Edited by Margaret M. Mitchell
Brad Allenby, Ph.D., Aff.M.ASCE, is the President’s Professor and Lincoln Professor of Engineering and Ethics, School of Sustainable Engineering and the Built Environment in the Ira A. Fulton Schools of Engineering at Arizona State University.
In his many roles, most notably as the founding chair of the Consortium for Emerging Technologies, Military Operations, and National Security at ASU, he has studied the shift from traditional warfare and conflict fought on a battlefield to the less confrontational but just as destructive battle in cyberspace waged against an opponent’s infrastructure, society, and culture.
Allenby spoke with Civil Engineering about the growing prevalence of these issues and the roles civil engineers, education, and professional societies must play in protecting critical infrastructure.
The nature of much civil infrastructure has changed. The built environment increasingly includes information systems, from sensors to operational software, at all scales. Building information modeling software helps design smart buildings; smart water and smart waste technologies become a part of smart cities. SCADA (supervisory control and data acquisition) systems manage operations across industrial and infrastructure systems at many scales. These are all sources of substantial cyberattack vulnerability.
This trend is not accidental; the challenges of complexity and the need for efficiency demand that physical resources be reduced by substituting information systems in myriad ways. For example, vehicles are no longer independent devices but are increasingly part of large, information-dense networks, tied together by information structures such as General Motors’ OnStar and Tesla’s Standard Connectivity networks.
Thus, even where the infrastructure itself appears to be ‘simple,’ as in building roads in an urban environment, it is increasingly tied to coevolving systems dominated by information technologies. Infrastructure is becoming an information domain and in doing so is becoming a cyberattack target.
What conceptual shifts are necessary to accommodate the reality of infrastructure cyberattacks?
The most important shift is to realize that the foreseeable future will be marked by conflict. We are not at peace and will not be for a long while, whether the attacks come from nation-state adversaries, terrorists, or domestic actors with various agendas. While in some cases, such as the Russia-Ukraine war, traditional kinetic warfare may dominate, the real geopolitical tussles for power will often occur in cyber battle spaces with weapons and strategies that consider all elements of a culture, and especially built infrastructure, as fair game.
Only a few of the successful attacks get reported, which allows complacency and a natural desire for peace, rather than conflict, to reassert itself. That is a whimsical fantasy that modern civil engineers, and indeed their societies, can no longer afford.
The second shift is to understand that all infrastructure is a target. The line between civilian and military is so inbred in American culture and education that it can blind us to the reality that, for our domestic and foreign adversaries, it is nonexistent. Civilian infrastructure is to our adversaries a target-rich environment, replete with underdefended targets that, if disrupted, can cause chaos and political meltdowns. Infrastructure is in the front lines of civilizational conflict.
The third is to shift from trying to build absolute defenses at the infrastructure level to building what professionals call ‘cyberdefense in depth.’ Part of the challenge of the cyberconflict realm is the rapid and unpredictable evolution of the threat, so the goal should be to build in enough capability and resiliency so that, even when a cyberattack does occur, damages can be limited.
Why must civil engineers take the lead in safeguarding the infrastructure they design, operate, and maintain?
Quite simply, it is because cyberattacks can occur at all levels of infrastructure systems, and developing adequate defenses thus requires that cybersecurity be a consideration at all levels. Obviously, it isn’t the job of civil engineers to construct complex artificial intelligence cyberdefenses at national scale, but civil engineers often have knowledge of the built environment for which they are responsible that provides important input for cyberdefense in depth.
Cyberdefense isn’t one dimensional; it is a systems challenge that can involve physical design decisions as well as more obvious cyber-oriented choices. For example, when the Oldsmar water treatment plant in Florida suffered a cyberattack that was designed to release toxic levels of lye into the water supply, it was not caught by cybersecurity software platformed on the operating system. Rather, it was caught by operator training and good facility design.
Cyberdefense requires not just good cybersecurity software but good design of target systems, training and awareness for designers and operators, and building in resilience and safety checks from the beginning.
The other thing to remember is that many potential targets are so small and underfunded that they may not have any capability for cyberdefense. In such circumstances, the aware civil engineer, who can try to design in protective alternatives, may be the only line of defense.
What steps should be taken to prepare civil engineers for this age of civilizational conflict?
One of the first steps is simply to create awareness. Many of the most damaging attacks on infrastructure occur because of human failure, which is something that engineers, who are often in a position of authority, can address.
