ControlTalk Now: Episode 403: From Building Automation Controls to Cyber Security, Careers That Matter!

Show Notes:

Eric Stromquist 0:06
you’re tuned in Episode 403, of the Chromebook now the HVAC and smart buildings podcast. If you’re looking for cutting edge ideas and control news you can use, you’re at the right place. If not stick around anyway, I could use the views. My name is Eric Stromquist. And let’s dive into the week. That was for February 26 2023. I have an interview that I believe is very timely. My guest today comes from outside of our industry, he tells a story about how he got started in a in building automation controls. And then a step by step journey as he went from a building automation control specialist to one of the most highly regarded cybersecurity specialists in our industry. So if you’re looking to get into building automation controls, or looking for the next step in your building automation controls career, or if you just want to understand what motivates people like our guests to achieve what he did stick around. But first, a word from our sponsor. Yes, I said our sponsor, our sponsor this week is my favorite HVAC and smart building controls distributor Stromquist, and company Stromquist has been around for over 60 years providing quality products and service with a huge inventory of highly trained Technical Staff friendly and efficient customer support, and an easy to use intuitive online ordering experience and competitive pricing. Stromquist and company is a great choice for the HVAC control pro doesn’t have time to mess around. As the founder of Stromquist. And company my dad used to say trouble costs more than quality. So give Stromquist a chance ww.stromquist.com tell America sent you would you like to have an ad like this and have your message be heard by the global ControlTrends community ControlTrends is offering a limited number of sponsorships for the control talk now show. If you’re a company that provide quality products, a company that has a great reputation a company that’s known for this integrity, then you are eligible to be considered. As for a sponsorship of this show, if you’re interested, let’s talk hit me up at control trends. hotline@gmail.com that’s all one word control trends hotline@gmail.com. And put I want in the subject line. Speaking of marketing, listen to this clip from Brian Collins from Episode 402. on why we need to up our marketing game to attract more people into our industry.

Brian Collins 2:27
If you really want to change people’s lives. This industry is one that you want to send your CV to, it’s the one you want to apply to. It’s the it’s the industry that makes sure that the people that actually are working on apps and things can actually do that. I mean, the miles and miles of of cabling and the controllers in the in the interoperability that’s needed, right. And we need to tell the story, we need to tell the story to the people who have been laid off in these in these tech industries who are looking for jobs. And we need to say you need to come over here, man, there’s something important if you really want to change the world, you’ll come over here.

Eric Stromquist 3:11
Well said Brian, I couldn’t agree more. But more specifically, I believe as an industry, we need to up our cool marketing game. What I mean is as an industry, we project into the world heavy doses of who we are through LinkedIn, Twitter, and maybe Facebook, if we’re really edgy. I think we need to keep doing that. I think we do a good job with that. But the younger prospects that we that we want to attract our industry. I don’t think that’s where they go to be social. I think you’ll find them on Instagram, but more than likely you’re going to find them on that dreaded taboo site. Tick tock. Yes, I said tick tock, tick tock. I’m not on it yet, but I’m going to open an account. Here’s why. I read a marketing study recently that says more products are being sold on Tik Tok than any other platform. And the numbers keep increasing. You might just think tick tock is just about people making silly videos while under the influence of brainwashing from China. And yes, there are a lot of funny videos. But also there are a lot of how to videos that are showing up on tick tock. Companies like Home Depot are gaining a lot of traction by doing videos like for example on how to select paint or how to mix paint and the How To videos. I think to ignore tick tock is a big mistake. It’s where the younger people spend the majority of their time and we as an industry want to reach them. We have to show up where they are and be cool. The showing up on Tik Tok is pretty easy. Just opening an account start posting stuff, the being cool, well, that’s going to be the hard part. And we as an industry have to band together and figure out how to be cool on some platforms like Tiktok Silicon Valley has and that is why they attract more talent than we do. Now if you go to tick tock and you search like from Microsoft and Apple on those companies, they do have tick tock accounts. But it looks like what they do is they have brand ambassadors, they have younger people that are posting under their own names, videos about those products. So that might be one of the tips or one of the things we need to look into. But still, it gets back to cool, cool, how to be cool. I mean, I have no idea. And I need your help on that. So what are we created a mastermind group, we get the younger people in our companies involved. And you know, because they know what’s cool, and they know we even have a chance of being cool. And we began to formulate and put together sort of a best practices for how to engage younger people on some of the social media platforms that we’re not on. The one thing I know for sure is that if we don’t do something different, nothing’s going to change. Let me know what you think in comment. Or you can reach out directly to me at control trends. hotline@gmail.com. And in this subject, line, put attempt to be cool, Eric, let’s talk about this and see if we can figure it out. That being said, I have no new news this week. So let’s get right on it with this week’s guest. All right, I’m so excited to introduce my next guest, his name is Carl Peters. He is to me the most interesting man in the controls industry. He might even be the guy that they use for that commercial with the beer. I don’t often drink beer, but when I do think that might be him. So Kyle, who’s with intelligent buildings, welcome to the show.

