Meet our OT team: Bruce Large
We’re the OT security specialists, and we want you to get to know our team better. We sat down with Bruce Large, Principal OT Security Architect and Chief Evangelist, to find out more about his OT journey, OT cyber security concerns, and what he is excited to achieve in his new Secolve role.
How long have you been working in/with OT?
I often joke my elevator pitch is a long ride! I have over 15 years’ experience in IT and operational technology (OT). I studied telecoms engineering at QUT (Queensland University of Technology) and as part of an engineering degree you have to do work experience, so I applied for a couple companies, and was offered a scholarship position with Queensland Rail (QR). I was a Railway Telecoms engineer for seven years. I left the railway to go work in the Emergency Services SOC, supporting G20 when it was hosted in Brisbane in 2014.
After that, I had some experience contracting, before heading back to university to study a finance degree. I went to PwC where I worked on the Australian Energy Sector Cyber Security Framework (AESCSF) with energy utilities. From PwC I went to Stanwell to be the OT Security Specialist and I had the opportunity to join CyberCX as their National OT Cyber Security Lead. I left CyberCX to be the OT Cyber Security Team leader at Powerlink and now I have joined Secolve as the Principal OT Cyber Security Architect and Chief Evangelist.
Why do you like operational technology (OT)?
OT is awesome because they are systems that interact with the physical world. I remember back at uni working on micro controllers and being fascinated with being able to turn physical relays off and on, and making lights pulse with software code. Working in OT is a lot of fun because you get to play in the real world too. I enjoyed being able to take four-wheel drives out to remote sites to do the “normal” IT work that most people do from an office.
What are you most concerned about when it comes to OT cyber security risks?
What I’m most concerned about is physical processes being disrupted due to cyber security issues. So things like power grids being shut down, water systems being unavailable, mining systems being disrupted, rail networks being degraded or destroyed. Physical destruction of plants is the most concerning, but the more likely is temporary loss of service.
What advice would you give someone looking to work in OT?
For people wanting to get into OT, the best thing they can do is develop their understanding of terminology and concepts of operational technology. Watching YouTube channels, like Practical Engineering, to understand the physical processes, the physics, and all that kind of stuff, is a great place to start. There are some really great free resources there like the S4 OnRamp and Highway videos – 45 minute focused topics, very much designed for beginners in the industry. So understand the basics of OT, basics of process control, understanding system architecture, testing of OT systems, and OT threats.
What’s something (surprising) about your roles that you’ve had in OT that people might not know about?
One of the things that I always remember from the railways is we used to drive a lot. There’s a lot of driving, that’s something people don’t really talk about. Another surprising thing too is all the places you can go where no one really questions what you’re doing when you wear hi-vis. There can be a real complacency in security protocols. It’s wild how easy it can be to gain unauthorised access to sensitive areas, so it’s a good reminder that you need to implement robust security measures and a culture of vigilance. A friend of mine once told me if you wear a uniform and carry a ladder, you can basically go anywhere you want. People just assume you’re there to do something!
On that note though, if you’re interested in urban exploration or physical red teaming, OT might be something you could be interested in. For me, I call myself an infrastructure tourist, and I think if you enjoy infrastructure and the built environment, OT security is a great career for that. You can understand how things are made – if you’re interested in big spinny things, things on fire, things that shouldn’t be on fire, OT security is a great career.
What are you most excited to achieve now that you’ve joined the Secolve team?
What I’m most excited about is being able to take the lessons learned that I’ve had in different industries, different fields, and help consult with our clients, especially around things like making pragmatic architectures that actually make defence durable. It’s quite exciting and I think also being able to be that bridge between IT and OT, to help OT security functions speak better to their IT teams. Lesley Carhart from Dragos calls themself an “OT marriage counsellor”, and I’m a big fan of that term. I think it’s an important role for us to do as consultants – to help be that bridge and help the OT teams better articulate their risks and get the resources to manage it all.
Also, being able to take things like SABSA, IEC62443, AESCSF, and help tie that in with engineering risk management. Taking things like ISO 55000 and asset management, and pulling it all together so IT people can understand OT, and OT people can express themselves to IT. That’s something I’m very excited about. Often clients will have a lot of the ideas already in their heads, but they can’t really get it on paper, and I feel like that’s where we can assist – helping them articulate their thoughts and align them with what’s happening in industry and general trends.
I think there is also a lot of work to be done to align with the Security of Critical Infrastructure (SOCI) Act and their Critical Infrastructure Risk Management Program (CIRMP). So how do we, as Secolve, help our critical national infrastructure best manage risks? That’s something I’m very excited about. Aligning organisations to mandated government uplift, getting out there as Chief Evangelist to talk with industry, connect industry with the government, with policymakers, and helping people get OT security front of mind so that we’re managing risk properly.
Bruce and our team of OT security specialists are here to help with all your organisation’s AESCSF and security uplift needs. Get in touch today to see how Secolve can help you.
Bruce Large has over 15 years’ experience working with IT and Operational Technology (OT) in network, telecommunications and system engineering roles. Bruce has worked in Electricity Generation & Transmission, Railway, Aviation, Emergency Services and Consulting industries. Bruce considers himself a Security Architecture enthusiast and Infrastructure Tourist.
He is a Chartered Professional Engineer (CPEng), Registered Professional Engineer of Queensland (RPEQ) and Foundation Chartered SABSA Architect (SCF); holds the Global Industrial Cyber Security Professional (GICSP), GIAC Response and Industrial Defense (GRID) and GIAC Security Operations Manager (GSOM) certifications; is an ISA/IEC 62443 Expert; and has attended Industrial Control Systems (ICS) Cyber Security training at QUT.