|

How to Handshake, Ep. 7: Air Gaps and Other Lies.

Welcome back to How to Handshake, Optigo Networks’ podcast series on OT networking, building automation, and the conversations that actually move the industry forward. Subscribe to the podcast on Apple Podcasts, Spotify, Deezer, and YouTube!

OT Cybersecurity: Why “Not Connected” Doesn’t Mean Safe

In episode seven, we’re joined by Fred Gordy, SVP of Secure Connected Solutions at KMC Controls, and James Roberts, OT Cybersecurity Protections Leader at Kelso Building Services, to dig into why OT security is a fundamentally different problem from IT security, where the real risks live, and where to actually start.

What happens when a disgruntled employee wipes every schedule in a building — and nobody has a backup? What does a phishing email have to do with your HVAC system? Is BACnet SC the answer, or is it a ten-year problem? And who, exactly, is supposed to own all of this?

Youtube video

Transcript:

Ryan LaFlamme: Most OT networks in our buildings today were built on an assumption that turned out to be wrong — that those networks would never touch the outside world. The gear from that era might still be in the field, but that assumption is long gone. In this episode, Ping and I are joined by Fred Gordy and James Roberts to dig into where the real risk lives and where to start. I’m Ryan LaFlamme, and this is How to Handshake, Episode Seven.

Ryan LaFlamme: This is How to Handshake episode seven, and today we’re talking OT cybersecurity. Joining me here today is Fred and James. I’ll quickly just go around the room and ask you to introduce yourself — who you are and what you do. We’ll start with you, Fred.

Fred Gordy: Thank you. Glad to be on today. I’m Fred Gordy. I’m the SVP of Secure Connected Solutions at KMC Controls. What that means is KMC is really committed to the cybersecurity of their systems, but also the education of their SIs — helping them learn to do this on their own. That was one of the main reasons I wanted to come over here: the commitment to cybersecurity.

Ryan LaFlamme: And James, welcome.

James Roberts: Hi. Yeah, James Roberts. I currently work for Kelso Building Services. We’re a kind of a big service offering company — HVAC, construction, plumbing, electrical. But our department mainly handles systems integration. In my role I’m OT Cybersecurity Protections Leader, kind of a digital building protection leader for our group. I’m also head of the fault detection diagnostics offerings and the MSI division piece, which is the master system integration.

Ryan LaFlamme: And as we were mentioning before we started taping here, the two of you have known each other for quite some time.

Fred Gordy: What is it, 25 years now?

James Roberts: Yeah, at least 20 over 25 years, I’d say.

Ryan LaFlamme: Excellent. That should make for a great conversation. OT security often gets framed as if it’s just IT security applied to a different network. But anybody who’s actually worked on one of these networks knows it’s not that simple. So what makes security a fundamentally different problem for OT than it is for IT — and where does the standard IT playbook start to break down?

Fred Gordy: A couple of topics come to mind. IT optimizes for confidentiality, where OT is all about availability and physical safety. Very different risk matrices entirely. In my example, a patch that’s routine on a laptop could stop a heating system or a life safety system mid-operation. That’s kind of where my head goes. It’s a big difference.

James Roberts: To continue that thought — like Fred said, confidentiality was his world. Availability is 100% the control systems world. James and I have been fortunate enough to work alongside each other in several companies over the years, and we’ve done assessments in different places. There was a group we both know that was caught unaware, let’s put it that way. When we reviewed the policy they’d written, one of the guys said, “I’m not changing our patching policy.” I said, “Well, if you don’t, let me explain how it goes bad.” I will say — it is getting better. They’re at least listening better.

Ping: And that’s been a recurring theme from past guests as well — that for a long time there was a real gulf between IT and OT. But there are a lot of bridges starting to be built. And that’s a good segue into the next question. Building OT networks have changed a lot in the last decade. We have web-based BAS front ends, cloud-hosted analytics platforms, vendor remote access tools of all sorts. All of these have punched holes in what used to be a closed, isolated environment. Which of those specific changes do you think have had the most impact on a typical building’s security posture — and which ones get unfairly blamed by IT?

Fred Gordy: IT sometimes gets into a rush to secure without understanding the environment they’re going into. James and I were working with a medical group and they had operatory suites in their buildings. An operatory suite requires you to monitor temperature, pressure, and so forth. You can’t just be blind to it. And they pushed out Java updates and locked out their HVAC systems — not in one, but multiple locations. They had to cancel surgeries for two days. James and I both have story after story where IT has just trampled on top in a rush to secure, and as a result, cost themselves a lot of rework.

James Roberts: Yeah, one comes to mind up north where they tried to run a scan on an OT network and probably crashed 80% of the building. The IT playbook just doesn’t translate well on the OT side. The assumptions don’t hold.

