I came to work in WSP’s highways business from the railways and cybersecurity services industry, where I was a member of a group that wrote new cyber security standards for the industry. I’m currently doing the same in the Industrial Internet of Things (IIoT) context.
I have to admit, I soon discovered that cyber security is even more important for roads than I’d initially thought. This is because of the crucial role digital technology plays in keeping traffic flowing and in designing and delivering road schemes – from overhead gantry information to 3D design tools. And that’s before widespread adoption of connected and autonomous vehicles, which will feed on and interact with data flowing along the road.
Disruption to services has the potential to be network-wide. What would happen if a hacker gained control of gantry signs and removed running lanes across the country? Or if the emergency services were fed the wrong information? The disruption – and potential harm – would be widespread and so would the knock-on economic impact.
Cyber-terrorism, cyber-crime and collateral damage
Where might such disruption come from? There are three main sources, the first of which is cyber-terrorism. Given the UK’s prominent geopolitical position there is always a risk that terrorists may target our critical national infrastructure, including our road network. The potential for one person with a laptop to do a lot of damage makes a cyber-attack an enticing prospect for different groups.
The second threat comes from cyber-crime. This has become a multi-billion-pound industry with many layers – because it works. During the Covid-19 pandemic we’ve seen a rise in ransomware, which criminals use to infect systems and threaten to publish personal data or continue blocking access unless a ransom is paid. Critical infrastructure is becoming a prime target for ransomware.
The third threat is collateral damage. Even if you’re not the intended target of a cyber-attack, you can still be affected. The NHS wasn’t the intended target of the 2017 ransomware attack that left many of its systems down. Neither were Deutsche Bahn or shipping company Maersk. The Ukrainian power grid was the target but, in an interconnected world, other organisations with the same software and patch level were also affected. The incident cost Maersk $200-300 million.
The benefits outweigh the risks
This shouldn’t deter anyone from using technology, though, because it has so many benefits. I love it. From chatting with my family on three continents to managing my pension, my whole life is digital. It’s brilliant and the risks don’t make me consider giving it up for a second. But it does make me realise it’s important to take precautions to prevent things going wrong or to deal with them if they do. I have password protection and encryption. I can delete my devices remotely if they are lost or stolen.
The phrase that’s often used about cyber-security is that it takes a risk-based approach. This means being aware of why you need a system, how critical it is and what would happen if it were compromised. The answer might be that a system is useful but not essential and that a bit of downtime wouldn’t matter too much. If that’s the case, then you don’t need to do much in terms of countermeasures. For example, would it matter if a predictive road maintenance algorithm were down for a day or two? But if a system is crucial and its loss would have a severe and immediate impact then you need to take action. Risk-based means the response is appropriate to the threat.
Understanding and training
What form should this action take? There’s a perception that cyber-security is all about firewalls and similar protection. That’s only part of it, though, because nothing is 100% secure. New vulnerabilities are discovered daily. Employees write passwords on post-it notes and leave them lying around, not because they are bad employees, but because they are just human and maybe the password policy is too complicated. Besides, if you pile on too many security measures the system itself will become too complicated and unusable for your day-to-day needs.
Ultimately, you have to accept something bad will happen at some point. When it does, you’ll be glad of the investment you made in ensuring all your data was backed up – and in monitoring. Just as CCTV provides an overview of what’s happening on the road network, so cyber-security monitoring gives you a picture of what’s happening in your IT network and helps you understand what to do. The companies that suffer the worst reputational damage from a cyber security incident are typically not those worst affected but those that handle it badly.
Put simply, cyber-security is about using digital technology with your eyes wide open.