In today’s digital world, infrastructure, like everything else, is “rapidly becoming part of a cyber ecosystem,” said Mikhail Chester, Ph.D., M.ASCE, a professor of civil, environmental, and sustainable engineering at Arizona State University.
From company emails to digital models to the widespread adoption of artificial intelligence, the cyber ecosystem keeps expanding. And it’s not just hardware and software being integrated into infrastructure.
“It’s more so the functioning of our infrastructure is increasingly taken over and made sense of by a broader ecosystem of cyber technologies that often are outside of the traditional governance systems that we have used for about a century now,” Chester said.
Digital technologies can be fantastic tools for civil engineers, simplifying tasks and making monitoring much more efficient.
“Instead of only relying on periodic inspections or manual observations, engineers can now use sensors, artificial intelligence, digital models, and real-time monitoring to understand how infrastructure is performing while it is operating,” said Fares Al-lahabi, M.ASCE, co-founder and CEO of CarbonCLAIR.
But entering cyberspace means accepting the risks of operating in a not necessarily new but evolving landscape.
“I think cybersecurity has become a higher priority,” said Brad Allenby, Lincoln Professor of Ethics and Engineering at ASU’s Lincoln Center for Applied Ethics. “But at the same time, I think that the awareness and the level of concern is still way below what it needs to be.
“And the cycle time of the challenge has gotten far faster than the response time of the engineering community.”
New technology, new risks
On May 7, 2021, a ransomware attack shut down Colonial Pipeline, a company whose network of pipelines supplies 45% of all fuel consumed on the East Coast.
The attack caused a domino effect. East Coast drivers flocked to gas stations to fill their tanks before what many worried was the impending loss of fuel access. And many gas stations did run out of fuel. Georgia even declared a state of emergency, and the U.S. Department of Transportation’s Federal Motor Carrier Safety Administration made exceptions to rules for truck drivers responsible for transporting fuel.
Fortunately, the company was able to reopen pipelines five days later. But the attack made it clear that when it comes to infrastructure, cybersecurity matters.
Pegah Farshadmanesh, Ph.D., EIT, M.ASCE, assistant professor of teaching and director of the Securing Tomorrow through Engineering Education and Resilience, or STEER, Research Lab at the University of Memphis, said the attack “was a turning point in public awareness of infrastructure cybersecurity.”
“The event showed that a cyber incident does not need to physically damage infrastructure to create major consequences; disrupting the business or operational systems needed to keep infrastructure functioning can still affect essential services, regional supply chains, and public confidence,” she said.
Ransomware, software that locks access to a system and demands payment for access to be restored, is just one type of cyber risk. Ransomware attacks use malware – code or software intended to compromise data or privacy – to shut systems down. Spyware, a type of malware intended to track activities, is another risk. Cybercriminals can also conduct phishing attacks – messages posing as people such as a boss – to gain access to sensitive information.
There are a variety of factors that influence the level of risk within an infrastructure system, and some sectors have made more cybersecurity progress than others. Chester noted the power sector as one example.
“That’s not a coincidence, right? You have to manage power on millisecond time frames,” he said. “So, cyber is heavily integrated to do that, which introduces those vulnerabilities.
“The power system community has also already done a lot in terms of cybersecurity,” he continued. “That's not to say they are invulnerable, but they have already been working in that space.”
Chester has seen digital technologies become more prevalent in the transportation sector, and the addition of new tools makes it “ripe for cyber disruption.”
“(Transportation) infrastructures are wildly diverse, but you are already at a point where you've seen a heavy amount of cyber technologies introduced into both the infrastructure, the vehicles themselves, the rolling stock, and the users,” he said.
Water systems are at the opposite end of the spectrum, as they are based primarily on legacy mechanical technologies.
“(Cyber technologies) tend to be concentrated at water treatment plants where you have chemical titration that’s done by a computer now instead of a human being,” Chester said. “So yes, that is vulnerable.”
Farshadmanesh noted that it isn’t necessarily the type of system that determines the strength of its cybersecurity.
“Vulnerability depends less on the sector itself and more on the practices and resources surrounding a particular system, including staff training, cyber hygiene, accountability, access controls, maintenance practices, and regulatory requirements,” she said. “Two utilities in the same sector can have very different levels of exposure, depending on their staffing, funding, technology, and organizational culture.”
She also highlighted the importance of redundancy, which was limited in the Colonial Pipeline incident.
“In that sense, the (Colonial Pipeline) attack highlighted a broader resilience issue: When infrastructure systems have limited redundancy or few practical substitutes, a disruption at one point can quickly become a regional problem,” she said.
Cyber vulnerabilities are heavily influenced by the intentionality of a system’s designers, meaning older sites are often missing strong cyber defenses.
“I think older infrastructure sites are especially vulnerable when new digital tools are added to systems that were not originally designed with cybersecurity in mind,” said Al-lahabi.
“A wastewater facility, pumping station, transportation asset, or utility site may have been built decades before sensors, cloud dashboards, remote access systems, or AI-based monitoring were common,” he added. “When new digital systems are added onto older infrastructure, the risk is that the physical asset and the digital system are not designed together.”
Some specific vulnerabilities include outdated control systems, weak network separation, unsecured sensors, shared logins, remote access points, and data platforms that collect sensitive operational information.
However, these vulnerabilities don’t exist in a vacuum; digital pitfalls are only one part of the equation.
Part of what makes infrastructure vulnerable to cyberattacks is the shift in the geopolitical environment that has occurred in the past decade, Allenby noted.