Kyle Peters 6:25
Well, thank you very much. I appreciate being here. Well, it’s

Eric Stromquist 6:28
great to have you. So is there any truth to the rumor that you were the guy that they used a modeled after for the most interesting man in the world?

Kyle Peters 6:35
Well, you know, that guy might have better hair up top than I do. But he’s got to work on his beard game a little bit to keep up over here. Dude,

Eric Stromquist 6:44
you definitely get dizzy. Right off the bat, man, how long have you been rocking the dome?

Kyle Peters 6:49
You know, through COVID, my wife started cutting my hair. And I think she just got tired of not having very much to cut. And so

Eric Stromquist 7:01
because through your story, how did you get into business? And how do you how did you become a super cybersecurity guy?

Kyle Peters 7:06
Oh, goodness. Yeah, well, I’m not sure I’d go quite that far. But I got in trouble again. Did you know we all do it, we all do. And that’s and that’s what I did. I started out with a lot of different jobs through my younger years, and, you know, went to college and got a bachelor’s degree that I don’t really use at all anymore. And worked for a police department for a little while worked as a professional gunsmith for a couple years, kind of bounced around doing all kinds of things, just found myself in a dead end job, talk to a friend said, Hey, if you hear of anything, I need something. And that’s how I got into controls, you know, purely by accident, like most people seem to do strangely enough. And I showed up at this at this place. You know, they just said come in tomorrow for an interview. I had no idea what they did. They hired me all the same. They were trying a new program of hire and greenhorns as they referred to us. And so as a whole class of people who’ve never done it before, and, and it worked out well, you know, it was it was a great training program that they had, and I learned a lot. And it was high stress, man, you know, it was like, You’re gonna pass you’re gonna get at the end of this five week training class, you’re gonna pass the test with at least a with at least I think it was like an 80% or something. And what I discovered was that there was a whole industry this controls industry that I absolutely loved, and I didn’t even know it existed. So I live out in the middle of nowhere. And I was driving into a live about an hour outside of Denver. And I was driving into Denver every day and I just as I was doing this, I was learning more and I was really enjoying it. And I started listening to podcasts and and, and this podcast was one that was like, as soon as it came out, man, I hit the top of the playlist every single time every week. So thank you so well thank you, you know a lot a lot of credit or blame I don’t know a lot of credit or blame for my for my where I am. Comes from comes from you and Kenny you know you guys were great.

Eric Stromquist 9:22
It’s all Kenny man saw the man

Kyle Peters 9:25
Yeah, I just started listening to a lot of podcasts because I had a lot of windshield time. And and I started here and you know that crazy guy Phil Zito man, he started mentioning some stuff and I like you know, I see what he’s talking about. I don’t I didn’t know it. But I could see a lot of those things and say to myself, like there’s there’s a gap here. There’s stuff I’m doing that I’m pretty sure isn’t right. And one of the things he mentioned was taking the CompTIA courses. And so I went to the local Community College. And I took the CompTIA A plus class, which has nothing to do with controls. But what it did do was, let me understand how computers work. And you know, but it really helped me understand how, because controllers are just you know, a Jace is just a small form factor computer, I got into the networking side. And that’s when stuff really started clicking for me, I started learning more and more, I took the security plus class and that was really good. But it’s all it focused. But the IT industry has got some amazing technology and amazing things that they do. And I think we can learn a lot from that. But what I’ve also found in the last couple of years, especially as those IT guys are scared to death of our control stuff, or they assume a lot

Eric Stromquist 10:52
fascinating about you, Kyle, and one of the reasons I want to have you on the show is that you have been building automation guy, you’ve done the programming, the coding on that side, you’ve seen the world through those eyes. And you know, most of our listeners, that’s the world, the way they see the controls world is through those eyes. But now, you know, you’re working, you know, as a cybersecurity consultant, and, you know, studying the hackers and how they’re getting, what would you have told yourself what you know, now, if you went back five years or so, when you were doing the building automation controls and the setup and programming?

