They're moving towards liquid cooling. You know, they use dry, dry cooling when they can.
So it's not fair to always say, hey, that data set, every data center uses X amount of gallons of water.
It is changing, but it takes time. There is an existing fleet of data centers. The more hyperscale data centers come online, that will change. But every move they make in some cases is defer. If is deferring the water usage over to the power sector. On the power sector, they're becoming more efficient as well. I mean, and they're, they're all in all, on all fronts, reuse more efficient. Cooling is becoming more efficient and deployed at greater scale. But I think, you know, when you think about it, when we look at it and we've put dollars to, you know, what is this going to cost? CapEx, OpEx? And I look at it even more broadly, data centers over the next five years. Water management is about a $4 billion business.
Electric power is about a $15 billion business.
And then I'm not even talking about the even further upstream impact of natural gas. And that's fracking, right? Fracking is a $28 billion business. And that's part of this. This power demand for natural gas is sustaining the gas basins in places like Marcellus Shale and the Permian Basin.
[00:10:21] Speaker B: And nuclear uses water as well. And that's, that's really what the Trump administration has staked a lot on. But it's not just the Trump administration. I mean, both Republicans and Democrats are very supportive of nuclear.
[00:10:34] Speaker A: You could argue that. I mean, I would say, are we in a nuclear renaissance? I mean, the discussions are real now between recommissioning places, plants like Three Mile island, but also these small reactors. The challenge is going to be how long will it take for that to happen? That may take a decade. But the chat, as I mentioned, data centers in these developers, they're moving at a much faster pace than 10 years, right? They're ready to roll and it's that it's also capacity but then there's also the grid connections, you know, can they get the power to the data centers themselves?
That's a whole nother constraint.
[00:11:15] Speaker B: O location is a big issue there. Yeah. So Reece, can you talk a little about, you know, data centers are very controversial.
[00:11:24] Speaker A: Yeah, I mean I, yeah, I think, I think cities, I think they really see these as opportunities. Right. They provide construction jobs initially, maybe not long term. It is development.
I just don't think they're quite ready for it. Right. They're not ready to move this quickly. Right. Munis are already cash strapped. Right. They're looking for funds for the to deal with their own infrastructure. Inflation is playing a role. They've got workforce challenges, they've got new regulations to deal with things like PFAS and lead on the water side. So that's one big issue. And they're like, we're not quite ready for this.
People also their constituents, you know, mayor's constituents, city councils, they have louder voices than they ever have had, whether it be because of social media and other things. And like I said, they've never planned for it. So I think that's probably the biggest rub. And there are hotspots where you see these communities where the data center owners, and it's not just Meta and Microsoft, they're real estate investment for us and a number of other types of firms that own these facilities.
They're not being fully transparent about how much water or power, you know, what they need. They're being a bit opaque and maybe they don't know exactly or they're planning for the long term and want to, you know, need a longer Runway than what the today's water needs are. So I think that's part of the challenge and I think that's where they're concerned. And so like anything, you see a couple bad pieces or, you know, news items in, in the media and that's what, that's what people hang on to. And sometimes it's not fair and maybe sometimes it is.
[00:13:10] Speaker B: You're right about municipalities being cash wrapped and I think they're, they look at data centers as tax base. Yeah.
In a big way. All right, well, Reese, great, great information today. Look forward to how it all pans out and we'll talk again soon. Thanks so much for your time.
[00:13:26] Speaker A: All right, Dave, have a good one. Happy once again, 2026.
[00:13:29] Speaker B: Amen.
As always. Great information from Bluefield Research and Reece Tisdale. Now it's time for the main Event, our interview with 1898 and co's Victor Atkins. So let's get that water flowing.
Well, Victor, welcome to the Water Values podcast. Great to have you on. How are you today?
[00:13:47] Speaker C: I'm doing great, thank you. I really appreciate you having me on today to talk about these topics.
[00:13:52] Speaker B: Oh, absolutely. It's such an important topic and it's a high profile topic that we're going to be hitting on. But before we get into that, before we get into the main show, could you tell us a little about your background and how you came to the utility industry?
[00:14:06] Speaker C: Yeah, I think my interest in utilities goes way back, I guess to the beginning. I grew up in a small town in Northeastern California where there's more cows than people, literally.
