Opinion: Critical infrastructure and convergence

Aluisio Figueiredo, CEO at ISS – Intelligent Security Systems, explains why the convergence of technologies and integration of information and communication have increased the threats.

According to a recent research project conducted in May 2020 by ResearchAndMarkets.com, the global critical infrastructure protection (CIP) market is estimated at close to $129 million this year and growing at a steady CAGR of 3.4% to over $152 million in 2025. The study stressed that the market growth is driven by various factors, such as the growing need to secure Operational Technology (OT) networks, increased government regulations, and rising security breaches and attacks that pose a threat to physical systems.

As CIP security concerns continue to emerge as a top priority for organizations and facilities around the world, it is physical safety and security, specifically the physical identity and access control segment of CIP, that is forecast to grow at the highest rate over the next five years, with cybersecurity ranked as a key element of concern as well. But the study added that the increasing complexity and sophistication of cyberattacks on CIP targets, aimed at extracting huge ransoms, threaten to cause major disruptions and cost facilities millions.

Fortunately, advances in applicable technologies have made it possible to strengthen our physical and cybersecurity systems. For example, Facial Recognition and Under-Vehicle Surveillance System (UVSS) technologies can help protect people, property, and data in critical infrastructure applications in a variety of ways. Facial recognition can automatically confirm whether people in restricted areas are authorized to be there, and capture images of unauthorized people for further action. UVSS systems scan the undersides of passing vehicles to detect the presence of hidden threats, and can be positioned to alert authorities before suspicious vehicles enter sensitive areas.

While the United States has been laser-focused on CIP security since the events of the 9/11 terrorist attacks in New York City and at the Pentagon, global interests have moved to strengthen their posture over the last decade as well. Case in point, the recent report showed that the Middle East and Africa are expected to register the highest growth rate for CIP expenditures over the next five years due to increasing government investments in improving overall security posture and increased sophistication of cyberattacks.

When the U.S. enacted the Patriot Act of 2001 following the tragic events of 9/11, the document defined critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

When the National Infrastructure Protection Plan (NIPP) was adopted in 2013, the country’s vision for CIP and resiliency stated that physical and cyber critical infrastructure for the U.S. was to remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened. This goal for CIP is universal, and similar visions have driven strategic planning around the globe.

In the U.S., the Department of Homeland Security (DHS) has defined critical infrastructures as assets that provide “the essential services that underpin American society and serve as the backbone of our nation’s economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family.” In other words, critical infrastructure includes the assets, systems, facilities, networks, and other elements that society relies upon to maintain national security, economic vitality, and public health and safety. In the U.S., more than 89% of physical and cyber infrastructure is owned and operated by the private sector, with only about 10% owned by federal, state, or local governments.

The convergence of technologies and integration of information and communication have increased the threats to critical infrastructure, which has traditionally been thought to be subject only to risks associated with physical threats and natural disasters. As physical security systems like access control and video surveillance become more reliant on complex cyber networks, and IoT devices expand the footprint of end-point sensor devices throughout global facilities, critical infrastructure can become more vulnerable to certain cyber threats, including transnational threats, as well as blatant physical attacks.

Complexity Challenges CIP

This intertwining of physical and cyber functionality at the critical infrastructure level complicates security planning for the four designated CIP lifeline functions – transportation, water, energy, and communications. These sectors are so critical to the fabric of society that a breach or attack in any one of them that results in disruption or loss of function will directly affect the security and resilience of critical infrastructure within and across numerous sectors. These disparate security, cyber and communications technologies will ultimately put global critical infrastructure at risk.

Consultant Pierre Bourgeix, President of ESI Convergent, explained in an article on SecurityInfoWatch.com last year that the four elements that are the most critical to protecting our modern world of correlated critical infrastructure threats are Secured Communication, Secured Cloud, Secured Storage, and Secured Entry. He asserted that these elements must reach across the four domains of Information Technology – IT, Operational Technology – OT (control systems such as SCADA and PLCs), Physical Security – PS (cameras, access control systems, video management systems) and the Internet of Things – IoT (all things at the edge, such as sensors, etc.) and not be locked in a facility silo. He stated: “Security planning begins with a converged assessment of the facility that must not be conducted in a silo since it could lead to an abundance of redundant technology, with layer upon layer of open API and IP addresses, often stemming from the proliferation of edge devices and sensors across IT, OT, and PS.”

A multitude of integrated solutions, including video management (VMS), license plate recognition (ANPR/LPR), UVSS, facial recognition, contact-tracing, employee tracking and container number recognition, can be deployed selectively to address specific infrastructure threat scenarios, or they can all be deployed in tandem to form a security blanket around critical infrastructure sites. One important consideration, however, is that the selected technologies and systems have high accuracy, effectiveness, and reliability in keeping with the value of the sites being protected. It can actually be detrimental to site security to install and rely upon ineffective or unreliable systems.

Whether it's concerns about the national energy grid, water supplies, or nuclear sites, government and corporate leaders worldwide know that the increasing complexity and convergence of technologies and information systems have increased the exposure of our critical infrastructure to new threats. It is vital that we demand sufficient resources and attention be paid to proactive video surveillance solutions such as facial recognition and UVSS, the integration of these technologies with physical security systems, and a cybersecurity strategy that supports and protects these physical technologies to reduce security concerns and maintain our critical transportation, water, energy, and communications systems.