Kyle Peters 11:25
Yeah, absolutely. So I’m pretty sure I still have the the mark of the underside of a five gallon bucket on my backside from all the time sitting, sitting in, you know, in clogged dusty closets of buildings that are half done, pounding away on the keys, what I’ve learned, is the advice of an old friend. And a somewhat notorious hacker was don’t be the bottom rung on the ladder. My friend, the the hacker and hackers are the good guys just so we’re clear, you know, the the the people doing bad things. They’re the bad guys, they’re criminals. You know, this guy, this guy is amazing. And he’s been in the news more than a couple times. But that was his advice was don’t be the bottom rung on the ladder. And I thought, all right, so what’s that mean? For the you know, for the guys who are out there sitting on the five gallon buckets, be curious, be willing to push the limits a little bit, you get a lot of pushback. A lot of folks say what do I need all this stuff for, but be curious. And if you want to, if that’s something you want to do, do it drive forward on your own time, if you have to, you’ll probably have to, you know, I had to take classes I’d get done. Doing my doing my job for the day, putting in my eight to 10 hours. And I drive over the local community college and take classes. I’d listen to podcasts on my way to and from, to and from work every day on my daily commute flood my brain with as much as I could. And don’t, don’t listen to the naysayers.

Eric Stromquist 13:08
You know, I want to sort of advocate for some of our programmers that might be interested in pursuing this path. I mean, you can be a legendary building automation controls programmer, you know, and there are a lot of those. But look, if you get into the security side, I mean, you got Billy the Kid Rios, you got Fred Gordy. And you got you right? I mean, you know, you can be a legend short order, right?

Kyle Peters 13:35
Well, you know, I’m not going to hold myself up to, to Billy and Fred to their level. And, and in addition to that, there’s another fellow that is paired tightly with Fred and that’s James Roberts and he’s, he’s amazing at what he does as well. Less in the limelight. You may not have heard of him. He’s probably going to kick my button out because his LinkedIn profile is going to get hit

Eric Stromquist 14:03
from these he’s going to hack our system right now and probably so program right? He’s gonna

Kyle Peters14:08
He’s gonna DDoS my house. And shut me down. They call it

Eric Stromquist 14:12
D. Dawson. Great. Enzo D. Dawson.

Unknown Speaker 14:17
Yeah, yeah.

Eric Stromquist 14:19
Both Rob and Tom from intelligent buildings have been friends of the show. For years. We’ve known those guys for years. And you know, that’s what you’re walking, working with now, sort of walk us through give us a brief overview of sort of how intelligent buildings would use all their skills, especially yours to make a building more secure.

Kyle Peters 14:40
Yeah. So you know, what we do and this is, this is a step here for anybody aspiring to do this kind of thing that thinks this is where they want to be. Grab as much info as you can on the ISA 62443 standards. And that’s sometimes easier said than done. I will admit Because like buying a copy of the standards, it’ll cost you about 1400 bucks to grab the four primary sections of that it is when

Eric Stromquist 15:09
you know what I’m thinking, I’m thinking that they charge that much, because your first test is be able to hack it and get it for free, right?

Unknown Speaker 15:19
There. No comment.

Eric Stromquist 15:24
We know where you got yours.

Kyle Peters 15:27
But the standards are fantastic, you know, and intelligent buildings. That’s what we’re building our cybersecurity program more, you know, building the depth from what Fred has initially started, when he was here with us and moving forward is 60 443, having a standard and driving forward that and what it does, is it starts out, it’s got this great diagram actually, of how to run a cybersecurity program. For its lifespan, it’s an ongoing thing, because that’s the the real rub was cybersecurity is it’s not a one and done thing. It’s, it’s forever, you know, you can’t lock your doors on Monday morning, and then return home and never lock your door again and expect yourself to be safe because you did it on Monday. And it’s the same thing with cybersecurity. So what we usually start out with as we go on site, we do a high level assessment, we get a general picture of what’s going on looking at that kind of stuff, we get that high level assessment, we get a big picture of where things are at. And from there, we can go a couple of different ways. And we usually start working on policy, you know, having a policy within the company and with their vendors. So this is where this is where the guys like me, you’re going to start getting hit with as as building owners are coming more into the modern age, and they start implementing this, they’re going to have new policy that you’re going to have to meet before they’ll ever sign on with you. Yeah, so that, you know, and especially, especially right now with, with the government. So the government and I think it was in 2020 started their cmmc program, having to be certified in that having to be able to prove that on our side from from the vendor side, we do things a certain way, because we don’t want to introduce problems into your government facility. And, you know, that was just the news this morning that the Pentagon has had an email server out on the open internet for the last two weeks. Oh, my goodness, you know it because I mean, really, it’s just an event. How many times have we heard this? What’s the worst that can happen? You know, the lights go out? The building gets hot in the summer, cold in the winter? Well, the worst that can happen with the data side, the IT side? Is that is that the Pentagon loses control of their emails, because I mean, now not that they would actually send anything important back and forth by email, right? No way. So especially not while there’s Chinese balloons flying over head at that exact time. I’m not saying there’s a link because there probably isn’t, but it just clicked in my head that the timing lined up perfectly for that. You know,

