
Protecting digital infrastructure

Andrew Cooke | 15 Jul 2015

The continuing digitisation of our infrastructure enhances our experience as citizens and defines our progress as a society. However, the increasing reports of cybercrime and the threat of disruption to supply have led to calls to resist this development and slow the pace of change. Yet the benefits of digitisation are too persuasive and both the expectation of the public and the need to continuously drive down costs mean we cannot stop or even slow down the tide.

The public is very familiar with the concept of the ‘digital economy’. We accept that today we live much of our lives online: buying food, goods and services or communicating with friends and family. Though the term ‘digital infrastructure’ is less commonly heard or understood, it is fast becoming a reality that impacts our daily lives. It is the concept that underpins the way critical services are delivered to us today and in the future.

Digitisation of infrastructure helps service providers to track and manage their assets more effectively. It can also put customers in control of the services they use, allowing greater choice and flexibility. Examples of the latter include the sensors on trains and buses that allow us to track the arrival of public transport in real time or the internet-based services that allow us to select the telecommunications, power or water services we want.

As infrastructure becomes increasingly digitised it is essential that it also becomes more resilient. The recent breach of security at the Office for Personnel Management in Washington has highlighted how even the most secure systems are at risk from hackers, whether they are state-sponsored or just inquisitive enthusiasts. When some of the most heavily protected systems in the world are compromised it prompts us to look closer to home and to think about what digitisation of our infrastructure really means to our safety and security.

A recent report highlighted the approach that the UK National Crime Agency are employing to tackle botnets by focusing on closing down the vehicles that the criminals use to effect the crime. Making our infrastructure more resilient requires the same approach. We can’t slow the pace of digitisation, so we must understand the threats that affect the delivery of infrastructure services.

I believe that there are five key steps to making digital infrastructure more resilient:

  • Firstly, we need to understand what the goals of infrastructure organisations are. Knowing these will allow each organisation to then consider what is required to deliver those goals, what the risks are to achieving them and what needs to be done to protect them.
  • Next we can look at the assets that are involved in delivering these goals – whether these are physical, information or people assets – and how they are secured. One key challenge for infrastructure organisations is that they often need to make those assets available to their customers in one form or another. These might be either information assets in terms of costs, billing statements or access codes, or physical assets in the form of smart meters or transmission equipment.
  • We then need to understand the specific risks to those assets. What could potentially go wrong in delivering the services?
  • Once the risks have been identified, we can understand the potential vulnerabilities implicit within those assets and the action required to mitigate those risks and vulnerabilities.
  • Finally, we can put in place a comprehensive plan to make sure that those risks are thoroughly mitigated and a system of reporting is implemented to ensure that incidents are identified and lessons learned.

In many ways it appears a simple solution to a highly complex problem. However, thinking of infrastructure as a bundle of assets that need to be protected is the most effective way to ensure that risks are mitigated, breaches are reduced and criminals are deterred.