Furthermore, most engineering students and professional engineers throughout their working lives receive little training regarding the cybersecurity risks inherent in their professional decisions, even as those decisions increasingly integrate sophisticated information technologies, from sensors to AI to advanced communication and information-processing components.
War, conflict, and quasi-criminal activities sponsored by nations are not part of engineering curricula or professional continuing education, and most people would rather not think about them. Yet, under modern strategic doctrines of many nations, including adversaries of the West, infrastructure systems are considered legitimate targets at all times.
The second is to make basic cybersecurity awareness and training a part of professional competence and licensing. The goal isn’t to turn civil engineers into cybersecurity experts but to create professionals who are able to understand the risk that cyberattacks pose to their designs and the infrastructure for which they are responsible and plan accordingly. A professional who, through ignorance or lack of training, creates a vulnerable system should not be considered a professional.
The consideration of cybersecurity issues should be a routine aspect of every civil engineering job. In some cases, of course, the amount of attention required might be negligible — replacing a segment of pipeline, for example. On the other hand, designing and building a pipeline system dependent on SCADA software is a different matter.
The third is to push engineering education to do its job. Constant challenge by criminal actors — foreign and domestic — and an environment of continual, low-level, civilizational conflict may not be the world professors or students want, but it is today’s reality. Engineers build the physical systems upon which society depends — and those systems must be safe for use and provide the needed services. The failure to adequately educate engineers regarding cybersecurity is simply irresponsible.
You advocate that national cybersecurity requirements for infrastructure development be created. Why is that?
In the early days of cybersecurity, the ‘fortress’ mental model was dominant; access by bad guys was limited by stout software walls. Modern cybersecurity systems, however, are better conceptualized as immune systems, multilayered defenses that seek to limit damage and create resilience rather than try to stop cyberattacks with single solutions.
National cybersecurity standards for infrastructure, such as those being proposed by the Cybersecurity and Infrastructure Security Agency under the authority of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, are thus properly understood as an important component of a defense in depth system running from the individual engineer up to the national level.
A national set of standards and practices can do a number of things: encourage attention to cybersecurity by firms and individuals that might otherwise not be paying adequate attention to their cyberdefenses; create a baseline of security that is especially important where, as in cyberwar, the best way into a system will often not be a direct attack on the target but through a weak link in a cyber network; and create a community that can identify and propagate best practices.
But even when fully implemented, such a national system does not relieve individual professionals of their responsibilities for cybersecurity.
Why is mandatory cybersecurity training an ethical issue for civil engineers?
In the preamble to ASCE’s Code of Ethics it states that members of ASCE must ‘conduct themselves with integrity and professionalism, and above all else protect and advance the health, safety, and welfare of the public through the practice of civil engineering.’ Designing, building, operating, and maintaining infrastructure and other major systems in ways that are vulnerable to deliberate cyberattack and sabotage fails to meet this professional standard.
Similarly, one must ask whether college- and university-level engineering education programs or professional continuing education and certification programs that provide no (or very little) background or familiarity with the cybersecurity domain are ethical, given today’s realities.
How might this cybersecurity focus change the way inter-disciplinary teams work when designing projects?
In many ways, cybersecurity is like any other new issue, such as sustainability, that competent engineering needs to integrate into practice in the 21st century. Being a good engineer today is more challenging than in past eras because the context of engineering has changed. This means that today’s engineers should have enough familiarity with cybersecurity so that they know when such issues are important and can include the appropriate experts on their teams. This is where national cybersecurity requirements for infrastructure could be useful, both as a signal that cyber issues are involved and to provide an easily accessible cybersecurity baseline.
Including cybersecurity in engineering teams doesn’t mean that cybersecurity requirements are always privileged or that they will be implemented regardless of cost or ergonomics or any other of the other myriad dimensions that engineers must consider. But building cybersecurity expertise into engineering practices and software will make for more resilient, safe, and effective infrastructure. It will, in short, be better engineering.
Margaret M. Mitchell is the editor in chief of Civil Engineering print magazine.
On March 5, the ASCE Board of Direction adopted Policy Statement 565 — Cybersecurity and Infrastructure Security, which recommends that all public and private infrastructure owners conduct regular cybersecurity and physical training for staff and contractors, among other actions, to avoid disruption and preserve public safety.
This article first appeared in the November/December 2022 issue of Civil Engineering as "Preparing for the Age of Civilizational Conflict."