Ep 103: Cyber Risk in Construction: Securing AEC Projects in a Digital, AI-Driven World | PrOTect IT All
Episode 103 Interview

Cyber Risk in Construction: Securing AEC Projects in a Digital, AI-Driven World

Apr 27, 2026 00:49:49 with Lee Carsten
Tags: OT Security, AI, Risk Management, Ransomware, Leadership


Construction sites are no longer just physical - they’re digital, connected, and increasingly vulnerable. In this episode of Protect It All, host Aaron Crow sits down with Lee Carsten to explore the rising cyber risks across the architecture, engineering, and construction (AEC) industry.

As digital transformation accelerates - with AI, digital twins, and connected building systems becoming standard - construction projects are expanding their attack surface in ways many organizations don’t fully understand.

Aaron and Lee unpack the unique challenges facing AEC environments, from fragmented systems and evolving workflows to the growing need for integrating cybersecurity into business decisions - not just IT functions.

You’ll learn:

Whether you’re in construction, engineering, IT, or OT security, this episode delivers real-world insights to help you protect the infrastructure we rely on every day.

Tune in to learn how to secure modern construction in a connected world - only on Protect It All.

Key Moments: 

05:39 Importance of interpersonal skills

08:08 Construction security and recent projects

11:46 Challenges in AEC industry adoption

19:30 Importance of disaster recovery

20:31 Discussing costs of business interruptions

24:06 RFP process and bid management

27:25 Complexity of building projects

32:02 FBI investigation triggers and readiness

36:55 Managing complex building assets

39:37 Choosing durable equipment and future tech

42:01 Understanding OT data for security

About the guest:

Lee Carsten’s journey in technology began in the era of punch cards - painstakingly sorted and fed into compilers, where a single fumble could mean hours' worth of work undone. Lee studied COBOL in college, envisioning a future as a programmer. That path nearly led to Walmart, where Lee’s mother worked on the company’s pioneering buyer decision support system under Randy Mott. While the family connection and an offer from Kevin Turner to join a new team were tempting, Lee ultimately decided against moving to Bentonville and working for $18,000 annually. This early exposure to large-scale business technology, combined with pivotal career choices, shaped Lee Carsten’s perspective on IT and the evolving world of software development.

How to connect with Lee: https://www.linkedin.com/in/leecarsten/

Website: https://whitecaprisk.com/

Connect With Aaron Crow:

Learn more about PrOTect IT All:

To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Full transcript

Aaron Crow: Excellent. Thank you for joining me on another episode of the PrOTect IT All podcast. Lee and I were just talking before this. I've said this many times on my podcast, but a lot of times I'm talking with people for the very first time. Maybe we've interacted, had a pre-call, engaged a little bit through email or LinkedIn messaging, but many times these are the first times I've really had an extended conversation with people that I get to sit across from. And those are amazing conversations for me. Some people get nervous because, as you can attest to, Lee, we have no agenda. I don't exactly know what we're going to talk about or where we're going to go. And that can be nerve-wracking. But at the same time, for me, that brings out really honest conversations. They're not marketing, they're not a sales pitch. They're just raw conversations. Like I always tell people, it's like sitting down and having a beer or a coffee or lunch and just talking about what we do and why we do it and why we're passionate about it. So Lee, thank you very much for accepting my LinkedIn message, realizing I wasn't trying to sell you something, and responding and taking time to come talk with me and the audience about the things that you do. So with that, who are you? What do you do? And how did you get to where you're at today?

Lee Carsten: Sure. Thanks again for having me on the pod. This is exciting for me too. I have my own risk advisory firm that started last summer, and I'm focused in the architecture, engineering, and construction space, the AEC space. That's not how I got here. How I got here is a windy road. It started in third grade when my mom went back to college for a computing certificate at NC State. My babysitter was a COBOL lab. It was punch cards, taking them to the compiler, and, please don't drop them, it's going to take us forever to re-sort this. So that's kind of how I got started in IT. Things obviously evolved and changed. Did some COBOL in college, was thinking that was going to be my path coming out of college.

One of my career what-ifs was I got an offer to work at Walmart, because my mom at the time was working for Walmart in Bentonville for Randy Mott and helped build Walmart's first buyer decision support system. I got to see that evolution and just vicariously live some of that through her. A guy named Kevin Turner was starting a new team and interviewed me and gave me an offer. I said no, because I didn't want to make 18 grand a year, I didn't want to live in Bentonville. Now, if you look at Bentonville, it's great, but at the time it was just a sleepy little town. What I didn't know is that the offer was to be on the first web team at Walmart. That would have been cool.

