Dr Rida Hamza, VP, Critical Infrastructure Protection at Parsons, analyses the importance of cybersecurity to new smart infrastructure
Most, if not all, new infrastructure systems already possess a digital footprint. They are composed of systems that are interconnected to gain performance efficiencies, improve customer experience and realise cost savings through automation and connectivity. While these are not all the reasons, it is important to note that many infrastructure systems are increasingly digital and the precursor for this digitisation has nothing to do with cybersecurity.
A digitised infrastructure is not the world of tomorrow, but of today.
Most reasons to digitise are valid and well thought-out. They provide an improvement to services, performance and costs. The Industrial Internet of Things (IIoT) is unlocking new levels of productivity, helping organisations implementing value supply chain, increasing productivity, and maximising return on investments.
At the same time, digitalisation is driving deployment of millions of connected devices, increasing the attack surface and risk of cyberattacks on industrial control systems.
The number of IIoT devices now connected to the operational technology (OT) systems that comprise our infrastructure is staggering and growing at a rapid rate, but were they put in place while considering potential unintended consequences? Not only will these devices allow us to be more productive and help building smart infrastructure, they will also usher in a new era of safety and security practices made possible by interconnected devices.
Many digitisation measures are already in place and have often been implemented by individual teams to achieve one of these single enhancements to their operations and organisation. We must understand very clearly that this is not a question of if, but more importantly one of how we will react to this digital smart infrastructure.
The impact of IoT on infrastructure
The Internet of Things (IoT) is impacting new smart infrastructure and unlocking new levels of automations, helping facilities improve comfort, increase efficiency, and energy savings. At the same time, digitalisation is driving deployment of millions of connected devices, increasing the attack surface and risk of cyberattacks on these buildings control systems whether the HVAC systems, lighting systems, and or electronic security systems and access controls.
How is the market performing in this transformational time? Are we providing these needed benefits and keeping track of safety, security and indeed the impact cyber will have on this infrastructure? Perhaps one of the greatest fears shared by Critical Infrastructure professionals in today’s age of connected infrastructure is the risk for a cyberattack that goes beyond data theft and can bring down the entire facility HAVAC system or a high-rise tower control system and even threatens occupants’ lives.
This pervasive introduction of sensors and connected devices into our lives and with such a divergent and broad technical understanding required to execute this transformation quickly, it begs the question of how well versed and disciplined we are in applying proper measures.
The problem is that most people think of the cyber element of critical infrastructure protection (CIP), such as the protection of information Technology (IT) assets like servers, computers, and switches, but they’re forgetting a whole other side of CIP. Just as important as the protection of IT assets is the protection of OT, assets, including IoT-connected devices that control the backbone control system and automations within smart infrastructures. Most operational networks contain hundreds to thousands of these devices, some of which do not communicate over standard protocols.
This includes HVAC controls, badge readers, security cameras, and even those Amazon Echoes that many of us have in our homes. These devices represent a significant portion of our digital infrastructure, increasing the attack surface that needs protection.
OT networks were traditionally kept separate, i.e. air-gapped from IT networks. However, new smart infrastructure requirements associated with the efficiency benefits of digitalisation, such as smart environmental control systems, just in time irrigation, and interactive access control systems tied to Big Data, are forcing increased connectivity between IT and OT networks, thereby increasing the attack surface and hence the cyber risk.
I see no helpful reason to cry wolf or further project the ominous and dire warnings about damaging cyber events, hacks, outages or problems. We are aware of those on our own. We should be talking about solving or improving the work that we do, the difficulty of the task at hand. We should be promoting concepts that deliver positive outcomes and improve this smart infrastructure.
So how crucial is it to design in cybersecurity when considering a modernisation or construction project? Very! If those reasons to digitise are valid, then surely the loss of those systems or a compromise to safety and monitoring devices within that infrastructure would not be welcomed. We cannot continue to receive the desired improvements that digitisation delivers if the system is compromised.
