To read the new report, benchmark your organisation and find more articles about the Future of Infrastructure, please visit www.infrastructure.aecom.com
The new generation of infrastructure will be smarter and more efficient, but with high performance also comes vulnerability. Future proofing and designing resilience into civil infrastructure projects is one of the biggest challenges facing the industry, write resilience experts Ronald Hahn and Josh Sawislak.
Safe, secure and resilient infrastructure is a lifeline to our future. It is the differentiator between successful and struggling economies and societies. So, it is not surprising that much hope and expectation is resting on the new era of development.
No one can argue with the facts that demand currently outstrips supply, that existing networks and systems are under strain, and that massive investment, innovation and industry change is required to secure the US$94 trillion of global infrastructure funding that — according to the G20’s Global Infrastructure Hub — is needed by 2040.
But just adding capacity is not enough. To be durable and future proof, the infrastructure of tomorrow must cope with, and adapt to, a complex, extensive and evolving mix of hazards, risks and threats. As a result, resilience must now be an essential component of every project across its entire life cycle — integrated from the planning and design phase — and not just added on as a last-minute feature.
The price of progress
While there is agreement that embracing innovation and the use of digital tools will be invaluable, our growing digital dependency has led to fears about the impact of hackers disrupting critical infrastructure.
In AECOM’s Future of Infrastructure research, industry respondents were in no doubt about the challenges ahead, particularly in terms of cyber and terrorist attacks and the negative impacts of climate change.
Approximately one in three infrastructure professionals believes that cyber-related catastrophic events — including city-wide transport disruption and even deaths — are a certainty in the near future.
Their concerns are reflected in research by cybersecurity firm Kaspersky Lab, which found that 40 percent of the world’s infrastructure had been the subject of a cyberattack during the second half of 2016. Meanwhile, in the U.K., government statistics in the Cyber Security Breaches Survey 2017 reveal that almost seven in 10 large companies identified a breach or attack in the previous year.
What’s more, civil infrastructure must also withstand the escalating physical threats of terrorism and climate change. For these combined reasons, ensuring the resilience of civil infrastructure is one of the biggest challenges facing the industry.
Physical acts of terror (kinetic terrorism) features prominently in the industry’s concerns. Some 55 percent of professionals questioned in the Future of Infrastructure research believe the industry is prepared to manage the threat of attacks on critical buildings and transport links.
Globally, we’re seeing an uptick in the number of terrorist threats, as well as the use of unanticipated methods. These threats have evolved significantly over the last decade ―much of the infrastructure we rely on was neither designed nor built for such threats.
The challenges posed by the natural world are no less worrying. Extreme weather events and natural disasters are two of the most likely and impactful risks identified in the World Economic Forum’s 2017 Global Risks report.
And the United Nations 3 estimates that the global cost of natural disasters from 2003 to 2013 was US$1.5 trillion, and that these disasters affected more than two billion people. Climate models predict increases in the frequency and severity of these types of events, so we can expect to see the costs and human impact rise. In just the past year, hurricanes in the U.S. and the Caribbean alone have caused more than US$265 billion in damage so far, with the full scope of the damage and recovery costs still being assessed.
When two worlds collide
Most worrying of all is that these two classes of threat — the physical and the digital — are rapidly converging.
In the era of smart cities, wide-scale adoption of the internet of things (IoT) and cloud technology all offer significant advantages across the built environment, from increasing communicability and maintenance monitoring to reducing traffic congestion.
Yet this increased digital access also makes infrastructure assets more vulnerable. In recent high-profile and large-scale cyberattacks, we saw disrupted power supplies, government departments and banks in the Ukraine along with the U.S., U.K., Australia, Russia and others. It was reported that in the Ukraine, hackers were able to infiltrate several of the country’s power distribution centers, leaving more than 250,000 residents without electricity.
These attacks have the potential to become even more destructive. For example, the Center for Strategic and International Studies  believes that North Korea is building its cyber resources and is “capable of conducting damaging and disruptive cyberattacks” – as the recent attacks, attributed to North Korea, against Sony Pictures Entertainment and financial and media institutions in South Korea have shown.