Then I got picked up by a recruiter, and I spent the first part of my career recruiting technology people. I wanted to work in technology and be a technologist, and that wasn't exactly where it got started. But it was a great first career for me. A lot of the work that was happening at the time was building networks, and then I had projects where people were starting to put firewalls in the networks and bring other folks in. So that's where I got pulled into cyber. That was 20-something years ago. Did that for a little bit longer, got my first real cyber job at an advanced-technology Cisco VAR. Did that for a couple of years. Then I moved to a boutique application security consultancy in San Antonio and did layer-seven AppSec work for seven years. The final move before starting Whitecap was I joined Stroz Friedberg as part of the DFIR and proactive services team. Shortly after that, we got bought by Aon. I spent nine years at Aon living inside the cyber solutions group, which was also their broking and quant teams, which is pretty cool. It's a neat, interesting space to be in, especially on the cyber side, because you really get to learn and see how the business thinks about cybersecurity. Then Aon spun that division out last summer, and when I was looking around at what I wanted to do, what I'm doing now is exactly what I wanted to do.

Aaron Crow: Right. Like I said in the beginning, I get the joy and the opportunity and the privilege to talk to folks like you. It's always surprising, or it shouldn't be surprising by now. The people that are the most successful in their careers are people that maybe don't always have a, "I went to college, I've got a computer science degree, I started coding COBOL and I've been a programmer my whole career." There are obviously people that are that, and I'm not throwing shade at those. But you just talked about how you went through this path and you thought you were going to go over here and then you ended up in recruiting, which on the surface is not super technical. That skillset, I would assume, because I have a similar path in mine, it wasn't the beginning, it was in the middle, that experience helped you along the path.

You probably didn't think about at the time that it would be beneficial as a coder or as a cyber person to have those interpersonal skills, being able to read people, being able to make those soft skills work for you. It's how you can open a business, how you can do a consultancy, it's how you can do all of those things. They're not taught at traditional schools when you get your computer science degree. They're not teaching you language and communication and business acumen and all the other things that you need to understand when you get into this business. A mentor of mine said a long time ago, and I say this all the time, people probably get tired of hearing it, but all business is a people business. No matter if you're the CEO or the janitor or the coding guy, you have to work with and through people. You can do that with a hammer and force your way through, or you can do it with an olive branch and make friends and connections and relationships and do that much faster. So I appreciate that.

Lee Carsten: Yeah. I've heard that in the past is influence and authority. If you always lead with authority, it hurts your influence. So you want to lead with influence as much as you can. A lot of the roles that I've had haven't had a ton of authority with them. It required me to influence decision makers, project teams, engineering groups, to get everybody aligned and rowing in the same direction. That served me well for sure.

Aaron Crow: So digging into what you're doing. Everything is blowing up. Obviously AI is blowing up. We're building more data centers, we're building more of the engineering side, and how all these things interconnect. You look at cyber-informed engineering, and we're looking at power plants and operations and manufacturing and all this type of stuff. Some of the difficulties that we've had in the OT side and critical infrastructure and all these spaces is we're trying to bolt on cyber that wasn't designed in the process in the beginning, whether it's the management system, the air conditioning, whatever. How is that just blowing up right now with all that's coming with AI and all the data centers and all the logistics and physical infrastructure that this country and others are trying to build out?

Lee Carsten: Sure. And famously, if you go back a few years, the Target breach was one of the first where a building automation system was the point of entry. In the construction space, when you say security, that means building security for the most part. So that's HID cards and proximity sensors and all this stuff that goes into the BAS systems. Even the electrical contractors have a low-voltage group that does their physical security piece. They're really tied into what ultimately becomes part of the OT environment for a lot of these organizations.

There's a study done in Austin recently about just where construction lives and what's going on and the scale of what's happening. The UT Medical Center academic campus is happening. Out in Taylor, what Samsung is doing with the billion-dollar expansion of their new fab, and everything else that goes along with it. There are pockets of construction happening at massive scale. I'm part of the Risk Information Management Society, and they're really following a lot of enterprise risk commentary around these big data center projects. One of the challenges right now, if you've read the news, is supply chain. What's slowing down a lot of these data centers is just that the gear they need in the facility is not available.

