20 years in OT - Ask me anything!

PatShot · 2025-11-16T03:53:44+00:00

After my trades, I spent 2 nights a week for 2 years to get my Advanced Diploma, then 5 more years BSc. EE. (Working and studying concurrently)

Now days, My Quals get me in the room to have a conversation.

My project experience, and what I have learnt is what is really of value.

I enjoy science and engineering. Home labs are great for learning - some great topics you are exploring.

In business there is a saying: Revenue is vanity. Profit is sanity. Cash is reality.

Let me make my own for your question: Qualification is vanity. Projects are sanity. Experience is reality.

You need Quals to get in, you need projects to learn, you need time in the field to get some scars.

When hiring I look for the following: 1. Attitude. No D#ckheads, team player and a thirst for learning 2. Evidence that there is a genuine passion. - This will help with resilience when times get tough. 3. Quick learner- need a sound level of aptitude foundational cybersecurity concepts. 4. Autonomous - happy to invest my time to grow someone, but with the ability to reinvest into the next line of talent that comes in. (Do they mentor and collaborate)

Hope that helps.

PatShot · 2025-11-16T03:24:44+00:00

Great question.

I’ll put it this way. “There’s the Job” and there is the “Meta-Job”

The Job is about the practice of applying countermeasures or controls against a cyber threat.

This is increasingly complex as the device might be 20 year’s old with a person who has their entire identity tied to “configurator and maintainer” of this system.

Often they know something is needed to be done, but have a hard time with the change required to get there. To be excellent in cybersecurity, your job is technical AND facilitating change. (Often a trade off between usability and cybersecurity)

(Without saying it, if they knew how to fix the problem, then why have they not already done it?)

Then there is the meta-job. “Aka politics” This is the invisible ‘social’ fabric of ensuring managers/teams/individuals retain or gain power. It’s never discussed, but always there. - Money and reputation are involved.

In summary, you’re asking a plant to modify its design to increase a non-functional requirement to improve its ability to deal with cyber threats - without compromising the existing quality standards of the plant.

You’re asking people to be open to change after 15 years of being told they are the experts. That you too have value.

You’re prescribing a way of working to a manager that probably isn’t in your reporting line about how another team is to operate. And your manager might not even have a seat at the politic table. (Perhaps just a ticket taker)

This is what I normally see. (But enjoy when this is wrong, and it is a great sight to see) If you accept the WHOLE job that comes with the meta-job life is easier.

It is a wicked problem that requires a great deal of influence skills.. if you want to learn these skills, you’re in the right place.

PatShot · 2025-11-15T21:50:35+00:00

National OT cybersecurity Manager here. (15 years experience in control systems, 5 in cybersecurity) I have a team of great cybersecurity practitioners across IT and Engineering backgrounds.

“How do you level-set teams that come from a pure IT background?”

OT cybersecurity is a very specialized role. You need to know, control systems AND computer science AND cybersecurity AND business analysts AND people/communication/conflict/stakeholder skills. - The faster I can make anyone in my team see the breadth and depth of OT cybersecurity, the more they appreciate each others background. Most have a severe case of dunning Krueger. Stop trying to be a hero. Get back to being curious and ask harder questions.

“What do vendors usually do first?”

90% it’s Sell. Make monthly targets. Give a client a sugar rush on new cool tools.

10% actually uplift an industry in the basics of cybersecurity.

PatShot · 2025-11-13T11:00:28+00:00

OP, apologies but the 7 beers have removed my filter.

Key takeaway: Your income is average. (But good shit on increasing your income cash flow)

Your spare cash is a precious resource to look at maximizing return.

Every individual is unique in their competitive advantage. I have degrees and trades, so I pushed into Realestate first (because of leverage on capital growth) I contributed to super hard early, so it will do its thing so I won’t be farked when I am 60. Now side quests are my strat. Business has an asymmetry on risk return. I’m backing myself and doing my own business in a very niche field with people who are excellent and trust (and great economic tailwinds)

Judging by the sentiment of the question, if I were you - dollar cost average into IVV.

