You Don’t Know What You Don’t Know: A Case for Programmatic Cybersecurity
Building our nation’s transportation infrastructure, workplaces, fun places and living spaces is more complex than ever, especially because the lines between them are quite blurry these days. Railway stations serve as the foundations for high rise buildings containing bars, restaurants, offices, and apartments. Autonomous vehicles shuttle residents and tourists to and from the entertainment venues down the block. The blurring of lines continues into the buildings themselves, as technology continues to encroach. The amount of technology used in the built world is increasing every day, making life tremendously easier. Software is in fact “eating the world” one building at a time.
However, with technology comes different layers of risk. Builders are no longer able to focus solely on beam load limits and ingress / egress requirements. In order to deliver safe and secure environments, they must also account for digital risk that encroaches with the technologies employed. Should this stop us from building the places we work, live and play? NO. We do lots of things in our daily lives that are risky, but we count on programmatic, overlapping measures like hardware and software working in concert to keep us safe. The blind spot monitors and collision avoidance systems in our modern cars are familiar examples of individual systems working together as part of the overall safety management system. We feel safe counting on the safety system because we trust the engineers who built it are experts. Real estate owners, design, and construction firms may effectively manage the cyber risk for their individual businesses. However, building out an effective and scaled team to design, build and maintain a cybersecurity program is a tall task, given the complexity of each project, the increasing array of technologies involved, and the multiple firms engaged. And this complexity is only increasing. These digital security challenges present an increasing risk to those leading the development of the built environment. How are you managing this risk?
The Built World is a System of Systems
Technology and more specifically, information management is critical to the built world from the moment a real estate owner scratches out the idea on the back of a napkin. She snaps a picture of the idea and sends it to her team to build out financial projections in excel and her designer to create a rough 3D model of what it might look like. As the idea grows, more and more external companies get involved to transform this idea into reality. Each company uses a multitude of digital systems, increasingly more often in the cloud, to design and build these places. The individual companies end up with data silos full of important information to help run their specific design or construction businesses as well as project specific information they need to share with others. It’s easy to see why industry leading software companies in the built world like Procore, Autodesk and Trimble are focusing on creating their own integrated platforms for data and information management to securely connect all the stakeholders on a given project. The next goal for the industry is to securely connect the multiple platforms used on the project to give the real estate owners a more programmatic view of what went into building the asset, essentially a system of systems, as they move towards operating it for many years to come.
The built assets described above are increasingly smarter to the point that they are now arguably systems themselves. The software and sensors used to determine occupancy or sense pedestrians walking across the path of an autonomous shuttle provide benefits for managing energy usage and maintaining a safe environment, but they also introduce complexity and increase the steps required to mitigate the risk to the point where we can live comfortably as we go about our lives. Protecting the information used to design and build the asset as it moves between the system of systems is only part of the challenge to consider. Making sure the system of systems used to operate the asset adds the exponential element to this risk equation.
Is it really possible to manage so much complexity and risk? YES. Born in other industries already consumed by technology, such as financial services, best practices exist to understand and manage such risk. It is now time to apply these best practices among the systems of the built environment.
Taking a Programmatic Approach to Cyber on Built World Projects
Large, complex projects are often called a program because they are really a collection of multiple smaller yet related projects. Think of a campus program which consists of multiple buildings serving a single company or university. Each building has a specific purpose within the organization but are tied together through infrastructure like power, water, parking, and security to effectively operate as one.
We can look at cybersecurity through the same lens. A programmatic approach to managing cyber threat includes a combination of people, process, and technology to protect against each attack vector with an eye on the asset or organization as a single entity to make sure it can operate effectively. Several members of the Grayline Cybersecurity team co-authored a research report published by the Mineta Transportation Institute titled “Aligning the Transit Industry and their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges.” In a subsequent analysis of the report, Kathryn Seckman asserts “ the majority of U.S. public transit agencies are in need of significant improvements to their information technology risk management practices and, more specifically, to their cybersecurity practices.” So, let’s go full circle back to our title. If the owner doesn’t know what they don’t know as evidenced by the results of the previously cited report, then how can transit agencies ensure the necessary cyber precautions are taken for the projects they fund? How far off is the cyber maturity for private sector owners/developers and the construction managers they hire on their projects?
With all the funding on the street now from the infrastructure bill, let’s look at how to best mitigate cyber risk on built world projects with a real-world example. Grayline Group is managing the cybersecurity program for what will be the largest deployment of autonomous vehicles by a public agency. Working on behalf of Balfour Beatty and the Jacksonville Transportation Authority (JTA), Grayline is responsible for governance design, framework compliance, and security systems development. As a key member of the project team, Grayline engages project partners where necessary to effectively manage risk across the technology stack and among the various vendors and subcontractors on the project team as it delivers a secure and resilient autonomous vehicle system.
JTA wisely elevated cybersecurity from workstream to stand-alone program, reporting directly to the prime contractor. This structure enables Grayline to effectively engage the entire project team throughout the design / build process, as risk responsibility and mitigation execution is shared across organizations. Given the unique nature of the technology involved and the evolving threat landscape, this project will serve as a template for how to effectively manage risk as emerging technology integrates with traditional infrastructure development.
If you now realize you don’t know what you don’t know, take a tactical pause and reach out to a trusted resource to help you assess your risks, inform your decision making and build safer spaces with confidence. Contact us if we can be helpful.
Join the Catalyst Monitor
Join our community, where we push out regular insights to help maintain situational awareness on technological and socioeconomic trends.