Aaron Crow: Right. And beyond that, how are we building into these processes the right risk approach? To me, risk and cyber are coinciding. Not all business risk is cyber related, but all cyber risk is a business risk. Ultimately, that's the language we need to put it into. Too many times we're having cyber as this separate thing. It really bubbles up to, many times, the CFO, who is owning the actual risk to the business. That's no matter if it's supply chain, brand reputation, legal, compliance, or cyber. It really should just be one of those things.

Lee Carsten: Yep. Rich Seiersen wrote the book *How to Measure Anything in Cybersecurity Risk*. He talks about the money people all the time. That's one of my core audiences, the money people. I've had the benefit of being part of Aon as long as I was. The room that they're in is the money people room. Generally I was one of the few cyber people, if not maybe the only cyber person, in a lot of those meetings, and I really felt my role was to open that conversation and make sure we got the right people in the room so that we're representing the risks the right way.

In the AEC space, they're masters at managing risk. Architects, engineers, and construction firms, all they do is manage risk. There is a big safety culture. That's physical risk, falls and all of the things that can happen on a job site. I'm really trying to leverage that safety culture to drive more cyber adoption, because what's going on is that the AEC firms are carrying more risk than they realize they're carrying. But the paradox is because the numbers are low enough and everybody's got a story. If you talk to anybody in construction, everybody's been hit with something. A lot of it's fraud. It's still very high levels of BEC. There's some ransomware. Business interruption occurs sometimes, and it gets big enough.

In the past, before I got into doing just AEC work, it was, how do you get a client to get the religion before an event? What does that really look like? What I'm finding in AEC is that they've all had an event and still don't have the religion, because to them it's just another risk. It's something that has to be dealt with. I really think it's because we as an industry and as a security community have made it really too hard for these business owners, where maybe their dad started the company, or their grandpa started the company, they're 50 years old, they're 50 million or 100 million in revenue, they've got a couple hundred employees. They'd rather do it with a pencil and a piece of paper, but IT showed up a while back. They've got either some kind of outsourced MSP, or they tapped the youngest person at the firm to be the computer guy: "You're young, you know this computer stuff." And they've grown up building this as their day job.

A big part of what I'm trying to do is help those organizations get their arms around this, point them to things that make sense, that are not big asks. The lowest-hanging fruit. If everybody has admin on their box, let's fix that. Let's make it a little bit harder for the hackers and get your maturity up from a three out of 10 to a five or a six out of 10. That's really the state of that business right now.

Aaron Crow: Yeah. Coming in as a consultant, many times I walk in the door and there have been five other consultants that have come in before me, and they do the assessment. I say this a lot, but it's like my freshman English paper when I got it back the first time, and it was just all red because everything on it was, this is wrong and this is wrong and this is wrong. What do I do with that? Everything's wrong. Was there anything right? Did I do anything well? Just throw it away and start over? That's where a lot of these places are, especially in OT, especially in engineering and building management systems and physical security systems.

It's very easy to look at them and say, you're not patching, this system is older, and just go down the list and talk about all the bad. But to your point, many times the biggest bang for the buck is going to be the least complicated and the most foundational. Make sure they've changed their passwords. Make sure we don't have devices directly on the internet. Simple, basic, foundational things. If they would do those low-hanging-fruit items, they get a huge return on lowering their risk. Yes, it's not 100%. We're not trying to gold-plate or platinum-plate anything, and you don't have to. Cyber professionals in the industry, obviously trying to sell things, I was a vendor, I get it. But if you overwhelm them, they're just going to do nothing. They're still sitting here with a report that says all these things are wrong and they don't know what to do with it. How do I fix everything? I don't have time, resources, or money to do that. So I'm just going to throw that in the trash bin and continue doing what I've been doing.

Lee Carsten: Yeah. The other thing that does happen is the business is moving forward with a lot of IT-based initiatives. The marketing team is spinning up platforms. Where a business owner will spend money is in the core, something very related to their business. In an architecture firm, there's a platform called Autodesk Construction Cloud, and a tool called Revit. They have an on-site version because some of these files are huge. If you think what a building blueprint for a 20-story building would look like, every electrical connector, every piece of HVAC equipment, every bit of plumbing, every engineering component of that building is in that file. Those files are stored locally. Then they have a sharing platform with ACC, which is how they work with the other subs and the GC and everybody else. Then there are the pay apps that get compiled and consolidated. That's the target for a lot of the threat actors, trying to insert themselves into that payment chain to defraud somebody somewhere. It happens all the time.

