Insights on building cybersecurity into critical infrastructure projects from the ground up
I recently had the pleasure of hosting Keon McEwen, head of solutions development for industrial cybersecurity at Black & Veatch, on the Security Square podcast. This cybersecurity-focused series features analyst insights, expert guests, and the latest news and happenings across the security sector. Our conversation centered around a topic that often keeps industrial cybersecurity leaders up at night: why cybersecurity for critical infrastructure must be treated as a foundational design principle, and not a bolt-on solution.
Why Cybersecurity Must Be a Capital Delivery Imperative — watch the full episode here:
The Problem That’s Hiding in Plain Sight
Here’s what’s troubling: while cybersecurity for critical infrastructure has become a board-level concern, it’s often still treated like an afterthought in far too many capital projects. Organizations are designing massive infrastructure investments with blind spots baked right into the foundation. And as we all know, blind spots don’t fix themselves – they create cascading risks that can threaten not just operations, but human safety itself.
What makes this even more concerning is that we’re operating in an era where AI-driven threats are becoming more sophisticated by the day, and regulatory pressure is mounting from every direction. This is no longer simply an IT problem; it’s fundamentally about safety, reliability, and business resilience and continuity.
From Maritime to Critical Infrastructure: A Journey Worth Understanding
Keon’s career journey perfectly illustrates how cybersecurity expertise evolves in our industry. He started on the operational technology (OT) side, programming Programmable Logic Controllers (PLCs) for automated spray foam production, giving him deep insight into how level-zero devices communicate up the network chain and how that communication can be disrupted.
His transition to maritime cybersecurity was particularly fascinating. As he explained, “On a vessel, it has every critical infrastructure, all condensed into one small form factor. You have water treatment facilities, and you also have power generation. All these things are happening on this one asset.” This gave him a unique perspective on multiple types of critical infrastructure through a single lens.
The Communication Gap That’s Costing Us
One of the most striking points from our conversation was how the responsibility for cybersecurity often falls into a gray area between IT and OT teams. Keon put it perfectly: “At the board level, they’re still trying to understand that. Who do they pin the rose on to have the responsibility? Is it the IT professional or is it the OT professional?”
This confusion creates dangerous gaps. But here’s what I believe: when you help people connect the dots between cybersecurity and their daily operational challenges, light bulbs start going off. And that’s one of the reasons I enjoy these conversations with folks like Keon so much.
Keon shared a powerful story about a chief engineer who initially couldn’t understand why cybersecurity experts needed to be on-site. However, when Keon explained how vendors plugging into equipment could cause unexpected malfunctions – including incidents where set points were changed, resulting in tank overflows, that engineer became a cybersecurity champion overnight.
Speaking the Language of Safety and Operations
This brings me to one of the most important insights from our conversation: it’s incredibly important to speak people’s language. Focus on what they care about, in terms they understand and can relate to. For operational teams, that language is safety, hazard mitigation, and reliability. Keon and his team incorporate this approach in their internal conversations across various teams.
“We’re using their same processes, their same understanding, their same flow of information sharing to now attack on the cybersecurity aspect,” Keon explained. Instead of creating entirely new frameworks, successful cybersecurity integration happens when you embed cyber considerations into existing hazard analysis and emergency planning processes.
The Foundation Principle: Why “Security First” Matters
I’ve been talking about security as a foundational element for years, and this conversation reinforced why that approach is so critical. Think about building a house – you don’t wait until the walls are up to pour the foundation. The same principle applies to infrastructure projects.
When you build cybersecurity controls into the design phase rather than bolting them on later, you eliminate massive amounts of rework. You’re not hunting for downtime windows to implement monitoring and segmentation. You’re not retrofitting systems that were never designed with security in mind. You’re building a secure foundation from day one.
Keon shared a great analogy on this front using the seatbelt as an example. He said, “If you’re thinking about purchasing a car, a seatbelt is a very critical part of that vehicle. Would you want to have that seatbelt installed at the factory by the people who created the car and who know all the right information about that seatbelt and how to install it most effectively, or do you want to try and figure out how to install that seatbelt yourself while you’re driving the vehicle down the road?” I think the answer is pretty clear.
The AI Challenge: Friend and Foe
No conversation about cybersecurity today can ignore AI. As organizations rush to embrace generative AI for productivity gains, threat actors are doing the same thing – but with malicious intent.
Keon’s team takes a three-pronged approach to AI: AI in their security tools, AI used elsewhere in the organization, and AI “in the wild” – meaning vendors and third parties using AI in ways that could affect their operations. The recent CrowdStrike incident perfectly illustrates how one dependency can cascade across multiple industries.
What I found particularly compelling was Black & Veatch’s “AI versus AI” approach, where they create red team versus blue team challenges using AI capabilities. They not only embrace this approach as an internal practice, but they are also taking it to area schools, using these gaming challenges to help teach the next generation of tech leaders how to think about protecting against and responding to threats and challenges from an AI capability standpoint while having a bit of competitive fun in the process. Keon and team preach the gospel that the path forward isn’t about shying away from AI, it’s about understanding how to harness it defensively while preparing for AI-driven attacks.
Getting Everyone to the Table
Who needs to be involved in these conversations from day one? According to Keon, it starts with the asset owner and CISO establishing clear expectations and requirements. Without that, the team is “trying to fill a gap but they don’t really know what needs to be filled.” An owner who understands their landscape and the threats they’re dealing with, or a partner working alongside that owner who does, and sharing information and being vulnerable and open leads to the best effect and best results at the end of the day.
And here’s my addition to Keon’s advice: sometimes you have to ask for a seat at the table, and sometimes you have to ask multiple times. If you’re in cybersecurity and you see infrastructure projects moving forward without security input, be tenacious. Be a nuisance if necessary. The stakes are too high for politeness to take precedence over safety.
Two Critical Outcomes: Capability and Clean Build
From every capital project, Keon’s team focuses on delivering two key outcomes: cybersecurity capabilities and a “clean build.” The capabilities piece is straightforward – network monitoring, segmentation, secure remote access. But the clean build concept is equally important: ensuring that no new vulnerabilities are introduced during the construction process itself.
This means maintaining security hygiene throughout the entire project lifecycle, from initial design through handoff to operations teams.
This article was originally published on LinkedIn.
Read more of my coverage:
Mitel Secures JITC Certification for OpenScape Voice: A Major Win in Secure Communications
IBM Emerges as a Security Force at RSAC 2025: Innovation Meets Experience
TELUS Leverages Zoho for Strategic Customer Engagement: A Conversation with TELUS Executives