Cyber resilience 2035

March 2018

Cityscape at nightDr Richard Piggin MBCS, from design, engineering and project management consultancy Atkins, considers future city security, given urbanisation, technology trends and increasingly sophisticated cyberattacks targeting critical infrastructure.

The physical and digital worlds are converging. The internet of things (IoT) extends the reach of the internet to physical assets with embedded computing. Industrial systems or operational technologies (OT), operate building infrastructure, utilities, transport, logistics, manufacturing, autonomous vehicles, ships, drones, robotics and healthcare equipment.

These systems and technologies are now becoming internet-enabled and networked with new digital systems, providing greater efficiencies but also creating new risks. Chief amongst these is their vulnerability to cyber-attack.

Industry 4.0

This convergence of IT and OT is hailed as the Fourth Industrial Revolution, after the 2011 Hanover Fair, or simply ‘Industry 4.0’. The original German research focused on smart factories, with different machines communicating with each other to cooperate, enabling efficiencies. The approach will transform the digital enterprise, cyber physical systems and our city infrastructure.

Building information modelling and digital technologies are also changing the design, build and operation of our built environment, and facilitating collaboration throughout the supply chain and infrastructure lifecycle. New business models, value chains and services are enabled by increasing digitisation and connectivity.

The benefits of smart sensors, automation and intelligence are realised through data gathering and data analytics, and facilitated by cloud services, machine learning and artifi cial intelligence. We are accelerating toward a world of pervasive connectivity and unbounded complexity, with increasing dependencies and interdependencies.

These interconnected systems are the backbone to the operation of our critical infrastructure - a change in approach is therefore required to ensure future infrastructure resilience.

Rapid urbanisation

Simultaneously, we are witnessing rapid urbanisation around the world. By 2035, most of the world’s population will be living in urban environments. In 2015, 54 per cent of the worlds’ population lived in urban areas.

However, by 2050, this is predicted to increase to 66 per cent. The United Nations World Urbanization Prospects 2014 report predicted the increase in global cities from 525 in 2014 to 731 in 2030.

Technology will provide solutions to satisfy demand through greater digitisation and ubiquitous connectivity to optimise, operate and automate essential services and our city infrastructure. This will increase our reliance upon connected infrastructure.

Given that infrastructure technology lifetimes of 15-20 years are common and typically far exceed these, it is inevitable that our once isolated and aging legacy systems will become even more interconnected. Security vulnerabilities will endure, particularly in critical systems, which can’t readily be turned off  to apply frequent, un-validated patches.

Yet, these systems are difficult to attack successfully and repeatedly, as threat actors need to understand the engineering processes and technologies, not just the underlying computing and network infrastructure. But they are susceptible to disruption by well-intentioned employees, untargeted malware or ransomware, as WannaCry and NotPetya demonstrated.

However, nation states have demonstrated or declared capability, and cyber reconnaissance has been widely reported. In the USA, this led to the development of the NIST Cybersecurity Framework, following President Barack Obama’s executive order.

It called for a voluntary framework to guide cybersecurity for critical infrastructure, to defend economic prosperity. We are yet to witness the fruits of international diplomacy to limit cyber warfare, despite Microsoft’s call for a Geneva cyber convention.

Recent UN talks suggest international norms are more likely to place limitations on what cyber operations can target, rather than bans on the development of offensive capabilities or the means of cyber intervention.

Unfortunately, nearly 10 years after Stuxnet, we still need to raise awareness of the importance of cyber resilience. After the peak of euphoria for OT security postStuxnet, we fell into the valley of cynicism and in some cases, remained on a plateau of protracted apathy.

The July 2014 Ponemon Institute report, ‘Critical Infrastructure: Security Preparedness and Maturity’, made for sobering reading and remains relevant. Survey respondents recognised the threats and were allegedly committed to defending assets reliant upon operational technology. However, the concerns expressed were not matched by activity.

The dichotomy suggests issues with governance, exacerbated by communications and siloed organisational structures. We need leadership to embrace business resilience, ensuring appropriate governance and risk management.

When it launches in 2018, the Network and Information Systems Directive will focus attention on risk management, particularly given that suppliers of essential services will face fines of up to €20 million or four per cent of global turnover for failing to protect those services from cyber-attack.

Future opportunities and exponential risk?

The consequences of innovation and increased reliance on technology in the future will have an enormous impact on society’s way of life. IoT devices, designed and implemented with minimal security requirements, in increasingly complex networks, could lead to extensive vulnerabilities in infrastructure systems.

These developments will create new opportunities, for good or ill. Consider the pervasive nature of new smart sensors and devices yielding improved efficiency and convenience, whether in autonomous vehicles, the smart grid, building or home automation, healthcare and personal devices. These have implications for privacy, safety and continuity of services.

The implementation of artificial intelligence (AI), could lead to increased vulnerabilities, whether narrow AI, that perform specialised tasks, or general AI which aims to replicate aspects of human cognition. The increased reliance on AI for autonomous decision-making will create systems that are potentially susceptible to disruption and deception, that might be difficult to anticipate or immediately recognise.

Compromised automation systems could create opportunities to disrupt or damage critical infrastructure and increase the risk of consequential hazards and accidents. During a busy summer, the UK’s National Cyber Security Centre confirmed reports of malicious cyber activity targeting the energy sector globally.

Countries are acutely aware of their infrastructure weaknesses, the offensive opportunities offered by such vulnerabilities and the risk posed by international supply chains and service suppliers. Security developments including behavioural monitoring, machine learning, AI, and other advances will increase security capability if implemented appropriately by suitably trained and experienced personnel. Cyber resilience remains first and foremost a people matter.

Image: iStock.com/Pablo_k