However much you think you have cyber-security under control, you do not. That is the message from the CEO of Geneva Airport, André Schneider, ahead of the inaugural FIDIC Global Leadership Forum Summit in April.
Cyber-security is a growing challenge for the world’s infrastructure, with more data networks involved than ever before. So why is infrastructure so deeply at risk?
André Schneider (AS): “When you hear about retail banks being hacked it is usually about IT systems, which can happen to infrastructure operators too. But in infrastructure we also have an incredible array of embedded systems for diverse activities. That is a problem because, as we have seen with hacked cars recently, quite some damage can be done by systems that you might not expect.
“In our airport those systems might be the climate control or the security sensors for fire doors or even our 13km of baggage sorting and directing installations. These are embedded systems with all kinds of different specialist software.”
IG: So just how big a threat does this represent?
AS: “Very big. NATO has a research lab for cyber-security that identified elderly airports as one of the weak spots for attacking military systems. That was because they are riven with old systems that were developed before people thought about cyber-attacks. That means we must think about control systems that are put into place from the very start.
“Fortunately, some systems aren’t connected to the internet, so they are less vulnerable. But the infrastructure industry focuses on getting things to run well – good climate control, efficient maintenance, etc. Recent trends saw greater moves towards online systems that help achieve those goals but may also have created opportunities for hackers. We’ve seen a huge pipeline manager in the USA was hacked, and airports in Germany faced waves of attacks after their country decided to deliver arms to Ukraine.”
IG: When faced with that level of complexity, how do you ensure you have the right defences in place?
AS: “We started employing companies to test-hack our systems for many years because you can think as much as you like that you have things under control – but you do not. There is no question about if you’ll face cyber-attacks, there is only the question of when and how bad. So, you must push the ‘when’ out as far as possible and continue on working to reduce the potential impact of an attack.
“We do that by thinking about cyber security at the start of any design processes and by thinking about the installations, the systems that will be used and how secure they are. Operators need to know what systems they have and which systems to keep off the internet so they are not attackable from outside.
“Another thing we do more and more is using an external supervising system. It’s a bit like a radar system to let us know what is happening around our site regarding potentially approaching cyber-threats.
“You also need to manage how external actors access your systems. Maintenance programmes can be a path to start a hacking attack and you need to keep updated all the time. To address all these risks, we have a chief security officer whose job is just to look at what is happening in this field and define our standards and approaches.”
IG: A new or rising risk can impact on staff. How do you create sufficient awareness?
AS: “Repetitive sensibilisation – and to make risk more and more visible because your number one risk is your employees. For example, when an email comes from outside, our system highlights it at the top, in colour, saying this is an outside mail, don’t click on this if you don’t know the source and what you are clicking on.
“The other thing is security measures. We now require dual identification for most outside accesses. You need a password and a phone with a second password to access our systems. We also ask ourselves where we store data – because outside data companies can be hacked too. Industry has to rethink everything, even if it means giving up some wonderful web solutions that unfortunately increase exposure to risk.”
IG: Are there any steps that industry could take collectively to put itself on the best possible footing for that?
AS: “The biggest asset would be a platform approach to detecting all potential risks. That would allow us to test and trial what would work, and help industry develop the software solutions it needs. With Windows or Mac there is a real force behind what they do and there are cyber-security companies involved in that process. But for infrastructure’s embedded systems there really isn’t the same situation.
“Proprietary systems are good at what they do, but often you then depend on the company for their security systems. A common platform to help establish standards and collectively test embedded systems would be a valuable step.”
IG: And finally, if a cyber-attack is ‘when’ not ‘if’, what can be put in place for ‘when’ one hits?
AS: “Independent of cyber-security, we have a whole management system for urgent situations spanning airplane crashes to IT problems. These define who should do what, what backup systems are deployed, and so on. Sometimes, if an IT system goes down, manual check-in can be done. And these things do happen – not because of cyber-attacks but because things happen.
“As an example, one of our ground agents that works on everything from check-in to baggage sorting around the world, had a major cyber-attack on their global system. Can you imagine sending 500 people to the right place at the right time across an airport, to sort, load and unload baggage, and so on, without any IT system to even tell you if someone is off sick today? You end up with a flipchart and post-its, and you use walkie-talkies to try to co-ordinate hundreds of people. They faced that for three months. It was terrible. A lot of things just didn’t work. So, we must accept that certain types of cyber-attacks would be so crippling that we would have to shut down.
“When that happens, plans kick in for how we inform people about what to do.”
The Global Leadership Forum Summit will bring together infrastructure leaders spanning the design, construction, operation and financing of infrastructure to set a strategic path for the global industry as it faces remarkable new challenges.