But in high school and throughout college, I worked there at the Rural Electric Cooperative power company there that served all of the ranches and the remote communities in the area alongside the linemen that had to service and build those lines. And I just appreciated then from an early age how important the utilities are to deliver water and power, especially to rural areas where they rely upon those services.
And from there I think I've always had a service mindset, you know, and I, it pushed me to work for the federal government.
And as things turned out, you know, I came out east coast, went to the University of Virginia and I got a job with the federal government in 2001. And only about a month after I arrived in D.C. area 911 happened, which really I think shaped the trajectory of my life and my career.
I really came to appreciate firsthand, literally how vulnerable we are as a nation to these complex external threats that really exploit gaps and seams in our systems.
And I think that fixation carried me through my federal career in various roles in the intelligence community and national security, spanning counterterrorism. I was the director of Countering Nuclear Terrorism at the, at the White House National Security Council staff for a while.
I've done work in countering state nuclear programs as well, but kind of ended my time in the federal government working in the Cyber Intelligence mission at the Department of Energy, providing analysis and threat informed materials for the energy sector so they could start to defend themselves against nation state threats to their infrastructure.
And I think across all of those threads it kind of goes back to that, that original mindset, you know, no matter how I've been working on risk exposure and risk reduction efforts against these high consequence threats that while they may seem improbable, if they were to happen, would be very catastrophic to us in our way of life. And I think that, you know, brings us back to water and power.
When I left the government, I really wanted to take that knowledge that I had about threats and, and risks and try to help utilities in particular try to defend themselves against these pretty significant threats.
And I came to 1898 and Company, which is a consulting practice within Burns McDonald's, which is one of the largest critical infrastructure engineering and construction companies in North America.
So here I've been able to be exposed not only in the power industry, that's where I came from, but also a lot in the water and wastewater utility space and been able to go to a lot of utilities ranging from very large ones like in New York city or even D.C. here where I live, as well as to small municipalities where, you know, they have not a lot of resources and people to deal with these problems.
And what's striking about even though water and power seem very different, they have a lot in common right now.
Both industries are very, are under a lot of pressure right now to integrate more digital controls and analytics and technology into their environment, while at the same time they face limited resources and these emerging threats that I think we'll talk about today that are developing constantly to try to hold those assets at risk to achieve these other countries national security or national geopolitical objectives. So it's a very interesting time I think if you're in the security and risk business in the utility sector. And I'm just, you know, really grateful that I'm part of it and I'm. As long as I'm able, I. I hope to be able to continue to contribute to security for all of those entities.
[00:18:03] Speaker B: Well, that, that's fantastic. You know, I was Victor, frankly, I was really hoping to get more of a cybersecurity expert on this podcast.
I'm just, obviously I'm kidding.
So in the context of what you've just laid out, all the cybersecurity risks generally, the US Is hosting the FIFA World cup coming up here. And what better stage for a bad actor to.
Because soccer is the most popular sport in the world, what better time to showcase how the US Is vulnerable than to launch a cyber attack during FIFA World Cup. And so I think that's what I want to talk about are kind of how you see put some context around why the World cup in the US in 2026 is kind of a heightened risk for utilities.
So if you want to, if you want to talk a little more about that, I just, I kind of saw it from a big picture. But if you want to dive down into that?
[00:19:12] Speaker C: Yeah, absolutely.
I mean, when you think about these global sporting events, and I'm talking mostly I'm thinking here about the Olympics or the World cup, the first thing you got to think about is why they're such attractive targets. You hit on this a little bit, but they're international, right? They're prolonged. They, they occur over months in some cases and they're watched by the entire world.
In the United States, soccer may not be the, the largest sport, but in the rest of the world it is.
And these kind of events, they're not like Super Bowls or large US Based events, they have these other qualities to them and they present this enormous stage for other countries that have these kind of cyber attack capabilities to be able to showcase those capabilities and pursue other strategic object objectives. For instance, they may want to demonstrate how they can reach into our systems and touch whatever they want at a time of their choosing. And one thing that's attractive about cyber is that it kind of contains this element of plausible deniability. They can have the effect everybody kind of knows who did it, but they can hide attribution and obscure their hand in it. So it kind of keeps it from being something that escalates from there.
