Building a Cyber Armory


Hardening Infrastructure and Enhancing Performance



By Lori Musser

It all boils down to people – the human factor.

Infrastructure is built by people and can be damaged, destroyed, interrupted, protected or improved by people. In this cyber era, new ways to do all those things are emerging. The key is to leverage technology for good while warding off evil.

Infrastructure glitches, bottlenecks and failures caused by poor design, inadequate protective measures, operational errors, and deficient maintenance are almost always preventable. At a cost.

Global engineering, procurement and construction, or EPC, companies and infrastructure owners are increasingly focused on developing affordable tech solutions that ensure industrial controls work right, human errors are mitigated, and malicious interference is prevented. It is a massive challenge to deploy technology to armor up new infrastructure builds, and perhaps an even greater challenge to incorporate successful cyber systems in legacy infrastructure such as electrical grids, hospitals, subways and pipelines.

EPC giant Bechtel has launched an effort to tackle infrastructure’s cyber challenges, largely from an engineering perspective. Bechtel’s Industrial Control Systems Cybersecurity Technology Center was created to help customers protect large-scale industrial and infrastructure systems.

Rob Scott, cybersecurity general manager of Bechtel National, said Bechtel is one of the first global EPCs to offer industrial control system, or ICS, cybersecurity capability for customers. He said that, as the worlds of information technology (used for data-centric computing) and operational technology (used for monitoring and controlling industrial operations) evolve and converge, opportunities are surfacing.

“The industrial Internet of Things produces tons of data. We no longer want that,” he said. “What we want now is usable information, at our fingertips. Deploying a combination of asset strategy and risk management, predictive forecasting, reliability-centered maintenance, and tools for data capture, integration, visualization and analytics, Bechtel can help increase an asset’s efficiency while increasing cyber resiliency.” That is the goal of the Virginia-based ICS cyber lab.

Scott said the cyber initiative looks beyond a project’s EPC and commissioning/startup phases: “We are building on lessons learned throughout Bechtel, such as creating modular and scalable products and services. We want to leverage our design, construction and operational expertise. Customers shouldn’t have to choose between hardening an asset and improving performance efficiency. We can help them do both.”

Bechtel has already introduced solutions at diverse sites within its Defense and Space Business Line and in support of its Energy and Mining and Minerals businesses.

Scott described a three-phased approach starting with a project assessment with the customer, defining the elements that are within or outside of their network. That isn’t always well-documented, especially with older systems. With a complete assessment in hand, and a full knowledge of IT and OT sensors, priorities for improvement can be found, whether the goal is to harden a network, reduce downtime or debottleneck. New data will be needed, and its sources must be identified. Then there will be light EPC, which may include adding and/or removing sensors, air gapping certain parts of the asset’s critical path, and other measures. Customers ultimately decide on scope limits. “They can’t do everything,” Scott noted.


High Time

“A lot of what we do now leverages cloud computing and [site] edge computing, Wi-Fi, platforms, 5G, and artificial intelligence machine learning. Ten years ago, there was some poor soul crunching numbers and trying to find anomalies – today so much has been automated,” Scott said.

Amid the plethora of data from sensor readings, there are valuable insights and actionable information. Bechtel’s ICS cybersecurity initiative helps customers refine that information. It helps customers protect and operate critical infrastructure through OT cybersecurity and asset performance management solutions that integrate process optimization, cybersecurity, and the asset-related software that runs the enterprise.

This can involve numerous strategic partners, including, of course, cloud companies. The May 12, 2021, White House Executive Order, “Improving the Nation’s Cybersecurity,” included public-private data-sharing provisions that may prove helpful in the quest to secure U.S.-based infrastructure. “We have to find ways to work together. It is a new operating environment and requires new partnerships,” Scott said.

That might include asset advisory teams with a life-cycle lens. “There is no one company that commissions, constructs, operates and maintains an asset.” Finding companies with merging interests that understand the integration and synchronization required to build a dam, electric plant or road is a challenge, he said.


Leveraging Sensors, Stopping Failures

Scott said Bechtel’s approach to cybersecurity starts at the sensor level. “We leverage the asset’s existing original equipment manufacturers’ sensors. We look for data anomalies or system compromise.”

Scott described a case where automated robots were having a high failure rate. “Engineering figured out that the percentage of foam in a water tank when serviced was an indicator of a failure in automation two weeks later. Now we track the foam and know when there will be an outage,” he said. In this way, the right data can help prevent shutdowns due to a simple sensor failure. “With the right data, you can make the right decision. Backups are expensive,” Scott said.

Every toll booth or ship, pipeline or port can be hacked, and the industry continues to underestimate the interdependencies within the supply chain. “What happens to a ship or office can affect what happens to a terminal or crane. The Colonial Pipeline shut down because their accounting network was hacked … The adversaries don’t have to get to the crane or gate or ship, they don’t have to control the throttle,” Scott said. Transportation systems are complex and if they are not synchronized there can be chaos. With that synchronization – which technology has improved greatly in recent years – comes vulnerability.

Scott said the goal should be to make transportation infrastructure more resilient while finding ways to operate more efficiently. He said the improvements will be iterative as cyber solutions evolve.


Controlling ICS

Ensuring infrastructure is not compromised requires expertise. Scott shares three recommendations to those responsible for such weighty tasks. First, approach it from a cross-functional perspective. “It can’t be IT, or engineering, or Ops. This requires a cross-functional approach with trade-offs.” Second, there are no guarantees. The surest way to be hacked is to declare your asset’s invulnerability. There must always be robust plans for early threat identification and response. Third, follow the threats. Training and human behavior modification with workforce incentives are some of the most important aspects.

And remember that everything comes back to the human element. Recent cyberattacks on major infrastructure could have been prevented by deleting an expired password, preventing the use of a USB drive with code running in the background, changing passwords, and other relatively simple cyber-hygiene efforts.

“The adversary has the advantage right now. We have to be strong everywhere. The adversary has to get lucky only once,” Scott said. “But if we all work together, we find ways to radically improve resiliency.”

Based in the U.S., Lori Musser is a veteran shipping industry writer.