The impact of physical and cyber threats is becoming increasingly damaging and expensive, and it also has the potential to be highly dangerous to both government and industry enterprises. By working together across borders and departments to anticipate risk and create a planned response, states, cities and communities can build confidence in their future, write security and resiliency experts Ronald Hahn, John Esquivel and Richard Johanning.
A hurricane rips into America’s Carolina coast at night. The National Hurricane Center has been tracking this fierce Category IV storm for days, and now it has picked up intensity and made landfall. Power utilities are hit with outages adversely affecting more than two million residents. Back-up generator power is limited, causing water treatment pumps to fail. First responders are running short of fuel. The nightmare scenario is completed by hackers blocking all cellphone signals within a 100 mile radius.
Fortunately, this scenario is imaginary. But it is also a realistic possibility.
Today, critical infrastructure is vulnerable to a wide range of threats – from extreme weather events to terrorism. And because our networks and systems are so thoroughly interconnected and interdependent, cities and communities need plans in place to ensure they are prepared to minimize the effects when disaster strikes.
Time for a new approach
As we know from recent history, these major storms and floods, along with terrorist and cyberattacks, are not confined to small areas. Most often their effects ripple across communities and infrastructure in unanticipated ways. Understanding the complexities of these situations and the ways to mitigate them requires a broad and deep understanding of all factors. To ensure the best possible outcomes growing numbers of government and business leaders agree that the time is right for a new approach to protecting cities, infrastructure, businesses and communities. And for maximum success, this approach must flow from the bottom up, from communities and from town and city administrations.
Connected problems require converged solutions
The changing urban and infrastructure landscape has created the need for holistic, industry-wide solutions for identifying and managing risks. Resilience is not a one-dimensional or static issue and successful attacks are always about finding and exploiting vulnerability. For these reasons, and because we do not know the nature of all future threats, it is important to build adaptive security and resiliency into infrastructure as early as possible, ideally from the start.
So, what should government and business organizations be doing to ensure they are prepared to manage risks effectively?
1. Think holistically
The growing physical and cyber risk demands new solutions. Instead of the disjointed approach we’re taking today, cities need integrated risk management frameworks that are repeatable and adaptive to the rapidly evolving threat to our national security. To help build holistic solutions it is important to consider physical and cyber risk mitigation together to create resilience plans that are fit for purpose. New frameworks like AECOM’s Converged Resilience approach combine a deep technical understanding of how infrastructure works with leading security expertise to assess the risks and help cities and states create an integrated approach to preventing and responding to new types of threats.
2. Look beyond the fence line
As well as assets directly within their control, our militaries are dependent on the vulnerable civil and commercial infrastructure that supports them. Protecting telecommunications, water treatment capabilities and utilities from high-end physical and cyber threats has become a shared responsibility. When communities become interdependent ecosystems, then critical national defense operations and infrastructure must be seen as one. In the interests of national defense, critical infrastructure needs to be better protected inside and outside the military fence line. An example of best practice includes exercises such as the City of Houston’s Jack Voltaic 2.0 Cyber Research Project, where AECOM is working with the Army Cyber Institute and the City of Houston to bring together military, civil and commercial stakeholders to understand the challenges, mitigate the risks and plan for the future.
3. Increase skill and capacity for the future
It is no longer sufficient for military forces and US state National Guards to be highly trained in providing physical security alone. Supporting cities also requires armed forces to build capability in providing cyber protection. AECOM has developed cybersecurity training for the Air Force which incorporates the skills required to protect cities in the cases of cyber and physical threat. The Air Force is now taking a holistic view of their mission essential tasks to understand the impact of Facility-Related Control Systems (FRCS) and General Support Systems, at all classifications, on the overall National Security Strategy. This includes understanding installation and facility interdependencies on local utilities and municipalities and means the Air Force can measure and track their ability to maintain a high level of mission readiness.
4. Get the right people around the table
Resilience is too important to be the responsibility of just the IT department or sustainability specialists. Everyone has a role to play in protecting our critical infrastructure – from the Pentagon to the local police department, from federal leaders to first responders. States have a critical role in supporting city response to physical and cyber events. State-wide campaign plans for incident response and rapid information sharing are essential for regularly assessing a state’s readiness. These plans need to include operational concepts for implementing state-wide Information Sharing and Analysis Organizations (ISAOs) across all communities in a state.
5. Rewrite the book
This advancing threat requires a new rulebook – policy and legal authorities at federal and state levels don’t currently enable the best cyber incident response to cities. Policies need to be reviewed and adjusted to better help cities against particularly aggressive physical and cyber threats. We’re working alongside national and state policy makers to take a step back and review enterprise risk. Current policies, standards, and guidelines assume that governments and organizations have aligned and defined their dependence upon Data, Information Technology (IT), and Industrial Control Systems (ICS) to be able to follow those policies. Through our Enterprise Risk Analysis Process (eRAP) we are helping organizations and governments, such as the U.S. Department of Defense, account for these dependencies by redefining impact attributes tailored to their respective risk tolerances.
Turning adversity into opportunity
As any risk manager will attest, risk cannot be eliminated altogether. However, government and business organizations can become better at planning for and mitigating risks, including those as yet unknown. The goal should be to manage risk effectively and understand which risks at what level to mitigate or transfer and even accept some risk. Building plans and preparedness needs to be part of building confidence in the future for all of us.
For more on AECOM’s Converged Resilience framework read Infrastructure Resilience: In a shifting world, part of our 2018 Future of Infrastructure report.