They may want to also undermine the public trust in government. I mean, what better way to demonstrate to the world and the United States and our partners that, you know, our vulnerabilities and weaknesses if we can't even protect an event within our own borders? And so there's a lot of objectives that adversaries can and do pursue when they attack these events. And, and, and we have to be mindful of that. When you think about China and Russia in particular, which are the two kind of main threat actors that I think about right now, they're seeking greater political clout at a moment when, you know, the rules based international order is, is going through a lot of changes. I mean, even as we're talking today, the World Economic Forum is happening in Davos and there's a lot of discussions there about what it means, how the US is changing its approach to partnerships and, and other international, or the international order of which we have built Since World War II and other countries are talking about how they fit into that. And so right now, at this moment, the World cup coming up this summer prevents a really high visibility event and it creates that opportunity for others.
And this isn't just hypothetical or theoretical.
We have seen this pattern play out before.
Cyber activity against large global games really started with the Pyeongchang Olympics in 2018 when Russian operators deployed a destructive malware which was aptly called Olympic Destroyer, where they disrupted WI fi and the broadcast itself and some of the access control systems to the Games. And that got a lot of attention to what the Russians were capable of doing. And that was seemed to be what their goal was. And then if you move to Tokyo in 2020 again, Russian intelligence conducted extensive recon of networks there to support the Games.
And then if we shift to the World cup in soccer, the Qatar games in 2022 and then the Euro matches in 2024, in both of those cases multiple nation state actors were reported to have probed critical infrastructure in particular. So it's where it shifts a little bit from IT based threats to more of the control systems around the critical infrastructure that supported those Games. From water and power communications, they were mapping, they were reported to have mapped weak points and pre positioned for potential disruptions. And although they did not actually attack those games, they were positioning themselves to be able to do so.
And so I think that that's where we kind of have to look at this situation coming up. The United States this year we will see, I think a lot of attention on those Games. It's within the United States. The United States is having a lot of conflicts, partners and adversaries. China and Russia on the rise. I just think there's a lot of elements within the geopolitical environment right now that drives the risks up that utilities in particular have to be mindful of because they support all of the infrastructure and all of the pop. The this massive population that's going to be coming into these areas to, to observe the Games.
[00:23:46] Speaker B: Yeah, absolutely. And I'm curious, the natural question coming from that is what should utilities be doing?
And do you know, do smaller utilities, should they feel safe or exempt from this? Or is it because the cyber attackers are only going to go for high profile targets during these games?
[00:24:07] Speaker C: Yeah, yeah, I mean it's a good question. So it's not like they're going to attack everything or they could attack everything. I mean really what we have at our advantage here is, you know, these things are going to happen at a particular place at a particular time. So in further your audience who's not tracking with this, the World cup in 2026 will have 104 total matches running between June 11 and July 19 within six cities across the U.S. canada and Mexico and the U.S. we will host 78 of those matches.
And so if we, and we are expecting you, there's lots of estimates you can look up. But you know, the the estimates range up to like 6 million people may come to the United States to, to watch these games over that period.
So with that kind of footprint, utilities in those areas. So the utilities that kind of serve those footprints or are adjacent to it. And it doesn't have to be just the venue. It could be the practice facilities and the hotel and kind of restaurant and service industries that are around that.
While, you know, it's a finite amount, but with that kind of footprint, water and electricity will be stressed. You know, they'll be pushed because of just the demand on those services over that period.
And it isn't just going to be that. It could be communications, it could be transportations. But, you know, we were talking about water. And I think that that's going to be part of the, part of the, the consideration.
Burns and McDonnell is hook is located in Kansas City. Right. So I kind of thought about the Midwest here.
There'll be six matches in Kansas City, including a quarterfinal and some others. There could be up to 700,000 visitors to that region, which would increase the population just in the Kansas City Metro area by 30%. You know, that's an enormous strain on the capacity of utilities to support that. And if you go to somewhere like Dallas and Houston, they could up. They could have up to 1.5 million visitors across that space.
And so the other element the utilities have to focus on is they'll be under enough stress as it is to be able to meet the capacity that will be put on their systems because of that footprint. And then, of course, systems that are put to their limit are, are their most vulnerable. Right. So that is what I think utilities have to consider is it isn't just their ability to meet that demand, but, you know, they'll be at a place where there won't be a lot of capacity to restore things. If they are, if they do have an issue.
[00:26:43] Speaker B: Yeah. What, what's. What are the most likely targets? I mean, is it, is it just operating systems or.
I'm just kind of curious what you see them, what you see most.