Eric Stromquist 18:33
but hang on, I want I want to hop in interjection real quick, because this is a piece that I think, you know, intelligent buildings does really well, because, again, you’re talking about a culture, you’re talking about going into boiler Bob who’s got you know, his passwords, you know, on the side of his computer, and you’re you’re having to convince them not only do you have to assess weaknesses, right and figure out what the weaknesses are, then you have to put together a plan but more importantly, that you got to get everybody on board with the plan because like they say a chain is only as strong as its weakest link. So that’s that’s a key piece that you guys provide as well. Not necessarily you necessarily but you know, that’s what I think Rob and Tom are really good at.

Kyle Peters 19:14
Oh, yeah, no, those guys are fantastic at getting into the C suite and top and getting them on board between between all of us at intelligent buildings, we we have a lot of different skill sets that complement each other well. And yeah, Rob and Tom, they get out there and they can chat up with folks and get them. They’re good at getting people directed properly. While I’m over on the side doing my thing, you know, that’s the biggest thing is like opening people’s eyes and saying, Hey, this is what you’ve got. Oh, yeah. I mean, like, yeah, we’ve had that Windows XP box in there for the last 17 years. I know you have. This is the problem with it.

Eric Stromquist 19:56
Of what makes you better at your job and people like Billy the Kid Rios no is you have to sort of learn to think, think like the bad guys. Thanks. So let’s say that there’s a branch bank, we want to rob. And let’s just hypothetically say I think he used to work at Delta controls, let’s say it’s kind of a Delta control system. And what how would a hacker think about it? How could a hacker theoretically in the middle of the night break into that bank?

Kyle Peters 20:21
Yeah. So you know, there’s, there’s breaking in, and there’s breaking in. And if I can, if I can do the breaking in part without being there, then I can do the break and in part by being there. And so if I can get on that network, and this is the IT side of it, you know, like if my hacker buddy can get into that network, because he’s really good at that stuff from his house, then I can set him up with open source tools that you can just anybody can download off the internet. And you can now not only change the building pressure setpoint, but you can change what they see. So I can change the value going out to the other controllers, from point 08 inches of water column to two inches of water column. That’s a big jump. But I can still make it look on the graphics. Like it’s point 08, that that’s the setpoint. And I can change the value that’s actually being read to where it looks like it’s still maintaining point 08 or something of that. Yeah. And this connected cameras to write well, if it’s on the same network, yeah, that’s a potential. So now, you know, when was the last time you saw a mechanical safety for a building pressure? I’ve never seen one. They don’t exist. They don’t they don’t do that. And what happens if we get up to an inch, two inches of water column for your building pressure set point? You know, the worst thing the big thing if it gets too high too fast? You start popping windows out? Yeah, yeah. But But before that, when you’re just a little bit too high, then your doors don’t close. So I sit out, I sit out in the in the in the parking lot or across the street in my car, make that quick little adjustment. And I change that setpoint drive the pressure up a little bit. And I just wait for the cleaning lady to go out the back door and throw the trash in the in the in the dumpster back there. And the door doesn’t close behind she

Eric Stromquist 22:27
because it should close automatically. Right? She automatically is has

Kyle Peters 22:31
before. Yeah. Wow. And she’s and she’s busy. You know, she’s got a whole bank to do by herself probably in the next eight hours. So she throws the trash out door doesn’t close all the way behind her. I walk up doors not latched. Because there’s air blowing through there. And now I’m in the building. And I get on my phone. And I released that setpoint building returns to normal within probably a minute. And the door closes.

Eric Stromquist 23:01
Yeah, you were never there. And the money’s not there. And they don’t know what the heck happened.

Kyle Peters 23:05
Yeah, I mean, you know, for a bank, obviously, they’ve got a safe. Yeah. But they’ve also got a server rack. And I’d rather have that information. Because I can sell that information.

Eric Stromquist 23:18
Oh my gosh, yeah. Bank accounts and credit card information. Yeah, stuff and they don’t even know you were there. So

Kyle Peters 23:26
Whoa, I plug one little thumb drive into a computer. And now I’m on their network from anywhere. Now I’ve ransomed I put ransomware on their network.