Autodesk and Procore, these core applications, typically do project management, and there's also a data issue and data ownership issue. Whose data is it? If you've got a general contractor that won the bid and they have the Procore instance that they're working with, Procore is doing some amazing work in the AI space as well. They bought DataGrid. They've got AI capabilities all over the place. It's really around unstructured data, because what in the past was really hard to deal with, let's point AI at that, train it in a way that works in this business so that we can start getting meaningful results from unstructured data that nobody's ever been able to comb through before. All of this stuff is working together.

The risk question is, I don't know if we have the answer for it yet. If a sub is the one that's compromised, and now it's the GC's data, where does the responsibility come? That's still relatively new. One of the things I'm trying to do is help the entire community. I've got a talk at the Association of General Contractors technology conference later this summer. The title of the talk is "Nobody Gets Hacked Alone: How We Build a Cyber Community Inside the Construction Space," because banking's done it, healthcare's done it, oil and gas has done it. All these industries have done it. There are cyber orphans all over the place in the AEC industry. Wendy from Austin talks about this security poverty line, and these are firms that are below it.

Then you have the announcement of the vuln-pocalypse that's come out and everything that's happened in there. Anything that's global, the big company bones that are identified and fixed, that's going to help all of us. That's the rising tide for everybody. The problem is if you have three versions back of an AutoCAD platform you're running locally, or old versions of a Procore platform, now that a known vulnerability is there and there's a fix for it, but you didn't patch and all of your project data is there, you can have a big problem.

Aaron Crow: Yeah. What you just said there is super important for people to hear. As we have AI making vulnerabilities more readily available for bad actors, patching isn't your only solution, and patching isn't potentially even going to help you. You can patch today, and AI could find another vulnerability tomorrow before they even make a patch. That life cycle happens so much faster. It goes to show how we need to be doing the fundamentals that much better.

I need to be able to have disaster recovery. I need to make sure I've got all those files backed up in a place that a vulnerability can't get to it, offline. I remember back in the day of taking the DLT tapes out of the tape drives and putting them into a canister that Iron Mountain would come pick up and take off site to a protected location. Every week they came in, every day they came in, they would rotate those tapes, because we knew, hey, if this data center burns or an EMP or any of those types of things, we have to be able to get it back up from scratch.

It's obviously important that we protect from the outside because we don't want bad actors getting in, ransomware locking things down. But we have to assume and think through what happens when that happens. What happens when the fire takes it down, or a bad actor gets in and ransomware takes over, or any number of things? All of my systems are broken. Now what? I've got new systems. How do I recover? How do I get back up and running?

Lee Carsten: Yeah, for sure. The business interruption is really one of the big costs when you start looking at quantification. One of the things I'm doing now is trying to understand just from a dollars perspective where these organizations are at. What are you spending on IT? What do you think you should be spending on IT? Does that make sense? How does this help you grow? How does this make you bid-ready? Where CMMC is in place, that's an easy one, because the AEC industry has been relatively unregulated for a long time. There's no OCC at the door. There is no HIPAA rule. It's state data privacy laws, CMMC now, and a couple of other things that may drive some of the behavior.

But it's also customers. If you're a sub, and the GC, if the surety bond requires that there is a cyber insurance element, a cyber readiness, because it's a BI problem, a cyber failure in the supply chain could cause a project failure. That's where you get people's attention. It's going to come from the insurance side, it's going to come from the client side, and it may come from the regulatory side down the road.

Aaron Crow: Yeah. It's funny that you just brought that back up. We just wrap back around to how it's tied to the money. Follow the money. The cyber insurance, the risk side of that. It's all about the overall business risk and what the cost is. As I'm receiving bids, if I'm putting out an RFP as a customer and I'm assessing them, I'm not just looking at capabilities, credentials, price. I'm also looking at cyber risk. What level are they at in those things? Because that's going to be a factor in my overall decision. I may pay more for the same work from a different contractor because they have a better cyber posture, over somebody that may be cheaper but they don't have the polished capabilities on the cyber risk side that this other firm does.

That's a realistic state that you're in. To your point, are you below that cyber poverty line or not? AI can help you maybe get above that in some places. Some of those things aren't necessarily expensive. They're just process and procedure. But others may be. They may have a different licensing and architecture and implementation requirement to be able to get to that next level, to be competitive with those larger brands that have a more mature cyber program in their offer.