[00:26:55] Speaker C: Well, let's just look at the past, right?
What the, what they've done in the past. And you know, we can kind of expect that now or at least have that as a frame of reference. As we look at IT in cyber, we kind of think about the two domains as information technology or it, and then operational technology, which is called ot.
We're not creative in our acronyms here, but the IT systems you could think of as like, you know, venue, you know, identity access systems, vendor Remote access portals, ticketing to credentials, all those things that are around the venue, those are going to be, I think, potential issues. But if we look at just utilities, when you think about the operations, whether it's IT or ot, it's the kind of systems that could be monitoring for vuke or control any kind of pumps or valves or anything that runs the actually operates the water system or even in the electricity system. There's a lot of digital technology for view and control. I think those things could be. If we're looking at disruption as one of the possible opportunities that they want to, or you know, one of their objectives, then I think utilities really do need to focus in on the exposure that they have in those, in those networks, particularly to anything that's Internet facing or might be an unsecured or unmonitored communication pathway.
Those are the ways in or in or out. That's the kind of, that's how cyber attacks operate typically.
And so, you know, anything that's within those environments that has those control or view features that has, you know, access through something that the utility doesn't really have a lot of control or monitoring over is going to be an area of concern.
[00:28:43] Speaker B: Right, right.
I'm, I'm curious, what if a utility is wondering, you know, am I, am I set up? Or even worse, they think they're safe, but they may not be. Because one of, one of my favorite quotes is from.
It's attributed to Mark Twain. Right. It's. It ain't what you don't know that gets most, most folks into trouble. It's what you know for sure that just ain't so. Because I've, I've spoken with lots of utilities about cyber and they sometimes they probably just don't want to get sold, but they say, yeah, we're good, we're covered.
[00:29:15] Speaker C: Yeah.
[00:29:16] Speaker B: And they just say it. No, so nonchalantly. I just think, are you really or you just don't want to talk about it?
[00:29:22] Speaker C: Yeah.
[00:29:22] Speaker B: So if you're a utility, kind of, what are you, what should you be doing right now to help prepare for all this?
[00:29:30] Speaker C: Well, let's, if we step away from cyber and kind of funnel out to big picture again, kind of, let's take the big picture and drill down.
The security around these events is going to be significant. And at the, if you think of it as kind of like an inverted pyramid, at the top of that pyramid is the federal government, DHS and FBI provide threatened intelligence and incident response support. Excuse me. They coordinate the law enforcement, the intelligence partners within Mexico and Canada. So at that level there's a lot of activity to try to put a security infrastructure around the games. And then in the middle you have the states. Some states have fusion centers where some of this comes together.
But they also, states align the emergency management, they coordinate. Typically they can coordinate mutual aid agreements between utilities, particularly if they're across states.
They can help link rural and urban, public and private operators together for emergency response or. Yeah, or local security.
But at the bottom of this pyramid where all of the kind of attack, where the attack is aimed at are the utilities themselves.
And you know, these are typically, Sometimes they're large IOUs, but as you and your audience know in the water sector, large, well funded, regulated, investor owned utilities are only like 5% of the, you know, total surf, only about 5% of the population. Most are small regional water authorities.
And those are the ones that have the real responsibility to guard and protect their networks and monitor their traffic.
So that's the conundrum, right? Those entities at the bottom with the most responsibility for resilience and security have the least resources, staffing or the capacity to prevent.
And so if, if I were a utility, one of the steps I would be taking is to try to make sure I'm at least linked up in that pyramid. So make sure that I'm linked up with state and local responders and incident, incident command, if there's an incident command system that's being stood up around the games, make sure you're part of those conversations.
Make sure. And it could be as simple as just knowing who to contact.
You know, if you. I've been in incident response planning, as I kind of talked about my background, high threat type scenarios.
The number one kind of rule of thumb is you just cannot expect that anything you do on a normal day will be available for you on a, in during a crisis. And you don't want to be in a situation where you're going to have to exercise those muscles that you haven't used ever, maybe during a time of crisis. So you want to at least have the basics, contact information and fold yourself into some of these communities within that security pyramid so that you know, they know to call you if they have questions and you know to call them if you have issues. If there's a cyber attack, for instance, on a utility, you can bet your bottom dollar the FBI and possibly even DHS will show up at your doorstep asking for forensics information, trying to figure out who did it.