Ping: I wanted to talk about an article we wrote late last year — a roundup of real-life cases where bad data inside an OT system caused real impacts. Things like HVAC failures and mold exposure. That was an actual situation that happened at Seattle Children’s Hospital. And separately, Google’s Sydney office had their building management system sitting on the public internet, completely unpatched. If that’s what can happen from a misconfiguration, what happens if somebody actually gains access deliberately? From what you’ve seen in the field, do examples like these capture what’s really at stake?

Fred Gordy: The example I have is an insider attacker — a disgruntled employee who still had access, and they simply went in and wiped all the schedules. That’s all they did. The remediation was very extensive. Took a lot of time. Unfortunately, there were no backups of the schedules. Nobody knew what they were supposed to be. So the change was very simple — the remediation was extensive.

And that kind of gets me on my soapbox. Throughout the entire time I’ve been doing this, the biggest problem isn’t the technology — it’s what I call response paralysis. Nobody’s planning for it. We’ve had situations where the backup was five or six years old and many changes had been made since then. Or there’s the case where somebody backed the virus up along with everything else.

James Roberts: The line between accident and attack is almost invisible from the inside of the system. Same bad value, same consequence. If your monitoring can’t tell you why a setpoint changed, it really doesn’t matter whether it was on purpose or a bad config push. Continuous monitoring is the piece we push. Deep packet inspection right there on your network. It’s all about anomaly detection — if something’s happening out of the ordinary, flag it so you can act quickly.

Ping: Fred, James — we get asked often: where do we start? Especially for organizations that aren’t far along the cybersecurity framework route. What do you tell them?

Fred Gordy: It’s not as daunting as it seems, and I’ve been on this journey a long time. There are three questions I ask when somebody says “what do we do?” — and I’m a broken record about them: Do you know what you have? Do you know how it’s connected? And do you know who has access? Most of the time they can’t answer all three.

You plug into the network and they think they had ten devices, and they’ve got 22. And our industry doesn’t handle user access like IT does. I worked for a decent-sized mechanical contractor that had started their automation controls business in 1998. When I came on in 2006, there were past employees and current employees who all shared one username and password. There’s an economic reason for it — you can’t run out and update credentials across 2,000 systems every time someone new joins. But if you map that out across 100 buildings with six systems each, you’ve got roughly 4,800 people with 24/7 access to your systems. They had no idea.

Ping: And that’s a really important point. It’s basic cybersecurity hygiene, and this is a major difference I’ve seen coming from IT to OT. OT devices span a much wider gamut — older devices with no built-in authentication, and BACnet has no encryption, meaning basically anyone who can touch the OT network can touch all of it. So there are a few options on the table for protecting OT gear: tight network segmentation, OT monitoring in real time, and protocol fixes like BACnet SC, which bakes encryption into the protocol itself. We actually spoke with Nate Benes about BACnet SC in an earlier episode — I’ll drop that link in. Fred, is there a combination of these that actually works in the field?

Fred Gordy: Adoption rate is terrible for anything in our industry. Just keeping it real. When you’re in a non-federally regulated industry, it all comes down to dollars. There’s no ROI per se for what we do. But there is a thing called operational interruption — how much does that cost you? If a building is offline for days, what did that cost? If you start looking at it from an operational resilience standpoint, not just cybersecurity, and you ask somebody that question — you don’t have to tell me, just go do the math internally. What does it cost you if people can’t be in the building?

On BACnet SC — I think it’s a great aspiration and it’s moving forward. But my world is 90% brownfield. You can’t tell somebody to rip out their entire network and replace it.

James Roberts: Segmentation is a good floor. Not the ceiling. It buys you time, but it doesn’t stop a determined actor who’s already inside your network. On BACnet SC — there’s real progress and adoption, but most field controllers won’t be retrofitted. They’ll be replaced on a normal life cycle, and that just doesn’t happen quickly. I see BACnet SC as more of a ten-year rollout problem. Segmentation, and continuous monitoring — that’s what you’re deploying this quarter. That’s where you’ll get your wins right now.

Ping: I agree with both of you. BACnet SC is a great technological advancement. I see it doing really well almost as a replacement for VPN at the edge of your isolated OT network. But rip and replace inside the brownfield is just not economically feasible. The path is: take the devices out as they age, replace with SC-enabled hardware, isolate the rest. And I want to double down on what James said — monitoring, knowing what’s happening, knowing who has access to it and when. And the third piece is training, because humans have a pretty good sense of “something feels different here.” Let humans know that feeling is worth chasing. Systems should not behave differently unless something has been intentionally changed.

