Digital change is happening at such a great pace in the infrastructure sector that keeping systems and networks safe requires a step-change in cyber security, says Matt Simpson.

We’re living in an increasingly digital world, where advances over the past five years have been staggering. Autonomous vehicles are being tested on our roads. Driverless trains are on the increase. Computer systems on aircraft are so advanced that planes could ?y themselves. 

The industry is, of course, attracted to the wealth of new opportunities unleashed by the digital revolution; but where there are opportunities, there are also threats. Change is happening exponentially, not gradually, and to keep our new systems – and our physical transport network – secure, we need a step-change in how we embrace cyber security. There’s no escaping the fact that cyber resilience is as much of an issue to passenger safety as safeguarding physical infrastructure and addressing this risk is business-critical.

Opening up to new opportunities 

Traditionally, transport networks are siloed, with control at a local level. As the industry and technology have advanced, we’ve begun connecting systems to one another, centralising control, automating processes and making data more widely available.

This data is transforming transport networks which are becoming smarter and more passenger focused. By better understanding how transport networks are used, we can make future systems more reliable. In turn, this can increase throughput, seeing more passengers, more journeys, and reduced congestion. 

For example: imagine all drivers move from A to B using a smart navigation system that’s updated in real-time. By centralising the data collected during their journeys, road users can be distributed more evenly along the road network, reducing and even removing congestion. 

The dangers of connectivity

However, through digitalisation the threat landscape is changing rapidly. By increasing interconnectivity and providing greater access to data, we’re increasing the potential for exploitation. The whole network, as an organism, is vulnerable in a way it never has been before. With potential impact on both a local and national scale, systems become a more attractive target for those looking to create a disruption. 

Securing such a large volume of legacy systems isn’t a quick fix. We need a structured change management approach, driven by an understanding of risk, that enables us to protect legacy systems whilst we design new systems with resilient security principles and the latest security technologies. Controlling the data gateways between legacy and digital systems is paramount to protecting both domains from each other.

So how do we secure these complex digital systems?

The controls we put in place need to be balanced across people, process and technology.

• Secure by Design

We’ve been managing risk for over 80 years in the engineering sector. Cyber security is just the next evolution of risk management, as we ensure our products are designed to be safe and resilient in a connected world. 

That means cyber security is built-in to our delivery processes. It’s a big task, and it’s a major transformation that affects the entire engineering and project delivery process, because now – and going forward – they should have security woven into them. 

• Monitoring

Using real-time monitoring technology allows for decisions to be made about threats and their impact as they’re happening. This goes beyond just monitoring assets and networks, to include emerging threats and vulnerabilities associated with your technology, company, nation and beyond.

• Training 

Digital safety and cyber security need to be embedded into a work culture where keeping data secure is second nature. 

Securing an ecosystem of technology requires everyone to be involved, from the designer to the user, to ensure we don’t introduce vulnerabilities through our own inaction. This can be further reinforced through targeted training; providing people with the know-how to respond and repel attacks. 

• Collaboration

Ownership of risk can be complicated when you’re working on a national scale. Does this sit with the manufacturer? The operator? The regulator? Does the user even have a role to play in managing risk? As connectivity continues to grow, one could argue that responsibility sits with a mixture of all these individuals. Audit and compliance assessments at multiple stages of an asset’s lifecycle is a potential solution. 

Securing our networks isn’t optional 

In the joined up, digital transport network, new interdependencies will cause threats, opportunities, and the need for action. When so much is at stake if our transport networks aren’t fully protected, we can’t afford not to respond.

Matt Simpson is technical director for cyber resilience at Atkins, a member of the SNC-Lavalin Group.