Digital Innovation Key to Securing US Infrastructure

Written by Steve Buchanan

We must innovate to improve infrastructure resiliency

America’s critical infrastructure—the assets that power our homes, bring water to our faucets, and move people and goods from place to place—has grown frighteningly vulnerable to new kinds of threats. To protect these essential systems, federal IT leaders and infrastructure managers need to continue down the path of digital transformation, placing special emphasis on data management, analytics, and improved portfolio management.

If the steady drip of headlines on the subject has you worried about the nation’s vulnerability to infrastructure disruption, you’re not wrong to be concerned. The Colonial Pipeline attack sent ripples of pain along the entire East Coast, and its impacts pale in comparison to what could result from an assault on positioning, navigation, and timing (PNT) systems like GPS, or an electromagnetic pulse (EMP) attack meant to take down a major electrical grid. While these types of threats escalate in scope and sophistication, the attack surface itself is expanding beyond the surly bonds of Earth with the recent push to classify satellites, sensors, command and control systems, and other space assets as critical infrastructure.

Thankfully, government agencies are taking meaningful steps to respond. The Department of Energy launched a 100-day collaborative plan with the electricity industry and the Cybersecurity and Infrastructure Security Agency (CISA) to enhance industrial control system and supply chain cybersecurity. For its part, the Department of Homeland Security (DHS) Science & Technology Directorate recently released PNT resources and algorithms to thwart attempts at GPS spoofing. The Space Policy Directive-5 gives DHS and CISA lead roles in enhancing the nation’s cyber defenses for key systems involved in such critical services as global communications, navigation, and weather monitoring.

Moves like these are admirable and necessary, but we must go further. To that point, let’s take a closer look at how and why critical infrastructure has become so vulnerable.

Speedy Innovation Can Leave Vulnerability in its Wake

For government agencies, connected systems and other essential new technologies present an unfortunate dilemma. Consider something like smart building technology. It would be folly for agencies to not take advantage of its ability to bring together connectivity, automation, open architecture, and interoperability as a means to optimize the total performance of buildings, businesses, and their occupants. But connecting an organization’s physical systems to IP networks, external access, and the cloud creates a potential path for cyber criminals to take down the entire enterprise. 

This is hardly a hypothetical. Security researchers have proven the sinister possibilities on numerous occasions, such as when they hacked the building control system at a major internet search provider, or when they were able to take control of every room of a large Chinese hotel. Armed with such power, hackers could easily disable or misuse security systems, make off with private data, or destroy temperature-sensitive IT equipment by manipulating heating or cooling controls.

The risks and rewards of smart connectivity go well beyond buildings. Connected warships and spy planes could be targeted by hackers looking for valuable, sensor-gathered surveillance data. PNT solutions could be attacked to disrupt navigation of all kinds, from military to travel to shipping. In 2016, when unidentified hackers caused a power outage in Ukraine that affected over 225,000 people, they made real the fear that a surprise cyber attack could take down an entire electrical grid.

Portfolio Management Challenges Require Fresh Approaches

At the same time that increasingly powerful bad actors are upping their assaults on a growing attack surface, federal agencies face multiplying infrastructure-related portfolio management challenges, including fragmented ownership. When a water utility’s infrastructure is owned partially by the government, partially by a private-sector partner, and partially by an owner/operator, who is ultimately responsible for cybersecurity and other threat protection? And how can all parties work in concert to achieve and maintain system-wide resilience? Resolving such issues will require agencies to get active about breaking down siloes, and to take a flexible, adaptable approach to technology development, procurement, and upkeep. 

Other portfolio management challenges are rooted in the very nature of operational technology (OT). Most IT systems can be taken offline for extended periods of time for vulnerability testing, patching, risk assessments, and so on. This is not an option for most OT, which controls essential physical processes that often cannot be interrupted, like the flow of water through a city’s pipes. Many industrial control systems, with their decades-long lifespans, predate cybersecurity as a concern. They were built for unfailing reliability and safety, but not necessarily to be resistant to digital infiltration. Overcoming such challenges and meaningfully securing OT will require multidisciplinary teams with specialized, experience-born knowledge of industrial control system security and risk, along with sophisticated threat assessment tools to more effectively detect and thwart manmade attacks.

Targeted Innovation Can Resolve the Challenges of Disruptive Tech

As digital innovation has given rise to new critical infrastructure resiliency challenges, it can—and must—be turned toward overcoming them. Happily, this is already happening, and has been for some time. System program offices, for example, are employing innovative wargaming and strategic simulation tools to inform efforts to modernize GPS and strengthen the protection of SCADA systems—the supervisory control and data acquisition systems used to monitor and control industrial control systems.

Emerging technologies must also play a role as we design and build new, more efficient, more resilient infrastructure to refurbish and replace now-crumbling, decades-old systems that were once, themselves, marvels of cutting-edge engineering. One such emerging technology, "digital twins"—precise, three-dimensional virtual models that exchange detailed status information with their real-world counterparts to update in near-real time—is empowering space-faring organizations to test satellites in myriad likely scenarios to identify vulnerabilities and strategize protection against them.

Drones, light detection and ranging (LiDAR), and Internet of Things (IoT) systems are being used in the field of engineering and construction to produce rich streams of data to inform the development of more efficient and accurate planning, design, construction, and maintenance techniques. Fully evolved, these techniques may well transform traditional architect-engineering methods, and the data used to develop them could also be used by artificial intelligence to prescriptively advise planners and portfolio managers and help usher real-time autonomous critical infrastructure management from concept to reality.

As digital transformation continues and accelerates, it will certainly solve more problems than it creates. But, as with any disruptive engine of modern progress, it will create a significant number of new challenges. In the case of infrastructure, those challenges are serious threats to the security of buildings, power grids, satellite systems, and more, and we need to apply the same degree of innovation to solving them that we do to driving transformational progress more generally. The examples described above are just the beginning. There are many, many more ways—some proven, some emerging—that data science, analytics, and other emerging technologies can help us protect and strengthen the critical infrastructural systems that are truly foundational to our way of life. 