The shiny toaster method
A common reaction to this cybersecurity risk is to bolt on some software modification. I call this the shiny toaster method of perceived improvement. I truly believe there are effective cyber tools and that many of them can provide a meaningful reduction in digital risk. They should be considered when the organisation is prepared to do so.
In fact, many of today’s OT networks are transited over smart building networks, leverage common internet protocols, run on general-purpose hardware and mainstream operating systems, and are increasingly connected via wireless technologies. As a result, it is vital to deploy those cyber tools at the very early stage of design to bolt both IT and OT simultaneously to ensure that the hardware and software that monitor and control physical equipment and processes for critical infrastructure no longer present a wildly attractive target for those who seek to cause disruption or to threaten infrastructure for their own purposes.
In the past, the IT teams delivered digital systems to achieve corporate efficiencies: office tools, email, internet-connected business processes and other improvements to corporate performance and personal quality of life measures. When we tried to bolt on cybersecurity, we often disrupted the performance of the digital systems we were trying to protect. The cyber efforts often collided with system performance, all without even understanding the IT department’s mission of delivering digital capabilities.
Today is not much different. If we are to converge cybersecurity with our infrastructure systems, we need to have a unified approach. If we don’t accomplish this, we will just repeat the IT and cyber errors that have been the bane of business delivery and customer satisfaction.
Where do we focus our efforts? Many design flaws allow attackers to get access to connected devices. We must design in cybersecurity when beginning any of our infrastructure projects. Cybersecurity begins with design, architectures, configurations, processes, procedures and then tools.
When it comes to big software vendors who cater to enterprise infrastructure solutions, the problem is more with the implementation rather than the use of essential elements of security. Don’t buy the shiny cyber tool unless it is the capability you need and can be integrated efficiently within your processes and workflow. Don’t buy software-centric tools when you really need mission/performance- centric capabilities that also enhance security. Sometimes the best answer might be a simple design or workflow change. Buy only from mature known OEM players. Software from Startups or Small vendors are usually more vulnerable as they do not use essential elements of cybersecurity and they might be cutting corners to rush their software to the market.
Even with some reckless OEM players, vulnerabilities also can get more serious with no updates of middleware, in some cases attackers can run basic bypass attacks to get past weak security authentication methods accessing their devices. When approaching a project to modernise or build a new infrastructure component, it would be a dream come true if we could start from a clean slate and just build the best system with today’s technology. That is rarely true for any initiative. A meaningful advancement in design and build efforts is to include IT/ cyber personnel alongside your OT engineering workforce. But don’t stop there. Ensure there is operational interaction between these teams to find additional value and share intelligence on reported defects in some devices and or flaws in programming.
Delivering an optimised ‘system of systems’
Many Infrastructure Protection companies, including Parsons, are continually finding synergies in this approach. Professionals in the CIP field would agree that is delivering an optimised ‘system of systems’ in design and performance. By bringing these workforces together in the early design phase, we are identifying OT/IT system optimisations and avoid design flaws.
How to outsmart the cyberhackers? Smart device vendors and software developers have a responsibility to work on better IT/OT design and test products before releasing them to market – The smart devices space for smart infrastructure still is very much an emerging market and often developers and manufacturers race to be the first to get a product to market. All these device vendors should continuously issue patches and software updates to avoid not only actual flaws if any but to avoid traceability.
In performance, situational awareness, safety monitoring and general risk avoidance that fully integrate with physical security efforts. Further advancements employ digital event anomaly detection, big-data analytics and machine learning techniques for system monitoring, which delivers optimised OT/IIoT systems and maintenance scheduling efficiencies, all while employing cybersecurity concepts, tools and capabilities that raise the level of security and resiliency.
The IOT is unlocking new levels of smartness into the infrastructure. These networked sensors and control devices are at risk of tampering if someone with malicious intent has access. Thus, Cybersecurity will be an important aspect in all infrastructure projects. When combined with professional engineering and an understood mission focus, IT/ cybersecurity missions will also be a productive inclusion.