You don’t need me to expound upon the risk of a cyber-attack on infrastructure; governments, intelligence agencies and cyber security firms have been warning the public about the systemic risks for years.
But now, the urgency seems increasingly dire. ‘Things’ are getting connected at an amazing rate which, in turn, is unlocking wonderful new opportunities, insights and efficiencies across the world of infrastructure. The problem is that it’s also creating more frequent and more virulent risks.
Hackers have already demonstrated how they can take down electricity grids, automated vehicles and power plants. As those types of assets become increasingly connected (in the future, automated cars will need to interact with the electricity grid in order to maintain optimal balance of generation capacity and demand) the risks increase exponentially.
My concern is that – according to a recent global survey of infrastructure CEOs conducted by KPMG International – few infrastructure organizations seem to be ready for an attack. Indeed, barely one-in-ten of the CEOs in our survey said they were ‘very well prepared’ for a future cyber attack. Only one-in-five thought they were very well prepared to spot potential new cyber threats when they emerge.
The fact that so few infrastructure CEOs were able to place the highest level of confidence in their cyber preparedness is worrying. Assuming that some of the respondents were probably being a bit bullish, it suggests that preparedness remains dangerously low across the sector.
Perhaps more worrying, however, is what our data suggests about the focus of their preparedness. Consider this: 57 percent of the CEOs in our survey said they were concerned about how a cyber attack could impact their reputation and brand. But just 13 percent said they were concerned about how it would impact their supply chain. And they were 10 times more likely to say there were concerned about the impact on their talent strategy than their operations.
Given that so few CEOs believe their organization to be fully prepared for a cyber attack, it is clear that this lack of concern about operations and supply chain impacts is not simply a reflection of their confidence in their capabilities. More likely, it suggests that too few infrastructure CEOs are seeing the full picture of the cyber risks they face. And that is a problem.
To be clear, the overall cyber security environment for infrastructure is continuously improving. New guidelines are emerging; standards are developing; asset management techniques are going digital; and security protocols are becoming more sophisticated. I’m just not sure that it’s improving fast enough. The data from our survey certainly suggests that the sector still has a very long way to go.
As my colleagues and I noted in this year’s Emerging Trends in Infrastructure, improving cyber security in the sector will almost certainly require more budget, better planning and new skills. Based on these survey results, I would argue that it now also requires a high level of urgency.