Ping: Circling back to something touched on earlier — vendor remote access. We know that every building has at least one vendor with a remote connection. The security posture of some of those connections is a lot worse than people think. One credential shared among 40 people. How common is that today, and what does good vendor remote access actually look like?

Ping: I’ll add before passing to Fred and James — remote access is increasing, not decreasing. More remote access today than five years ago, more than ten. That’s not going away. There’s a strong economic reason for it.

James Roberts: Kelso is actually building a remote ops center specifically for this purpose. Part of that is secure remote access as a service. We’re deploying zero trust at the edge so we can offer and push more services to the customer — secure remote backups, endpoint management, endpoint monitoring, managing that entire relationship and triaging alarms. What does good look like? Per-session identity. Per-session approval. Time-boxed access. Full audit trail. Zero trust principles: never trust the connection just because it’s a vendor.

Ryan LaFlamme: Can you elaborate a little more on the concept of zero trust? A few of us will know it, but for the listeners who don’t —

James Roberts: It’s the trusted gateway. If your gateway is at the edge and it’s outbound only, per-session identity is all about locking it down to that specific person — the fingerprint of their machine, their identity, their multi-factor access. You’re bringing in multiple methods of credential validation. And to your point, Ryan, even if it’s your laptop logging in, it might not be you at the laptop. That’s the point.

Ping: There’s a framework making the rounds for auditing a smart building’s OT security posture — what do you have, how is it connected, who has access. By some estimates, 90% of building owners can’t confidently answer those three questions. What does it actually take to get there — and which of these approaches can work without crashing the 30-year-old controllers running on the OT network?

Ping: I smile because this takes me back to when I first met Fred — at the first iteration of the NIST framework. The five pillars. And I still use them.

Fred Gordy: The NIST framework — it’s identify, protect, detect, respond, and recover. Those last two — response and recovery — we haven’t talked much about, and they’re critical. But at the core, there is asset owner responsibility. The asset owner is ultimately the person who is responsible and going to be liable for whatever happens. We’ve lived through 40 years of nobody thinking it was really their responsibility. And I’ll say it clearly: the asset owner is ultimately responsible. The service provider has responsibilities to the asset owner. The system design is in that mix as well.

I recently became a SANS instructor. I have customers — I won’t say names — but my first class is 150 facility people being trained to assess their own building systems. And then they go back to the SI with a punch list: here are the problems I found. Why hasn’t this been addressed? Stop and think about that. That puts you in a very bad light if you haven’t been doing the basics. And when you go to a SANS course, it’s not cheap — about $7,000 per person. These organizations are serious.

James Roberts: And to back that up — IEC 62443 is probably the best standard out there right now. It is the only standard, really. Everything else is just a framework. It’s a shared responsibility model — it gets the manufacturer, the system provider, and the end user all in the same room agreeing to be mindful of security as a whole. An assessment is the best way to get a look at what you have. But it doesn’t stop there. It goes back to continuous monitoring and being able to detect what’s on that wire, because it changes tomorrow. Once you have an assessment, that’s a snapshot. You have to know what’s being placed on the network in real time.

Fred Gordy: Exactly. It’s like an onion. You figure out what’s worst, you fix it, and then you start again. Layer by layer. And SIs need to wake up — one day you’re going to be facing an asset owner who has armed themselves. When they come back with a punch list of vulnerabilities you’ve left unaddressed, that’s a very different conversation from what most SIs are prepared for.

James Roberts: The cost of an assessment and the price of admission to Fred’s course? Peanuts compared to what it costs to recover from a ransomware attack on a system you can’t restore because you don’t have good backups.

Ping: It does bring up the balance of cost and risk. A hospital cybersecurity event could be devastating. We have to right-size. But there is an ROI to recovery — if you’re doing continuous monitoring, if you’ve got good backups, good disaster recovery and incident response, that recovery looks very different from someone who has none of that. That’s where you get your investment back.

Ping: What should a building owner be telling their vendors and IT teams to focus on?

James Roberts: Phishing. Phishing to OT impact. We do a lot of phishing exercise campaigns and cybersecurity awareness training directed specifically at facilities teams and staff. You’d send a flier from a major controls vendor offering a free gift card if you fill out a survey. I get a 98% click rate on that one. Another one: “Hey, I’m your boss — have you filled out your security compliance training yet?” I get 100% on that one. It’s about basic hygiene. Secure remote access. Asset management — non-existent in most shops. User management — non-existent. Techs checking their Gmail on a BMS head end computer. We’ve seen that a lot.

Fred Gordy: We had one case where a single phishing email opened by a technician on a computer that controlled multiple building systems took the building non-operational for nearly a week — and it took 92 days to fully recover. One building. One email. 100% avoidable.