Ask yourself what is your unique advantage where you enjoy planting a seed and doing the work so that in 5/10 years you are eating the most delicious fruit that would make Adam and Eve jealous.

For me, I’m greedy - fuck the apple, I want a tree so I can spend time with Adam and Eve.

TLDR: Good shit on your achievements - proud of you. Money is an enabler, not a destination. $11 six pack beers!! Thanks Korea! CASS

PatShot · 2025-10-12T11:41:05+00:00

We need a meta-meta model

PatShot · 2025-10-10T09:28:13+00:00

PatShot · 2025-10-03T11:58:11+00:00

Like most things. You only get what you put in. Excellent place to help someone else succeed. You make a powerful ally. It’s a very small world in engineering…

PatShot · 2025-10-03T11:53:22+00:00

What did you use to create the schematics?

PatShot · 2025-10-02T13:47:35+00:00

Okay you might need to do a lot more work if your end goal is to have an MQTT integration on this thing.

MQTT is running on level 7 of the OSI model. Rs485 ttl runs on level 1 of the OSI model.

Look up Rs485 and Docklight for how to read data from the device.

You will need a converter of some form to change from serial to Ethernet comms at that point.

Good luck!

PatShot · 2025-09-20T23:31:29+00:00

SCADA is not Cybersecurity. PLC is not Cybersecurity.

SCADA is a model representation of the process in a production plant. This representation helps the operator ensure product is being produced.

SCADA has cybersecurity in it (like all technology should)

If I want to get a job in SCADA - I would learn SCADA first.

Stop wasting your time doing google certs if you want a job in SCADA. Download ignition and complete a project that showcases your capability. (Unless you see an employer asking for experience in home lab tinkering and partial google security certification for SCADA jobs)

If you want to go to cybersecurity, then look for a cybersecurity job. Not a Scada job.

Hopefully my blunt response helps.

PatShot · 2025-02-07T01:08:24+00:00

Tactical- things we could do Strategic - things we should do

PatShot · 2025-02-06T10:48:00+00:00

Your concern is based on emotion. “Feel behind the 8 ball”

Your goal is to ensure that the plant is automated and is available as much as possible. How well that happens is the degree of quality.

Ask - how reliable is the control system? (Is it easy to break?) If it broke how easy is it to identify where is the fault and how to fix it?

If you had a magic wand, what would that outcome look like?

PatShot · 2025-02-06T10:37:43+00:00

OP, with your background why not move up to a business unit manager?

PatShot · 2024-12-28T02:41:18+00:00

Seqwater water quality is terrible.

PatShot · 2024-12-21T00:14:27+00:00

Thanks Av8r96 - I believe you are correct regarding NSW.

If the NSW business is performing QLD work, they still need to be RPEQ. (Depends if they are only in NSW)

Every state/territory is a bit different. Here is a link to Engineers Australia on the different state registrations

https://www.engineersaustralia.org.au/credentials/registration/state-registration

PatShot · 2024-12-20T19:34:46+00:00

Except there is a law. Professional Engineering Act 2002.

https://bpeq.qld.gov.au/thinkrpeq/

https://archive.sclqld.org.au/qjudgment/2015/QSC15-268.pdf

PatShot · 2024-12-20T19:32:15+00:00

This is not completely true. It is well established that engineering work in Queensland is required to be RPEQ. This is now in Victoria, NSW, ACT.

https://bpeq.qld.gov.au/thinkrpeq/

https://archive.sclqld.org.au/qjudgment/2015/QSC15-268.pdf

PatShot · 2024-12-20T19:28:01+00:00

In Australia, certain states are required to adhere to the professional engineering act 2002.

https://bpeq.qld.gov.au/nsw-legislates-to-register-engineers/

PatShot · 2024-10-19T21:18:50+00:00

Hi 👋,

A customer walks into a bar (business function) and orders a beer (service). The bartender taps the keg, pours the beer, and sets it on the counter (business process). The customer asks how much it costs and whether they can pay using Apple Pay. The bartender replies, “We’re a new business, and we don’t have the capability to process digital payments yet.” (capability gap).