Lee Carsten: Yeah. So do you know how the construction firms win work or what that biz dev process looks like?

Aaron Crow: No, go through it, please.

Lee Carsten: I'm just learning this too. I'll tell you what I know. The teams get created for basically every project, and the teams are different on every project. The community and the relationships that exist in AEC are very, very strong. There's a sense of coopetition to some degree, but I don't get that feel from them, because who you work with today, you may be competing with tomorrow. Especially in Texas and anywhere there's growth, there's a lot of work to go around. The teams get built on a pre-bid basis. There's even a company that does AI bid management called Joist that a lot of people are using, because it's all formal RFPs. There are almost no construction projects that occur without some kind of very formal RFP process. They'll tell you up front, is it low bid, or is it best offer? So it may come down to just the lowest price. Who could do this for the lowest price? The team has to organize and guess what the materials cost is going to be for all of this stuff.

Aaron Crow: Sure, makes sense.

Lee Carsten: There's even an insurance product that when I was at Aon, I heard about, where you can buy insurance to say, if you think lumber is going to go up, because lumber is up and down and all these commodities get priced into these bids, you can buy a policy that will protect you from a giant overage where you're stuck because you thought it was going to be X dollars and it's Y dollars. So the teams get built, everybody has to bring their piece of the puzzle together. The lead bidder has to either trust or verify or both everything that's in that package, roll it all up, and then get it over to the client. They typically call them the owner. If you win the project, you get going.

Every single project, if you're using Procore, every project is a different team. Your suppliers and vendors, sometimes some GCs have subs in their pocket, deep relationships, and that's always the guy we use for that, and it works there. But sometimes it's a totally different group, and maybe for a specific project, you have to use someone with a specialty that's outside of your core experience, just based on the project itself. It's a really unique environment: how structured winning work is, how different teams operate based on the different projects, and everybody's working with everybody. It's really wild.

Aaron Crow: Yeah. Well, if you think about it, it makes sense. Take it down way small. I'm building houses or doing roofing. You've got your electrical guy, you've got your plumber that you usually use, but there may be a particular project you work where you need a certain certification, and Bob, your normal plumber, doesn't have that certification. So you have to use a different plumber. That's why the general contractor, that's their value, pulling all these different subs, making sure they have all those different qualifications and capabilities and check boxes and compliances. That's really what they're bringing to the table.

On something as big as a building, I had a little bit to do with a very large building being built in Charlotte, at least in the early stages of designing and architecting that from the technology and cyber side. My gosh, you talked about the drawing, but all of the different things have to align. The HVAC system and the wiring and the elevator systems, all the things that go into a building and all the different people that have their hands on it. You look at a power plant or any complex manufacturing environment, I've been to very large airports and how crazy it is and how complex they are, how much goes into your bag when you show up at the airport and drop it off to be checked and all the places it goes before it ends up in the belly of the airplane and out the other end when you land. There's a lot of logistics that goes into building a building, building a data center. There's a reason why the prices are going up.

You talked about setting that price. I remember back in COVID, because I built an office, personally built an office addition onto my house, so I added about 30 by 30 by 20. Just buying lumber, I assumed it was going to be X and it was like 5X. The lumber cost was ridiculous. Two-by-fours, OSB, plywood, all those things were so expensive.

Lee Carsten: Wow.

Aaron Crow: It was insane, and it was hard to find, and you didn't have a choice. It wasn't like you could price it. Remember the times, it was like toilet paper was expensive and you couldn't get paper towels, and Clorox bleach was expensive. Everything was off the rockers.

Lee Carsten: I still think that paint should be $20 a gallon in my head. I just still think that. Every time you buy paint at $70, you're like, really, that's what that is?

Aaron Crow: I know.

Lee Carsten: The paint's getting better, but yeah, everything's gone up.

Aaron Crow: Not that much better.

Lee Carsten: Yeah, and then now you're throwing digital at this whole thing and the digital transformation that's occurring in construction. There have been waves of digital that have occurred in the past and that have overpromised and underdelivered. The industry is a little gun-shy. These business owners, their margins are thin enough, and there's so much other risk they have to deal with, that our position in cyber and how we support these organizations just has to be with the understanding of how their business works, how we can help them improve, what little goals can we have, what big goals can we have, show modest improvement, build trust, and then continue to expand.

