Infrastructure represents a huge cyber-security target and its success in countering that is vital to communities and nations. At the recent Global Leadership Forum summit, we spoke on camera with André Schneider, CEO of Geneva Airport, and Bill Cox, CEO of Aurecon, about what industry needs to do.
For a long time, consumer industries dominated cyber-risk because thy were targeted for their high quantities of customer data. Over time, however, that has changed and infrastructure has become so much greater a focus that NATO has warned that countries face significant national security risks from lack of cyber prevention around certain infrastructure assets.
Risks are also highly diverse. There have been attacks on airports that coincided with decisions by their governments to send support to Ukraine. At the same time though, we have seen international companies being locked out of their own systems by hackers who hope to extort a fee for returning access to their own systems.
So, how deep is the underlying challenge?
Andre Schneider, CEO of Geneva Airport, is clear that one of the major problems is that infrastructure involves so many embedded systems, which means it can be attacked not only through conventional IT systems but through something of a back door.
He explained that it may be worryingly easy to bring down a building by tacking control of less thought about systems like its climate control. At the same time, he recognises that providers of such systems are still looking for the right standards and testing.
This isn’t only a concern for those who own and operate assets, but also for the companies who design and build them. Bill Cox, CEO of consulting engineering firm Aurecon, says this is something that is testing companies who design, plan and construct assets around the world and is something that continues to grow.
As a result, he says that companies like his must work closely with clients and challenge themselves with new design theories, approaches and innovations to make cyber-attacks as difficult as possible, as well as prepare and mitigate for when attacks get through.
So, what does that involve? Well, there are many systems, technologies and services that can help and these need to be examined across the whole industry. At the same time, the efforts already underway to raise awareness must continue to ensure everyone involved in infrastructure, and especially client organisations who own and operate infrastructure, understand that many are best put in place early in a project process.
Awareness also plays a vital role, ensuring industry understands what practices may be risky and how different systems and practices might leave the door open for cyber-attackers. However, with so many different risks involved, all of this may involve some difficult conversations that go beyond what many industry leaders would normally feel comfortable with.
Bill Cox explains that business leaders – and especially for designers and construction supervisors – need to be open about lessons they have learned from good practice, but also share with others the things that have gone badly so that all of industry can learn.
One of the cultural challenges that may hold organisations back is the huge number of people who need to be involved. Many cyber attacks target user-interfaces because every individual with access to a networked system can slip up, even with something as innocuous as opening a bad attachment.
Training so many people for what to be aware of and keeping them vigilant – not only within your own company but across multiple suppliers across an entire project or infrastructure operation is not easy, though there are tools that can help, like consultant firms that run dummy attacks that can highlight to anyone who makes such an error aware of what might have happened.
But such vigilance is needed and can be made to work, according to Andre Schneider.
He told us that good practice has to become a natural way of working and this works best where the issue of cyber-security is embedded at the very start of any process, not left until later when some have then considered how operations can minimise cyber-risk.