Ronald Nielson, CTO, Cyber and Intelligence. Parsons, discusses the importance of cybersecurity to future infrastructure
How important will cybersecurity be to future infrastructure projects? It is an often-heard question, but is not a question for tomorrow; it has already arrived in the infrastructure of today. Most, if not all, infrastructure systems already possess a digital footprint. They are composed of systems of systems that are interconnected to gain performance efficiencies, improve customer experience and realise cost savings through automation and connectivity. While these are not all the reasons, it is important to note that many infrastructure systems are increasingly digital and the precursor for this digitisation has nothing to do with cybersecurity. A digitised infrastructure is not the world of tomorrow, but of TODAY.
Most reasons to digitise are valid and well thought-out. They provide an improvement to services, performance and costs. The number of Industrial Internet of Things (IIoT) devices now connected to the operational technology (OT) systems that comprise our infrastructure is staggering and growing at a rapid rate, but were they put in place while considering potential unintended consequences?
Many digitisation measures are already in place and have often been implemented by individual teams to achieve one of these single enhancements to their operations and organisation. We must understand very clearly that this is not a question of IF, but more importantly one of HOW we will react to this digital smart infrastructure.
How is the market performing in this transformational time? Are we providing these needed benefits and keeping track of safety, security and indeed the impact cyber will play on this infrastructure? With such a divergent and broad technical understanding required to execute this transformation quickly, it begs the question of how well versed and disciplined we are in applying proper measures in each of these fields.
A recent Parsons survey (Critical Infrastructure Risk Assessment, 2018: https://www.parsons.com/cipsurvey/) collected the thoughts and opinions of a broad group of qualified respondents working in this market each day. The opinions provided from the focus group are enlightening and I believe the findings are worth reading.
I see no helpful reason to cry wolf or further project the ominous and dire warnings about damaging cyber events, hacks, outages or problems. You are aware of those on your own. We should be talking about solving or improving the work that we do, the difficulty of the task at hand. We should be promoting concepts that deliver positive outcomes and improve this smart infrastructure.
So how crucial is it to design in cybersecurity when considering a modernisation or construction project? Very! If those reasons to digitise are valid, then surely the loss of those systems or a compromise to safety and monitoring devices within that infrastructure would not be welcomed. We cannot continue to receive the desired improvements that digitisation delivers if the system is compromised.
A common reaction to this cybersecurity risk is to bolt on some software modification. I call this the shiny toaster method of perceived improvement. I truly believe there are effective cyber tools and that many of them can provide a meaningful reduction in digital risk. They should be considered when the organisation is prepared to do so.
In the past, the IT teams delivered digital systems to achieve corporate efficiencies: office tools, email, internet-connected business processes and other improvements to corporate performance and personal quality of life measures. When we tried to bolt on cybersecurity, we often disrupted the performance of the digital systems we were trying to protect. The cyber efforts often collided with system performance, all without even understanding the IT department’s mission of delivering digital capabilities.
Today is not much different. If we are to converge cybersecurity with our infrastructure systems, we need to have a unified approach, one where both missions are vested in performance and in security. If we don’t accomplish this, we will just repeat the IT and cyber errors that have been the bane of business delivery and customer satisfaction.
Where do we focus our efforts? We must design in cybersecurity when beginning any of our infrastructure projects. I didn’t say cybersecurity systems; just cybersecurity. Cybersecurity should be more than a list of tools – cybersecurity begins with design, architectures, configurations, processes, procedures and then tools. Don’t buy the shiny toaster cyber tool unless it is the capability you need, and can be integrated efficiently within your processes and workflow. Don’t buy software-centric tools when you really need mission/performance-centric capabilities that also enhance security. Sometimes the best answer might be a simple design or workflow change.
When approaching a project to modernise or build a new infrastructure component, it would be a dream come true if we could start from a clean slate and just build the best system with today’s technology. That is rarely true for any initiative. A meaningful advancement in design and build efforts is to include IT/cyber personnel alongside your OT engineering workforce. But don’t stop there. Ensure there is operational interaction between these teams to find additional value in operations.
Parsons is continually finding synergies in this approach, and we feel it is delivering an optimised ‘system of systems’ in design and performance. By bringing these workforces together in the early design phase, we are identifying OT/IT system optimisations in performance, situational awareness, safety monitoring and general risk avoidance that fully integrate with physical security efforts. Further advancements employ digital event anomaly detection, big-data analytics and machine learning techniques for system monitoring, which delivers optimised OT/IIoT systems and maintenance scheduling efficiencies, all while employing cybersecurity concepts, tools and capabilities that raise the level of security and resiliency.
Cybersecurity will be an important aspect in all infrastructure projects. When combined with professional engineering and an understood mission focus, IT/cybersecurity missions will also be a productive inclusion.