It’s no secret that hackers regularly seek intellectual property and sensitive data for financial gain. You can’t scan your newsfeed these days without at least one cybercrime headline.

Critical infrastructure has already proven to be in the crosshairs, with attacks on power grids and financial systems. From water treatment plants to power grids to mass transit systems, our society depends on the security and resilience of our infrastructure to keep us safe and productive, and attackers know this.

However, protecting critical infrastructure is complicated. The responsibility for protection is shared between private companies and the government entities that commission society’s infrastructure. Federal agencies need visibility and access to malware and attack information on private networks; without it, they are missing a piece of the puzzle. Private companies need intelligence information and context from the government that helps them differentiate what is significant from the noise. Partnership between government and private companies is essential, yet sometimes presents a bigger challenge than the adversaries themselves.

The need for collaboration is clear, but the execution often fails because of a historic lack of trust between the public and private sectors, and a lack of mechanisms for sharing sensitive information between them. Declassification of key cyber-threat indicators, so that they can be shared with owners and operators of critical infrastructure in a timely manner, is imperative. But as necessary as it may be, it isn’t an easy task when our national security relies on restricting the flow of sensitive information.

And it goes both ways. Concerns about the reputational or legal ramifications of a security incident, for example, leave organizations reluctant to share with each other, as well as with the government. While it may seem like a good idea to make an example of companies that are breached, the unintended consequence is that companies withhold useful information to avoid such risks.

We also face the challenge of protecting antiquated infrastructure and its supporting technology, which was not designed with security in mind and is therefore cost-prohibitive or impossible to defend.

We must build, or in some cases rebuild, critical infrastructure with security and resilience in mind, from conception to completion. We can no longer afford to think of security as an optional line item or an add-on feature. AECOM’s Converged Resilience™ approach, providing integrated, holistic solutions to avoid and absorb threats is an example of the thought leadership the industry needs today. The concept of “engineering-in” safeguards must become the new normal.

With an abundance of related standards, frameworks and legislation, the industry has spent a great deal of resources focusing on compliance. The end result is “compliant” systems that simply aren’t secure. Not only does compliance not equate to security, but it can often create a false sense of security. We must pivot away from mandating and legislating, and move toward measuring security effectiveness.

For Infrastructure Week, I will join fellow security industry colleagues on May 17 to discuss these issues at a Bloomberg Live discussion: “The Future of Cybersecurity: Risk and Resiliency Across Critical Infrastructure.” If you’re interested in learning more, register via the Infrastructure Week Calendar: http://infrastructureweek.org/event/future-of-cyber/

This blog post is part of a series covering critical infrastructure-related topics in the lead up to and during Infrastructure Week and this year’s theme #TimeToBuild.

Originally published May 16, 2018

Author: Sarah Urbanowicz

Sarah is AECOM’s chief information security officer, responsible for enterprise information security strategy, architecture and operations.