1. What is a Security Engineer at Burns & McDonnell?
The Security Engineer role at Burns & McDonnell—often situated within the 1898 & Co. security and risk consulting practice—is distinct from typical corporate IT security roles. Here, your work directly intersects with the physical world. You are not just protecting data; you are safeguarding the critical infrastructure that powers cities, runs manufacturing plants, and secures federal assets. This position bridges the gap between Information Technology (IT) and Operational Technology (OT), focusing on Industrial Control Systems (ICS) and SCADA environments.
In this role, you will act as a technical consultant and a hands-on engineer. You will assist clients in designing secure network architectures, conducting vulnerability assessments on industrial systems, and navigating complex compliance frameworks like NIST RMF. The impact of your work is tangible: you help prevent cyberattacks that could disrupt power grids, water systems, or transportation networks.
For a candidate, this means the role demands a dual mindset. You must possess the technical rigor to harden PLCs and firewalls while maintaining the consulting soft skills required to communicate risk to non-technical stakeholders. You are joining an employee-owned firm known for its commitment to "serving humanity by improving the safety, security, and reliability of the world’s critical infrastructure."
2. Common Interview Questions
Curated questions for Burns & McDonnell from real interviews. Click any question to practice and review the answer.
Explain how symmetric and asymmetric encryption differ in key usage, performance, and real-world application.
Explain the concept of defense in depth and its significance in security architecture.
Choose the CIS control with the best ROI to uplift a newly acquired subsidiary’s security posture under tight time and budget constraints.
3. Getting Ready for Your Interviews
Preparation for Burns & McDonnell requires a shift in perspective. While technical proficiency is the baseline, the interview team is equally focused on your ability to operate in a consulting environment and your cultural fit within an employee-owned company.
You will be evaluated on the following key criteria:
OT/ICS Domain Knowledge – This is the differentiator for this role. Interviewers will assess your understanding of how security principles apply to industrial environments (OT) versus standard corporate networks (IT). You must demonstrate knowledge of SCADA systems, PLCs, and the unique availability requirements of critical infrastructure.
Consulting & Communication – Because this is often a client-facing role, you must be able to articulate complex security concepts to diverse audiences. Evaluators look for clarity, professionalism, and the ability to write detailed reports and documentation (such as POA&Ms) effectively.
Regulatory & Compliance Fluency – A significant portion of the work involves adhering to federal and industry standards. You should demonstrate familiarity with frameworks like the NIST Cybersecurity Framework (CSF) and the Risk Management Framework (RMF), as well as tools like eMASS.
Cultural Fit & Employee Ownership – Burns & McDonnell is 100% employee-owned, fostering a culture of accountability and collaboration. Interviewers look for candidates who are self-starters, eager to take ownership of their projects, and willing to collaborate across different divisions.
4. Interview Process Overview
The interview process for the Security Engineer position is structured, efficient, and rigorous. Based on recent candidate experiences, the process is designed to filter for communication skills early on before diving deep into technical and behavioral assessments with the team you would actually work with.
You should expect the process to begin with a digital, one-way video interview. This is a recorded session where you answer pre-set questions without an interviewer present. While some candidates find this format "challenging" or "unnatural," it is a critical step for the hiring team to gauge your communication style and initial technical thought process. If you pass this stage, you will move to the core of the evaluation: a panel interview. This typically involves 4–5 managers and senior engineers from the business and technology groups. This round is comprehensive, covering behavioral questions, technical scenarios, and role-specific knowledge in a single, intense session.
The company values efficiency. Candidates often report a well-organized process where recruiters stay in touch, and the timeline from application to the final rounds can move relatively quickly compared to industry norms. The philosophy here is practical: they want to see if you can do the work and if you fit the team dynamic.
The visual timeline above highlights the streamlined nature of the process. Note that the "Recorded Video Screen" is a major gatekeeper; treat it with the same seriousness as a live conversation. The final "Panel Interview" is your opportunity to meet your future peers—bring your highest energy to this stage, as it is often the deciding factor.
5. Deep Dive into Evaluation Areas
To succeed, you must prepare for a blend of standard cybersecurity questions and specialized industrial security scenarios. The interview panel will probe the depth of your knowledge to ensure you can handle the high-stakes environment of critical infrastructure.
Operational Technology (OT) & ICS Security
This is the most critical technical area. You must understand the distinction between IT (focused on Confidentiality) and OT (focused on Availability and Safety).
Be ready to go over:
- The Purdue Model – Understanding network segmentation in industrial control systems.
- ICS Protocols – Familiarity with Modbus, DNP3, or BACnet and why they are insecure by design: in their base form they carry no authentication, integrity protection, or encryption, so any host that can reach the service port can read or write process values.
- Asset Hardening – How to secure PLCs and HMIs without disrupting operations.
- Advanced concepts – Data diodes and unidirectional gateways (hardware-enforced one-way flows out of the control network) and the classes of weakness that recur in SCADA deployments.
Example questions or scenarios:
- "How does your approach to patching a server differ from patching a PLC in a live production environment?"
- "Explain the difference between IT security priorities and OT security priorities."
- "Describe a time you had to secure a legacy system that could not be taken offline."
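The "insecure by design" point about Modbus is easiest to see in the wire format. The following is an added example, not code from the page or from Burns & McDonnell: it builds and parses a Modbus/TCP Write Single Coil request (function code 0x05) and then applies the kind of per-zone function-code allowlist an ICS-aware boundary device enforces, since the frame itself carries nothing that identifies or authenticates the sender. The zone names and the policy table are assumptions for illustration.

```python
"""Modbus/TCP framing and a function-code policy at a zone boundary.

A Modbus/TCP ADU is a 7-byte MBAP header (transaction id, protocol id,
length, unit id) followed by the PDU (function code + data). There is no
field for who sent it and no integrity check, so the only place to say
"this zone may read but not write" is the conduit between zones.
"""
import struct

MODBUS_PROTOCOL_ID = 0
# Function codes that change process state; 0x01-0x04 are reads.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def build_write_single_coil(transaction_id, unit_id, coil_address, on):
    """Return a Modbus/TCP ADU for function 0x05 (Write Single Coil)."""
    value = 0xFF00 if on else 0x0000            # 0xFF00 = ON, 0x0000 = OFF
    pdu = struct.pack(">BHH", 0x05, coil_address, value)
    # The MBAP length field counts the unit id byte plus the PDU bytes.
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID,
                       len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Split an ADU into MBAP fields and PDU, validating the framing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError("not Modbus/TCP (protocol id %d)" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    pdu = frame[7:]
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": pdu[0], "data": pdu[1:]}


def decode_write_single_coil(adu):
    """Return (coil_address, on) for a parsed function-0x05 ADU."""
    if adu["function_code"] != 0x05 or len(adu["data"]) != 4:
        raise ValueError("not a well-formed Write Single Coil request")
    address, value = struct.unpack(">HH", adu["data"])
    return address, value == 0xFF00


# Hypothetical policy (an assumption, not a real site's configuration):
# which function codes each source zone may send into the control network.
ZONE_POLICY = {
    "engineering_workstations": {0x01, 0x02, 0x03, 0x04} | WRITE_FUNCTION_CODES,
    "historian_dmz": {0x01, 0x02, 0x03, 0x04},   # read-only conduit
}


def conduit_allows(source_zone, frame):
    """Decide whether a boundary device should forward the frame.

    Malformed frames and unknown zones are dropped (deny by default)."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return False
    return adu["function_code"] in ZONE_POLICY.get(source_zone, set())
```

The decision in `conduit_allows` rests entirely on where the frame entered the conduit, not on anything inside it, which is the practical meaning of "no authentication in the protocol": the network architecture has to supply what the protocol lacks.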
Regulatory Compliance & Frameworks
Since many clients are in the federal or utility sectors, compliance is not optional—it is the product.
Be ready to go over:
- NIST RMF & CSF – The steps of the Risk Management Framework and how to apply the Cybersecurity Framework.
- Documentation – Writing Plans of Action and Milestones (POA&Ms) and System Security Plans (SSPs).
- eMASS – Experience with or understanding of the Enterprise Mission Assurance Support Service (used by federal clients).
Example questions or scenarios:
- "Walk me through the steps of the NIST Risk Management Framework."
- "How would you categorize a system based on its impact level?"
- "What is your experience with eMASS or similar compliance repositories?"
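The categorization question is answered by the FIPS 199 high-water-mark rule: rate each information type the system handles for confidentiality, integrity and availability, take the highest rating per objective across all types, and the system category is the highest of the three. The following is an added example, not the page's or the firm's own material; the SCADA information types and their ratings are constructed for illustration.

```python
"""FIPS 199 security categorization using the high-water-mark rule.

FIPS 199 lets confidentiality be "not applicable" for public information.
That value must stay distinct from "low" during aggregation so it cannot
raise the confidentiality level on its own, and it is never valid for
integrity or availability.
"""
LEVELS = {"na": 0, "low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {value: name for name, value in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """info_types maps a type name to its per-objective impact levels.

    Returns the per-objective levels, the overall category, and which
    objectives drive it (useful when explaining the result to a client)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {}
    for objective in OBJECTIVES:
        highest = 0
        for name, ratings in info_types.items():
            level = str(ratings[objective]).lower()
            if level not in LEVELS:
                raise ValueError("%s: unknown impact level %r" % (name, ratings[objective]))
            if level == "na" and objective != "confidentiality":
                raise ValueError("%s: 'na' is only permitted for confidentiality" % name)
            highest = max(highest, LEVELS[level])
        per_objective[objective] = LEVEL_NAMES[highest]
    overall_value = max(LEVELS[v] for v in per_objective.values())
    drivers = [o for o in OBJECTIVES if LEVELS[per_objective[o]] == overall_value]
    return {"per_objective": per_objective,
            "overall": LEVEL_NAMES[overall_value],
            "drivers": drivers}


# Constructed sample: a utility SCADA system (an assumption for illustration).
SCADA_SYSTEM = {
    "public outage map": {"confidentiality": "na",
                          "integrity": "moderate", "availability": "moderate"},
    "breaker control commands": {"confidentiality": "moderate",
                                 "integrity": "high", "availability": "high"},
    "operator credentials": {"confidentiality": "moderate",
                             "integrity": "moderate", "availability": "low"},
}
```

Run on the sample, the system comes out as high, driven by integrity and availability rather than confidentiality, which is the typical shape of an OT categorization and a good thing to be able to say out loud in the interview.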
Network Security & Architecture
You will be expected to demonstrate strong fundamentals in network defense, specifically how they apply to securing boundaries between zones.
Be ready to go over:
- Firewall Configuration – Rulesets, ACLs, and Next-Gen Firewall (NGFW) features.
- Vulnerability Assessment – Tools and techniques for scanning networks (e.g., Nessus) and interpreting results, including why active scanning of fragile PLCs and HMIs can disrupt them and when passive monitoring or scanning an offline replica is the safer choice.
- Penetration Testing – Methodologies for testing web applications and network perimeters.
Example questions or scenarios:
- "How would you design a secure remote access solution for an off-site engineer accessing the control network?"
- "Describe the process of a vulnerability assessment from scanning to reporting."
- "Explain the TCP three-way handshake and where attacks can occur during the process."
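The handshake question is really asking where the three-way handshake can be attacked: a client that sends SYNs and never completes them ties up server state (the SYN-flood primitive), and a third-segment ACK whose acknowledgment number does not match the server's SYN-ACK is a forged or blindly guessed completion. The following is an added example, not code from the page: it replays a constructed packet trace against a control-network service on TCP/502 (the port and addresses are assumptions), tracks each connection through SYN, SYN-ACK and ACK, and reports half-open connections and mismatched sequence numbers the way a simple detector would.

```python
"""Track the TCP three-way handshake over a trace and flag attack points.

State per connection: SYN_RECEIVED (client SYN seen), SYN_ACK_SENT (server
replied), ESTABLISHED (client ACK with the right sequence numbers).
"""
from collections import namedtuple

# One segment; flags uses tcpdump letters: "S", "SA", "A".
Segment = namedtuple("Segment", "src dst sport dport flags seq ack")


def track_handshakes(trace, server_port):
    """Return (connection table, findings); findings are (kind, key) pairs."""
    conns = {}       # (client, server, client_port, server_port) -> state dict
    findings = []
    for s in trace:
        if s.flags == "S" and s.dport == server_port:
            key = (s.src, s.dst, s.sport, s.dport)
            conns[key] = {"state": "SYN_RECEIVED", "client_isn": s.seq,
                          "server_isn": None}
        elif s.flags == "SA" and s.sport == server_port:
            key = (s.dst, s.src, s.dport, s.sport)
            c = conns.get(key)
            if c is None or c["state"] != "SYN_RECEIVED":
                continue
            if s.ack != c["client_isn"] + 1:
                findings.append(("bad_synack", key))   # server ack mismatch
                continue
            c["server_isn"] = s.seq
            c["state"] = "SYN_ACK_SENT"
        elif s.flags == "A" and s.dport == server_port:
            key = (s.src, s.dst, s.sport, s.dport)
            c = conns.get(key)
            if c is None:
                findings.append(("ack_without_syn", key))   # ACK scan / probe
            elif c["state"] == "SYN_ACK_SENT":
                if s.seq == c["client_isn"] + 1 and s.ack == c["server_isn"] + 1:
                    c["state"] = "ESTABLISHED"
                else:
                    findings.append(("forged_ack", key))  # wrong seq/ack numbers
    return conns, findings


def half_open_by_source(conns):
    """Count connections per client that never reached ESTABLISHED."""
    counts = {}
    for (client, _, _, _), c in conns.items():
        if c["state"] != "ESTABLISHED":
            counts[client] = counts.get(client, 0) + 1
    return counts


def syn_flood_sources(conns, threshold):
    """Clients with at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_by_source(conns).items()
                  if n >= threshold)


# Constructed trace (addresses, ports and sequence numbers are made up).
SERVER = "10.0.1.20"
TRACE = [
    # Legitimate handshake from an engineering workstation.
    Segment("10.0.0.5", SERVER, 40000, 502, "S", 1000, 0),
    Segment(SERVER, "10.0.0.5", 502, 40000, "SA", 5000, 1001),
    Segment("10.0.0.5", SERVER, 40000, 502, "A", 1001, 5001),
    # Three SYNs from one host that are never completed (half-open).
    Segment("10.0.0.9", SERVER, 50001, 502, "S", 1, 0),
    Segment("10.0.0.9", SERVER, 50002, 502, "S", 2, 0),
    Segment("10.0.0.9", SERVER, 50003, 502, "S", 3, 0),
    # Final ACK with the wrong acknowledgment number.
    Segment("10.0.0.7", SERVER, 41000, 502, "S", 2000, 0),
    Segment(SERVER, "10.0.0.7", 502, 41000, "SA", 7000, 2001),
    Segment("10.0.0.7", SERVER, 41000, 502, "A", 2001, 9999),
    # Bare ACK with no prior SYN (stateless ACK probe).
    Segment("10.0.0.8", SERVER, 42000, 502, "A", 300, 400),
]
```

On a real sensor the threshold would be applied per time window and the server-side fix for the half-open problem is SYN cookies or a rate limit at the firewall; the point of the tracker is to show which of the three segments each attack targets.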