Aaron Crow: What are some of the big ways you're helping people build that trust? To your point, we're dealing with this digital stuff, and we're dealing with all the problems you talked about earlier. I've been doing this for 50 years, I took over this company from my dad, we've done this stuff by paper, I don't have a dedicated team that does cyber stuff. How do we help them understand we want to do this left of bang, we want to do it before a bad thing happens? It's cheaper to do it now, and it doesn't have to be platinum-coated. How are you winning the hearts and minds of the folks on these things to really understand the value of this in their organization, and how it's going to help them win bids and make everything better, longer, even make more money in the long run?

Lee Carsten: Yeah. My approach is I'm really just trying to understand where they're at. Nobody's done nothing. Everybody's done something. I'm trying to understand what do they do, what was your experience with that, why do they do it, what do they think it was going to give them? Talk through any kind of events or problems that have occurred. I had the CEO of a pretty large electrical contractor tell me, man, if there's a cyber scam out there, we've been hit by it. We fall for everything. We've been hit by everything. They've developed capability and built a team. So I think the traditional model of how you approach someone in the AEC, like you would someone in financial services, that's not the right path.

Part of it is I leverage the FBI information, like the Winter Shield that came out a couple of months ago. There are 10 things that the FBI has noticed that are the problems that would occur that would result in some kind of investigation where they get involved. Let's take a look at that. What are those 10 things? Have you guys done something about what, have you not done something about what, and what does that gap look like? Is there something on there that would create some benefit above and beyond just doing cyber for cyber's sake?

The other thing is just helping them think through what would you do the next time something bad happens. What would you do? Are you ready? Helping them build a readiness mindset. Most of them haven't run a formal tabletop exercise. I've partnered with some guys in LA that built a tool called Reflex Security that is a very cool use case for AI crisis readiness and crisis prep. We're having some success with that and helping them think through it. On every job site there's a sign, and it says X many days since what?

Aaron Crow: Since the last incident.

Lee Carsten: Right. Taking that mentality and trying to help drive that towards the cyber side of things too. How do we get that board for cybersecurity in the industry, understanding all the challenges we've discussed and the profitability and the real crunch on dollars, and get some of those dollars transitioned? Some of this is through the digital transformation that's already occurring. The attack surfaces are growing. They're doing more stuff with tech. If they see an advantage, if the technology they're implementing is helping them save money, increase wins and sales, or do more. There's this concept of digital twin. Have you heard of digital twins?

Aaron Crow: Sure. Yep, but why don't you talk about it? Yeah, please.

Lee Carsten: When Notre Dame burned, I didn't know anything about a digital twin. Notre Dame burns in France, and on the news they're saying, well, we have this scan, and this scan of the church may help us actually rebuild the church. What it was was a digital twin. There are really two main ways you can do it. There's digital twins for old buildings where you don't know what's in the walls, and digital twins where you're starting from scratch, and as the building goes up physically, you're building a digital version of that building. You can, in the modern way, check for variants, check for completeness, you're able to go into the project plan, and as milestones get met, you're using this digital twin to help validate and get in front, maybe proactively, so you don't get to the top-off, where they start putting the roof on the building, and you've got a problem. You could see it early. Can we stop that before?

In historic construction, it's a way to forensically investigate. Once the scan is done and you have some information about what's going on, you can extrapolate that to know how the walls are built and what changes you can make and what kind of loads will hold. Even in that case, the trees that were available when they built it 500 years ago are very different from the trees that are available today. If you're going to use wood now versus wood then, what are the structural components of that wood? All this digital-twin stuff is super interesting to me. The result of a digital twin is that at the end of the project, instead of handing over as-builts in PDF or a roll of paper with rubber bands on it, and you're like, here's the project, we built it, and they give it to the owner, and then if there's any problems later, yeah, this is it.

Aaron Crow: Yeah, here's the keys.

Lee Carsten: Instead, they're providing digital as-builts. That blower in the ceiling as part of the air conditioner, it's got a seven-year expected life, this is the serial number, this is the company that put it in, this is the warranty. The preventive maintenance would come along with that. There's a ton of stuff you can do with it. Engineering firms and others are selling these services as a leave-behind, a little subscription service where the owners are paying for access to these data models that are going to help them lower the cost of building ownership or just give them a better experience for that. It's really cool. When you can tie cyber to an initiative that is driving new work or helping create a differentiation for that company in the marketplace, I think that's a winner too.

