Cybersecurity for Smart Infrastructure

CSIC’s winter Partner Event brought focus to the challenges and opportunities of Cybersecurity for Smart Infrastructure and featured a number of presentations from leading experts.

Image: CSIC's Cybersecurity Challenges for Smart Infrastructure Partner Event

Designed for both users and providers of Smart Infrastructure solutions, the presentations and workshop considered the implications of cybersecurity, highlighted pressing issues and recommended the range of support available.  

“This event provided Partners with the chance to exchange experiences and concerns around cybersecurity for Smart Infrastructure. CSIC will now consider what we can bring to this area and share resources – be it training, additional workshops or identifying good practice,” said Dr Jennifer Schooling, Director of CSIC.  “This is one of a series of CSIC Partner events and we look forward to announcing details of the next workshop which will take place in spring.”    

The event, which was fully booked and attracted a number of industry Partners, including BP International Ltd, Highways England, Mott MacDonald, PA Consulting, ARUP, TfL, Tideway and Topcon, featured a morning of presentations by a number of cybersecurity experts. The afternoon workshop gave attendees an opportunity to consider key security themes in relation to their own organisation, and to hear accounts from fellow professionals from a range of infrastructure organisations – some experienced in tackling these issues and some new to the challenge.

“The chance to exchange experiences, both good and bad, was of value to everyone attending the event. It was very interesting to look at a shared industry issue from a number of perspectives, ” said Dee Dee Frawley, CSIC Communications Manager and Partner Liaison, who led the workshop.

Cybersecurity for Smart Infrastructure presentations:

BIM, digital engineering and smart infrastructure – real physical, personnel and cyber security challenges – UK Government security advisor: this presentation highlighted the range of threats that the UK and its infrastructure face, including from organised crime, espionage and terrorism. It warned of the potential issues arising from widely shared digital engineering data, including BIM, and the presentation demonstrated the need for a security-minded approach to the increasing number of these collaborative initiatives so as to deny ready access to the data to those with malicious intent. The over-arching message was for organisations to identify an internal governance structure to consider protective security in all their self-generated initiatives and those affecting neighbourly assets, to ensure all staff consider security in their personal and professional lives, and for them to contract their supply chain accordingly.

Emerging challenges from a smart infrastructure provider’s perspective – John Foster, Topcon: this presentation looked at the challenges from a provider of smart infrastructure solutions, including working with a large number of partners and the growth and democratisation of reality capture applications that results in huge amounts of data. In recent years the industry emphasis has been on sharing data rather than security, with tools making data more accessible to the multiple partners involved on a project. This is a cultural issue as the mechanisms to be security minded, such as password and log-in protection, have always existed but the people operating the mechanisms are not always using them. In terms of the supply chain, the security – if it is in place – dilutes further down the chain. Rented devices that collect data for detailed models can be used by a number of rental partners. Is there an organisational structure in place to ensure the SD card is cleaned before the device is rented to the next project? The key message was the need for a cultural shift towards security mindedness and the administrative framework for this to succeed in organisations to be in place.

Security-minded standards for digital engineering, smart cities and asset management – Alex Luck, A Luck Associates: this presentation showed the range of threats that can potentially damage infrastructure and asset management organisations. It recognised that the volume of data and information arising through the increasing use of, and reliance on, digital engineering and technologies is growing. Recognising this data and information as valuable assets and managing them accordingly, including the challenges arising through aggregation becomes ever more important.  Security should be an enabler not a blocker of innovation, but measures must be appropriate and proportionate – the more critical the asset, the higher the level of trust and security that is likely to be required around both the asset and the data and information associated with it. The key message is that most security breaches arise from human error, so security-mindedness must be embedded in the culture of an organisation from the very beginning, in combination with good governance, physical and technological security.

Securing the internet of things – Justin Lowe, PA Consulting. A lack of security design awareness, standards and regulation has led to security risks. There are technical complexities to address, there are a large number of different devices out there, and security incidents are commonplace. Third party risk must be considered; attackers can target a supplier in the chain and steal data.  The key message is to be secure by design. Managing security over the lifecycle of an asset is crucial. The General Data Protection Regulation (GDPR) and the EU Network and Information Systems Directive that come into force in May 2018 will have an impact on IoT security and will introduce fines for security breaches. Embed security thinking from the start of a project – build in IoT health checks and secure end-to-end security architecture now.

Case study presentations from practice included:

Implementing PAS 1192-5; taking the lead and meeting requirements – Sarah Davidson, Gleeds. Organisations must collaborate in a managed way: think about the entire construction project; what are the standards to comply with; how is data being held; and what is the behaviour of the people operating the systems. Leadership in security mindedness is key to be effective throughout the supply chain. Construction organisations do not take security seriously enough and there is a pressing need for leadership in this area which is essential in terms of PAS 1192-5. This issue is relevant to all construction clients regardless of project characteristics and the security triage should be undertaken to remove a ‘no security requirement’ assumption and determine the extent to which a project is sensitive (this will include neighbouring sites). Need to consider common data environments and who is responsible for the provision and when it is active. There needs to be awareness of standards to comply with, how data is being stored and an efficient file naming system is required. Importantly, the behaviour of the people operating the systems should be considered. We often assume the information we are exchanging is not of value but this is not the case. The key message is for organisations to consider the profile of all projects to determine their sensitivity. A security-minded approach needs to inform the way the construction industry operates. We have access to so much data, from our own organisation and others. Steps must be taken to ensure that data cannot be accessed maliciously to create a security threat

Security Mindedness – everyone’s problem – Graham Herries, Laing O’Rourke. Cyber threats are constantly changing and security mindedness needs to become mainstream in order to keep up with evolving threats and vulnerabilities. Laing O’Rourke (LOR) has taken a ‘next gear’ approach to create a resilient environment and have policy and guideline documents that they send to their clients, including protocols of how to behave with sensitive projects. Having policies and procedure in place is essential. LOR has a group of Chief Information Officers who meet to share information in order to educate people on how to act. Security mindedness is supported through internal communications too. The key message is that security mindedness needs to be mainstream for organisations, in the same way that Health and Safety is: create a resilient environment; educate people in and working with your organisation; have policies and guidelines in place.

Useful links

1. Centre for the Protection of National Infrastructure (CPNI): Digital Built Assets and Environments
www.cpni.gov.uk/digital-built-assets-and-environments

2. PAS 1192-5:2015 Specification for security-minded building informationmodelling, digital built environments and smart asset management
shop.bsigroup.com/forms/PASs/PAS-1192-5/

3. PAS 185:2017 Smart Cities. Specification for establishing and implementing a security-minded approach
shop.bsigroup.com/ProductDetail?pid=000000000030350938

4. National Cyber Security Centre
www.ncsc.gov.uk/guidance/risk-management-collection