Conversely, physical threats, such as those resulting from climate change, can also pave the way for digital disruption. There is a far greater symbiosis between the digital and physical worlds than most people realize. Buildings and structures become more vulnerable to cyber or kinetic attack during a natural disaster.
The effects of natural disasters that impact critical infrastructure, such as power, water, wastewater and communications, rely on our digital backbone to function. Without access to the digital backbone, the ability to restore basic infrastructure functions is dramatically reduced or prevented altogether.
Where do responsibilities lie?
As the threats to critical assets evolve, the resiliency strategies of infrastructure owners and service providers have not kept pace.
The industry professionals surveyed by AECOM are candid about their industries’ abilities and inabilities when it comes to withstanding emerging threats. Most respondents cite infrastructure resilience to cyberattacks and climate change as key priorities when planning major projects. But no more than six in 10 feel the industry is well prepared to meet these risks.
A lack of definitive resilience solutions may be due in part to the fragmented nature of today’s infrastructure landscape. As national, regional and city governments struggle to pay for new and upgraded critical infrastructure, they are more frequently looking to various forms of ownership and risk transfer to the private sector.
Business-critical resilience investment
We are starting to see the global financial markets ask questions about how to assess and price the impacts of climate change. As the 2017 report from the industry-led Task Force on Climate-related Financial Disclosures 6 highlighted, there is increasing demand for improved climate-related disclosures.
The markets want to understand how it affects impacts on physical assets, liability and the cost of stranded assets (transition risk).
In response, the Task Force, established by the Financial Stability Board 7, consulted with financial and business leaders to identify a new, accessible framework 6 for climate-related financial disclosures to inform better pricing of these types of risks.
As the financial services industry matures its treatment of infrastructure risk, weak resilience planning will increase costs and lower value for asset owners through borrowing, and insurance costs and valuation.
Likewise, investors and rating agencies will increasingly require organizations to demonstrate their capability to manage the threat of attacks or extreme weather events. Those able to demonstrate resilience will enjoy significant advantages, and negotiate discounted premiums.
Counting the cost – the price of non resilience
1. US$4.2 trillion — The expected value of at-risk losses to manageable global infrastructure assets from a 2°C rise in average temperatures (in present value terms). The Economist, 2015. 8
2. US$3 trillion — Projected cost of low “cyber-resiliency” on global productivity and growth by 2020. McKinsey, 2014. 9
3. US$306 billion – Total economic losses from natural and man-made disasters in 2017 are estimated to be US$306 billion, up from US$188 billion in 2016. Swiss Re 10
4. 0.5 percent – Projected economic cost to Australia’s annual GDP of unmitigated climate change by 2020 (rising to 1.2 percent in 2050). Garnaut Climate Change Review, 2011. 11
5. US$121.4 billion – Potential cost of a worldwide cyberattack. Lloyd’s of London, 2017. 12
6. 1,986 – Number of terrorist attacks targeting critical infrastructure occurring in the United States during 1970-2015. National Consortium for the Study of Terrorism and Responses to Terrorism, 2016. 13
Converged Resilience – an industry game changer
The changing infrastructure landscape has created the need for holistic, industry-wide solutions for identifying and managing risks. Resilience is not a one-dimensional or static issue, and successful attacks find and exploit vulnerability.
AECOM has developed a holistic approach called Converged Resilience™, which acknowledges the interdependency of the physical and digital worlds — and uses this understanding to build lasting, integrated strategies for infrastructure resilience.
As any risk manager will confirm, risk cannot be eliminated altogether; however, we believe that infrastructure owners and service providers — both public and private — can become better at planning for and mitigating threats, including those as yet unknown. The goal should be to manage risk effectively, understand which risks, at what level, should be mitigated or transfered, and even accept some risk.
So, what should infrastructure organizations do to prepare to manage these risks effectively?
Five-point plan for a Converged Resilience™ framework
Converged Resilience™ provides the approach for a lasting resiliency strategy. While each organization and situation is different, it is possible to apply a common framework to the problem. The goal is to simplify the risk-management process while allowing the flexibility to cope with a broad range of scenarios across both the digital and physical environments.