Aaron Crow: Absolutely. The sky's the limit when you think about all the value on both the customer that's buying the building, the owner of the building. Think about the life cycle asset management. We already talked about how complex those buildings are and how many pumps and blowers and electrical circuits and wires and all the things that go into making that thing work. If you think about a vulnerability that comes out, or a pump or a motor has a known issue and the manufacturer reaches out and says, how many of these do you have? I've been in that situation where I don't know, and I have to send a team out to the plant or the location to go individually find every one of them and count them and check the serial number. Is this one of the ones that are applicable or not? Because we don't have that detailed as-built documentation. Yeah, I have as-built documentation from 20 years ago, but it hasn't been updated since then. We don't have anything that's live or even near real time.

Imagine if you had something that accurate on day one, and you also had the leave-behind that you're steadily updating, and you have some kind of asset management and change management process where when I replace that blower motor in the ceiling, it's also updated in the documentation. It's part of that whole life cycle management of your whole building, but also the systems within the building and the devices that make up the systems in the building. All those things help you understand what is the total cost of ownership of this thing? Those blowers were supposed to last for seven years, but they've only been lasting two. Why don't we go ahead next time and look at a different vendor? Maybe we need to get a different model, because those blowers are not working as expected. Those are all the financial things that you can justify. Yes, there's a cost, but there's a huge return on investment from an owner's perspective of having that data that you can then process and do something with.

Lee Carsten: Yeah, for sure. I bought an ice machine a couple of summers ago. My in-laws have a place at the coast, on the Texas coast. When I bought it, I bought it from a guy in Fort Worth, and basically he was selling me the new ice machine, and it had circuit boards in it, and there were all these things it could do. I'm like, I'm putting this in a garage in Corpus Christi, Texas. He's like, yeah. I said, what are the chances this is going to be around? He said, yeah, man, that could be a problem. What we ultimately found was a machine that was built for Africa. It was built for sub-Saharan Africa by a company in Europe that this guy had access to, and they had some of the US, one of the very last ones. I said, I want the old thing. I want the thing you could stick in a garage in a really hot, humid environment and is not full of circuit boards that are just going to fail one after the other.

Some of it is about spec, right, and understanding the environment, being able to do that. As these data models get better and as the AI gets better, the predictive analytics that are going to be around with that are going to help us be better at bidding projects and at making recommendations to owners and supporting those businesses that are just trying to build things and keep their crews employed and make sure everybody's being successful and growing what they can. A lot of them aren't really interested in growth. If they have 30 or 40 people, they've had that for a long time. They're really happy doing that, and they're comfortable there. It's how do you support that firm?

Aaron Crow: Yeah. As you're saying all these things, I'm just thinking through the value of this. Everything now is digital. Most of these pumps, most of these things have IP addresses. They're smart. I literally was just replacing a toaster that I got 18 years ago when my wife and I got married as a wedding present, and the toaster is finally on its last leg. I go to buy a new toaster, which, there's not very many places you can buy toasters anymore. I went to Amazon, I put in toaster on Amazon, and the first 20 of them have display screens, push buttons. I don't need a freaking push button on a toaster. It's a toaster. I just need it to toast. That's it. Nothing fancy.

Lee Carsten: Yeah. Just like a transistor that's like light-dark. That's it.

Aaron Crow: That's it. That's the extent. But almost all of them had all these extra features. I get it, if you want that, but I don't. I want a basic toaster that will work for another 18 years and I can put toast in it and I push it down and I just change how dark or light I want that toast. But that's rarely an option. Now everything has an IP address, even in these spaces and buildings. The value of that, especially when you get in that digital twin world, imagine if all of those things were part of your asset inventory, you were monitoring those things. When you started feeding all, because that's one of the problems we have in OT, we get access to all this data and we pipe it into a SOC, a Security Operations Center, and we've got these analysts that are looking at it, but they're normally from an IT background. There's not enough models yet of OT environments that I can plug this into SIEMs and understand this OT traffic. What does good look like?

If I have this digital twin and I understand all the assets, what they are, what their function is, then I can start correlating those things to events that are happening in the real world and say, is this a normal expected thing? Are we in an outage maintenance window? Is this normal behavior? Does this thing normally reboot on a Friday night? What is normal? Then you can start building those things out. Then that's how you can help the owners. You're helping management, you're helping these companies that can have another billable thing that they can do on recurring revenue, managing and monitoring these systems for the owners and making sure they're more reliable, more available, and getting all the use they can from them. They're replacing them before they break. That preventative maintenance thing is huge in a building where people are paying a lot of money for their air conditioner to work. They don't like it when their air conditioner stops working, especially if you're in Texas.