So it's a really good best practice, I would say, is to build some connective tissue with those entities in advance so that you know who to call, they know who to call and you know what kind of information they would be expecting to get from you and that you actually can get that information. You know, if they require logs or something like that do, do you even retain those kind of things? So I think that's the kind of the big thing if we're talking about just internal to an organization which irrespective of all of the stuff that's going on outside, I think that the number one thing that a utility can do is to exercise its internal emergency response plans particularly. So like we have, it's, we're here in January right now, the games are in six or six months or so.
That's a, that's a not a lot of time but it is enough time to start running some focus scenario driven exercises, Tabletop even couple hours to execute it with your leadership or with the, with the operators, engineers and security personnel that would be functioning within the geographical footprint of the games themselves. Tabletop exercise in my experience are the most effective. The government does this and they. I think it's been proven out that this the most cost effective way to build muscle memory and procedures without spending a lot of money or time. So you can buy down a lot of risk by doing that.
And if you're bringing in operators and your information security and your operational security teams, the leadership, anybody who would be responsible for strategic messaging to the public.
If you can walk through a couple what if scenarios, you know, that are time and geographically abound around the games themselves and decide like how you would operate and who would have to call who, where are the interdependencies within the organization that may exist in normal order as you know, just kind of loose bound relationships. You want to be able to make sure that that's actually known within the environment. I mean I know of cases where people knew on their checklist that they needed to call Joe but Joe did not know that he was on the hook to be called. You know, so it's kind of like make sure that everybody in that chain is at least prepared that they may be on the hook to do something or if they see something, how do they escalate that into the organization so that they can get help and you know, decisions at the right level about what to do next.
And I think it clarifies roles and responsibilities, it can expose gaps and again it builds relationships within an organization between sometimes disparate groups, the tribes around it and ot are you know, sometimes frenemies you know, but if you build a, if you build a, a relationship around a scenario, you actually can potentially propel that relationship through into the future beyond the games, which also helps, you know, build your overall resilience and your, and your risk, and it reduces your risk profile. So I think exercises more than anything would expose the kind of issues that you either have to do at the time or that you can anticipate you would need. And you could start to do some work on shoring up that gap before you. Before you actually need it.
[00:36:20] Speaker B: Yeah, you mentioned tabletop exercises, and I know it sounded like you went on to describe that, but is that what you were describing, the tabletop exercise? Because I just want to make sure the listeners understand what a tabletop exercise actually is.
[00:36:37] Speaker C: Oh, yeah, yeah. So a good one. I mean, you can do them in all kinds of different ways, but the best thing to do is first start with a scenario, a scenario that's realistic to you. Now, we don't have to make that up in the World cup case.
We've got a time. We got a geographical area that is at high risk. So therefore, as an organization, you know what, you operate within that footprint, so you probably can figure out who needs to be involved. So you get the right people at the table with a scenario that you know and you can concoct it however you want. But if the goal is, let's say we face a cyber attack or we lose a communication pathway that we find critical, or, you know, the first indication that we have a problem is that we have a pump that fails or something like that. Like, start with a scenario that seems realistic enough and then walk through. If you have a plan, put the plan on the table and say, okay, does this plan that we've had in the organization for however long you've had it, does it apply or does it work for this scenario?
Odds are it probably doesn't. Okay, it's the best practice is to have a third party facilitator, like hire a consultant or somebody to come in and actually facilitate this for you so that you can participate in the event without trying to run it.
You want the decision makers at the table to play out their roles as opposed to playing out their roles while also anticipating what has to happen next for the meeting or whatever.
So you run through the scenario, you identify who needs to be called, and people can ask questions about what they have to do, or somebody will inevitably identify a dependency inside the organization that, that nobody else really appreciated. Like, hey, in order for me to do this action that you all say I'd have to do I rely upon these folks to give me information or I have to rely upon this decision from the boss. Are you telling me that I don't have to rely on that now? Those kind of things get worked out in the moment and the outcome of that couple hour session, if it's well done, gives you a list of actions. Sometimes the actions are, hey, we have to update our call list and make sure that everybody's phone numbers are updated.
Maybe we have to make sure our supervisors on shifts are trained properly about how to do a proper turnover. And, and to make sure that everybody's aware of what to look file for and pass on any information that they receive or that they were observing during their shift to the next.