1) Start early
For maximum impact, a resiliency strategy must be introduced as early as possible in the lifespan of an asset. The industry has often viewed resilience as an add-on to the core design-build process, and that is too late.
This may link back to the industry’s binary view of the physical and digital worlds. We still see examples, such as during the construction of an airport building or a rail track — when plans for introducing the IT and security systems are started after the physical asset has been built.
For infrastructure owners, the goal must be to build in resilience planning as early as possible — the sooner a protection framework is implemented, the more cost efficient and effective it becomes.
2) Understand the risk
Having early-stage conversations about risk management makes it easier for an organization to customize a resiliency strategy. First, this means knowing which assets it wants to protect, as well as, more importantly, understanding the function of those assets and the potential cost of losing or devolving that function. Beyond simple replacement cost, what is the business case for determining which assets to protect and how? Through efforts such as the 100 Resilient Cities program 14 (100RC) pioneered by the Rockefeller Foundation, municipalities are taking a strategic approach to understanding, not only the risks, but also the interaction of the risks and different urban systems and goals. Resilience strategies will help cities and companies fully integrate resilience into all of their efforts — from the earliest stages of planning and development — as well as assess what should be retrofitted.
3) Prioritize to optimize
It is impossible to eliminate risk completely.
If its assets are aging, an infrastructure owner will need to select where it wants to focus its resiliency investment. Consider where most effort and resources need to be focused.
In addition to functionality, the service life of an asset and the feasibility of replacing it must come into consideration. For example, a manufacturing plant for airplane parts may have a 40-year service life. The time and cost of replacing such a facility is tremendous, so the owner will want to make a significant investment in keeping it running throughout its design life. By contrast, a data center with hardware assets that are replaced every two years will have less at risk, as its long-term asset is only the building that houses the equipment.
4) Accept, mitigate or transfer
With new vulnerabilities constantly evolving, infrastructure owners must decide how to manage the many risks they face.
The first option is to accept the risk and manage it internally with the resources available. A second option is mitigating risk as new threats emerge by adapting or retrofitting an asset. The goal is to restore functionality, either fully or partially, in the fastest time.
The third approach is to transfer the risk; for example, by creating a back-up facility that can quickly take on the functionality of the original asset. When this is not feasible, a company or municipality may look to transfer a much larger proportion of risk to the insurance market.
It is important to understand, however, where that risk is transferred in order to ensure it is managed effectively. For example, leasing a second data line into a facility from a different provider than the primary line may transfer risk, but only if it is a different physical path that is not connected to the primary line.
Building infrastructure resilience cannot be a one-time investment. Just as being healthy requires a certain lifestyle, resilience demands a new way of operating.
Having put a strategy in place, it is essential that the protection plan is revisited and updated regularly. Continuous risk mitigation must be the goal. The threats are constantly evolving. Business changes, government changes, environments change, compliance increases, technology is exploding — it is crucial to stay engaged and agile.
Conclusion: Opportunity out of adversity
Investing in infrastructure resilience can be an expensive and time-intensive process, but it is a necessary one. Early planning not only mitigates the impacts of disruption, it also creates interesting net benefits. For example, the introduction of on-site renewable energy into an organization’s energy mix creates distributed generation. This is effective, as it introduces resilience into the grid. At the same time, there are enormous benefits from a sustainability- and fuel-reduction standpoint, and it can create a hedge to fluctuations in energy costs.
Looking at the bigger picture, infrastructure-focused, climate-change initiatives have the potential to offer positive effects for the wider global economy while generating market advantages and goodwill with customers, employees and investors.
According to OECD projections, the infrastructure investments needed to support the shift toward a low-emission society would generate fuel savings of up to US$1.7 trillion a year worldwide through 2030.
Organizations of all shapes and sizes should take heed. Risk affects every one of us. The public and private sectors have a responsibility — whether it is to their shareholders or constituents — to balance the books and to generate growth. Building resilience is a critical part of this business case.