In the United States, the $1.2 trillion Infrastructure Investment and Jobs Act is being called a “once-in-a-generation investment” in infrastructure. A lot of that money will flow to state and local governments throughout the nation. Virtually all of the infrastructure that is being repaired, replaced, or initiated has a digital element. Whether you’re talking about bridges, dams, roads, or wastewater conduits, they all have some type of network component, ranging from passive sensors that report on environmental conditions to operational technology (OT) devices that control core functions.
Considerations for Government Leaders on Infrastructure Concerns
Much of the new infrastructure money will go to states to disperse; other funds will flow directly to local government. But in any jurisdiction, here are some topics government officials should consider as they plan or execute infrastructure upgrades.
1. Focus on Interoperability
It is too easy to focus on addressing each of these digital infrastructures in isolation—especially since the money often comes from a funding source that is focused on a particular mission (in the case of a federal agency that may be dispersing funds under the Infrastructure Investment and Jobs Act). Funds are likely to be spent by state and local government officials or their private sector partners on discrete projects in specific infrastructures. Yet, as understandable as this outcome may be, taking such a stove-piped view breeds a form of institutional myopia that limits the potential benefit that can accrue from investing in and upgrading multiple infrastructures simultaneously. I consider this an updated version of the line in the 1980’s movie Field of Dreams: If you connect them, we will benefit. Can anyone readily forecast how enabling, for example, railway switches and wastewater pipes to communicate with each other will be useful? Perhaps not—but neither when the bill creating the interstate highway system was signed in 1956 could anyone have predicted how upgrading road infrastructure would transform American life and even our landscape.
For those who worry that connecting these disparate infrastructures will give malicious actors greater ability to attack multiple sectors and create broader impact, the reality is that we already see malicious cyberactivity that targets multiple sectors or demonstrates the ability to move from one critical infrastructure to another. Failing to ensure that the security component of our upgraded infrastructure can, at a minimum, share threat data, will leave us unprepared to face threats that are already present and that are only likely to become more severe.
2. Plan for the Long-Term
Digital technology evolves and improves rapidly, but physical infrastructure typically doesn’t. At least one major U.S. city still uses water pipelines that were installed before the Civil War. Unlike our personal electronics, where we routinely swap out older products for new and improved ones, with infrastructure, you typically can’t “rip and replace,” so it’s essential to consider the long-term implications of your purchases. If there’s a choice, instead of adding hardware that is difficult to update later, opt for software-based solutions, such as software-defined networking (e.g., software-defined wide-area network or SD-WAN) and cloud solutions. To the extent that capabilities can be achieved through either software- or hardware-based solutions, software-based approaches typically are more readily and affordably updated and upgraded.
Set broad functional requirements instead of identifying specific levels of performance. Using cybersecurity as an example, consider requiring that infrastructure devices employ endpoint protection/endpoint detection and response (EDR) capabilities, rather than specifying how fast or comprehensive these capabilities should be. Choose standards that can evolve, such as relevant National Institute of Standards and Technology (NIST) or International Standards Organization (ISO) standards that will be updated. Defining specific performance levels (such as “use 512 bit encryption”) may be attractive in the short term but risks locking important aspects of performance into premature obsolescence as technology and threats evolve. Choosing software-defined functions and externally derived standards can provide a degree of future-proofing for infrastructure.
3. Security Needs to Be an Essential Element
The top priorities for operational technologies in infrastructure are usually safety and reliable performance. Security comes third. But cybersecurity needs to be included in every infrastructure project. Failing to do so not only leaves that infrastructure and its users vulnerable, because of the interconnected nature of infrastructure, but it also leaves us collectively more vulnerable to cascading failures and consequences that can spread across sectors and regions.
CISA’s new Common Baseline Cybersecurity Performance Goals are reasonably comprehensive and give exemplars that can help non-experts plan implementation. These goals are both user-friendly and can accommodate both use by organizations such as small, local infrastructure providers and large organizations that have a bench of cyber experts and tools. Following common goals should facilitate interoperability across the spectrum of size and complexity of connected organizations within and across infrastructures.
Start with the basics. Recent analysis by the Center for Internet Security reiterates that implementing a modest set of basic/essential cyber hygiene measures can reduce vulnerability to attack by 75%. These are measures that can be implemented even by personnel and resource-constrained small infrastructure providers.
For small infrastructure organizations such as public utilities that may require additional protection, externally provided Security-as-a-Service may be more feasible than trying to generate it from scarce in-house security talent. Security-as-a-Service solutions range from simple offerings such as externally managed niche products through more complex offerings such as SOC-as-a-Service or full portfolios of externally managed capabilities. These products are available at a range of levels of performance and price. In some cases, potential users might band together in state or regional markets with economy of scale and greater security efficiency.
Next Steps to Secure Infrastructure
Our refreshed infrastructure needs to be “smart.” Disparate infrastructures should be able to talk to one another, and funding agencies and infrastructure providers need to plan ahead to avoid siloed solutions to achieve interoperability. Because threats can move across networks and even to other networks, no infrastructure can afford to operate in an information vacuum, and cybersecurity plans need to include sharing of threat information. You can’t protect yourself against a threat that you don’t understand and that you can’t see. Cyberattacks are inevitable, so infrastructure providers should be able to coordinate their responses to improve their ability to recover from them. Much like first responders in neighboring jurisdictions need to be able to use common communications in the event of an emergency that requires a multi-jurisdiction response, it’s easier to plan for interoperability at the front end rather than to improvise it during a crisis.
Before agencies start putting potentially incompatible systems into place, now is the time for government to consider the role of interoperability, standards, and to look for creative ways of facilitating upgrades as systems age. And all of this digitally enabled and connected infrastructure needs to be secured. Obviously, no one sets out to buy solutions that aren’t secure, but not everyone in local government or an infrastructure’s procurement office is likely to be aware of all the options that exist across the cybersecurity industry or to be cognizant of the latest threats. Executives and legislators need to be smart in thinking about the money they are about to receive. This once-in-a-generation opportunity is our best chance to reshape infrastructure in a way that can be transformational. It’s worth taking the time to make smart choices as we prepare to build this smart infrastructure.