A critical opportunity to improve the safety and security of our nation’s infrastructure

The bridge collapse in Pittsburgh on January 28 and similar tragedies are stark reminders that investing in infrastructure is vital for public safety.

By Jim Richberg, public sector CISO Fortinet

The bridge collapse in Pittsburgh on January 28 and the failure of a pedestrian bridge that fell onto Interstate 295 in northeast Washington, D.C. back in June are stark reminders that investing in infrastructure is vital for public safety.

Infrastructure Has Digital Components Too

When you talk about updates to the nation’s infrastructure, most people think about reinforcing unsafe bridges or repaving highways that are disintegrating into rubble. But virtually every infrastructure project also has a digital component. For example:

  • Roads and bridges have traffic and stress sensors to improve performance and safety
  • Public transportation, rail, and airports incorporate automation and networks to keep everything running smoothly and safely.
  • Water, power, and other utilities depend on countless networked control systems.

In the United States, the $1.2 Trillion Infrastructure Investment and Jobs Act is being called a “once-in-a-generation investment” in infrastructure. A lot of that money will flow to state and local governments throughout the nation.

Virtually all of the infrastructure that will be repaired and replaced will need security for the digital component. And that changes how governments need to approach projects and how they should direct funds.

The implications of cybersecurity technology must be included in every infrastructure project. Failing to do so leaves that infrastructure and its users vulnerable. And because of the interconnected nature of infrastructure, it leaves us collectively more vulnerable to cascading failures and consequences that can spread across sectors and regions.

The Challenge of Securing Evolving Infrastructure

Digital technology evolves and improves rapidly, but physical infrastructure typically doesn’t. You might be able to routinely swap out an old iPhone for a new one every couple of years, but you can’t do that with infrastructure. Consider the fact that the bridge that failed in Pittsburgh was built in 1970, which replaced the original 1901 span across Fern Hollow Creek. And that in Philadephia, traffic still travels across the Frankford Avenue Bridge, built in 1697.

While the physical components of infrastructure may endure, security technology won’t be the same in five years and will be antiquated in 10 or 15 years. It is unimaginable to think of security measures lasting for decades, much less a century or more, but because of the digital element of current infrastructure, government officials need to plan for future changes by keeping the following in mind:

1. Think Long Term

Infrastructure projects shouldn’t be addressed in isolation. Unfortunately, it can be easy to do because the money often comes from a funding source that is focused on a particular mission. For example, a Federal agency dispersing funds under the Infrastructure Investment and Jobs Act typically does so for a specific sector or mission, and funds are likely to be spent by state and local government officials or their private sector partners on discrete projects in specific infrastructures. But not looking at the larger picture perpetuates a myopic view of each infrastructure as separate stovepipes, and limits the potential benefits of investing in and upgrading multiple infrastructures simultaneously.

Government officials need to consider the long-term implications of purchases. When there’s a choice, opt for software-based solutions that are easier to affordably update and upgrade later. 

2. Foster Communication

Infrastructure projects should include the ability for systems to communicate with one another. The security component of our upgraded infrastructure needs to be able to share threat data to face current threats and to prepare for the likelihood that threats will become even more severe in the future.

The benefits of going beyond threat sharing to create communication pathways and shared operations between disparate infrastructures may not be immediately apparent. We may not know how communication between railway switches and wastewater pipes might be useful, but that doesn’t mean we won’t find a compelling use for this connectivity in the future. When the bill creating the Interstate highway system was signed in 1956, could anyone have predicted how upgrading road infrastructure would transform American life and even our landscape?

Disparate infrastructures should be able to talk to each other, but funding agencies and infrastructure providers need to plan ahead to avoid siloed solutions and achieve a level of interoperability. Because threats can move across networks, no infrastructure can afford to operate in an information vacuum, and cybersecurity plans need to include sharing of threat information.

3. Follow Standards That Can Evolve

Set broad functional requirements instead of specifying specific levels of performance. Rather than specifying how fast or comprehensive cybersecurity capabilities should be, use standards that can evolve, such as relevant NIST (National Institute of Standards and Technology) or ISO (International Standards Organization) standards that will be updated. Defining specific levels risks locking performance into premature obsolescence as technology and threats evolve.

4. Set Cybersecurity Goals

To orient and structure cybersecurity, consider using constructs such as the Common Baseline Cybersecurity Performance Goals from CISA, which is comprehensive and includes implementation examples. The goals outline baseline security practices that can be implemented even by personnel and resource-constrained small infrastructure providers. Smaller organizations like public utilities that require additional protection may need to look into “security as a service” rather than trying to implement cybersecurity using in-house teams. Security as a service is available in a range of performance and price levels. In some cases, state or regional markets may want to band together for security efficiency and economies of scale.

5. Coordinate Responses

Cyberattacks are inevitable and the sophistication is increasing according to Fortinet’s FortiGuard Labs threat research. Recent threat events against organizations and infrastructure show unparalleled speeds at which cyber adversaries are developing and executing attacks today. Ransomware continues to be top of mind and is not slowing down.

Infrastructure providers need to be able to coordinate their response to improve their ability to recover. Much like first responders in neighboring jurisdictions need the ability to use common communications in the event of an emergency that requires a multi-jurisdiction response, it’s easier to plan for interoperability at the front end rather than to improvise it during a crisis.

The Opportunity is Now to Think Cyber-first

All of our digitally enabled and connected infrastructure needs to be secured. Before agencies start putting potentially incompatible systems into place, now is the time for government to consider the role of interoperability and standards and look for creative ways to facilitate upgrades as systems age.

Obviously, no one sets out to buy solutions that aren’t secure. But not everyone in local government or an infrastructure’s procurement office is likely to be aware of all the cybersecurity options that exist. Executives and legislators need to spend infrastructure money wisely. This once-in-a-generation opportunity is a chance to reshape infrastructure, so it’s worth taking the time to make smart choices.

Learn more about how Fortinet can help governments protect digital assets and critical infrastructure against evolving advanced cyber threats. 

Learn about how Fortinet’s Training Advancement Agenda (TAA) and NSE Training Institute programs, including the Certification ProgramSecurity Academy Program and Veterans Program, are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.

The content is paid for and supplied by advertiser. The Washington Post newsroom was not involved in the creation of this content.

Content From