Eric Stromquist 23:38
Alright, alright, well hang on a second. Now you and I know what ransomware is? Did you get some stable datum? Because I know my audience is gonna say yeah, ransomware is something that Eric’s ex wives did to him. But that’s not what we’re talking about here. Just give us a quick overview of what ransomware is and how it works. And then

Kyle Peters 23:54
ransom ransomware is a form of malicious software, which is where the term malware comes from malicious software. And what it does is it gets on, don’t let me get away without talking about how this gets on your system to Okay. So it gets on your system on a computer on spreads through your network, and it encrypts all of your data and says, pay me and I’ll let you have your data back. I’ll give you the key to unlock your data.

Eric Stromquist 24:24
And Phil Zito is teaching a course on how to do that now and either ransomware ransomware is what he calls his black market course.

Kyle Peters 24:32
It’s the black market course that’s awesome. How it gets on your so how does right yeah, how does ransomware it doesn’t happen by some jackwagon like me sneaking in and putting a thumb drive in. That is one way but that’s not the way usually happens. It’s usually by email you own or you click on a link So rule number one as it were of cybersecurity of good cyber hygiene is don’t click on stuff don’t Click on stuff, you know, because that happens all the time and people get an email, they get fished. So that’s what, when, when the bad guys cast out their line, see who answers an email, and you just got caught. And you clicked on that link. And suddenly, you’re you may even, it may even look like you went to the right site. But you didn’t, and you had a download that you didn’t even see you didn’t authorize, or maybe you did, without realizing it. And now you’ve got that malware that ransomware on your computer. That’s, that’s the most common way. There’s also a thing called spearfishing, which is exactly what it sounds like, you’re not just casting a line out aiming for any of those fish. I’m aiming for that fish.

Eric Stromquist 25:49
Yeah, I think that’s where working with a company like intelligent buildings, that really gets your because I mean, you you can do everything cybersecurity to protect a building or facility, right. But if your people don’t know best practices about what emails they click on, and so on, and so forth, in a certain way, all for not right,

Kyle Petersr 26:06
not just not knowing what to eat, to click on, because that is hard that and I mean, I’ve seen some really good phishing emails, we do at intelligent buildings, we do a monthly training, and we get fished by our own company on occasion. But what just, you know, to test us, and that’s kind of fun to be part of too. But it’s doing those kinds of things on the server for your building automation system. You know, checking your Gmail, on the server for your BAS, watching Netflix, I honest to god walked into a control room. And they had they had a cool setup, you know, they had all the big monitors up overhead. And Harry Potter was playing on the middle one to pathway in, right? Yeah, well, when you start accessing those kinds of things that are non business related, on a critical system, you open up the door for the possibility of things like that getting in,

Eric Stromquist 27:06
give me three things that they can take away right now, you know, what your what you used to do talking to your old self back now three things in terms of making making a building a building automation system more secure.

Kyle Peters 27:19
So I want to, I’m gonna divide that up real quick for you into two groups of three. And I want to, I want to say three things that the technicians themselves can do. And three things that should be done on the job. And one of them is use. So from from how you set up your machines, how you set up your networks and whatnot, use managed switches, in insist upon them, put them in, get them set up, and and learn how to do that. That’s hard, by the way, I freely admit, but work with your owners work with your customers, from an integrator standpoint, to set up these networks in a secure way from day one. Quit in don’t, I started, as you mentioned, as we mentioned earlier, I started on Delta controls. And back in the olden days, it was delta login, you typed in delta and the username login was your login password. And get rid of that, you know, do away with that. Try to work with your company and work with your customers so that everybody has individual logins, all that kind of stuff. So, you know, switches, managed switches passwords, and flip that little toggle in when you’re in tritium or what have you, you know, if you’re if you’re if the product that you’re installing, has HTTPS only do that go that extra little bit that extra mile to put in certificates and get encrypted traffic between your devices where ever you can

Eric Stromquist 28:57
copy our guests this week out. Thank you so much, man. Thank you, sir. Have a great rest of the day. And hey, next time I see you maybe next time I see you we’ll have an empire Imperial Stout together. Okay,

Unknown Speaker 29:09
that would be wonderful.

Eric Stromquist 29:10
Kyle, thanks so much, brother.

Kyle Peters 29:11
Thank you, sir.

Eric Stromquist 29:13
Okay, there you have it another week on control talk now the smart buildings video casts and podcast. Thank you so much for tuning in. Remember, be bold, stay in control and stay relevant. As Hunter Thompson used to say, buy the ticket. Take the ride

Transcribed by https://otter.ai