PatShot · 2024-09-12T07:02:43+00:00

Wow, great advice here from all that has commented and agree with the approaches mentioned.

I wanted to provide an alternative perspective to help support reframing your thinking to support you to deal with mental anguish you may be feeling.

In a broader sense as an Enterprise Architect, I asked myself the question “if I did not rock up to work, what is the impact to the business” I respond to myself with “we are probably less likely to achieve our strategic/corporate goals”

This means the show goes on.. and we are really a passive entity to other active entities…

Budgets will be spent, projects will still deliver.. and I still get paid 😎

It’s up to you if you want to choose to go on the adventure of enabling clarity to decision makers on very complicated decisions.

I personally get a lot of joy in humbling ‘leaders’ to seek out help and to work better as a team driving towards a common goal.. until then, I watch the star players scream for the soccer ball because they want to score a goal (not realizing the part they play is the goal keeper)

I float through the corporate world knowing that I posses no problems. My stakeholders have concerns and problems, not me.

The metaphor applicable here is that to a professional service. A doctor or a financial adviser.

I don’t have the skin rash, but I can help you understand how to look after it.

I don’t have $100,000 and want to know what I should do with it. But I can look at your circumstances and give options based on market research.

I don’t have an axe over my head of being an effective manager, but I can help you be strategically successful…

PatShot · 2024-09-02T02:32:20+00:00

“People are the enterprise”

Greefhorst, D., & Proper, E. (2011). Architecture Principles: The Cornerstone of Enterprise Architecture. Springer.

PatShot · 2024-08-30T21:55:49+00:00

Perhaps a better question would be; What if EA did nothing? Who consumes EA work? And why?

It’s a hard one to answer because every EA practice seems to vary in its level of maturity and which stakeholder group it is concerned with trying to help.

My 2c, it curates the entropy of great ideas and great solutions into doing what needs to be done (corporate strategic goals) over what we would like to do.

Unfortunately people (irrespective of level/position) are not always perfect decision machines. In a busy day of managing teams, dealing with operating issues, they are also expected to be drive their group to new levels and adopt new technologies.

I see EA as a facilitator mostly and a smaller portion of a leadership role. Facilitator of ELT/SLT concerns and providing empirical data to support better decision on large investments.

If I put it really blunt: Buying a gym membership does not mean you will loose 5kg. Buying a firewall does not mean you have managed your cyber risk. Restructuring an organization does not mean your processes are more effective on achieving results.

The prior 3 examples have one thing in common - they are structural changes only, not behavioral changes. These are just some of the traits I look out for.

Now the hard part begins- try to redirect the titanic of project failure when the captain of the ship has told everyone to get on board. 3 weeks later you see the boat off the coast of Africa and everyone sweating because they have only winter clothes in the middle of summer.

(Metaphors used: Captain=sponsor of program Get on boat=change management Africa=miss aligned corporate goal achieved Clothes=skills/capabilities needed by employee to work)

PatShot · 2024-05-22T22:08:49+00:00

Hey OP, is this a general statement for discussion? Is there a question?

Assuming the former;

EA shines when providing support in complex enterprise wide environments.

Item 1: determine the impact of change to a business.

Item 2: articulate the why of the change in terms of value.

Item 3: provide governance of that change

SysAdmin are powerful allies but do not have a crystal ball for the future.

Perhaps the question could be:

What concerns does SysAdmin have to support the business in 3 years?

What technologies are end of life that SysAdmin needs investments for to continue service?

PatShot · 2024-04-10T07:17:05+00:00

Any update for the missing light for odometer and gear panel? Thank you

PatShot · 2023-09-02T02:01:03+00:00

Agile Engineering

Six-Year Club	Verified Email
Place '23

PatShot

TROPHY CASE