The price of progress
While there is agreement that embracing innovation and the use of digital tools will be invaluable, our growing digital dependency has led to fears about the impact of hackers disrupting critical infrastructure.
Approximately one in three infrastructure professionals believes that cyber-related catastrophic events — including city-wide transport disruption and even deaths — are a certainty in the near future.
Their concerns are reflected in research by cybersecurity firm Kaspersky Lab, which found that 40 percent of the world’s infrastructure had been the subject of a cyberattack during the second half of 2016 [1]. Meanwhile, in the U.K., government statistics in the Cyber Security Breaches Survey 2017 reveal that almost seven in 10 large companies identified a breach or attack in the previous year.
What’s more, civil infrastructure must also withstand the escalating physical threats of terrorism and climate change. For these combined reasons, ensuring the resilience of civil infrastructure is one of the biggest challenges facing the industry.
Physical acts of terror (kinetic terrorism) feature prominently in the industry’s concerns. Some 55 percent of professionals questioned in the Future of Infrastructure research believe the industry is prepared to manage the threat of attacks on critical buildings and transport links.
Globally, we're seeing an uptick in the number of terrorist threats, as well as the use of unanticipated methods. These threats have evolved significantly over the last decade — much of the infrastructure we rely on was neither designed nor built for such threats.
The challenges posed by the natural world are no less worrying. Extreme weather events and natural disasters are two of the most likely and impactful risks identified in the World Economic Forum’s 2017 Global Risks report [2].
And the United Nations [3] estimates that the global cost of natural disasters from 2003 to 2013 was US$1.5 trillion, and that these disasters affected more than two billion people. Climate models predict increases in the frequency and severity of these types of events, so we can expect to see the costs and human impact rise. In just the past year, hurricanes in the U.S. and the Caribbean alone have caused more than US$265 billion in damage so far, with the full scope of the damage and recovery costs still being assessed.
Physical and digital resilience combined
Most worrying of all is that these two classes of threat — the physical and the digital — are rapidly converging.
In the era of smart cities, wide-scale adoption of the internet of things (IoT) and cloud technology offers significant advantages across the built environment, from increasing communicability and maintenance monitoring to reducing traffic congestion.
Yet this in Ukraine along with the U.S., U.K., Australia, Russia and others. It was reported that in Ukraine, hackers were able to infiltrate several of the country’s power distribution centers, leaving more than 250,000 residents without electricity [4].
These attacks have the potential to become even more destructive. For example, the Center for Strategic and International Studies [5] believes that North Korea is building its cyber resources and is “capable of conducting damaging and disruptive cyberattacks” — as the recent attacks, attributed to North Korea, against Sony Pictures Entertainment and financial and media institutions in South Korea have shown.
Conversely, physical threats, such as those resulting from climate change, can also pave the way for digital disruption. There is a far greater symbiosis between the digital and physical worlds than most people realize. Buildings and structures become more vulnerable to cyber or kinetic attack during a natural disaster.
Critical infrastructure affected by natural disasters, such as power, water, wastewater and communications, relies on our digital backbone to function. Without access to the digital backbone, the ability to restore basic infrastructure functions is dramatically reduced or prevented altogether.
Infrastructure resilience: Where do responsibilities lie?
As the threats to critical assets evolve, the resiliency strategies of infrastructure owners and service providers have not kept pace.
The industry professionals surveyed by AECOM are candid about their industries’ abilities and inabilities when it comes to withstanding emerging threats. Most respondents cite infrastructure resilience to cyberattacks and climate change as key priorities when planning major projects. But no more than six in 10 feel the industry is well prepared to meet these risks.
A lack of definitive resilience solutions may be due in part to the fragmented nature of today’s infrastructure landscape. As national, regional and city governments struggle to pay for new and upgraded critical infrastructure, they are more frequently looking to various forms of ownership and risk transfer to the private sector.
Business-critical resilience investment
We are starting to see the global financial markets ask questions about how to assess and price the impacts of climate change. As the 2017 report from the industry-led Task Force on Climate-related Financial Disclosures [6] highlighted, there is increasing demand for improved climate-related disclosures.
The markets want to understand how climate change affects physical assets, liability and the cost of stranded assets (transition risk).
In response, the Task Force, established by the Financial Stability Board [7], consulted with financial and business leaders to identify a new, accessible framework [8] for climate-related financial disclosures to inform better pricing of these types of risks.