Today, nation states use cyber to target adversaries. Civilian infrastructure, such as pipelines or water treatment plants, is “probably one of the softest places to attack,” he said.
And attaching more digital systems to any piece of infrastructure creates new places to attack. Allenby emphasized that all infrastructure systems are targets, regardless of type or sector.
“In the U.S., we are at the more advanced end of integrating cyber into our physical systems, which opens us up to these vulnerabilities where other countries are not nearly as far along,” Chester noted. “The generalization is: The more cyber technology in the civil infrastructure, the more vulnerable it is at this point.”
Civil engineers, their job training, and education have not necessarily caught up with these important shifts.
“One of the things that I think engineers haven’t really come to understand is that their civilian work, their designs, their buildings, their maintenance, all of that is now considered a legitimate military target by our adversaries,” Allenby said. “That's a very fundamental change, and it changes the threat under which civilian infrastructure operates.”
A collaborative future?
Civil engineers are often highly specialized, so it isn’t realistic to expect them to know everything about cybersecurity. But the nature of cyber – with software typically being made by an outside provider – makes collaboration key.
“Civil engineering firms shouldn’t try to be Microsoft in terms of fighting cyberattacks,” Chester said. “They should be able to do what they can in-house and be able to protect their systems.”
When dealing with large-scale attacks, such as the Colonial Pipeline incident, that could be challenging. Chester sees co-governance as a potential remedy.
“There need to be new governance models that emerge that hybridize these functions across technology firms, civil engineering firms, and federal agencies that do this sort of thing,” he said.
Allenby hopes to see civil engineers working more closely with military organizations that could better inform them of geopolitical risks, which go beyond what civil engineers are typically trained to think about.
Turning vulnerabilities into defense
The technology that brings cyber threats could also be used to spot them.
Chester said that although there aren’t currently answers, there are “remarkable possibilities” for using AI to spot vulnerabilities, scan for attacks, and propose solutions.
“If I’m designing a bridge with a bunch of control systems and sensors today, I would be going to AI and saying, ‘What are the potential cyber vulnerabilities of this setup? How do I design protections now for these cyber vulnerabilities?’” he said. “I would be leveraging AI to give me design options to affect how I’m ultimately delivering that product so that when I deliver that product, it has fewer cyber vulnerabilities than if I was unaware of or not designing in those cyber protections in the first place.”
Farshadmanesh said AI, along with sensors and monitoring systems, can “support cybersecurity by helping detect unusual behavior, unexpected operating conditions, or data patterns that may indicate a problem.”
During a CarbonCLAIR project with the New York City Office of Technology and Innovation, Al-lahabi observed the agency’s strong focus on data storage practices, one example of how civil engineers can integrate cybersecurity into their designs.
“For civil engineers, the idea is similar to physical design,” he said. “We design structures with redundancy and safety factors, and we should think about digital systems the same way. If one sensor, platform, or connection fails, the entire infrastructure system should not fail with it.”
There are many ways to build a system with a secure foundation. Al-lahabi listed access controls, multifactor authentication, network segmentation, backups, updates, and incident response planning as some measures civil engineers can implement.
What needs to change?
As the future unfolds, it is critical to ensure that civil engineers understand how they can build and maintain infrastructure that is cyber secure.
That starts with education.
Allenby said that civil engineering education has not yet changed to provide students with the cybersecurity knowledge they need in today’s environment. And making that change starts with “educating the educators,” many of whom were educated before cybersecurity reached the infrastructure field.
“And as we know, the new developments in AI and cybersecurity are a real problem for existing systems, much more so than it was only six months or a year ago,” he said.
Farshadmanesh sees teaching cybersecurity as part of her responsibility as an educator.
“We need to prepare students to understand data security, the potential cybersecurity risks associated with using AI, and the role they play in maintaining the safety of infrastructure systems,” she said.
And education shouldn’t end with school. On-the-job training is another factor, and “both need to have cybersecurity as central to what it means to be a civil engineer,” said Chester.
“We are naturally managing systems that are now cyber-physical,” he said. “We can't pretend they’re not.”
Even as collaboration with digital service providers grows, Chester cautioned that relying on them to take care of any security problem will not solve the fundamental issue: infrastructure and related systems being designed without considering cybersecurity.
He also recommends increasing education around uses of digital tools that could help solve this problem.
“More and more, I am convinced that we need to have capabilities to use AI tools to be able to assess vulnerabilities and also deploy solutions, as well as design how not to make something cyber vulnerable,” he said.
And intentionality is a must.
“Civil engineers can minimize cyber risks by thinking about cybersecurity early in the project, not after the technology is already selected,” Al-lahabi said. “During planning and design, we should ask what systems are connected, what data is being collected, who has access, and what happens if that data is wrong or unavailable.
“As infrastructure becomes more digital, cybersecurity will become part of engineering resilience,” he continued. “Civil engineers will need to work more closely with cybersecurity professionals, technology vendors, and agencies to make sure new tools are safe to implement.”
Despite slow progress, civil engineers are waking up to cybersecurity.
“You’re starting to see on-the-job training that’s emphasizing cybersecurity,” Chester said. “I mean, the actual engineers who are designing these systems that are now cyber-aware in a number of different ways.”
Al-lahabi sees a continued shift in how civil engineers approach cybersecurity.
“In the future, I think cybersecurity will be treated like sustainability or safety: not a separate topic, but a standard part of responsible infrastructure design,” he said.
