If you fail to upgrade your Internet technologies, you’ll find yourself stuck in 1997. But if you fail to upgrade your infrastructure, you’ll find yourself stuck in 1897. It’s a well-worn joke, but it illustrates the importance of secure, well-functioning infrastructure to modern society.
Moreover, the rise of sophisticated cyberattacks on infrastructure makes it an area of increasing vulnerability, experts say. As a result, the global market for critical infrastructure protection is growing, and it is projected to reach $94 billion by 2020, according to Global Industry Analysts, Inc. This demand is being driven by the increasing need to protect critical assets and prevent disruptions to normalcy due to threats, the company reports. And because critical infrastructure assets and systems are vital to the economy, disruptions or breaches can be catastrophic.
Given the stakes in play, Yves Duguay, CEO and founder of HCIWorld, sees a clear trend in infrastructure protection—a greater focus on resilience, on being prepared before an incident occurs, and on maintaining operating continuity before and after an incident. HCIWorld’s clients include airports, transportation systems, and other key infrastructure facilities.
“Resilient organizations have moved from the ‘if’ to the ‘when,’” he says. “It’s not a question of whether or not a given scenario will materialize, it’s when and how often it will be repeated, as exemplified by the viral number of cyberattacks recorded by security agencies.”
This is an important issue in the business community, because while governments do oversee and protect some critical infrastructure, much infrastructure is in the hands of the private sector. For example, in Canada, where HCIWorld is based, a recent survey found that 80 percent of the infrastructure in the energy and water sectors is privately held. The situation is similar in the United States. “Generally speaking, there is a lot more private sector involvement, on both sides of the border,” Duguay says.
By focusing on resilience and risk management in infrastructure security, companies can demonstrate proper due diligence in managing the range of risks they face. “This not only offers a protection of the company’s reputation, but it also reduces its legal liabilities, and possibly its insurance costs,” Duguay says.
Some forward-thinking firms have adopted infrastructure resilience strategies that include contingency and emergency plans, which are practiced and reviewed with their employees. “Resilience must become part of everyone’s job description, not only of the security department,” Duguay says. When employees understand why certain measures are taken and their own role in contingency and emergency planning, they become much more involved and committed, Duguay explains.
When a crisis does happen, communication is crucial, he adds. “The key to the success of protecting infrastructure also lies in the ability of companies, especially large ones, to involve their employees by communicating with them in real time, and providing them with accurate information and guidance during an emergency,” he explains.
Resilience can also have bottom-line financial benefits. “Activating a contingency plan quickly to resume business activities will translate into a competitive advantage for these companies,” Duguay says.
In addition to the move toward greater resilience, another clear trend in infrastructure security is greater interconnectedness, says Jeffrey Slotnick, CPP, PSP, CSO of OR3M and president of Setracon. Slotnick has been an architect in the U.S. homeland security enterprise, including stints writing standards and managing assessments for critical infrastructure protection.
He offers the example of a computer, which may be connected to a printer, a scanner, and other hardware. It works under the “plug-and-play” concept: all equipment is integrated, and can be operated by simply turning on one switch. Right now, infrastructure protection tools are not interconnected to the level where an access camera, a door controller, and other systems are fully integrated to the plug-and-play level. “We haven’t got there yet in the security industry,” he says.
But that’s the direction that infrastructure security will be moving in the next five years, Slotnick says. The next logical step is a common operating platform, on which disparate systems will be integrated and can talk to one another. This is already happening in some smart cities, where integrated systems are becoming more common, he explains.
There’s also a demographic driver to this trend, as the number of technology-savvy millennials increases in the workplace. “Millennials manipulate technology differently,” Slotnick says, and they will demand more integration.
However, Slotnick also cites one negative trend that continues: the fact that infrastructure facilities are often guarded by officers who are inadequately compensated and insufficiently trained. “We take a minimum wage security officer and place that officer in front of a multimillion-dollar infrastructure facility, and then we wonder why situations arise that may not necessarily be to our liking,” he says.
Europe has a better model, he explains. There, security officers are in a “guild profession” with a more equitable pay scale that correlates to different position levels, such as site supervisor or area manager. In contrast, the modest wages in the American system mean that turnover is often a problem because officers will switch companies for a 25-cent-per-hour increase.
“If I could change one thing in the security industry,” Slotnick says, “it would be that.”