Ping: And I want to counter the narrative that’s often used as a response to all of this: a closed-loop system does not mean a secure one. A lot of people may not understand what “closed loop” means, so —

James Roberts: Closed loop typically means no connection to the internet, that it’s self-contained. But first — there are very few truly closed-loop systems. There’s almost always one PC that bridges the IT network and the OT network. And second, the false sense of security that comes from “it’s closed loop, I don’t need to worry” leads to lack of updates, lack of monitoring, lack of understanding. We fight that constantly. I had a heated argument with someone at a conference about how MS/TP is not more secure — it’s more obscure. Security through obscurity is not security.

Fred Gordy: Every standard out there says you have to monitor. So when somebody tells me they have an air-gapped system, I say: that just means you’re not watching it. That doesn’t mean you’re secure. And you know who one of the worst offenders are? Elevators. They say, “We’re not on the network.” Open the door — there’s a cell modem. And bells and whistles that came in recent years for dispatch systems have been attaching them to the network, often without anybody knowing.

Ping: So who should own OT security? Finger pointing is a favorite hobby in this industry. Is it facilities? IT? A third party? What does good alignment look like?

Ping: I’ll start: it is not the vendor. The asset owner is ultimately responsible. Your integrator, your consultant, your contractor, your vendor — they may be part of the solution, because they have the most system knowledge. But they don’t own the risk. The asset owner does.

Fred Gordy: Everybody needs a seat at the table. Someone from IT. Someone from the C-suite. Definitely people from the facility side. Too many times the approach is “we’ll just tell the facility guys what we’re doing.” That is the worst mistake you can make.

James Roberts: Ownership works best as a shared model with one clear, accountable owner — and that’s going to be facilities, it’s going to be the property management piece. Good alignment looks like a joint risk register. Not separate risk lists that never talked to each other. Facilities defines the operational guardrails — what you shouldn’t touch. IT and facilities both need to sign off on exceptions.

Ryan LaFlamme: And we keep coming back to the same answer — just get everyone in the room. As Doug from Dartmouth said: order pizza, let them start talking, get over the initial nomenclature hump. There’s a lot more in common than there is different.

Ping: Final question. This industry has been talking about cybersecurity seriously since around 2012. For those who wanted to do something early on, they couldn’t find a budget for it. Has that changed? Are we seeing more investment?

Fred Gordy: I’d say yes. When you’re training 150 people to assess their own building systems, that’s real investment. People are thinking about operational impact, not just cybersecurity as an abstract. That’s the shift. And what James and I do aids operational resilience — it’s not just a security checkbox. Buckets of money? No. But it’s better.

James Roberts: Small things matter too. For smaller sites, skip the platform play for now. Fix the boring basics first. Most incidents trace back to one of those boring basics that got skipped — asset inventory before everything else. You can send someone around to document what’s on the site right now. I’m seeing more awareness. We still have a way to go. But more awareness.

Ryan LaFlamme: And that’s probably the perfect place to wrap up. Fred, James — thank you so much for joining us. Where can people find you online?

Fred Gordy: Go to KMC Controls and hit the consulting tab. Or find me on LinkedIn — I’m Fred Gordy, easy to find, and I try to respond to everybody.

James Roberts: Find me at Kelso Industries online, or same path to LinkedIn. I put together a daily intelligence brief for our industry — OT-focused, what’s happening today in the cyber world around products in your building that might be vulnerable. If you want to know what’s happening, give it a read. You might be surprised — you probably have something on the list. DM me on LinkedIn if you want to get on the mailing list.

Ryan LaFlamme: I’ll be subscribing right after this call. Most of those bulletins are IT-focused, so having a resource specifically for OT is quite valuable. Thanks to both of you, and thanks to Ping. We’ll talk to you again soon.

Fred Gordy: Thank you.

James Roberts: Yeah, thanks. Take care, guys.

Share

Table of Contents

Related Articles

Promotional banner for OT Networking series with speakers

How to Handshake, Ep. 6: Predict This.

Welcome back to How to Handshake, Optigo Networks’ podcast series on OT networking, building automation, and the conversations that actually...

Read More >

Man pointing at framed green artwork on wall

How to Evaluate Smart Building Monitoring Software

Key Takeaways: Why Smart Building Teams Need Purpose-Built Network Monitoring Managing a portfolio of smart buildings means dealing with thousands...

Read More >

A photograph of an orange and a tomato side by side, on a green background

7 Best OT Network Monitoring Tools for 2026

Compare OT network monitoring and BACnet troubleshooting tools. Strengths, limits, and which platform fits your building automation needs....

Read More >

Stay Updated with Our Latest Posts

Subscribe our newsletter and get handpicked articles, exclusive insights, and bi-weekly roundups delivered straight to your inbox. No spam, ever.