Lee Carsten: Yeah, it's like the billboards in Texas that say, your wife is hot, better call us. In the summertime.

Aaron Crow: Exactly. You don't want the AC to stop working in your building. No water, sure. No air conditioning, nope. That is a deal breaker. So what do you have coming up? What do you want people to know? One of the questions I always ask people as I'm closing out, and it's obviously changed over the years as AI has become more relevant: what do you see coming up over the horizon in your space? Maybe one thing that's concerning and one thing that's exciting that you see that can make a big impact, either positively or negatively, if we don't take actions.

Lee Carsten: Yeah. I think the digital transformation is here. We're in the middle of it. So it's really about how do we take all of the different vendors that are doing different things with data, take a data-centric approach to that, and opportunistically, as the cyber guy and many times the only one in many rooms, help them protect their organization from future risk as we build these out. This is the time. This is our opportunity to get in front of a lot of it before the cat gets completely out of the bag.

My message to a lot of folks is, really just find a place to start. Security is a game of good enough. Let's really define what maybe good enough was before. Is it still good enough, or maybe it's changed? But I think it's important to go through that process where you have the conversation and think about it. I hope to build a little army of cybersecurity construction folks that are tailor-made to help support these companies and this business, because the people are super cool. Everybody I've met, I love the boots-and-jeans culture. If you like shotgun shoots and cornhole and barbecue, this is the industry you want to work in, because those are all the things near and dear to me. It's a lot of fun. I get called the high-tech redneck in the room because they don't expect you to be in boots and jeans. I don't know what they expect, but when the cyber guy shows up, a pocket protector and tape on your glasses.

Aaron Crow: Absolutely.

Lee Carsten: But yeah, it's been a ton of fun. I'm really excited about what we're building here. I'm really looking to share this message. If there's anybody out there in a similar space who wants to jump on board and help, I can barely make a dent in all of the support that this business is going to need.

Aaron Crow: Yeah, for sure. That's awesome, man. It's a need. I see how much construction is going on, how many large construction projects are going on. Like you said, in Austin, there are cranes all over the place. There are data centers going up. There's Samsung, there's Tesla.

Lee Carsten: Do you know how much telematics and data are inside one of those cranes? Just the crane. I was talking to Tegan at AmeriCrane, and she gets pushback from some of the guys about tech, and she's like, do you know how much tech is in your crane? It's crazy.

Aaron Crow: It is. And it's not going to get less. It's only going to get more. So, dude, thank you so much. This is an awesome conversation. Everybody sees all the construction. OT is everywhere. Technology is everywhere. Cyber is everywhere. We have to have a plan and be talking about these things and get that out there, so people realize, hey, we're not selling fear. The whole point is we want to help you do the right things for your business, but we have to do them now. We can't be thinking, oh, I'll do that later. You don't change your oil later. You've got to change your oil now so it doesn't blow up, because it's really expensive and bad if it does that down the road. That's why I buy Toyota. It's why I have a '91 Land Cruiser in my driveway. Because it just works.

Lee Carsten: That's on-brand, Aaron. That is an on-brand vehicle for you just based on this last conversation for the past hour.

Aaron Crow: Exactly. Well, hey man, thank you. Anything you want people to know? You mentioned your talk that's coming up. Anything else you want people to know or come see you with?

Lee Carsten: Yeah. My website is whitecaprisk.com. Pretty simple. Just hit me up if you've got any questions, or if there's anything I can do to help, or if you've got an idea on something. I'm starting the process of interviews potentially for a book with business owners to help understand, I really want to know what makes them tick around risk. That's happening too. If you've got ideas or want to help with that, I'm certainly open to that conversation too.

Aaron Crow: Outstanding. Everybody, I'll have all the details for Lee in the show notes as always. Check out his website, check out his LinkedIn, reach out if you want to collaborate or work with him. Maybe you're a business owner that would be interested in being interviewed for that book. That sounds like a great idea. Definitely check that out. We'll put it all in the show notes and link it on LinkedIn and all the different things. Lee, thank you so much for coming and spending time with me today. I really appreciate it. We're pretty close to each other, so next time you're in Austin, let me know. Go shoot guns or eat barbecue or all the above. Have a good time.

Lee Carsten: Yeah. All right, man. Thanks.

Aaron Crow: All right, thanks a lot.

Transcript lightly edited for readability.
