We sat down with Aurecon CEO and GLF Advisory Board member Bill Cox (BC) to discuss the industry’s response to cyber security ahead of his session on the subject at FIDIC’s inaugural Global Leadership Forum Summit in Geneva.
IG: How well is the infrastructure industry adapting to rising levels of cyber security risk?
BC: “Right across society we see more and more that infrastructure is not immune. But that comes with good news too because it has seen our industry be proactive about safeguards and security measures against cyber-risk.
“We are also seeing governments incorporating cyber security into specs and expectations for projects and operations, and there is a far greater recognition now that this is not an IT issue but a whole operations issue.
“That said, we must not forget that cyber attacks are a matter of when, not if. So industry also has to be as prepared as can be for attacks, running scenarios and tests that can help when bad actors strike.”
IG: The Global Leadership Forum Summit has identified cyber threats as a subject in need of collective response. What does that look like?
BC: “The level of sophistication of cyber threats is rising all the time so we need industry to share good practice openly and look to other sectors so we can share in their experiences too, because no one company or industry has all the answers.
“That is partly about openness by leaders over the bad experiences we have, but also about sharing successes too. Different organisations understandably have different approaches to how they share those experiences but groups like the Global Leadership Forum can help to bring those experiences together and generate frank conversations.
“That matters now more than ever. The way projects are delivered and operated is more complex than ever and involves huge supply chains across many borders. So getting strong cyber security practices right for that is not always easy.
“You need fit for purpose practices and technologies, but we also need fit for purpose understanding of our supply chains. Otherwise good technologies and practices won’t be sufficient.”
“Every situation is unique. Every attack and asset needs a bespoke set of tools and a framework for the right response. And that response must reflect the impact of the attack.” Bill Cox
IG: That raises the question of culture across the industry. How are the people working throughout infrastructure adapting?
BC: “Just as we need to understand how different companies see things, the same is true about understanding the people involved. The human interface is a huge part of being cyber safe and is where many breaches occur.
“That makes training important, but not just training – we know the best outcomes are achieved when we explain why. People in our industry are very purpose driven, so helping to ensure they know why we adopt such strong practices, strengthens adoption of them.
“That is helped by the fact that unfortunately many people have now been affected by cyber threats in their daily lives. From subscription services being hacked, to bank or other services suffering information leaks, people across society do ‘get it’ now.
“And clients have been through that journey too. Recent headline issues about major cyber attacks means clients fully appreciate how important this is and the consequences involved.”
IG: If cyber attacks are a matter of when, not if, how should companies be preparing for when one happens?
BC: “Every situation is unique. Every attack and asset needs a bespoke set of tools and a framework for the right response. And that response must reflect the impact of the attack. The response to a breach that was detected and halted is very different to an attack that causes real asset downtime.
“At Aurecon we have put in place a multi-pronged crisis management plan for that. That plan sets out who the key people are within the business for our response, who are the key stakeholders to engage immediately and how to facilitate the information flow both internally and externally.
“That approach needs to be in place for any company or project and it needs to be robust. Companies must run workshops to pressure test their plan with hypothetical scenarios, which can be quite confronting for those who do it, but better to do that than be confronted by gaps in a real cyber attack situation.
“And a big focus for that process is how you quarantine the response team to allow them to do what they must, while allowing the rest of the business to continue operating, at least in some form. Some crises might make that impossible, but when it is possible it needs doing because the industry’s responsibilities are wide-ranging.”
Bill Cox led discussions at FIDIC’s inaugural Global Leadership Forum Summit in Geneva.