Sometimes it's, hey, maybe we need to make sure that our strategic communicators are in the room here because the public is going to ask us questions. Right. How do we communicate that and, and what are the considerations they want to have at, at the ready so that they can have that discussion with the press or with, you know, people that are emailing in or whatever.
So I think that you come up with a list of things you either have to do to shore it up or maybe you have identified an information gap, like information about the status of a particular facility. Right. How do you, how usually in a normal day you may just look on, in your control center and you look up on the screen and you can monitor its status through a screen. Does that make sense?
[00:39:57] Speaker B: Yep.
[00:39:58] Speaker C: But what if that screen is gone? What if the adversary has eliminated that view altogether so you can no longer trust or even have access to what's going on at that facility? That's not where you're sitting.
Well, how do you actually then verify that? Do you have to send, you have to roll out trucks? Are there people on site that you can communicate through radios? Because maybe the way you usually communicate with them is through like teams or some kind of network based chat system. Well, maybe that system is down. So how do you communicate with them if you can't trust or rely upon your normal systems? So that may give you a requirement. Oh, we bet we need to go and get some, some radios if we don't have them. Or we need to dust off those old satellite phones that we haven't used in 10 years and make sure they're plugged in and people know how to use them. So I think those kind of things come out of the exercise and all of these things matter, I think, and it's the Little things probably matter the most because, again, human beings in a.
In a. In a contested environment where they're kind of under stress and they're under attack or they're. They under stress to do something. The 48 first 48 hours, I think, matter the most. That's the place where you can make decisions that could harm you later or you fail to make decisions that you wish you would have made later. So exercises allow you to kind of figure out what those things are, and you can try to control or do the best you can within that first 48 hours. After that, things start to normalize. I believe help comes in from the outside, or maybe you get. You can get the system back up and running. So then you figure out a way to kind of manage yourself back to normal, whatever the case may be. But that first 48 hours is critical. So do what you can to manage yourself through that period, and then, you know, and then take it from there, so to speak.
[00:41:52] Speaker B: Perfect. I love. That's great practical advice. You know, the small things. When you said that, it initially jumped in my head. What. You know that line from King Lear that says, my kingdom for a horse.
If he just had. You know, if he just had the little things, he wouldn't have to give.
[00:42:07] Speaker C: Hey, I didn't know we were making literary references. I'd have prepared better.
[00:42:11] Speaker B: I normally. I normally don't do that. But.
[00:42:13] Speaker C: No, I love it. I love it. So. No, but it does. The little things matter, you know, and in a.
Again, this may seem like such an enormous threat that a utility. And I get this a lot. It's like, well, you've scared me, but it seems now I'm, like, so scared that I'm paralyzed. There's. It's too big for me to handle. What can I do?
[00:42:34] Speaker A: Right, right.
[00:42:36] Speaker C: And I believe that in these kind of situations, defense is. Always has. Defense has the advantage. The offense has the advantage of surprise and preparedness and planning.
But once it hits the fan and things start rolling, I think the defenders have an advantage as long as they're prepared to defend their space. And that doesn't mean just technical solutions and adding more technology.
I find that it's the people making, you know, rational, informed decisions, even though they're under stress, that. That save the day.
And I think that the only way to really get yourself into a situation, be able to do that, is to have walked through it in a controlled way first so that you can have something to grab onto when you need it. And. And ideally, you know, this is. There's a deterrence element to this too. If you are prepared and it is visible to an adversary that you, that's maybe observing your network before they want to attack it, that you are prepared, that makes you a less viable target. And maybe they go do it, they go somewhere else, or maybe they choose not to go after you in the first place. So preparedness has a huge advantage in just even possibly in deterring the thing from happening in the first place. So, but that can only be, I think the biggest element of that is to have the organization actually take the preparedness steps, typically through exercises, so that they can start to move the organization into a better footing in case something bad happens. And of course, if nothing bad happens, what did you lose? Right. The, one of the problems with security is it's hard to gauge the return on investment if, if nothing happens. I mean zero is a bad metric. Right.
And so, but I think, and it comes to things like this, we're really talking about risk reduction and, and no one ever like you know, was upset that they over prepared, but they get really, there's a lot of problems and implications that they're not prepared enough.
And in the event of say a public service utility like water or power, particularly if you're regulated, if you did not prepare and something bad happens and if people were harmed in the process and then in the aftermath the regulators and the others come in and start asking, or you have to go to Congress or some, some other third party comes in and start asking questions.
