The future smart cities including the infrastructure projects in those cities could potentially become a major draw for cyber criminals unless a comprehensive security strategy is integrated early in their design phase, according to a leading cyber-security expert.

“Security today is where safety was 30 years ago,” explains Jay Williams, vice-president, Critical Infrastructure Protection at US-based Parsons. “It has to be embedded in the design and integrated into the request for proposal (RFP) whether the project is an urban transport network or an airport.”

Failure to do so could result in a piecemeal approach towards securing both information and physical assets, which could be easily exploited by hackers.

“If you think about events like the Fifa World Cup in 2022, these entail transporting millions of people on a daily basis and billions of dollars in investments. They require an infrastructure that complies with the most intense security and safety standards,” Williams said.

The widespread deployment of internet-of-things (IoT) that go beyond information technology software and hardware to operational technologies such as industrial control systems and building management systems, among others, requires a centralised and coordinated strategy and budget that ideally requires C-level support, Williams said.

It is understood that an effective security strategy starts with a thorough assessment of all assets and processes in place within an organisation. Most organisations hire security experts, which could only do their job with the help of an internal team comprising IT, operational, administrative, audit, risk management and finance experts. According to Williams, this process in itself is complicated as most business line experts are usually unwilling to give up control of their fields of expertise.

While the process is complicated and usually expensive, and does not guarantee that a company’s network or systems will never fall victim to a hacking activity, an organisation has to be prepared to spend to do the right thing. “No one wants to pay for car insurance , but every car owner does because it is the right thing to do,” says Williams, who was in the GCC to meet existing and potential clients, one of whom was affected by the most recent Shamoon virus attack. “It’s calls like these that organisations would like to avoid,” Williams said.

It has been widely reported that the latest Shamoon virus attack in Saudi Arabia affected two conglomerates and three government agencies, disrupting operations in these organisations for an estimated 48 hours.

The initial attack of the malicious programme took place in 2012, with an image of a burning US flag reportedly overwriting the drives of thousands of computers at Saudi Aramco and Qatar’s RasGas.

Lack of cyber-security experts

Complicating the task of addressing enterprise- or city-wide security is the lack of qualified cyber security experts globally and more so in the region. “Not only are they in short supply, they are also very expensive and there is good reason why they are expensive,” Williams says, citing that it usually takes up to five years for a new graduate of a cyber-security academic programme to acquire the experience of industrial control systems needed to protect them and make them safe.

The executive said they employ about 1,000 cyber security experts globally and will require another 200 over the short-term. “I can guarantee you there are no unemployed cyber security experts today,” he adds.

As an option for organisations, which are willing to build and maintain cybersecurity or other forms of critical infrastructure protection and monitoring processes outside their firewalls, Parsons – like its technology partners - maintains a cyber operations centre in the US. “Certainly availing cyber security or any critical infrastructure protection services on a subscription basis is an option we can recommend for some clients in the long run,” the executive said.

Response plan

Williams also warns that despite the demanding task of coming up with a security baseline it is hardly enough to protect an organisation’s physical or intellectual assets since the incidence of intrusion attempts and their level of sophistication could only rise over time. “What you need next is an active monitoring system for what are advanced persistent threats and a proper incident response plan to ensure that you are as protected as your neighbour or more protected than any time before,” he concludes.