Every government, regulator, owner and operator should be worried about the security of their infrastructure. Given the size and frequency of physical attacks, natural disasters and cyber-attacks on critical infrastructure and in public spaces over the past few years, it is clear that there is an urgent need to reduce the vulnerability of infrastructure assets and to protect citizens and users.
For some, this is about responding to a clear and present danger. Terrorism is a very real threat to infrastructure (both physically and through cyber-attack), particularly in densely populated urban areas and during major events where any action can have devastating and far-reaching consequences. For many others, it is about taking the right steps and making the right investments to protect the overall security of their people, assets and economies.
The threat of cyber-attacks on infrastructure is increasing, whether from terrorists or state-backed players bent on disrupting perceived enemies; commercial hackers looking for valuable data; or simply ne’er-do-wells and the disenfranchised seeking a new thrill or challenge.
The challenge has been compounded by the growing interconnectedness of systems. A hack on a state power grid, for example, has the potential to disrupt millions of businesses, individuals and other infrastructure systems which, in turn, will disrupt millions of other businesses and lives.
Part of the challenge is that few infrastructure executives truly understand their risk profiles and controls; fewer still fully understand the cyber element of the risk. And as geopolitical tensions grow, the skills of cyber-attackers become more sophisticated, and technology becomes more interconnected, the threat will continue to shift and evolve.
The bigger challenge, however, is one of cost. Improving security (particularly for existing assets) will require investment across the lifecycle – from the design and planning phase right through to operations and (in the case of nuclear facilities, for example) decommissioning. But that will require authorities to prioritize their security investments and make difficult choices between security (which will largely be invisible) and investment in capacity expansion.
In 2016, we expect public and private infrastructure owners to start placing more emphasis on, and investing more in, developing guiding principles, clearly defined responsibilities and major initiatives designed to enhance both physical and cyber security.
With political unrest on the rise in many parts of the world and several high-profile, cross-border infrastructure projects underway or currently being planned, the physical and cyber security of assets will only increase in importance, particularly to individuals and users. Notwithstanding a ‘breakthrough’ in cyber protection, expect security to start taking up a larger portion of infrastructure budgets.
© 2017 KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.