Do you want to be in a position to say I couldn't, I couldn't stand up against the People's Republic of China, but here are all the steps I took in advance to try to make sure that we were prepared. Do you want that story or do you want to say eh, we were good, we thought we were good? Yeah, I think that I would prefer the former.
So, you know, and I, I hope that some people in the audience that are in those positions would also prefer that and just start to take those steps and they're not, it's not an enormous undertaking, but it can, even those little things can make a huge difference.
[00:45:41] Speaker B: Yeah, I think you, you, you made a really good point about if you, if you can show that you're prepared, you may deter the attack. And so even taking some small steps to signal to an attacker that you're prepared may divert that potential attack. So I think that's a great point.
Victor, you've been tremendous today. I've learned a lot and it has been great speaking with you do you have a leave behind message you might share with the listeners before we depart?
[00:46:12] Speaker C: Yeah, thank you. I appreciate that. I think everything is obvious in retrospect, you know, but in our case, particularly with the World cup, we have a lot of foresight. We went over this before. Adversaries have already targeted these events. They've targeted critical infrastructure at these events.
And with the, with it being on US soil and the current geopolitical climate, we have every reason to believe it'll happen here.
So if the. Our advantage is because it's a fixed schedule, we know when and where it's going to happen.
So I think the biggest thing here is I just, I kind of said it before, but I think it's worth repeating. You don't ever regret preparing. You only regret not preparing enough.
And I think that this tournament gives us a rare opportunity to strengthen our posture not only for the tournament, for the enduring future.
And I just hope that people start to take the work, take the initiative to start now because, you know, the clock is ticking.
And every day that we don't take action is a day that I think our risks of something bad happen that we cannot manage escalates from there.
[00:47:22] Speaker B: Yep, well said. Well, Victor, thanks again. You've been again a phenomenal guest. Really appreciate it. And for those who want to find out more about you and 1898 and co, where can they go to get that information?
[00:47:36] Speaker C: Yeah, you can find me on LinkedIn. I think I posted there and I have access to other things I've talked about and even to my website. So you can find me at LinkedIn under Victor Atkins. And then of course my company, we have a website, 1898 and co.com I encourage you to go there. There's a listing of, you know, what we do in security and risk and a lot of the other services that we provide to the, to the industry.
[00:47:58] Speaker B: Right. Well, Victor, again, thanks so much and we'll talk to you soon.
[00:48:02] Speaker C: Thank you. I appreciate the time.
[00:48:04] Speaker B: You bet. Bye now.
[00:48:05] Speaker C: Bye.
[00:48:07] Speaker B: What a great interview by Victor. Really enjoyed the practical insights and the great examples he described, particularly on the benefits of a tabletop exercise for cybersecurity. Really, really good stuff there, Victor. And thanks for coming on. And I hope all water utilities and all critical infrastructure entities take heed and follow Victor's advice.
Well, I'd love to know what you thought about the interview. Please check out the Show Notes page for information and links on this episode.
Just Google the Water Values podcast, click the first link that comes up.
You can email me at david.mcgimpseydent.com and you can sign up for the newsletter at that aforementioned landing page as well. Thank you again for tuning in and I hope you make it a great day. Plus, I want to give a huge thank you to our sponsors again. Sponsors of the Water Values Podcast include Xylem, the American Waterworks Association, Black and Veatch, Advanced Drainage Systems, 1898 and Company, Woodard and Curran and Interra. This show wouldn't be possible without those great companies and industry leaders. And again, thank you for listening and for subscribing to the Water Values Podcast. Your support is truly appreciated.
In closing, please remember to keep the core message of the Water Values Podcast in mind as you go about your daily business. Water is our most valuable resource, so please join me by going out into the world and and acting like it.
You've been listening to the Water Values Podcast.
[00:50:03] Speaker C: Thank you for spending some of your day with my dad and me.
[00:50:06] Speaker B: Well, thank you for tuning in to the disclaimer. I'm a lawyer licensed in Indiana and Colorado and nothing in this podcast should be taken as providing legal advice or as establishing an attorney client relationship with you or with anyone else. Additionally, nothing in this podcast should be considered a solicitation for professional employment. I'm just a lawyer that finds water issues interesting and that believes greater public education is needed about water issues. And that includes enhancing my own education about water issues because no one knows everything about water.