As the financial services industry matures its treatment of infrastructure risk, weak resilience planning will increase costs and lower value for asset owners through borrowing and insurance costs, and valuation.
Likewise, investors and rating agencies will increasingly require organizations to demonstrate their capability to manage the threat of attacks or extreme weather events. Those able to demonstrate resilience will enjoy significant advantages, and negotiate discounted premiums.
Converged Resilience™ – an industry game changer
The changing infrastructure landscape has created the need for holistic, industry-wide solutions for identifying and managing risks. Resilience is not a one-dimensional or static issue, and successful attacks find and exploit vulnerability.
AECOM has developed a holistic approach called Converged Resilience™, which acknowledges the interdependency of the physical and digital worlds — and uses this understanding to build lasting, integrated strategies for infrastructure resilience.
As any risk manager will confirm, risk cannot be eliminated altogether; however, we believe that infrastructure owners and service providers — both public and private — can become better at planning for and mitigating threats, including those as yet unknown. The goal should be to manage risk effectively, understand which risks, at what level, should be mitigated or transferred, and even accept some risk.
So, what should infrastructure organizations do to prepare to manage these risks effectively?
Five-point plan for a Converged Resilience™ framework
Converged Resilience™ provides the approach for a lasting resiliency strategy. While each organization and situation is different, it is possible to apply a common framework to the problem. The goal is to simplify the risk-management process while allowing the flexibility to cope with a broad range of scenarios across both the digital and physical environments.
1/ Start early
The industry has often viewed resilience as an add-on to the core design-build process, and that is too late.
This may link back to the industry’s binary view of the physical and digital worlds. We still see examples, such as during the construction of an airport building or a rail track, where plans for introducing the IT and security systems are started after the physical asset has been built.
2/ Understand the risk
First, this means knowing which assets an organization wants to protect, as well as, more importantly, understanding the function of those assets and the potential cost of losing or devolving that function. Beyond simple replacement cost, what is the business case for determining which assets to protect and how? Through efforts such as the 100 Resilient Cities program (100RC) [15] pioneered by the Rockefeller Foundation, municipalities are taking a strategic approach to understanding not only the risks, but also the interaction of the risks and different urban systems and goals. Resilience strategies will help cities and companies fully integrate resilience into all of their efforts — from the earliest stages of planning and development — as well as assess what should be retrofitted.
3/ Prioritize to optimize
It is impossible to eliminate risk completely.
If its assets are aging, an infrastructure owner will need to select where it wants to focus its resiliency investment. Consider where most effort and resources need to be focused.
In addition to functionality, the service life of an asset and the feasibility of replacing it must come into consideration. For example, a manufacturing plant for airplane parts may have a 40-year service life. The time and cost of replacing such a facility is tremendous, so the owner will want to make a significant investment in keeping it running throughout its design life. By contrast, a data center with hardware assets that are replaced every two years will have less at risk, as its long-term asset is only the building that houses the equipment.
4/ Accept, mitigate or transfer
The first option is to accept the risk and manage it internally with the resources available. A second option is mitigating risk as new threats emerge by adapting or retrofitting an asset. The goal is to restore functionality, either fully or partially, in the fastest time.
The third approach is to transfer the risk; for example, by creating a back-up facility that can quickly take on the functionality of the original asset. When this is not feasible, a company or municipality may look to transfer a much larger proportion of risk to the insurance market.
It is important to understand, however, where that risk is transferred in order to ensure it is managed effectively. For example, leasing a second data line into a facility from a different provider than the primary line may transfer risk, but only if it is a different physical path that is not connected to the primary line.
Having put a strategy in place, it is essential that the protection plan is revisited and updated regularly. Continuous risk mitigation must be the goal. The threats are constantly evolving. Business changes, government changes, environments change, compliance increases, technology is exploding — it is crucial to stay engaged and agile.
Conclusion: Business case for resilient infrastructure
For example, the introduction of on-site renewable energy into an organization’s energy mix creates distributed generation. This is effective, as it introduces resilience into the grid. At the same time, there are enormous benefits from a sustainability- and fuel-reduction standpoint, and it can create a hedge against fluctuations in energy costs.
Looking at the bigger picture,
Organizations of all shapes and sizes should take heed. Risk affects every one of us. The public and private sectors have a responsibility — whether it is to their shareholders or constituents — to balance the books and to generate growth. Building resilience is a critical part of this business case.